From: Nick Rogness
To: Scott Muir
Cc: freebsd-questions@FreeBSD.ORG
Subject: RE: gateway question...
Date: Sat, 6 Apr 2002 19:34:32 -0600 (CST)

On Sat, 6 Apr 2002, Scott Muir wrote:

> Thank you for responding firstly...
>
> Okay... The simplest thing I want to accomplish is to be able to ping
> either of the external IPs from a remote machine. What this is
> leading up to is having a production machine and a development machine
> behind one firewall, but ip#1 is forwarded to the production machine and
> ip#2 is forwarded to the development machine. I just want the 2 servers to
> be on the same subnet and I don't want to have 2 firewalls to the
> outside. The port forwarding is easy; it's the routing stuff that I'm
> not able to make sense of...

This is actually a lot harder than one would think because of the way
FreeBSD routes traffic. You have to "flag" packets coming inbound on your
secondary interface so you know which interface to send them back out. I
usually do this by changing the source address for ALL packets coming
inbound on your "secondary interface" to some arbitrary RFC1918
unroutable address. Then you can route them back out the proper interface
by routing that source IP address out that secondary interface (making
both natds happy).
Here is what you need to do. This requires 3 copies of natd running :-(

Assuming xl0 is your default gateway interface and xl1 is your secondary
broadband carrier interface.

Firewall stuff (pseudo-syntax):

    # Default natd
    ipfw add divert natd ip from any to any via xl0

    # Change destination on inbound xl1
    ipfw add divert natd2 ip from any to any in via xl1

    # Change source on inbound xl1
    ipfw add divert natd3 ip from any to any in via xl1

    # Allow inbound packet to go
    ipfw add allow ip from 192.168.0.1 to any in via xl1

    # Change destination outbound xl1
    ipfw add divert natd3 ip from any to 192.168.0.1 out via xl1

    # Change source outbound xl1
    ipfw add divert natd2 ip from any to any out via xl1

    # Allow traffic for now
    ipfw add allow ip from any to any

Then just add your other statements:

    # route add -host 192.168.0.1 $IP_OF_GATEWAY_xl1
    # natd -n xl0 -redirect_port blah blah
    # natd -n xl1 -port 8669 -redirect_port blah blah
    # natd -reverse -alias_address 192.168.0.1 -port 8670

In /etc/services:

    natd    8668/divert
    natd2   8669/divert
    natd3   8670/divert

Nick Rogness
- Don't mind me...I'm just sniffing your packets
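As an added illustration (not part of Nick's mail), here is a small Python model of why the RFC1918 "flag" makes the reply leave on xl1: the public IPs, the internal host and the remote machine are invented, natd2/natd3 are modelled as simple rewrite tables, and the kernel's longest-prefix route lookup picks the egress interface. It also runs the same ping without the host route and source rewrite, to show the reply falling out of the default route on xl0 with the wrong source address.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses for this illustration (not from the original mail).
PUBLIC_XL0 = "198.51.100.10"   # ip#1, default-route carrier on xl0
PUBLIC_XL1 = "203.0.113.20"    # ip#2, secondary carrier on xl1
MARK = "192.168.0.1"           # natd3 -alias_address: the RFC1918 "flag"
SERVER = "10.0.0.5"            # internal box that ip#2 is forwarded to
REMOTE = "192.0.2.7"           # remote machine pinging ip#2
DEFAULT_ONLY = [(ip_network("0.0.0.0/0"), "xl0")]
WITH_HOST_ROUTE = DEFAULT_ONLY + [(ip_network(MARK + "/32"), "xl1")]  # route add -host

def route(dst, routes):
    """Kernel-style longest-prefix match over (network, interface) pairs."""
    hits = [(n.prefixlen, ifn) for n, ifn in routes if ip_address(dst) in n]
    return max(hits)[1]

class Natd:
    """One natd instance: remembers rewritten -> original so replies can be undone."""
    def __init__(self):
        self.table = {}
    def rewrite(self, pkt, field, new):      # forward direction
        self.table[new] = pkt[field]
        return {**pkt, field: new}
    def restore(self, pkt, field):           # reverse direction
        return {**pkt, field: self.table.get(pkt[field], pkt[field])}

def inbound_on_xl1(pkt, natd2, natd3, mark_source):
    """The 'in via xl1' rules: natd2 redirects dst to SERVER, natd3 marks src."""
    pkt = natd2.rewrite(pkt, "dst", SERVER)  # natd -n xl1 -redirect_port ...
    if mark_source:
        pkt = natd3.rewrite(pkt, "src", MARK)  # natd -reverse -alias_address
    return pkt

def reply(pkt, routes, natd2, natd3):
    """SERVER answers; the kernel picks the interface, then the 'out' rules run."""
    out = {"src": pkt["dst"], "dst": pkt["src"]}
    ifn = route(out["dst"], routes)
    if ifn == "xl1":
        out = natd3.restore(out, "dst")      # divert natd3 ... to 192.168.0.1 out via xl1
        out = natd2.restore(out, "src")      # divert natd2 ... out via xl1
    else:
        out = {**out, "src": PUBLIC_XL0}     # default natd on xl0 masquerades instead
    return ifn, out

def simulate(use_trick):
    """Returns (egress interface, reply packet as REMOTE would see it)."""
    natd2, natd3 = Natd(), Natd()
    ping = inbound_on_xl1({"src": REMOTE, "dst": PUBLIC_XL1}, natd2, natd3, use_trick)
    return reply(ping, WITH_HOST_ROUTE if use_trick else DEFAULT_ONLY, natd2, natd3)
```

With the trick the reply leaves xl1 sourced from ip#2, so the remote's ping succeeds; without it the reply leaves xl0 sourced from ip#1 and the remote never matches it to its request.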