Date: Sun, 18 Aug 2013 01:29:36 +0200
From: Terje Elde <terje@elde.net>
To: Frank Leonhardt <freebsd-doc@fjl.co.uk>
Cc: "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject: Re: VPN where local private address collide
Message-ID: <1FF39756-0555-4CD8-95B7-862F9644CF78@elde.net>
In-Reply-To: <520F8AA8.8030407@fjl.co.uk>
References: <520E5EC0.5090105@fjl.co.uk> <9FB6809B-DD5D-4A04-8BD9-0271FAC03181@elde.net> <520F53A2.80707@fjl.co.uk> <B86F8EA5-67BE-4791-8CAE-6E70BB326500@elde.net> <520F8AA8.8030407@fjl.co.uk>
On 17. aug. 2013, at 16:37, Frank Leonhardt <freebsd-doc@fjl.co.uk> wrote:

> This is just the sort of problem Google will have when it buys Facebook :-)

Probably not. If Google were to buy Facebook, I'm confident they'd be able to renumber their networks if they have to.

> Your explanation of the foul-up possible with NAPT is well made, although not really talking about the kind of NAT used on Home/SME routers (one public address hiding many private ones) - I'm thinking of Basic NAT - one-to-one replacement, not one-to-many (i.e. static address assignment). All the router (or firewall) needs to do is swap the IP address in the header as it passes through, and swap it back when it returns. The two hosts shouldn't notice a thing.

That's a good theory. In reality, it's much more complicated.

What about SSL/TLS for example? How would the router swap the header in an encrypted session?

(That's a likely scenario with both VoIP, teleconferencing and ftp over ssl btw).

Swapping headers is also a bit outside the scope of NAT, and over to application level gateway. I've seen probably hundreds of attempts at such solutions, most didn't work at all, and few - if any - worked well.

> FWIW it works pretty well without NAT if you can avoid address conflicts, and in a small installation it's possible. But consider this really trivial example:

If you're fine with the way it works without conflicts, why not just move things around? Change statically configured IPs, and narrow the DHCP scopes to avoid conflict?

> The obvious answer is IPv6, of course. I'm surprised no one has mentioned it yet.

You seemed dead set on not renumbering the networks, and moving to IPv6 would not only be just that, but also be harder than just renumbering IPv4-nets, so you answered that question for us already.

> mpd does handle NAT (Section 4.14 of its manual). It doesn't go in to great detail except to say it uses ng_nat, which in turn uses libalias (like natd). Looking at the ng_nat 'C' interface, NGM_NAT_REDIRECT_ADDR sounds like what I'm after but it all looks geared to NAPT (which is, I guess, what most people use NAT for). And I've got this nagging feeling that ipfw is going to be involved somewhere, just to make it really tricky.

If you do insist on shooting the network owner(s) in the foot, pf would probably do fine for the NAT.

Best of luck on your adventure sir, you'll need it. If not today, then some day ahead. Bring a towel.

Terje
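Editor's note (added example, not part of the thread and not Terje's or Frank's configuration): the one-to-one "Basic NAT" Frank describes, done with pf as Terje suggests, is pf's binat. The fragment below is a pf.conf for one site whose LAN uses the same 192.168.1.0/24 as the remote site; it presents the LAN across the tunnel as a distinct, unused range and maps replies back. The interface name ng0 (mpd's netgraph PPP interface), the 10.200.x.0/24 ranges and the site names are assumptions chosen for the example.

```pf
# Site A pf.conf fragment (constructed example). The remote site runs the
# mirror image of this with its own translated range (assumed 10.200.2.0/24).
lan_net = "192.168.1.0/24"   # real LAN at site A, colliding with the remote LAN
nat_net = "10.200.1.0/24"    # how site A's hosts appear to the remote site (assumed)
vpn_if  = "ng0"              # tunnel interface created by mpd (assumed name)

# Translation rules must precede filter rules in pf.conf.
# binat is bidirectional: a packet from 192.168.1.X leaving via the tunnel
# has its source rewritten to 10.200.1.X; a packet arriving on the tunnel
# for 10.200.1.X has its destination rewritten back to 192.168.1.X.
# Both netblocks must be the same size.
binat on $vpn_if from $lan_net to any -> $nat_net

# Let tunnel traffic through; tighten to the services actually needed.
pass on $vpn_if
```

With this in place a host at site A reaches the remote host 192.168.1.50 as 10.200.2.50, and the remote site must route 10.200.2.0/24 (its own translated range) and 10.200.1.0/24 into the tunnel. The caveat Terje raises still applies: only the IP header is rewritten, so anything that carries addresses in the payload (FTP PORT, SIP, or anything inside TLS) sees the untranslated 192.168.1.x addresses and fails unless an application-level gateway handles it, and DNS answers handed across the tunnel have to return the translated addresses.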