Date:      Sun, 8 Jun 2014 13:40:37 +0200
From:      Andreas Nilsson <andrnils@gmail.com>
To:        Erich Dollansky <erichsfreebsdlist@alogt.com>
Cc:        FreeBSD Net <freebsd-net@freebsd.org>, None Secure <none_secure@yahoo.com>
Subject:   Re: Can you create a FreeBSD gateway, with private IPs, without NAT/divert ?
Message-ID:  <CAPS9%2BSvGFLO8uFcPdJtEUvr88M6jQxn5c4mYTBTfDT7chw0LJA@mail.gmail.com>
In-Reply-To: <20140608091226.3bb9fe60@X220.alogt.com>
References:  <1402122166.37214.YahooMailNeo@web162101.mail.bf1.yahoo.com> <20140607144043.3d4be435@X220.alogt.com> <1402159719.88183.YahooMailNeo@web162105.mail.bf1.yahoo.com> <20140608091226.3bb9fe60@X220.alogt.com>

On Sun, Jun 8, 2014 at 3:12 AM, Erich Dollansky <erichsfreebsdlist@alogt.com> wrote:

> Hi,
>
> On Sat, 7 Jun 2014 09:48:39 -0700 (PDT)
> None Secure via freebsd-net <freebsd-net@freebsd.org> wrote:
>
> > Yes, but in this case BOTH IPs of the gateway - both the external and
> > the internal interfaces - are non-routable IPs, and so is my ISP
> > cable modem.
> >
> > 192.168.1.1 is the cable modem
> > 192.168.1.2 is external interface of my FreeBSD
> > 10.10.10.1 is internal interface of my FreeBSD
> >
> I have had before the reverse situation. 10.x.x.x was the external
> address and 192.168.x.x the internal. There have been two interfaces in
> the machine. I cannot remember that I have had any problems with this.
> I have now an external router so I do not need to use FreeBSD for this.
>
> Erich
>

It's sad that they chose CGN in the first place :( But now that they have,
couldn't you ask them to give you a /24 subnet of that rfc1918 block? Then
you wouldn't really need a gateway at all, just a firewall (which should
block arp and so on).

And as stated by others: the routing/forwarding table really has no notion
of human "constraints" on IP addresses; the kernel will happily forward
traffic from one rfc1918 block to another.

That being said, your ISP is running nat, from 192.168.1.1 to some public
ip. If the ISP sees traffic from 10.10.10.0/24 ( just guessing about the
/24), they will be confused, which is why you need to run nat to translate
those internal addresses to your external IP.

As for ipfw, could you show us the rules that get added? If it uses divert
you definitely should be able to send to different natd processes, as
divert sends the traffic to a specified port.

If you want to use in-kernel nat it might be a bit trickier, but what if
you put the process in question in a jail? Then you could easily distinguish it
in ipfw.

Best regards
Andreas

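[Editor's added example, not part of Andreas's message or the FreeBSD project's
own documentation.] The two suggestions above, divert(4) with a natd(8) process
per traffic class, and in-kernel NAT with a jail picked out by its address, look
like this as an ipfw(8) ruleset for the addressing in the thread (modem
192.168.1.1, external 192.168.1.2, internal 10.10.10.1). The interface names
em0/em1, the jail address 10.10.10.50, the second divert port 8669, and the
second external alias 192.168.1.3 are assumptions for the example. The alias is
the caveat to keep in mind: two natd processes (or two nat instances) that both
alias to 192.168.1.2 cannot be told apart on the way back in, so the jail's
translator needs its own external address. The script only prints the commands
unless it is run as root on a host that actually has ipfw.

```shell
#!/bin/sh
# Added example for this thread (not from the original post): an ipfw(8)
# ruleset for a FreeBSD gateway whose external interface itself has an
# RFC 1918 address (192.168.1.2 behind the ISP's CGN modem at 192.168.1.1)
# and whose LAN is 10.10.10.0/24.  Everything is emitted as commands so the
# ruleset can be reviewed before it is applied.
#
# Assumptions (not in the original message): external NIC em0, internal
# NIC em1, a jail on 10.10.10.50 whose traffic gets its own NAT instance,
# and a second alias 192.168.1.3 on em0 so return traffic for that NAT can
# be told apart from the main one.

EXT_IF=em0
INT_IF=em1
EXT_IP=192.168.1.2          # main external address (from the thread)
JAIL_EXT_IP=192.168.1.3     # assumed second alias for the jail's NAT
LAN=10.10.10.0/24
JAIL_IP=10.10.10.50         # assumed jail address
NATD_PORT_MAIN=8668         # natd's default divert port
NATD_PORT_JAIL=8669         # assumed second divert port

# Addresses are only a human convention: forwarding between two RFC 1918
# blocks needs nothing more than this sysctl (gateway_enable="YES" in
# rc.conf does the same at boot).  The /32 alias is what lets the modem's
# LAN deliver the jail's return traffic to us.
forwarding_cmds() {
    echo "sysctl net.inet.ip.forwarding=1"
    echo "ifconfig $EXT_IF alias $JAIL_EXT_IP netmask 255.255.255.255"
}

# Variant 1: divert(4) sockets and two natd(8) processes.  The divert port
# in each rule selects the natd instance: the jail is matched by source on
# the way out and by its alias address on the way in.  More specific rules
# must come first, since 10.10.10.50 is inside 10.10.10.0/24.
divert_rules() {
    cat <<EOF
natd -p $NATD_PORT_MAIN -a $EXT_IP
natd -p $NATD_PORT_JAIL -a $JAIL_EXT_IP
ipfw add 100 divert $NATD_PORT_JAIL ip from $JAIL_IP to any out via $EXT_IF
ipfw add 110 divert $NATD_PORT_JAIL ip from any to $JAIL_EXT_IP in via $EXT_IF
ipfw add 200 divert $NATD_PORT_MAIN ip from $LAN to any out via $EXT_IF
ipfw add 210 divert $NATD_PORT_MAIN ip from any to $EXT_IP in via $EXT_IF
EOF
}

# Variant 2: in-kernel NAT (ipfw_nat).  Two nat instances take the place of
# the two natd processes; the jail is still distinguished by its address.
kernel_nat_rules() {
    cat <<EOF
kldload ipfw_nat
ipfw nat 1 config ip $EXT_IP same_ports
ipfw nat 2 config ip $JAIL_EXT_IP same_ports
ipfw add 100 nat 2 ip from $JAIL_IP to any out via $EXT_IF
ipfw add 110 nat 2 ip from any to $JAIL_EXT_IP in via $EXT_IF
ipfw add 200 nat 1 ip from $LAN to any out via $EXT_IF
ipfw add 210 nat 1 ip from any to $EXT_IP in via $EXT_IF
EOF
}

# Common tail: pass the LAN side, then refuse anything that still carries
# an untranslated 10.x source towards the modem (the traffic the ISP's NAT
# would be "confused" by).  Rule 500 is default-allow for the example only;
# a real gateway should end in deny.
common_rules() {
    cat <<EOF
ipfw add 300 allow ip from any to any via $INT_IF
ipfw add 400 deny log ip from $LAN to any out via $EXT_IF
ipfw add 500 allow ip from any to any
EOF
}

# gen_ruleset divert|kernel prints the complete command list.
gen_ruleset() {
    forwarding_cmds
    case "$1" in
        divert) divert_rules ;;
        kernel) kernel_nat_rules ;;
        *) echo "usage: gen_ruleset divert|kernel" >&2; return 1 ;;
    esac
    common_rules
}

# Only touch the live system when ipfw is present and we are root.
apply_ruleset() {
    if [ "$(id -u)" -ne 0 ] || ! command -v ipfw >/dev/null 2>&1; then
        echo "not root or no ipfw(8); printing only" >&2
        gen_ruleset "$1"
        return 0
    fi
    gen_ruleset "$1" | sh -e
}

if [ -n "${1:-}" ]; then
    apply_ruleset "$1"
fi
```

Run as `sh gateway-nat.sh divert` or `sh gateway-nat.sh kernel`. With in-kernel
NAT the default net.inet.ip.fw.one_pass=1 means a packet leaves the ruleset as
soon as a nat rule has translated it, so rule 400 never sees translated traffic
in either variant; it exists to catch a packet that slipped past both nat rules.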


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAPS9%2BSvGFLO8uFcPdJtEUvr88M6jQxn5c4mYTBTfDT7chw0LJA>