Date:      Tue, 21 Feb 2006 09:26:18 -0600
From:      Greg Barniskis <gregb@scls.lib.wi.us>
To:        Ted Mittelstaedt <tedm@toybox.placo.com>
Cc:        freebsd-questions <freebsd-questions@freebsd.org>
Subject:   Re: question on NAT for multiple subnets
Message-ID:  <43FB311A.2020603@scls.lib.wi.us>
In-Reply-To: <LOBBIFDAGNMAMLGJJCKNCEGMFDAA.tedm@toybox.placo.com>
References:  <LOBBIFDAGNMAMLGJJCKNCEGMFDAA.tedm@toybox.placo.com>

Ted Mittelstaedt wrote:
> 
>> -----Original Message-----
>> From: Greg Barniskis [mailto:gregb@scls.lib.wi.us]
>> Sent: Friday, February 17, 2006 10:14 AM
>> To: Ted Mittelstaedt
>> Cc: freebsd-questions
>> Subject: Re: question on NAT for multiple subnets
>>
>>
>> Ted Mittelstaedt wrote:
>>> I've never done it but I think you can run multiple nat instances
>>> and multiple divert sockets, you will have to specify them in the
>>> config file to natd, though.  
>> Excellent. That's what I was hoping for. So instead of one "divert 
>> natd" rule in ipfw, I simply need "divert N", "divert N+1", "divert 
>> N+2", etc. where N is a port number where I bound my first natd, N+1 
>> the next natd instance, etc. I think I can manage that.
>>
> 
> I looked at the man page for natd and they specify the divert port
> with -port, and alias address with -alias_address
> 
> You're going to have a bit of trial and error to work this config
> out but it shouldn't be that bad.  I would love to see it posted
> here once you get it working.

I will share anything I get working, when I do (ipfw, pf or 
otherwise). Might be a while though. My immediate need was only to 
answer the question of whether any significant lab time on it was 
even worthwhile. A yes answer means the topic's tabled for a couple 
of weeks at least.

> 
> PS:  A firewall with a shell that you can actually initiate a telnet
> session from knocks a PIX into a cocked hat.  And I just love 
> dealing with a PIX on a network that has multiple gateways on it.
> Nothing like the lack of icmp redirects to get you swearing.

Wouldn't be asking if the subject hadn't been discussed by staff in 
terms of "Can't we do this outside the [grumble|mumble|curse] PIX?". 
Not to knock it too hard; it does what it does pretty well, pretty 
fast, it's just that the things it doesn't do well are too many.



-- 
Greg Barniskis, Computer Systems Integrator
South Central Library System (SCLS)
Library Interchange Network (LINK)
<gregb at scls.lib.wi.us>, (608) 266-6348



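The approach agreed on in the thread (one natd instance per internal subnet, each bound to its own divert port with `-port` and its own public address with `-alias_address`, plus a matching pair of ipfw `divert` rules) can be scripted so that ports and rule numbers stay consistent. The following is an added example written for this archive page, not code from either poster or from the FreeBSD project. The external interface `em0`, the subnet-to-alias mapping, the base divert port and the base rule number are constructed sample values; the script only prints the natd command lines and ipfw rules so it can be reviewed before anything is applied.

```shell
#!/bin/sh
# Added example: emit one natd instance and one ipfw divert rule pair per
# internal subnet. All addresses, the interface and the base numbers below are
# constructed sample values, not taken from the thread.

EXT_IF="em0"        # assumed external interface
BASE_PORT=8668      # first divert port; each further natd instance uses +1
BASE_RULE=1000      # first ipfw rule number; each subnet gets a block of 10

# Constructed sample mapping: internal subnet=public alias address (space-separated)
SUBNET_MAP="192.168.10.0/24=203.0.113.10 192.168.20.0/24=203.0.113.20 192.168.30.0/24=203.0.113.30"

# Emit "index subnet alias" triples; the index drives port and rule numbering.
subnet_entries() {
    i=0
    for entry in $SUBNET_MAP; do
        echo "$i ${entry%=*} ${entry#*=}"
        i=$((i + 1))
    done
}

# One natd per subnet, each on its own divert port and alias address
# (the two options named in the thread).
natd_commands() {
    subnet_entries | while read -r i subnet alias; do
        echo "natd -port $((BASE_PORT + i)) -alias_address $alias"
    done
}

# Two ipfw rules per subnet: outbound traffic from the subnet goes to that
# subnet's natd, and inbound traffic addressed to its alias comes back through
# the same instance, so translation state never crosses subnets.
ipfw_rules() {
    subnet_entries | while read -r i subnet alias; do
        port=$((BASE_PORT + i))
        rule=$((BASE_RULE + i * 10))
        echo "ipfw add $rule divert $port ip from $subnet to any out via $EXT_IF"
        echo "ipfw add $((rule + 1)) divert $port ip from any to $alias in via $EXT_IF"
    done
}

# Print the generated configuration for review; nothing is applied here.
natd_commands
ipfw_rules
```

Because the stock rc.conf natd knobs configure a single instance, the generated natd lines belong in a local startup script rather than in rc.conf. The divert rules must sit ahead of any default-deny rule, and keeping the inbound rule keyed to the alias address (rather than `from any to any`) means each natd instance only ever sees traffic for the subnet it serves.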