From: Matthew Seaman
To: "Jason C. Wells"
Cc: freebsd-questions@freebsd.org
Date: Tue, 23 Dec 2003 10:29:56 +0000
Subject: Re: Routing to External IPs from Internal IPs
Message-ID: <20031223102956.GB34651@happy-idiot-talk.infracaninophile.co.uk>

On Mon, Dec 22, 2003 at 06:07:24PM -0800, Jason C. Wells wrote:
> I would like to be able to set the DNS settings for my internal network to
> 209.20.215.30 and 209.20.215.31. The internal network is addressed as
> 192.168.1/24.
>
> How can I route from the internal addresses, through the internal
> interface of the firewall, to the external interface of the firewall, back
> through the port address translation to my internal nameservers?

You can do "static NAT" -- use the 'redirect_address' option for natd(8).
This will let you map an Internet address on your external network through
to an internal machine, e.g.

    natd -redirect_address 192.168.1.1 209.20.215.31

This will allow external machines to access a server on your internal
network. Your internal machines should be set up so that they use just the
internal addresses -- you can't route the packets from internal machines
through natd on the external interface as you describe. It's just the way
that natd works, I'm afraid.

> If this question is too arcane, please refer me to the correct
> documentation. I don't even know where to start. Routing has always just
> magically worked on FreeBSD. I would think it would be possible to add
> some sort of manual route to the routing tables, but what do I know.
>
> The idea is to allow roamers to roam and never have to change any of their
> configuration settings, namely their DNS settings.

This does depend somewhat on how you set up the roaming access to your
network. If you create a VPN tunnel into your private network, then the
roaming users will see your internal servers just fine: no renumbering
necessary. However, you will have to solve the initial problem of making
the network connections required to set up the VPN.

> Split DNS obviously can handle all other settings such as mail, time, web
> and so forth. Handling the DNS settings themselves, which are by IP
> address, proves more difficult.

Ah -- this is what DHCP is for. You can run DHCP on your internal network
to configure machines there, and also have a default lease which
dhclient(8) will fall back to when it can't find a DHCP server -- as the
man page says:

    A mobile host which may sometimes need to access a network on which no
    DHCP server exists may be preloaded with a lease for a fixed address on
    that network. When all attempts to contact a DHCP server have failed,
    dhclient will try to validate the static lease, and if it succeeds,
    will use that lease until it is restarted.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                    26 The Paddocks
                                                   Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey      Marlow
Tel: +44 1628 476614                               Bucks., SL7 1TH UK
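The preloaded static lease Matthew describes, written out as a dhclient.conf fragment. This is an added example, not part of the thread: the interface name (fxp0), the fixed address 192.168.1.50, the gateway 192.168.1.254 and the internal nameserver addresses 192.168.1.1/192.168.1.2 are all assumptions for the 192.168.1/24 network in the question; only the public 209.20.215.30/31 addresses come from the original mail, and they are deliberately not used here.

```conf
# /etc/dhclient.conf  (added example; all addresses and the interface
# name are assumed, not taken from the mailing-list thread)

# Normal operation: take everything from whichever DHCP server answers.
interface "fxp0" {
    request subnet-mask, broadcast-address, routers,
            domain-name-servers, domain-name;
    require subnet-mask, routers;
}

# Fallback used only after every DHCP attempt has failed (dhclient(8)):
# a preloaded lease for a fixed address on the home network.  It hands
# the roaming host the *internal* nameserver addresses, so the host never
# has to reach the public 209.20.215.x addresses back through natd from
# inside the LAN, which natd cannot do.
lease {
    interface "fxp0";
    fixed-address 192.168.1.50;                 # assumed: a free address
                                                # reserved in 192.168.1/24
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.1.255;
    option routers 192.168.1.254;               # assumed: the firewall's
                                                # internal interface
    option domain-name-servers 192.168.1.1, 192.168.1.2;   # assumed internal
                                                           # nameserver addresses
    option domain-name "example.org";           # placeholder domain
    # Far-future timestamps so the static lease is never considered expired.
    # Format is <weekday 0-6> <year>/<month>/<day> <hh:mm:ss>.
    renew 4 2037/1/1 00:00:00;
    rebind 4 2037/1/1 00:00:00;
    expire 4 2037/1/1 00:00:00;
}
```

When dhclient validates the fallback lease, the stock dhclient-script checks that the router in the lease is reachable before committing to it, so the routers option must name the real internal gateway; on a foreign network with its own DHCP server the static lease is never used.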