Date:      Tue, 23 Dec 2003 10:29:56 +0000
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        "Jason C. Wells" <jcw@highperformance.net>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Routing to External IPs from Internal IPs
Message-ID:  <20031223102956.GB34651@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <Pine.BSF.4.44.0312221754500.11773-100000@s1.stradamotorsports.com>
References:  <Pine.BSF.4.44.0312221754500.11773-100000@s1.stradamotorsports.com>


On Mon, Dec 22, 2003 at 06:07:24PM -0800, Jason C. Wells wrote:
> I would like to be able to set the DNS settings for my internal network to
> 209.20.215.30 and 209.20.215.31.  The internal network is addressed as
> 192.168.1/24.
>
> How can I route from the internal addresses, through the internal
> interface of the firewall, to the external interface of the firewall, back
> through the port address translation to my internal nameservers?

You can do "static NAT" -- use the 'redirect_address' option for
natd(8).  This will let you map an Internet address on your external
network through to an internal machine: e.g.

    natd -redirect_address 192.168.1.1 209.20.215.31

This will allow external machines to access a server on your internal
network.  Your internal machines should be set up so that they use
just the internal addresses -- you can't route the packets from
internal machines through natd on the external interface as you
describe.  It's just the way that natd works, I'm afraid.

> If this question is too arcane, please refer me to the correct
> documentation.  I don't even know where to start.  Routing has always just
> magically worked on FreeBSD.  I would think it would be possible to add
> some sort of manual route to the routing tables, but what do I know.
>
> The idea is to allow roamers to roam and never have to change any of their
> configuration settings, namely their DNS settings.

This does depend somewhat on how you set up the roaming access to your
network.  If you create a VPN tunnel into your private network, then
the roaming users will see your internal servers just fine: no
renumbering necessary.  However, you will have to solve the initial
problem of making the network connections required to set up the VPN.

> Split DNS obviously can handle all other settings such as mail, time, web
> and so forth.  Handling the DNS settings themselves, which are by IP
> address, proves more difficult.

Ah -- this is what DHCP is for.  You can run DHCP on your internal
network to configure machines there, and also have a default lease
which dhclient(8) will fall back to when it can't find a DHCP server
-- as the man page says:

       A mobile host which may sometimes need to access a network on which no
       DHCP server exists may be preloaded with a lease for a fixed address on
       that network.  When all attempts to contact a DHCP server have failed,
       dhclient will try to validate the static lease, and if it succeeds,
       will use that lease until it is restarted.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
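As an added illustration, not part of Matthew's message or the FreeBSD project's own files, here is a dhclient.conf(5) laid out the way he describes: the ordinary lease comes from the internal DHCP server whenever one answers, and the preloaded `lease { }` block is the static lease dhclient(8) falls back to once every attempt to reach a server has failed. The interface name, the fallback address and its gateway are constructed placeholders; the nameserver addresses are the two named in the thread.

```conf
# /etc/dhclient.conf -- added example, not from the original thread.
# Interface name, fallback address and gateway are constructed
# placeholders (RFC 5737 documentation range); the nameserver
# addresses are the ones named in the thread.

# Stop looking for a DHCP server after 30 seconds (default is 60)
# and fall back to the static lease below.
timeout 30;

interface "fxp0" {
    # On the internal 192.168.1/24 network the DHCP server answers
    # and hands out the internal nameserver addresses; nothing in
    # this file overrides what the server supplies.
    request subnet-mask, broadcast-address, routers,
            domain-name-servers;
}

# Preloaded static lease.  Used only when no DHCP server could be
# contacted and the lease validates; kept until dhclient restarts.
lease {
    interface "fxp0";
    fixed-address 192.0.2.50;               # placeholder host address
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.0.2.255;
    option routers 192.0.2.1;               # placeholder gateway
    # Public nameservers from the thread, reachable from outside.
    option domain-name-servers 209.20.215.30, 209.20.215.31;
    # Lease timing fields as in the dhclient.conf(5) example.
    renew 2 2000/1/12 00:00:01;
    rebind 2 2000/1/12 00:00:01;
    expire 2 2000/1/12 00:00:01;
}
```

Whatever addresses sit in that static lease are what the laptop will use on any network where no DHCP server answers, so it should carry the public nameservers rather than the internal 192.168.1 ones.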
