Date:      Tue, 28 Jun 2005 11:47:05 +0200
From:      Max Laier <max@love2party.net>
To:        freebsd-net@freebsd.org
Cc:        Milan Obuch <net@dino.sk>, Julian Elischer <julian@elischer.org>
Subject:   Re: Julian's netowrking challenge 2005
Message-ID:  <200506281147.13299.max@love2party.net>
In-Reply-To: <200506281139.17582.net@dino.sk>
References:  <42C0DB3B.6000606@elischer.org> <20050628074640.GY1283@obiwan.tataz.chchile.org> <200506281139.17582.net@dino.sk>

On Tuesday 28 June 2005 11:39, Milan Obuch wrote:
> On Tuesday 28 June 2005 09:46, Jeremie Le Hen wrote:
> > Hi Julian,
> >
> > > The challenge:
> > >
> > > figure out a way so that all the users on the network behind fxp0
> > > can use the internet using the T1 attached to the cisco off fxp1
> > > while all the advertised services (about 8 of them, few enough to
> > > list by hand in rules etc.) which are also behind fxp0 but accessed by
> > > NAT'd addresses from the addresses on fxp1's net are accessed solely via
> > > that T1.
> > >
> > > [...]
> > >
> > > I can get the 'forward' direction easily.. i.e. incoming packets.
> > >
> > > It's the reverse direction that doesn't work for me.
> > > I considered running 2 NATDs
> > > but I need to run ipfw to identify the reverse streams to force back
> > > via fxp2
> > > and the only way I can do that is by using the 'fwd' command.
> > > if I do that I can't divert them and if I divert them to natd first, I
> > > can't 'fwd' them afterwards as the NATing is already done for the other
> > > (wrong) interface.
> >
> > You definitely want a non-terminal "fwd" command.
> > Ari Suutari has just implemented the "setnexthop" action that does the
> > trick, I think the patch [1] is waiting to be committed in -CURRENT.
> > I don't think this would be really difficult to backport to RELENG_4.
>
> I think this is a good solution for him. At least once I needed to solve
> something similar, no luck then...

Wouldn't a more general approach be better?  e.g. a way to "tag" a packet
before it is sent to divert and a matching tag-lookup that can do further
action.  This would make it very easy to do all kinds of stuff that needs to
know the original address instead of the translated one while avoiding code
duplication.

pf does something along these lines in case you are looking for references.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
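The tag-then-lookup approach Max describes, as an added example that is not part of the original message, of the thread, or of the setnexthop patch it mentions: an ipfw(8) rule script for the reverse (reply) direction of the challenge, with the topology, addresses, interface roles and service list made up for illustration. It relies on two ipfw features that arrived after this 2005 exchange, the tag/tagged keywords (FreeBSD 6.2) and in-kernel nat (FreeBSD 7.0). Service replies are tagged on the LAN side while their private source address is still visible, forwarded to the T1 gateway, and then translated on the T1 interface by the NAT instance the tag selects.

```sh
#!/bin/sh
# Added example, not from the original thread: an ipfw(8) ruleset that does
# what the message proposes, "tag the packet before NAT, act on the tag after
# NAT".  It uses ipfw features that postdate this 2005 message: the tag/tagged
# keywords (FreeBSD 6.2) and in-kernel nat (FreeBSD 7.0).
#
# Assumed, simplified topology (hypothetical, not taken from the thread):
#   fxp0  192.168.1.0/24   LAN with the users and the advertised services
#   fxp1  Cisco/T1 side, gateway 192.0.2.1
#   fxp2  second uplink, default route
# Goal: users leave via the default route (fxp2); the services are published
# and answered only through the T1 (fxp1).
#
# Usage:  sh ipfw-tag.sh          # print the rules
#         sh ipfw-tag.sh apply    # load them with ipfw(8)

LAN_IF=fxp0; LAN_NET=192.168.1.0/24
T1_IF=fxp1;  T1_GW=192.0.2.1
ALT_IF=fxp2

# Advertised services: "private-address tcp-port", one per line (constructed).
SERVICES="192.168.1.10 80
192.168.1.10 443
192.168.1.20 25"

redirects() {
    # One redirect_port per service so inbound T1 traffic reaches it.
    echo "$SERVICES" | while read -r addr port; do
        printf ' redirect_port tcp %s:%s %s' "$addr" "$port" "$port"
    done
}

rules() {
    # Two NAT instances, one per uplink, each aliasing to that uplink's address.
    echo "nat 1 config if $T1_IF$(redirects)"
    echo "nat 2 config if $ALT_IF"

    # Forward direction (the easy case): de-alias/redirect on the uplink the
    # packet came in on.
    echo "add 100 nat 1 ip from any to any in recv $T1_IF"
    echo "add 110 nat 2 ip from any to any in recv $ALT_IF"

    # Reverse direction (the hard case): a reply from a service enters on the
    # LAN interface with its private source address.  Tag it now, while that
    # address is still visible; 'count' is non-terminal, so evaluation goes on.
    n=200
    echo "$SERVICES" | while read -r addr port; do
        echo "add $n count tag 1 tcp from $addr $port to any in recv $LAN_IF"
        n=$((n + 10))
    done
    # Send tagged replies to the Cisco instead of the default route.  fwd is
    # terminal for this pass, but the tag stays on the mbuf into the output pass.
    echo "add 290 fwd $T1_GW ip from any to any in recv $LAN_IF tagged 1"

    # Output pass: the tag, not the addresses, picks the NAT instance for the
    # service replies; once nat 1 has rewritten the source, the tag is all that
    # still identifies the packet as a service reply.  Tags survive in-kernel
    # nat but are lost on a round trip through a userland natd divert socket.
    echo "add 300 nat 1 ip from any to any out xmit $T1_IF tagged 1"
    echo "add 310 nat 2 ip from $LAN_NET to any out xmit $ALT_IF"

    echo "add 65000 allow ip from any to any"
}

apply() {
    kldstat -q -m ipfw_nat || kldload ipfw_nat
    # Let packets continue through the ruleset after nat instead of exiting.
    sysctl net.inet.ip.fw.one_pass=0
    ipfw -q flush
    rules | while read -r line; do ipfw -q $line; done
}

case "$1" in
    apply) apply ;;
    *)     rules ;;
esac
```

Two practical caveats. ipfw(8) documents tags as lost when a packet leaves the kernel, including on its way to a divert(4) socket, so this only works with in-kernel nat; with a userland natd the tag does not come back from the divert round trip, which is exactly the gap the thread was trying to close with a non-terminal fwd. And the script sets net.inet.ip.fw.one_pass to 0 so that packets returning from nat continue through the ruleset rather than being accepted at the nat rule.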

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200506281147.13299.max>