Re: Connecting two separate networks with OpenBSD
What about having 2 OpenBSD boxes, one doing the NAT one way and the other
doing the other direction. Then on the clients have a custom route so that
any packets for 188.8.131.52 go via the second OpenBSD.....
ENGLAND 1 - ARGENTINA 0
> -----Original Message-----
> From: Dries Schellekens [mailto:email@example.com]
> Sent: 07 June 2002 13:47
> To: Dan Sveen Olsen
> Cc: misc
> Subject: Re: Connecting two separate networks with OpenBSD
> On Fri, 7 Jun 2002, Dan Sveen Olsen wrote:
> > More like:
> > Lan-A <---> GW <---> OpenBSD (NAT) <---> GW <---> Lan-B
> > Left side 184.108.40.206 wants to talk to other side. 220.127.116.11 sends packet to
> > 18.104.22.168. Since it's not local, it gets routed through the GW and to the NAT
> > server (with static arp for 22.214.171.124). The NAT server accepts the packet and
> > now both source and destination addresses should have been rewritten and
> > sent off to the other side. But how? Which rules should be used? Is it even
> > possible?
> > I have tried with the following commands:
> > route add -host 126.96.36.199 188.8.131.52 <-- IP address of the left side GW (tcpdump
> > shows it works)
> > route add -host 184.108.40.206 220.127.116.11 <-- IP address of the right side GW
> > ... and rules:
> > binat ep1 18.104.22.168 to any -> 22.214.171.124 <-- ep1 is the left side if
> > binat tl0 126.96.36.199 to any -> 188.8.131.52 <-- tl0 is the right side if
> > But this doesn't work... is it because pf thinks the packet, when NATed, is
> > to be routed back the way it came, since that is the way it first saw the 184.108.40.206
> > address?
> I completely understand what you're trying to do :-) This worked if you had
> binat ep1 220.127.116.11 to any -> 18.104.22.168
> binat tl0 22.214.171.124 to any -> 126.96.36.199
> Cool. Nice to know. If you look at http://mniam.net/pf/pf.png you see
> packets going twice through BINAT.
> I think the server is confused that you have 188.8.131.52 twice :-) So the
> routing table will just send it back on the same interface like you
> suggested. IP addresses have to be unique, it's as simple as that.
> This setup is impossible.
> Dries Schellekens
> email: firstname.lastname@example.org
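The two points in the quoted exchange, that a packet crossing the box is rewritten twice (destination on the way in, source on the way out, the "twice through BINAT" Dries refers to) and that this only works when no address appears on both sides of the box, as an added Python model. This is not code from the thread and not pf itself: the interface names ep1 and tl0 are taken from the thread, the addresses are constructed documentation-range values, and BinatRule, forward and check_unique are my own modelling of binat semantics.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

# All addresses below are constructed documentation-range values (RFC 5737),
# not the addresses from the thread.


@dataclass(frozen=True)
class BinatRule:
    """Model of 'binat on <iface> from <internal> to any -> <external>':
    packets leaving <iface> with source <internal> get source <external>,
    packets entering <iface> with destination <external> get destination <internal>."""
    iface: str
    internal: str
    external: str


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def check_unique(rules: List[BinatRule]) -> None:
    """Reject a rule set in which one address plays two roles. A box that sees the
    same address on both of its sides cannot choose an egress interface for it,
    which is the failure Dries describes."""
    owner: Dict[str, BinatRule] = {}
    for rule in rules:
        for addr in (rule.internal, rule.external):
            if addr in owner:
                raise ValueError(f"address {addr} used twice: {owner[addr]} and {rule}")
            owner[addr] = rule


def translate_in(pkt: Packet, iface: str, rules: List[BinatRule]) -> Tuple[Packet, str]:
    """Inbound half of binat: rewrite the destination on the arrival interface."""
    for rule in rules:
        if rule.iface == iface and pkt.dst == rule.external:
            return replace(pkt, dst=rule.internal), f"in {iface}: dst {rule.external}->{rule.internal}"
    return pkt, f"in {iface}: no match"


def translate_out(pkt: Packet, iface: str, rules: List[BinatRule]) -> Tuple[Packet, str]:
    """Outbound half of binat: rewrite the source on the departure interface."""
    for rule in rules:
        if rule.iface == iface and pkt.src == rule.internal:
            return replace(pkt, src=rule.external), f"out {iface}: src {rule.internal}->{rule.external}"
    return pkt, f"out {iface}: no match"


def forward(pkt: Packet, in_iface: str, out_iface: str,
            rules: List[BinatRule]) -> Tuple[Packet, List[str]]:
    """Carry one packet through the box: inbound translation, then outbound."""
    check_unique(rules)
    trace: List[str] = []
    pkt, step = translate_in(pkt, in_iface, rules)
    trace.append(step)
    pkt, step = translate_out(pkt, out_iface, rules)
    trace.append(step)
    return pkt, trace


# Constructed topology: LAN A hangs off ep1, LAN B off tl0. Each real host is
# presented to the far side under a distinct alias, so every address is unique.
A_REAL, A_ALIAS = "192.0.2.10", "198.51.100.10"
B_REAL, B_ALIAS = "203.0.113.20", "198.51.100.20"

RULES = [
    BinatRule("tl0", A_REAL, A_ALIAS),   # A leaves via tl0 as A_ALIAS
    BinatRule("ep1", B_REAL, B_ALIAS),   # B leaves via ep1 as B_ALIAS
]


def a_to_b() -> Tuple[Packet, List[str]]:
    """A host talks to B's alias; both addresses get rewritten on the way."""
    return forward(Packet(A_REAL, B_ALIAS), "ep1", "tl0", RULES)


def b_to_a() -> Tuple[Packet, List[str]]:
    """Reverse direction through the same two rules."""
    return forward(Packet(B_REAL, A_ALIAS), "tl0", "ep1", RULES)


def overlapping_rules_rejected() -> bool:
    """A rule set that reuses one address on both sides is refused up front."""
    bad = [BinatRule("tl0", A_REAL, A_ALIAS), BinatRule("ep1", B_REAL, A_REAL)]
    try:
        check_unique(bad)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name, fn in (("A->B", a_to_b), ("B->A", b_to_a)):
        out, trace = fn()
        print(name, out, trace)
    print("overlap rejected:", overlapping_rules_rejected())
```

Running it shows the A->B packet arriving as src A_ALIAS / dst B_REAL after two rule hits, the reply arriving as src B_ALIAS / dst A_REAL, and the overlapping rule set being refused; the model deliberately stops at address rewriting and does not attempt the routing-table step, which is where the thread's single-box design breaks.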