Re: Connecting two seperate networks with OpenBSD
What about having 2 OpenBSD boxes, one doing the NAT one way and the other
doing the other direction? Then on the clients have a custom route so that
any packets for 1.1.3.10 go via the second OpenBSD.
ENGLAND 1 - ARGENTINA 0
> -----Original Message-----
> From: Dries Schellekens [mailto:gwyllion@ace.ulyssis.org]
> Sent: 07 June 2002 13:47
> To: Dan Sveen Olsen
> Cc: misc
> Subject: Re: Connecting two seperate networks with OpenBSD
>
>
> On Fri, 7 Jun 2002, Dan Sveen Olsen wrote:
>
> > More like:
> >
> > Lan-A <---> GW <---> OpenBSD (NAT) <---> GW <---> Lan-B
> >
> > Left side 1.1.2.2 wants to talk to other side. 1.1.2.2 sends packet to
> > 1.1.6.10. Since it's not local, it gets routed through the GW and to the NAT
> > server (with static arp for 1.1.6.10). The NAT server accepts the packet and
> > now both source and destination addresses should have been rewritten and
> > sent off to the other side. But how? Which rules should be used? Is it even
> > possible?
> >
> > I have tried with the following commands:
> >
> > route add -host 1.1.3.10 1.1.6.1 <-- IP address of the left side GW (tcpdump
> > shows it works)
> > route add -host 1.1.6.10 1.1.3.1 <-- IP address of the right side GW
> >
> > ... and rules:
> >
> > binat ep1 1.1.2.2 to any -> 1.1.6.10 <-- ep1 is the left side if
> > binat tl0 1.1.2.2 to any -> 1.1.3.10 <-- tl0 is the right side if
> >
> > But this doesn't work... is it because pf thinks the packet, when NATed, is
> > to be routed back the way it came, since that is the way it first saw the
> > 1.1.2.2 address?
>
> I completely understand what you're trying to do :-) This would work if you had
> binat ep1 1.1.2.2 to any -> 1.1.6.10
> binat tl0 1.1.4.2 to any -> 1.1.3.10
> ^^^^
> Cool. Nice to know. If you look at http://mniam.net/pf/pf.png you see
> packets going twice through BINAT.
>
> I think the server is confused that you have 1.1.2.2 twice :-) So the
> routing table will just send it back on the same interface like you
> suggested. IP addresses have to be unique, it's as simple as that.
>
> This setup is impossible.
>
>
> Cheers,
>
> Dries
> --
> Dries Schellekens
> email: gwyllion@ulyssis.org
>
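The double pass through binat that Dries describes, and the hairpin you get when 1.1.2.2 appears in both rules, traced with a small Python model. This is an added illustration, not code from the thread and not pf itself: it models binat as "outbound on the rule's interface: source internal -> external; inbound on that interface: destination external -> internal", places each rule on the interface whose segment the alias address belongs to, reuses the thread's addresses (ep1 left, tl0 right) and assumes /24 masks for the LANs. All of those are the example's assumptions.

```python
# Added illustration, not code from the thread: a toy model of pf binat on
# a box with two interfaces (ep1 facing the left side, tl0 the right side,
# as in the original mail). It traces why a connection between the two
# LANs passes through binat twice, and why reusing 1.1.2.2 in both rules
# sends the packet back out the interface it arrived on. The rewrite
# direction modelled here, the rule placement and the /24 masks are
# assumptions of this example, not statements from the thread.
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class Binat:
    iface: str     # interface the rule is attached to
    internal: str  # real address of the host
    external: str  # address the host appears as on iface's segment


class Router:
    def __init__(self, routes, binats):
        # routes: (network, egress interface); longest prefix wins
        self.routes = [(ipaddress.ip_network(n), i) for n, i in routes]
        self.binats = binats

    def egress_iface(self, dst):
        addr = ipaddress.ip_address(dst)
        matches = [(net, iface) for net, iface in self.routes if addr in net]
        if not matches:
            raise LookupError(f"no route to {dst}")
        return max(matches, key=lambda m: m[0].prefixlen)[1]

    def forward(self, pkt, in_iface):
        """Return (packet as it leaves, egress interface, list of rewrites)."""
        trace = []
        # Inbound binat: a packet for the alias is redirected to the real host.
        for b in self.binats:
            if b.iface == in_iface and pkt.dst == b.external:
                pkt = replace(pkt, dst=b.internal)
                trace.append(f"in on {in_iface}: dst {b.external} -> {b.internal}")
                break
        out_iface = self.egress_iface(pkt.dst)
        trace.append(f"route {pkt.dst} via {out_iface}")
        # Outbound binat: the real host leaves under its alias on that side.
        for b in self.binats:
            if b.iface == out_iface and pkt.src == b.internal:
                pkt = replace(pkt, src=b.external)
                trace.append(f"out on {out_iface}: src {b.internal} -> {b.external}")
                break
        return pkt, out_iface, trace


# Assumed routing on the NAT box: the left LAN (1.1.2.0/24) is reached via
# ep1, the right LAN (1.1.4.0/24) via tl0, plus the two connected segments.
ROUTES = [("1.1.6.0/24", "ep1"), ("1.1.2.0/24", "ep1"),
          ("1.1.3.0/24", "tl0"), ("1.1.4.0/24", "tl0")]


def two_host_setup():
    """Two distinct hosts, each aliased onto the other side's segment."""
    return Router(ROUTES, [Binat("ep1", "1.1.4.2", "1.1.6.10"),
                           Binat("tl0", "1.1.2.2", "1.1.3.10")])


def same_host_setup():
    """1.1.2.2 used in both rules, as in the original question."""
    return Router(ROUTES, [Binat("ep1", "1.1.2.2", "1.1.6.10"),
                           Binat("tl0", "1.1.2.2", "1.1.3.10")])


def hairpins(router, pkt, in_iface):
    """True when the packet would leave on the interface it came in on."""
    return router.forward(pkt, in_iface)[1] == in_iface


if __name__ == "__main__":
    r = two_host_setup()
    for pkt, ifc in [(Packet("1.1.2.2", "1.1.6.10"), "ep1"),
                     (Packet("1.1.4.2", "1.1.3.10"), "tl0")]:
        out, via, trace = r.forward(pkt, ifc)
        print(f"{pkt.src}->{pkt.dst} in {ifc}: " + "; ".join(trace)
              + f" => {out.src}->{out.dst} out {via}")
    print("same-host setup hairpins:",
          hairpins(same_host_setup(), Packet("1.1.2.2", "1.1.6.10"), "ep1"))
```

With two distinct hosts the request from 1.1.2.2 is rewritten on the way in (1.1.6.10 becomes 1.1.4.2) and again on the way out (1.1.2.2 becomes 1.1.3.10), and the reply takes the mirror path, which is the "twice through BINAT" picture. With 1.1.2.2 in both rules the inbound rewrite on ep1 turns the destination into 1.1.2.2 itself, the route for 1.1.2.2 points back at ep1, and the packet goes out the way it came in.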