This time with fewer typos..

Julian Elischer wrote:

So for reasons that I won't go into, I find myself renumbering half of a
company. However I have a particular problem I can't figure out how to fix.

I have a gateway/firewall machine running 4.x

It has 3 interfaces

fxp0 goes to the internal trusted network. fxp1 goes to the internet via a T1
via a cisco box, but is shared with another section of the company. The
company web service is advertised as coming from an address that is
advertised as being on this T1. So are other services.

fxp2 also goes to the internet via a cisco box however nothing is using it at
the moment.

The one shared T1 is being flooded out by users behind this machine much to
the annoyance of the users on the other part of the company. This is supposed
to be their T1.

For reasons that are beyond the scope of this problem, the advertised DNS
addresses for the services advertised cannot just be switched to be via the
other T1.

The network attached to fxp0 needs to be NAT'd to use the Internet as it is
using illegal numbers.

The challenge:

Figure out a way so that all the users on the network behind fxp0 can use the
internet using the T1 attached to the cisco off fxp1 while all the advertised
services (about 8 of them, few enough to list by hand in rules etc.) which
are also behind fxp0 but accessed by NAT'd addresses from the range on
fxp1's net are accessed solely via that T1.

[ internet ]
 |       |
T1       T1
 |       |
[cisco] [cisco]--------[other part of company]
 |       |
[fxp1]   [fxp2]
[  freebsd 4.x ]
     [fxp0]
        |
        |
-----------------------illegal numbered net(s) (e.g. 192.168.x.x)-------
                |              |              |
            [server 1 ]     [server 2]      [lots of users]

I can get the 'forward' direction easily.. i.e. incoming packets.

It's the reverse direction that doesn't work for me. I considered running 2
NATDs but I need to run ipfw to identify the reverse streams to force back
via fxp2 and the only way I can do that is by using the 'fwd' command. If I
do that I can't divert them and if I divert them to natd first, I can't 'fwd'
them afterwards as the NATing is already done for the other (wrong) interface.

I almost want to add a route add FROM Server 1 via [fxp2 cisco] which I've
seen people request but until now I've never understood why..


for points:
It may be possible by making the bsd box actually 3 boxes
joined by a 10.x.x.x interface.  describe how..

Your friend with less and less hair..

julian



_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net