Re: Julian's networking challenge 2005

From: Julian Elischer (julian_at_elischer.org)
Date: 06/28/05

    Date: Mon, 27 Jun 2005 22:18:16 -0700
    To: Julian Elischer <julian@elischer.org>
    
    

    This time with fewer typos..

    Julian Elischer wrote:
    >
    > So for reasons that I won't go into, I find myself renumbering half of a
    > company. However I have a particular problem I can't figure out how to fix.
    >
    > I have a gateway/firewall machine running 4.x
    >
    > It has 3 interfaces
    >
    > fxp0 goes to the internal trusted network. fxp1 goes to the internet via a T1
    > via a cisco box, but is shared with another section of the company. The
    > company web service is advertised as coming from an address that is
    > advertised as being on this T1. So are other services.
    >
    > fxp2 also goes to the internet via a cisco box; however, nothing is using it at
    > the moment.
    >
    > The one shared T1 is being flooded out by users behind this machine much to
    > the annoyance of the users on the other part of the company. This is supposed
    > to be their T1.
    >
    > For reasons that are beyond the scope of this problem, the advertised DNS
    > addresses for the services advertised cannot just be switched to be via the
    > other T1.
    >
    > The network attached to fxp0 needs to be NAT'd to use the Internet as it is
    > using illegal numbers.
    >
    > The challenge:
    >
    > Figure out a way so that all the users on the network behind fxp0 can use the
    > internet using the T1 attached to the cisco off fxp1, while all the advertised
    > services (about 8 of them, few enough to list by hand in rules etc.), which
    > are also behind fxp0 but accessed by NAT'd addresses from the range on
    > fxp1's net, are accessed solely via that T1.
    >
    >           [ internet ]
    >             |       |
    >            T1      T1
    >             |       |
    >          [cisco] [cisco]--------[other part of company]
    >             |       |
    >           [fxp1] [fxp2]
    >          [ freebsd 4.x ]
    >              [fxp0]
    >                 |
    >                 |
    > -----------------------illegal numbered net(s) (e.g. 192.168.x.x)-----
    >      |              |                     |
    > [server 1 ]    [server 2]          [lots of users]
    >
    > I can get the 'forward' direction easily.. i.e. incoming packets.
    >
    > It's the reverse direction that doesn't work for me. I considered running 2
    > NATDs but I need to run ipfw to identify the reverse streams to force back
    > via fxp2 and the only way I can do that is by using the 'fwd' command. If I
    > do that I can't divert them and if I divert them to natd first, I can't 'fwd'
    > them afterwards as the NATing is already done for the other (wrong)
    > interface.
    >
    > I almost want to add a route add FROM Server 1 via [fxp2 cisco] which I've
    > seen people request but until now I've never understood why..
    >
    >
    > for points:
    > It may be possible by making the bsd box actually 3 boxes
    > joined by a 10.x.x.x interface. describe how..
    >
    > Your friend with less and less hair..
    >
    > julian
    >
    _______________________________________________
    freebsd-net@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-net
    To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
