Subject: Re: inside-in redirects
To: Aaron J. Grier <agrier@poofygoof.com>
From: Manuel Bouyer <bouyer@antioche.eu.org>
List: netbsd-users
Date: 07/01/2003 22:31:33
On Mon, Jun 30, 2003 at 01:45:09PM -0700, Aaron J. Grier wrote:
> this is somewhat related to Caloro's setup.  I have a NetBSD box
> providing NAT duties for my internal hosts, it looks like this:
> 
> (10.0.0.0/8) <--> (10.0.0.1 on le0) NAT (publicIP on le1) <--> internet
> 
> NAT is working fine, and port redirections are working from the internet
> to my internal machines.  I'd like to hit the next step: inside-in port
> redirects, i.e. connections to publicIP:80 need to be forwarded back into
> the internal network.  I'd like to do this to avoid split DNS for my
> public name.  right now hosts on the private network need to use private
> names to access local services.  Ideally they should be able to use
> either.
> 
> the standard outside-in redirect isn't applicable in this case:
> map le1 10.0.0.0/16 -> 209.162.215.114/32 portmap tcp/udp 1025:65000
> map le1 10.0.0.0/16 -> 209.162.215.114/32
> 
> rdr le1 0/0 port 80 -> 10.0.0.6 port 80 tcp
> 
> I've tried adding the following, but it doesn't seem to work:
> 
> rdr le0 10.0.0.0/8 port 80 -> 10.0.0.6 port 80 tcp

No, this can't work, because the reply from 10.0.0.6 to the client doesn't
get through the router, and so the reply isn't translated.
The client connected to publicIP:80, and it gets replies from 10.0.0.6:80.

What I would do, in your case, is split 10.0.0.0/8 into two 10.0.0.0/16 subnets.
Put your server on one, the clients on the other, and an alias on the
le0 interface so that the router is in both. Now all traffic between the
client and server will go through the router.

-- 
Manuel Bouyer <bouyer@antioche.eu.org>
     NetBSD: 24 years of experience will always make the difference
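The layout Manuel proposes, written out as NetBSD configuration. This is an added example, not configuration from either mail in the thread. The addressing is assumed: servers on 10.0.0.0/16 (router 10.0.0.1, web server 10.0.0.6), clients on 10.1.0.0/16 (router alias 10.1.0.1, used as the clients' default gateway); the public address 209.162.215.114 and the web server 10.0.0.6 are taken from Aaron's rules. The map rules are widened from Aaron's /16 to /8 so that hosts on both internal subnets are still translated on the way out.

```conf
# Added example, not from the original thread.
# Assumed addressing (not stated in the mails):
#   10.0.0.0/16  server subnet, router 10.0.0.1, web server 10.0.0.6
#   10.1.0.0/16  client subnet, router alias 10.1.0.1 (clients' default gateway)
#   209.162.215.114 public address on le1 (from Aaron's rules)

# /etc/ifconfig.le0
# One ifconfig argument line per address; the alias puts the router in both
# internal subnets, so client<->server traffic is routed through it.
inet 10.0.0.1 netmask 255.255.0.0
inet 10.1.0.1 netmask 255.255.0.0 alias

# /etc/ipnat.conf
# Outbound NAT for both internal subnets (Aaron's rules used 10.0.0.0/16,
# which would leave 10.1.0.0/16 untranslated).
map le1 10.0.0.0/8 -> 209.162.215.114/32 portmap tcp/udp 1025:65000
map le1 10.0.0.0/8 -> 209.162.215.114/32

# Outside-in redirect, as in Aaron's setup.
rdr le1 209.162.215.114/32 port 80 -> 10.0.0.6 port 80 tcp

# Inside-in redirect. A client on 10.1.0.0/16 sends to publicIP:80; the
# packet reaches the router as its default gateway, arrives on le0, and the
# destination is rewritten to 10.0.0.6:80. The server's reply is addressed
# to 10.1.x.y, which is not on its own subnet, so it goes to 10.0.0.1: the
# reply crosses the router and the rdr state entry rewrites the source back
# to 209.162.215.114:80, which is what the client expects.
rdr le0 209.162.215.114/32 port 80 -> 10.0.0.6 port 80 tcp
```

Two things to check after applying this: every client must really be on 10.1.0.0/16 with 10.1.0.1 as its gateway, and the server's default route must point at 10.0.0.1. A client left on 10.0.0.0/16 still gets the direct, untranslated reply from 10.0.0.6 that Manuel describes, because the server then answers it on the same wire without passing through the router.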