Re: Hair pinning with pf and NetBSD

To: Brian Buhrow <buhrow%lothlorien.nfbcal.org@localhost>
Subject: Re: Hair pinning with pf and NetBSD
From: Phil Nelson <phil%cs.wwu.edu@localhost>
Date: Tue, 24 Nov 2009 12:03:01 -0800

On Tuesday 24 November 2009 11:25:16 am Brian Buhrow wrote:
>         Hello.  Each box has an internal and external address.  
> So, for example, I have two boxes:
> 192.168.25.2 and 192.168.25.4
> Each have external addresses:
> 157.22.25.2 and 17.22.25.4
> (These are theoretical numbers)
> The customer wants to be on 192.168.25.2 and talk to 192.168.25.4, but
> address it as 157.22.25.4.

A possible way to do this is to ignore the NAT box.   I'm assuming
that all traffic from external goes through your NAT box and so
the configuration on 192.168.25.2 and .4 just has the private IP
configured.

I'd add an alias on 192.168.25.2 and .4 with their external
IP's of 157.22.25.2 and .4.  Make their netmask small enough to
cover just your external IP address range.  Then, the machines
will directly talk to each other on the local net and will not have
to send any packets to the NAT box.  Both boxes will then be using
their "external IP addresses" on the internal network.  They can
also use their internal addresses to communicate.  But on your local
network you won't have a box using their internal IP to communicate with
another box using its external IP.  That is how you ignore the NAT box.

The result:  any host on the 157.22.25.x/y net looks local on the local
net and no packets are sent to the NAT box.  The NAT box sends external
traffic to 157.22.25.z to their 192.168.25.z address and the NAT box is
happy.  Hosts behind the NAT box still send their packets to the NAT box
if communicating to any other net other than the internal and the 
157.22.25.x net.  The default route of the hosts should still be the
internal address of the NAT box so that the hosts use their internal
addresses when sending packets to the NAT box for external routing.
The only possible problem is talking to the NAT box using an external IP,
but that may also be solvable.

--Phil

-- 
Phil Nelson (phil at cs.wwu.edu) http://www.cs.wwu.edu/nelson
NetBSD: http://www.NetBSD.org  Coda: http://www.coda.cs.cmu.edu

Attachment: signature.asc
Description: This is a digitally signed message part.

References:
- Re: Hair pinning with pf and NetBSD
  - From: Brian Buhrow

Prev by Date: Re: "chgrp: operation not permitted" during cvs update
Next by Date: Re: Hair pinning with pf and NetBSD
Previous by Thread: Re: Hair pinning with pf and NetBSD
Next by Thread: Re: Hair pinning with pf and NetBSD
Indexes:

Home | Main Index | Thread Index | Old Index