Re: **URGENT URGENT** Problems with IPFilter
...
> map RL0 205.35.191.0/26 -> 10.1.191.0/26
>
> Initially we have a pass in/out all rule in IPFilter
>
> Any traffic initiated from the internal network goes out without a
> hitch.
>
> Yet if anyone tries to talk to our servers behind the OpenBSD box
> they get host unreachable.
>
Hi.
I have not used ipnat very much except as just dynamic/hide NAT, but isn't
'bimap' (instead of 'map') what you are looking for?
I.e.
bimap RL0 205.35.191.0/26 -> 10.1.191.0/26
(Look at bimap in the ipnat(8) manual page)
This should be used in combination with either a bunch of static ARP
entries;
arp -s 205.35.191.x aa:bb:cc:dd:ee:ff pub
with all 'x':es of the .0/26 network.
or if it's possible, by routing the whole 205.35.191.0/26 network via the
box's external interface. (For example, let's say you have
205.25.191.64/28 or something as the network to the NAT box, like in;
.65 .66
[router] ----- [openbsd/NAT box] ---- (inside)
then you can (or should be able to, haven't tried this with ipnat
specifically) add the following route to the 'router' box above; (written
in OpenBSD 'route' syntax)
route add -net 205.35.191.0 -netmask 255.255.255.192 205.35.191.66
With the latter way you should not have to have some 64 published ARP entries
on the NAT box. :)
Good luck,
Håkan.
--
Håkan Olsson <ho@crt.se> (+46) 708 437 337 Carlstedt Research
Unix, Networking, Security (+46) 31 701 4264 & Technology AB
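As an added illustration (not part of Håkan's reply or of IPFilter itself), the following Python toy models why a dynamic 'map' rule drops unsolicited inbound traffic while a static 'bimap' rule answers for every address in the block, and it generates the list of published ARP entries the first workaround needs. The translation classes are a simplified model of ipnat semantics, not ipnat code, and the MAC address is a constructed placeholder.

```python
"""Toy model of IPFilter 'map' (dynamic, outbound-initiated) versus 'bimap'
(static one-to-one) address translation for the block in the thread:

    205.35.191.0/26  (external)  <->  10.1.191.0/26  (internal)

Added example; the classes are a simplified model, not the ipnat implementation.
"""
import ipaddress

EXTERNAL = ipaddress.ip_network("205.35.191.0/26")
INTERNAL = ipaddress.ip_network("10.1.191.0/26")


class DynamicMap:
    """Models 'map RL0 205.35.191.0/26 -> 10.1.191.0/26'.

    A translation entry only exists once an internal host has sent something
    out; an inbound packet for an address with no entry has nowhere to go,
    which is the 'host unreachable' the original poster sees.
    """

    def __init__(self):
        self.table = {}  # external address -> internal address

    def outbound(self, internal_src):
        src = ipaddress.ip_address(internal_src)
        ext = EXTERNAL.network_address + (int(src) - int(INTERNAL.network_address))
        self.table[str(ext)] = str(src)  # entry created by outbound traffic
        return str(ext)

    def inbound(self, external_dst):
        # Unsolicited inbound traffic finds no entry and is not translated.
        return self.table.get(str(ipaddress.ip_address(external_dst)))


class BiMap:
    """Models 'bimap RL0 205.35.191.0/26 -> 10.1.191.0/26'.

    The mapping is fixed and bidirectional: every external address
    corresponds to exactly one internal address at all times, so inbound
    connections to the servers translate without any prior outbound packet.
    """

    @staticmethod
    def _shift(addr, src_net, dst_net):
        a = ipaddress.ip_address(addr)
        if a not in src_net:
            return None
        return str(dst_net.network_address + (int(a) - int(src_net.network_address)))

    def inbound(self, external_dst):
        return self._shift(external_dst, EXTERNAL, INTERNAL)

    def outbound(self, internal_src):
        return self._shift(internal_src, INTERNAL, EXTERNAL)


def arp_pub_commands(net, mac):
    """Emit one 'arp -s <ip> <mac> pub' line per usable host in 'net'.

    Network and broadcast addresses are skipped, so a /26 yields 62 lines.
    The NAT box must answer ARP for the external block if the upstream router
    is not given a route for it (the second workaround in the reply).
    """
    return [f"arp -s {ip} {mac} pub" for ip in net.hosts()]


if __name__ == "__main__":
    dyn, bi = DynamicMap(), BiMap()
    print("map, unsolicited inbound to .5 :", dyn.inbound("205.35.191.5"))
    print("bimap, unsolicited inbound to .5:", bi.inbound("205.35.191.5"))
    for line in arp_pub_commands(EXTERNAL, "aa:bb:cc:dd:ee:ff")[:3]:  # placeholder MAC
        print(line)
```

Running the block prints `None` for the 'map' case and `10.1.191.5` for the 'bimap' case, which is the difference the reply is pointing at; the generated `arp -s ... pub` lines are meant to be reviewed and then pasted into the NAT box's startup configuration, or replaced entirely by the single static route on the upstream router.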