I'm trying to come up with a way to avoid having to run an internal and an external DNS for our network. Here's the basic layout.

                 primary         +--private LAN 1
                 router          |
    internet --- ipfw with nat --+--private LAN 2
                                 |
                                 +--private LAN 3

Each of these private LANs has public services run on boxes with a static nat address assigned to them from the primary ipfw with nat box.

So if someone wants to browse a web hosted on private LAN 1 from the public internet, no problem, the DNS points them to the public IP on the primary router designated to static nat to a box on private LAN 1.

However, if someone on private LAN 2 makes the same request, using the public DNS, the packet never arrives because it never goes through the external interface on the primary router and therefore does not get translated to the private IP on the destination box.

To overcome this problem, I've created an internal DNS that points requests made from within the private LAN space directly to the private IPs of the boxes hosting the public services. However, I'd like to eliminate this requirement.

I attempted to work something out with the ipfw fwd action, but I don't think I really understand how fwd works and I'm guessing it's not really meant to do what I'm after.

The other thought I had was to run a second instance of natd on the internal interface with the -redirect_address option and a specific list of static nat redirects in internal_natd.conf. However, I don't want public packets' source IPs translated to the internal interface IP as they leave the internal interface headed for the private networks.

Is there another flag, similar to -unregistered_only, where I could specify that natd translate _only_ addresses coming into the internal interface bound for specific addresses listed in natd.conf for static nat?

OR... is there another way to do this without using a divert socket, something just within ipfw?

Thanks a lot for taking the time to read through all this.

Peter Brezny
SysAdmin Services Inc.