Just a quick thank you to both Carson and Darren.

First, Carson was right and made a better description of my goal than I did myself - thanks for clarifying!

Following Darren's advice, I managed a half-assed proxy-ARP solution that 'fixed' my problem. I'll watch for a more robust solution based on IPF 5.1 when that's released to the public.

Again, thanks for being sounding boards and for ideas that lead to a solution!

-ET-

on 05/20/07 12:46 Darren Reed said:
Carson Gaspar wrote:
Darren Reed wrote:
Eric,

You've got a LAN split across two different sides of a host.
When a host on either side is going to try and talk directly to
a host on the other side, it is going to ARP for that address.
ARP packets aren't routed.  You need a proxy ARP daemon
to do that for you.

If you don't want to do that then you can't do what you want
to do, period.
Sorry Darren, that's not what he wants, and you're wrong (unless _I'm_
the one on crack today...). He's talking about what some vendors call
"illegal NAT", where the two different subnets that happen to have the
same address appear in two places. In reality, this happens a _lot_
with corporate acquisitions.

Looking at the docs, it appears that ipfilter does not support NAT on
the source address of incoming packets (destination address of
outgoing packets), so it can't handle this. If I'm wrong Darren,
please correct me.

At the moment that's only possible with 5.0.2 using "rewrite" rules with
ipnat where you can specify both a new source and destination address/port.

There's still more code I want to write before 5.1 :)

Darren
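The thread's two points, that ARP never crosses the router when both sides share a prefix, and that a translator must rewrite source and destination together to join two overlapping subnets, as an added model. This is illustration code written for this page, not IPFilter's or Darren's code, and it does not use ipnat syntax. The real prefix 10.0.0.0/24 on both sides and the apparent prefixes 192.168.1.0/24 and 192.168.2.0/24 are constructed for the example.

```python
# Model of overlapping-subnet ("twice") NAT. Added illustration, not IPFilter
# code; all addresses below are constructed for the example.
import ipaddress
from dataclasses import dataclass

# Both sides of the translator use the same real prefix (constructed).
REAL = ipaddress.ip_network("10.0.0.0/24")
# How each side is presented to the other (assumed, chosen disjoint from REAL
# so far-side hosts send to their gateway instead of ARPing directly).
APPARENT = {
    "A": ipaddress.ip_network("192.168.1.0/24"),  # side A as seen from side B
    "B": ipaddress.ip_network("192.168.2.0/24"),  # side B as seen from side A
}
OTHER = {"A": "B", "B": "A"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def arps_locally(dst: str, local_net=REAL) -> bool:
    """A host ARPs directly for any destination inside its own prefix.

    With the same prefix on both sides, a packet addressed to a far-side host's
    real address is ARPed for on the local wire and never reaches the
    translator, because ARP is not routed.
    """
    return ipaddress.ip_address(dst) in local_net


def reaches_translator(pkt: Packet) -> bool:
    """True only if the sender routes the packet rather than ARPing for it."""
    return not arps_locally(pkt.dst)


def _shift(ip: str, src_net, dst_net) -> str:
    """Map the host part of `ip` from src_net onto dst_net (1:1, same host number)."""
    host = int(ipaddress.ip_address(ip)) - int(src_net.network_address)
    return str(dst_net.network_address + host)


def translate(pkt: Packet, from_side: str) -> Packet:
    """Rewrite both addresses of a packet entering from `from_side`.

    Source:      real address            -> apparent address of from_side
    Destination: apparent far-side addr  -> real address on the far side
    """
    to_side = OTHER[from_side]
    if ipaddress.ip_address(pkt.src) not in REAL:
        raise ValueError(f"{pkt.src} is not a real address on side {from_side}")
    if ipaddress.ip_address(pkt.dst) not in APPARENT[to_side]:
        # A destination inside REAL would have been ARPed for locally (see above).
        raise ValueError(f"{pkt.dst} is not in the apparent range for side {to_side}")
    return Packet(
        src=_shift(pkt.src, REAL, APPARENT[from_side]),
        dst=_shift(pkt.dst, APPARENT[to_side], REAL),
    )


def round_trip(client_real: str, server_real: str):
    """Request from side A to side B and its reply, before and after translation."""
    request = Packet(src=client_real, dst=_shift(server_real, REAL, APPARENT["B"]))
    request_out = translate(request, "A")
    reply = Packet(src=request_out.dst, dst=request_out.src)
    reply_out = translate(reply, "B")
    return request, request_out, reply, reply_out


if __name__ == "__main__":
    for p in round_trip("10.0.0.5", "10.0.0.7"):
        print(p)
    naive = Packet("10.0.0.5", "10.0.0.7")
    print("naive packet reaches translator:", reaches_translator(naive))
```

The client on side A addresses the server by its apparent address 192.168.2.7; the translator turns that into 10.0.0.7 on side B while presenting the client as 192.168.1.5, and the reply is rewritten symmetrically. A packet sent straight to 10.0.0.7 never gets that far, which is the proxy-ARP problem the thread starts with.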
