Hi,

I am dealing with a 3.9 firewall with 6 Gigabit interfaces and half a dozen vlans.

2 of the interfaces are the uplinks, em0 and em1.

em0 talks to network say, 1.2.3.0/24 and has ip address 1.2.3.4

em1 talks to 1.2.4.0/24, has no ip address, and belongs to a bridge with bge0. The default gateway for 1.2.4.0/24 is outside our control.

bge0 has ip address 1.2.4.1

bge0 is connected with the switch with all the systems belonging to 1.2.4.0/24, their default gateway is on em1.

On the em2, em3 and vlanX interfaces are connected various 10.0.0.0/24 subnets with hosts, some of which are natted and some binatted, on the em0 interface.

I would like to be able to connect to the binatted hosts from the internal network using either their internal ips or their external ones.

From 10.x ips connecting to 10.x works fine. Connecting to a binatted 10.x host using an external ip fails. Ping works, but tcp connections are refused, since I am actually connecting to the firewall (em0 has the external ips as aliases) and not to the host. The situation is more or less similar to what is described at http://www.openbsd.org/faq/pf/rdr.html. I can get around this problem by using rdr on the internal interface and sending all tcp/udp ports destined to the external ip to the internal ip.

However, non-tcp/udp traffic (ICMP for example) still gets answered by the firewall, and I was wondering if there is a better solution.

Communication between the bridged network 1.2.4.0 and 10.x is achieved by setting 1.2.4.1 (bge0 ip address) as the gateway for the 10.x network in the 1.2.4.0/24 systems. However, I have not figured out a way for hosts in the 1.2.4.0/24 network to communicate with binatted systems using their external ip. Pinging the binat external address is successful only for the first request. The second request never reaches the internal interface for the 10.x network, and tcpdump does not show it on the external interface (em0) either. Anyone got a clue?

This setup is legacy and goes back quite some years (2.x era). There are several drawbacks/flaws, and while typing this e-mail I spotted even more. The workaround so far has been using split DNS. There is no effort available right now to redesign the whole network. Any insight is appreciated.

Cheers,


--
=============================================================================
Dimitris Zilaskos
GridAUTH Operations Centre @ Aristotle University of Thessaloniki , Greece
Tel: +302310998988 Fax: +302310994309
http://www.grid.auth.gr
=============================================================================
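The rdr-on-the-internal-interface workaround the post describes, written out as an added pf.conf example in OpenBSD 3.9-era syntax; this is not the poster's configuration. Assumed (constructed) values: the binatted host is 10.0.0.10 on em2 with external alias 1.2.3.10 on em0, and a second internal subnet 10.0.1.0/24 sits on em3.

```pf
# Added example, not from the original post. Constructed addresses:
# 10.0.0.10 is the binatted host on em2, 1.2.3.10 its external alias on em0.
ext_if   = "em0"
int_if   = "em2"
int_if2  = "em3"
int_nets = "{ 10.0.0.0/24, 10.0.1.0/24 }"
srv_int  = "10.0.0.10"
srv_ext  = "1.2.3.10"

# Outbound NAT for the internal subnets and the 1:1 binat on the uplink,
# as in the setup the post describes.
nat on $ext_if from $int_nets to any -> ($ext_if)
binat on $ext_if from $srv_int to any -> $srv_ext

# Reflection: traffic arriving on an internal interface for the external
# address is redirected to the internal address. With no "proto" keyword the
# rule matches every protocol, so ICMP is redirected as well, not only tcp/udp.
rdr on $int_if  from $int_nets to $srv_ext -> $srv_int
rdr on $int_if2 from $int_nets to $srv_ext -> $srv_int

# Clients on the same subnet as the host (em2) would otherwise get replies
# straight from 10.0.0.10 and reset the connection. Source-translating them
# to the firewall's em2 address forces the replies back through the firewall
# (the "redirection and reflection" case from the pf FAQ).
nat on $int_if from $int_if:network to $srv_int -> ($int_if)

# Allow the reflected traffic with state so replies are matched.
pass in quick on $int_if  proto { tcp, udp, icmp } from $int_nets to $srv_int keep state
pass in quick on $int_if2 proto { tcp, udp, icmp } from $int_nets to $srv_int keep state
```

Verify the translations with `pfctl -nf /etc/pf.conf` before loading, then `pfctl -s nat` to confirm the expanded rdr and nat rules.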
