I'm putting up a temporary network in a couple of weeks that will be operative for just a few days. The problem is that the Internet connection at the location where I'm putting it up is behind a firewall; more specifically it's a WAN behind a Novell BorderManager server that I don't have access to. I do, however, have access to a server A running OpenBSD connected directly to the Internet at another location just a few hops away from the firewall (and I've got lots of IP addresses for this server as well). What I want to do is basically to "tunnel" all the traffic through this machine, so that the clients won't notice that they're behind a strict NAT'ing firewall. I'm not sure if this is possible at all, but here's a simple figure of how I imagine the situation:

The machine at the 'remote' location with unfirewalled Internet access has IP addresses 193.2.2.1 to 193.2.2.255. The machines connecting to the firewalled wide area network get IP addresses 10.0.0.1 to 10.0.0.255. The firewall running Novell BorderManager has the external IP address 212.2.2.1.

I first hook up another server B with two NICs running OpenBSD to the firewalled network; its external interface gets IP 10.0.0.2 through DHCP, and it'll then 'appear' on the Internet as 212.2.2.1. I connect the internal interface on server B to a switch, and connect the clients that form the temporary network to this switch. So far so good; I can now simply run NAT on server B, and it'll work fairly well, but what I want is unique IP addresses for all the machines.

To sum up what the situation might be like:

  client (193.2.2.56)
    --Local Area Network-->
  (193.2.2.1 - internal interface) server B running OpenBSD behind firewall (external interface - 10.0.0.2)
    --Wide Area Network-->
  (10.0.0.1 - internal interface) firewall running Novell BorderManager (external interface - 212.2.2.1)
    --Internet-->
  (193.2.2.2) server A with unfirewalled Internet access and many IP addresses running OpenBSD (193.2.2.2)
    --Internet-->
  www.somesite.com (12.23.23.23) sees the client accessing it as 193.2.2.56.

In an ideal situation, the client won't even notice the firewall; a traceroute to www.somesite.com should be something like:

  1    <1 ms    <1 ms    <1 ms  193.2.2.1
  2    18 ms    19 ms    19 ms  193.2.2.2
  --*snip*--
  9    58 ms    56 ms    61 ms  www.somesite.com [12.23.23.23]

As mentioned earlier, I'm not sure how to do this, or even if it's possible at all. If it is, I would be glad to get some advice on how to accomplish it.

Final commentary: I apologize if this message should have been sent to another mailing list than pf in the first place, but I reckon this problem is a mixture between tunnelling and use of pf.

Sincerely yours,
Anders Rosvoldaunet
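An added configuration sketch of the routed tunnel the question describes (not from the original post or the list), using OpenBSD's wg(4) because it runs over UDP and therefore passes the BorderManager's NAT with B as the initiating peer, while pf route-to keeps client traffic off the NATed uplink so the clients keep their public addresses end to end. It assumes a current OpenBSD on both machines, that the provider routes the upper half of the block (193.2.2.128/25) to A and that B's em1 serves it to the switch as 193.2.2.129, and the constructed tunnel addresses 10.99.0.0/30; if the /24 is a directly attached segment at A rather than a routed block, A must additionally answer ARP for the client addresses (arp(8) "pub" entries).

```conf
# Both hosts: net.inet.ip.forwarding=1 in /etc/sysctl.conf; keep hostname.wg0
# mode 0640 (it holds the private key). PRIVKEY_x: openssl rand -base64 32,
# PUBKEY_x: the peer's public key as shown by "ifconfig wg0". Placeholders.

# ===== server A (193.2.2.2, unfirewalled) =====
# /etc/hostname.wg0
wgkey PRIVKEY_A
wgport 51820
wgpeer PUBKEY_B wgaip 10.99.0.2/32 wgaip 193.2.2.128/25
inet 10.99.0.1 255.255.255.252
# the temporary LAN's half of the block lives behind the tunnel
!route add -inet 193.2.2.128/25 10.99.0.2
up

# /etc/pf.conf
ext_if  = "em0"
clients = "193.2.2.128/25"
set skip on lo
block return
pass out on $ext_if
# B's tunnel packets arrive NATed, i.e. from the BorderManager's public address
pass in on $ext_if proto udp from 212.2.2.1 to ($ext_if) port 51820
# clients are routed, not nat-to'd: www.somesite.com sees 193.2.2.x directly
pass in on wg0 from $clients
pass in on $ext_if to $clients

# ===== server B (em0 10.0.0.2 by DHCP, em1 193.2.2.129/25 to the switch) =====
# /etc/hostname.wg0
wgkey PRIVKEY_B
# wgaip 0.0.0.0/0: any destination is allowed through A;
# wgpka 25 keeps the NAT mapping on the BorderManager alive while idle
wgpeer PUBKEY_A wgendpoint 193.2.2.2 51820 wgaip 0.0.0.0/0 wgpka 25
inet 10.99.0.2 255.255.255.252
up

# /etc/pf.conf
ext_if  = "em0"
int_if  = "em1"
clients = "193.2.2.128/25"
set skip on lo
block return
# B's own traffic, incl. the tunnel's UDP envelope, uses the NATed uplink; the
# default route stays via 10.0.0.1 (wg(4) adds no routes), so no tunnel loop
pass out on $ext_if
# the tunnel costs MTU: clamp TCP MSS so clients need not rely on PMTU discovery
match in on $int_if scrub (max-mss 1380)
# client traffic never touches the NATed uplink: policy-route it into wg0
# (pre-6.9 pf.conf syntax: route-to (wg0 10.99.0.1))
pass in on $int_if from $clients route-to 10.99.0.1
pass in on $int_if from $clients to ($int_if)   # last match wins: B itself is local
pass in on wg0 to $clients                       # replies and new connections via A
```

With floating state (the pf default) the pass in rules carry each connection across the second interface, so no separate pass out rules are needed on wg0 or em1; a traceroute from a client will show B's em1 address and then A's wg0 address as the first two hops.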
