Hello Bryan,
Years of Waldorf Schule for this :-)
All are cross over connections (I'm cheap)
+--------+            +--------------+           +---------------+
| CISCO  |            | OpenBSD 3.3  |           | Linux + qmail |
| router +------------+ FW_NAT       +-----------+ mail_server   |
+--------+            +--------------+           +---------------+
ISP<---------------------->FW<--------------------->Mail Server
                     $ext_if    $inf_if             $mail_if
old_gw_ip.....old_single_ip  $internal_gw          $mail_ip
new_gw_ip.....new_couple_ip
But I think that Alexey E. Suslikov has given me an idea:
+--------+  +--------+    +-------+--------------+  +---------------+
| CISCO  |  |        +----+$ext_if| OpenBSD 3.3 |  | Linux + qmail |
|        +--+ SWITCH |    +-------+              +--+               |
|        |  |        |    |       |              |  |               |
| router |  |        +----+-------+ FW_NAT       |  | mail_server   |
|        |  |        |    |$old_if|              |  |               |
+--------+  +--------+    +-------+--------------+  +---------------+
ext_ip="new.ip"
old_ip="old.ip"
so I can do:
nat on $ext_if inet from <intnets> to any -> $ext_ip
rdr on $ext_if inet proto tcp from any to $ext_ip port 25 -> \
$mail_ip
rdr on $old_if inet proto tcp from any to $old_ip port 25 -> \
$mail_ip
#Normal connection (filtering sees the post-rdr address, $mail_ip)
pass in quick on $ext_if inet proto tcp from any to $mail_ip \
port 25 flags S/SAFRUP keep state
#Old IP connections: replies leave via the old gateway, not the default route
pass in quick on $old_if reply-to ($old_if $old_gw_ip) inet proto tcp from any \
to $mail_ip port 25 flags S/SAFRUP keep state
block in quick on $ext_if from any to any
At this stage I won't tag nor queue, and all these interfaces are real,
so I hope I won't have any problems.
Regards,
Alejandro Belluscio
Tuesday, July 15, 2003, 4:37:59 PM, you wrote:
Bryan> I'm having trouble picturing this. How's your ascii art?
Bryan> --Bryan
Bryan> On Tue, 2003-07-15 at 12:02, Alejandro G. Belluscio wrote:
>> Hello pf,
>>
>> I've got a firewall/nat machine for my company. We'd been assigned a
>> /32 so we asked for a /29. But our ISP was so stupid that instead of
>> routing the /29 to our /32 they are taking back the /32 and the new
>> default gateway is within the /29 (bastards!). But that's not the
>> point. I have to make the transition. Since the glories of DNS have a
>> latency of at least a week (yep, I've already lowered the TTL to 1
>> hour, but I guess most dns resolvers might be broken) I want to have
>> both running for a while together.
>> I will describe the problem. But I haven't actually implemented it. So
>> if I'm mistaken and this actually works you can flame me at will :). The
>> problem is the following:
>>
>> -IP packet comes to mail server through IP_old.
>> -Gets RDR to IP_server.
>> -Server responds through firewall.
>> -It gets RDR back to IP_old.
>> -It gets forwarded to its default gateway: IP_new_gw.
>> -IP_new_gw doesn't know about IP_old.
>> -BAM!
>>
>> Other possible solution.
>> -To have both firewalls running concurrently, FW_new and FW_old.
>> -Server has default gateway FW_new (internal IP).
>> -IP packet comes to mail server through IP_old.
>> -Gets RDR to IP_server.
>> -Server responds through FW_new.
>> -BAM!
>>
>> I think I could assign two local IPs to the server so I could try:
>>
>> nat on $ext_if inet from <intnets> to any -> $ext_addr
>> rdr on $ext_if inet proto tcp from any to $new_ip port 25 -> \
>> $mail_ip
>> rdr on $ext_if inet proto tcp from any to $old_ip port 25 -> \
>> $mail_ip2
>> pass in quick on $ext_if reply-to ($ext_if $old_gw_ip) inet proto tcp from any \
>> to $old_ip port 25 keep state
>> pass in quick on $ext_if inet proto tcp from any to $old_ip port 25 \
>> keep state
>> block in quick on $ext_if from any to any
>>
>> Seems reasonable?
--
Best regards,
Alejandro Belluscio
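As an added illustration (not code from this thread), a small Python model of the reply path described above: without reply-to the old-IP reply follows the default route to IP_new_gw and dies, with reply-to it goes back out via IP_old_gw. The IP and gateway names are the placeholders used in the mail, and the per-gateway routing table is a constructed assumption.

```python
# Added model, not code from the thread: a small simulation of the packet flow
# Alejandro describes (rdr on the way in, state lookup and reply-to on the way
# out). IP names and gateway names are placeholders, not real addresses.
OLD_IP, NEW_IP, MAIL_IP = "IP_old", "IP_new", "IP_server"
OLD_GW, NEW_GW = "IP_old_gw", "IP_new_gw"

# Constructed assumption matching the post: the new gateway only knows the /29,
# so it cannot route a packet sourced from the withdrawn /32.
ROUTABLE_VIA = {OLD_GW: {OLD_IP}, NEW_GW: {NEW_IP}}

def inbound_smtp(dst, iface, reply_to_on_old_if):
    """Evaluate the rdr rules for port 25 and build the state entry.
    reply_to_on_old_if mirrors adding 'reply-to ($old_if $old_gw_ip)' to the
    pass rule on $old_if. Returns None when the block rule would drop it."""
    if iface == "old_if" and dst == OLD_IP:
        gw = OLD_GW if reply_to_on_old_if else None
    elif iface == "ext_if" and dst == NEW_IP:
        gw = None                      # normal path: follow the default route
    else:
        return None                    # no rdr match, caught by the block rule
    # pf translates before filtering, so the state stores both addresses
    return {"orig_dst": dst, "xlated_dst": MAIL_IP, "reply_to": gw}

def reply_path(state, default_gw=NEW_GW):
    """Trace the server's reply back through the firewall. Returns the chosen
    gateway, whether it can deliver, and the steps (mirroring the bullet list
    in the quoted mail)."""
    steps = [f"server responds from {state['xlated_dst']}",
             f"state matched, rdr undone: source becomes {state['orig_dst']}"]
    gw = state["reply_to"] or default_gw
    steps.append(f"forwarded to {gw}")
    delivered = state["orig_dst"] in ROUTABLE_VIA[gw]
    steps.append("delivered" if delivered else "BAM! gateway has no route")
    return gw, delivered, steps

if __name__ == "__main__":
    for flag in (False, True):
        st = inbound_smtp(OLD_IP, "old_if", reply_to_on_old_if=flag)
        print(f"reply-to={flag}:", reply_path(st))
```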