On 08/21/2006 02:04:02 PM, Steve Chinatti wrote:
> Won't that be an issue for the firewall? It would RDR the packet in
> order to change the destination address to 192.168.x.x (for a packet
> destined for the tunnel), but the firewall also has routes to the
> internal network for those addresses.

I think my thoughts were not fully developed.
I'm a little hazy on the addressing you're currently using
and which device is doing what....

I think the flaw in my scheme is the RDR, which will mess
with the destination IP and so make it impossible to get
the packet where it ultimately needs to go.  My first thought
was to use a "route-to", which wouldn't have such a flaw,
but I saw that NAT didn't have a route-to option so I tried
a RDR but that's wrong.  Maybe a separate pass firewall rule
with route-to will do the trick?

My understanding of route-to is that it'll get the packet delivered
to the right MAC address on an attached LAN without messing with
the packet contents.  If this is right then so long as the
external address on your firewall is globally unique (or you
make an alias you NAT to that is) then this _should_ work.

Karl <[EMAIL PROTECTED]>
Free Software:  "You don't pay back, you pay forward."
                 -- Robert A. Heinlein
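To make the difference between the two approaches concrete, here is an added pf.conf fragment (not from either poster) in the pre-OpenBSD-4.7 syntax current when this thread was written. The interface names (fxp0/fxp1), the internal host 192.168.1.10, the next hop 192.168.1.1 and port 80 are assumed placeholders; the thread does not give the real addressing.

```pf
# Added illustration; interface names and addresses are assumed.
ext_if = "fxp0"          # interface holding the globally unique address
int_if = "fxp1"          # interface facing the 192.168.x.x network

# Approach 1: rdr. The destination address in the packet is rewritten
# to 192.168.1.10 before routing, so the firewall's own routing table
# (which also knows 192.168.x.x) decides where it goes. This is the
# behaviour Steve objects to: the original destination is lost.
rdr on $ext_if proto tcp from any to $ext_if port 80 -> 192.168.1.10 port 80

# Approach 2: route-to on a pass rule. The packet is handed to the
# next hop 192.168.1.1 on $int_if (i.e. to that MAC address) while the
# packet headers, including the destination address, are left intact.
# The routing table is bypassed for this packet; nothing is translated.
pass in on $ext_if route-to ($int_if 192.168.1.1) \
    proto tcp from any to $ext_if port 80 keep state
```

Two things to check before relying on route-to: the next hop must actually accept a packet still addressed to the firewall's external address (for a tunnel endpoint that is usually the point), and since route-to only affects the inbound direction, reply packets follow normal routing unless a matching rule with reply-to is added on the internal side. On OpenBSD 4.7 and later the rdr line would instead be written as a `pass`/`match` rule with `rdr-to`.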
