Re: Join two overlapping subnets with two way NAT/BINAT
> Due to a company take over I have two networks, NetA and NetB, that I need to link together for bi-directional data sharing etc. Unfortunately both networks use the same IP addressing scheme, i.e. 172.16.10.0/24, and neither can be changed within the timespan available to me.

For what it's worth, this is one thing that Cisco PIX firewalls actually do very well. I won't use them for ordinary internet-facing firewalls, but for your scenario they're perfect.

-Adam Thompson
athom...@athompso.net
Join two overlapping subnets with two way NAT/BINAT
Hi Folks,

I've been trying to wrap my head around a problem for a little while and I'm getting nowhere fast so thought I'd ask the experts:

Due to a company take over I have two networks, NetA and NetB, that I need to link together for bi-directional data sharing etc. Unfortunately both networks use the same IP addressing scheme, i.e. 172.16.10.0/24, and neither can be changed within the timespan available to me.

So I need to set up a PF box which links to both networks and translates between the two. Conceptually I want to have it that from NetA's perspective NetB is 172.16.20.0/24 and from NetB's perspective NetA is 172.16.30.0/24:

NetA
NetB-NAT (172.16.20.0/24) - NIC1 (172.16.10.254/24)
PF Firewall/Router
NIC2 (172.16.10.254/24)
NetA-NAT (172.16.30.0) - NetB

I've read about bitmask on NAT/BINAT etc. and all this looks good; the problem however is that this is done on the outgoing interface, and given that both the outbound and inbound interfaces share an IP/subnet the packets never get to the outbound interface to be translated.

I'm sure there's something completely obvious I'm missing, any help would be much appreciated.

Simon
Re: Join two overlapping subnets with two way NAT/BINAT
On 09/07/13 21:32, Simon Slaytor wrote:
> Hi Folks,
>
> I've been trying to wrap my head around a problem for a little while and I'm getting nowhere fast so thought I'd ask the experts:
>
> Due to a company take over I have two networks, NetA and NetB, that I need to link together for bi-directional data sharing etc. Unfortunately both networks use the same IP addressing scheme, i.e. 172.16.10.0/24, and neither can be changed within the timespan available to me.
>
> So I need to set up a PF box which links to both networks and translates between the two. Conceptually I want to have it that from NetA's perspective NetB is 172.16.20.0/24 and from NetB's perspective NetA is 172.16.30.0/24:
>
> NetA
> NetB-NAT (172.16.20.0/24) - NIC1 (172.16.10.254/24)
> PF Firewall/Router
> NIC2 (172.16.10.254/24)
> NetA-NAT (172.16.30.0) - NetB
>
> I've read about bitmask on NAT/BINAT etc. and all this looks good; the problem however is that this is done on the outgoing interface, and given that both the outbound and inbound interfaces share an IP/subnet the packets never get to the outbound interface to be translated.
>
> I'm sure there's something completely obvious I'm missing, any help would be much appreciated.
>
> Simon

So you have 172.16.10.254 on two interfaces on the same box? I don't think that will end well.
I would go with two firewalls, one nats NetA, the other nats NetB and put a link net in between.
Re: Join two overlapping subnets with two way NAT/BINAT
On 07/09/2013 23:22, Florian Obser wrote:
> On 09/07/13 21:32, Simon Slaytor wrote:
>> Hi Folks,
>>
>> I've been trying to wrap my head around a problem for a little while and I'm getting nowhere fast so thought I'd ask the experts:
>>
>> Due to a company take over I have two networks, NetA and NetB, that I need to link together for bi-directional data sharing etc. Unfortunately both networks use the same IP addressing scheme, i.e. 172.16.10.0/24, and neither can be changed within the timespan available to me.
>>
>> So I need to set up a PF box which links to both networks and translates between the two. Conceptually I want to have it that from NetA's perspective NetB is 172.16.20.0/24 and from NetB's perspective NetA is 172.16.30.0/24:
>>
>> NetA
>> NetB-NAT (172.16.20.0/24) - NIC1 (172.16.10.254/24)
>> PF Firewall/Router
>> NIC2 (172.16.10.254/24)
>> NetA-NAT (172.16.30.0) - NetB
>>
>> I've read about bitmask on NAT/BINAT etc. and all this looks good; the problem however is that this is done on the outgoing interface, and given that both the outbound and inbound interfaces share an IP/subnet the packets never get to the outbound interface to be translated.
>>
>> I'm sure there's something completely obvious I'm missing, any help would be much appreciated.
>>
>> Simon
>
> So you have 172.16.10.254 on two interfaces on the same box? I don't think that will end well.
> I would go with two firewalls, one nats NetA, the other nats NetB and put a link net in between.

Cheers Florian,

Yes I was thinking this myself, just wondering if I could do something with VRFs and PF's route-to as a way to avoid this?
Re: Join two overlapping subnets with two way NAT/BINAT
On Sun, Sep 08, 2013 at 12:47:28AM +0100, Simon Slaytor wrote:
> On 07/09/2013 23:22, Florian Obser wrote:
>> So you have 172.16.10.254 on two interfaces on the same box? I don't think that will end well.
>> I would go with two firewalls, one nats NetA, the other nats NetB and put a link net in between.
>
> Yes I was thinking this myself, just wondering if I could do something with VRFs and PF's route-to as a way to avoid this?

Of course, you can do this with rdomains and PF on OpenBSD. I attached an example below. The PF bits can probably be simplified, but I currently don't remember if there was a nicer way to do this.

This example has some limitations when it comes to the gateway itself; you cannot reach the gateway address from the remote side (172.16.20.1 from NET_A).

# ifconfig em0 rdomain 1 172.16.10.1/24
# ifconfig em1 rdomain 2 172.16.10.1/24

/etc/pf.conf:
---snip---
net_a_if=em0    # rdomain 1, NetA side
net_b_if=em1    # rdomain 2, NetB side

block in
pass out

# NetA -> NetB: NetA addresses NetB as 172.16.20.0/24. Rewrite the destination
# back to NetB's real range (bitmask keeps the host bits), hand the packet to
# rdomain 2 via $net_b_if, and on the way out present the NetA sender as 172.16.30.x.
pass in on rdomain 1 to 172.16.20.0/24 rdr-to 172.16.10.0/24 bitmask \
	route-to $net_b_if tag NET_A rtable 2
pass out on rdomain 2 nat-to 172.16.30.0/24 static-port bitmask tagged NET_A

# NetB -> NetA: the mirror image; NetB addresses NetA as 172.16.30.0/24.
pass in on rdomain 2 to 172.16.30.0/24 rdr-to 172.16.10.0/24 bitmask \
	route-to $net_a_if tag NET_B rtable 1
pass out on rdomain 1 nat-to 172.16.20.0/24 static-port bitmask tagged NET_B
---snap---

Reyk
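As an added example, not part of Reyk's message or of OpenBSD's code, the Python below models what the rdomain ruleset above does to addresses: the bitmask rewrite (host bits kept, network bits swapped), the rdr-to on ingress followed by the nat-to on egress, and the stateful reversal of the reply. It assumes only the addresses and rules quoted in the thread; the names Packet, Gateway, RULES and demo are chosen here. The request from NetA host .7 to "172.16.20.5" reaches NetB as 172.16.30.7 -> 172.16.10.5, and the reply comes back to NetA as 172.16.20.5 -> 172.16.10.7, which is exactly the two views Simon asked for. A destination whose translated form is the gateway's own address is still pushed out the far interface, which is the limitation Reyk mentions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def bitmask_translate(addr: str, from_net: str, to_net: str) -> str:
    """PF 'bitmask' pool semantics: keep the host bits of addr and replace the
    network bits with to_net's. Both prefixes must have the same length."""
    f = ipaddress.IPv4Network(from_net)
    t = ipaddress.IPv4Network(to_net)
    if f.prefixlen != t.prefixlen:
        raise ValueError("bitmask translation needs equal prefix lengths")
    host_bits = int(ipaddress.IPv4Address(addr)) & int(f.hostmask)
    return str(ipaddress.IPv4Address(int(t.network_address) | host_bits))


# Addressing from the thread: both sites really use 172.16.10.0/24.
REAL = "172.16.10.0/24"
NETB_FROM_A = "172.16.20.0/24"   # how NetA addresses NetB (rdr-to on rdomain 1)
NETA_FROM_B = "172.16.30.0/24"   # how NetB addresses NetA (rdr-to on rdomain 2)
GATEWAY_ADDR = "172.16.10.1"     # em0/em1 address from the ifconfig lines

# Per ingress rdomain: (alias the sender used for the far side,
#                        alias the sender gets on the far side, egress rdomain)
RULES = {
    1: (NETB_FROM_A, NETA_FROM_B, 2),
    2: (NETA_FROM_B, NETB_FROM_A, 1),
}


class Gateway:
    """Toy model of the rdomain gateway (constructed here, not PF itself).
    States are kept so that replies are un-translated by the existing state,
    as PF does, instead of being matched against the ruleset again."""

    def __init__(self):
        # (ingress rdomain, src, sport, dst, dport) -> (egress rdomain, src, sport, dst, dport)
        self.states = {}

    def handle(self, pkt: Packet, rdomain: int):
        """Return (packet as it leaves the gateway, egress rdomain), or None if blocked."""
        key = (rdomain, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.states:
            out_rd, src, sport, dst, dport = self.states[key]
            return Packet(src, dst, sport, dport), out_rd

        remote_alias, local_alias, out_rd = RULES[rdomain]
        if ipaddress.IPv4Address(pkt.dst) not in ipaddress.IPv4Network(remote_alias):
            return None   # 'block in': only traffic for the far side's alias is accepted

        # rdr-to ... bitmask: alias destination -> real destination, same host bits
        dst = bitmask_translate(pkt.dst, remote_alias, REAL)
        # nat-to ... static-port bitmask on the egress rdomain: real source -> alias source
        src = bitmask_translate(pkt.src, REAL, local_alias)
        out = Packet(src, dst, pkt.sport, pkt.dport)

        # Record the state in both directions so the reply is reversed, not re-NATed.
        self.states[key] = (out_rd, src, pkt.sport, dst, pkt.dport)
        self.states[(out_rd, dst, pkt.dport, src, pkt.sport)] = (
            rdomain, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # If dst == GATEWAY_ADDR the packet is still pushed out the far interface
        # by route-to rather than up the local stack, so the gateway's own alias
        # (172.16.20.1 from NetA) is never answered: the limitation Reyk notes.
        return out, out_rd


def demo():
    """Walk one exchange from NetA host .7 to NetB host .5 port 22 and back."""
    gw = Gateway()
    request = Packet("172.16.10.7", "172.16.20.5", 40000, 22)
    on_netb, rd_b = gw.handle(request, 1)        # what NetB's host .5 sees
    reply = Packet(on_netb.dst, on_netb.src, on_netb.dport, on_netb.sport)
    on_neta, rd_a = gw.handle(reply, 2)          # what NetA's host .7 sees back
    return on_netb, rd_b, on_neta, rd_a


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Because the two rule pairs are mirror images and use static-port, the reply would come out the same even if it were matched against the ruleset instead of the state; keeping the state table in the model mirrors what PF actually does and is what protects the mapping if port rewriting were ever introduced.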