On Mon, Dec 22, 2003 at 06:07:24PM -0800, Jason C. Wells wrote:
> I would like to be able to set the DNS settings for my internal network to
> 209.20.215.30 and 209.20.215.31. The internal network is addressed as
> 192.168.1/24.
>
> How can I route from the internal addresses, through the internal
> interface of the firewall, to the external interface of the firewall, back
> through the port address translation to my internal nameservers?
You can do static NAT -- use the 'redirect_address' option for
natd(8). This will let you map an Internet address on your external
network through to an internal machine, e.g.:

    natd -redirect_address 192.168.1.1 209.20.215.31

This will allow external machines to access a server on your internal
network. Your internal machines should be set up so that they use
just the internal addresses -- you can't route the packets from
internal machines through natd on the external interface as you
describe. It's just the way that natd works, I'm afraid.
> If this question is too arcane, please refer me to the correct
> documentation. I don't even know where to start. Routing has always just
> magically worked on FreeBSD. I would think it would be possible to add
> some sort of manual route to the routing tables, but what do I know.
>
> The idea is to allow roamers to roam and never have to change any of their
> configuration settings, namely their DNS settings.
This does depend somewhat on how you set up the roaming access to your
network. If you create a VPN tunnel into your private network, then
the roaming users will see your internal servers just fine: no
renumbering necessary. However you will have to solve the initial
problem of making the network connections required to set up the VPN.
> Split DNS obviously can handle all other settings such as mail, time, web
> and so forth. Handling the DNS settings themselves, which are by IP
> address, proves more difficult.
Ah -- this is what DHCP is for. You can run DHCP on your internal
network to configure machines there, and also have a default lease
which dhclient(8) will fall back to when it can't find a DHCP server
-- as the man page says:

    A mobile host which may sometimes need to access a network on which no
    DHCP server exists may be preloaded with a lease for a fixed address on
    that network. When all attempts to contact a DHCP server have failed,
    dhclient will try to validate the static lease, and if it succeeds,
    will use that lease until it is restarted.
Cheers,
Matthew
--
Dr Matthew J Seaman MA, D.Phil.
26 The Paddocks, Savill Way, Marlow, Bucks., SL7 1TH UK
PGP: http://www.infracaninophile.co.uk/pgpkey
Tel: +44 1628 476614
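A worked /etc/dhclient.conf for the roaming laptop described in the reply above, added here as an example rather than taken from the thread. The interface name fxp0, the fixed address 192.168.1.50, the nameserver 192.168.1.1 and the 20-second timeout are assumptions; only the 192.168.1/24 network comes from the thread.

```conf
# Example /etc/dhclient.conf for a laptop that roams between the home LAN
# (which runs a DHCP server) and networks with no DHCP server at all.
# Interface name, addresses and timeout are assumptions for this example.

# Give up on DHCP after 20 seconds instead of the default 60, so the
# fallback lease below kicks in sooner on a DHCP-less network.
timeout 20;

interface "fxp0" {
    # On the home LAN, take the nameservers the DHCP server hands out;
    # they will be the internal addresses, so no renumbering is needed.
    request subnet-mask, broadcast-address, routers, domain-name-servers;
}

# Static lease used only after every attempt to reach a DHCP server has
# failed. dhclient validates it first (see dhclient(8)) and then keeps it
# until it is restarted, so it is applied on *any* DHCP-less network,
# not just the home LAN: pick an address nothing else on 192.168.1/24 uses.
lease {
    interface "fxp0";
    fixed-address 192.168.1.50;              # assumed spare address
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.1.255;
    option routers 192.168.1.1;              # firewall's internal interface
    option domain-name-servers 192.168.1.1;  # internal nameserver, not 209.20.215.x
}
```

With this in place the DNS setting never has to change by hand: on the home LAN it comes from DHCP, and elsewhere the fallback lease supplies the same internal address.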