Dimitri Rodis wrote:
> Angelo,
> pfSense specifically has a feature known as NAT reflection which allows
> this to be possible,
Sorry, have you read the page I linked? This is not possible, no matter
how much we love pfSense :)
First of all, what the GUI calls 'reflection' is actually a duplication
on the various internal networks of the 'rdr' rules you specify on the
WAN (reading /tmp/rules.debug is enlightening when you are in doubt).
Please consider that 1:1 ('binat') rules are currently excluded from the
reflection settings.
Try to picture a three-way handshake: one server, 10.0.0.1, sends a SYN to
200.0.0.2, actually an RDR under which the sibling server 10.0.0.2 is
visible on the internet. The firewall rewrites the packet as:
source:10.0.0.1 -> dst:10.0.0.2
The destination server will respond to the originator with SYN/ACK: being
on the same subnet, that packet will never pass through the firewall, so
will never get rewritten back. In the end, 10.0.0.1 will receive a SYN/ACK
from a host to which it has never sent a SYN: what do you think it should
do with it?
> mainly because split horizon DNS is not always a
> reasonable solution. In the case of the person who started this thread,
> he has approx 700 email domains across various servers behind a NAT-- so
> when someone from one domain on one server tries to email another person
> within the same "system" (but on different servers), SMTP won't connect
> because the MX record resolves to a public IP (as it should).
That's exactly what split-DNS is about: the Internet will resolve the
names with public (nat-ed) addresses, while the internal machines will
resolve the same names with the internal addresses.
Angelo
-----Original Message-----
From: Angelo Turetta [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 07, 2008 1:09 AM
Please read http://www.openbsd.org/faq/pf/rdr.html#reflect (see:
Redirection and Reflection)
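The handshake Angelo walks through above, as an added toy model (not code from the thread, from pfSense or from pf): the 'reflected' rdr rule is a dictionary mapping the public address 200.0.0.2 to the internal host 10.0.0.2, the LAN is a flat segment on which host-to-host packets never touch the firewall, and the client does what a TCP stack does with a SYN/ACK from a peer it never contacted. The `source_nat` switch is a hypothetical addition: it models the extra source rewrite on the internal interface (the 'nat on $int_if' companion rule the linked OpenBSD FAQ page discusses), so the reader can see why forcing the reply back through the firewall changes the outcome. All addresses are constructed.

```python
"""Toy model of the hairpin (NAT reflection) problem: 10.0.0.1 on the LAN
sends a SYN to 200.0.0.2, the public address under which its LAN sibling
10.0.0.2 is published by an rdr rule that 'reflection' duplicated onto the
LAN interface. Constructed example, not pfSense/pf code."""
from dataclasses import dataclass, field, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str  # "SYN", "SYN/ACK", "ACK" or "RST"


@dataclass
class Firewall:
    lan_addr: str                 # the firewall's own LAN address (constructed)
    rdr: dict                     # public address -> internal host (the rdr rule)
    source_nat: bool = False      # hypothetical: also rewrite src of hairpinned SYNs
    state: dict = field(default_factory=dict)  # (xlated_src, xlated_dst) -> (orig_src, orig_dst)
    seen: list = field(default_factory=list)   # every packet that actually reached the firewall

    def process(self, pkt: Packet) -> Packet:
        self.seen.append(pkt)
        if pkt.dst in self.rdr:           # hairpinned SYN: apply the reflected rdr rule
            new_dst = self.rdr[pkt.dst]
            new_src = self.lan_addr if self.source_nat else pkt.src
            self.state[(new_src, new_dst)] = (pkt.src, pkt.dst)
            return replace(pkt, src=new_src, dst=new_dst)
        key = (pkt.dst, pkt.src)          # reply to a flow we translated earlier?
        if key in self.state:
            orig_src, orig_dst = self.state[key]
            return replace(pkt, src=orig_dst, dst=orig_src)
        return pkt                        # not ours; forward untouched


def deliver(pkt: Packet, fw: Firewall, lan_hosts: dict):
    """LAN host to LAN host is a same-subnet (L2) delivery the firewall never
    sees; a public address or the firewall's own address is routed via it."""
    path = []
    if pkt.dst not in lan_hosts:
        pkt = fw.process(pkt)
        path.append("firewall")
    path.append(pkt.dst)
    return pkt, path


@dataclass
class Client:
    addr: str
    peer: str = ""  # the address this host believes it is talking to

    def syn(self, peer: str) -> Packet:
        self.peer = peer
        return Packet(self.addr, peer, "SYN")

    def receive(self, pkt: Packet):
        if pkt.flags == "SYN/ACK" and pkt.src == self.peer:
            return Packet(self.addr, pkt.src, "ACK"), "ESTABLISHED"
        # a SYN/ACK for a connection this host never opened is answered with RST
        return Packet(self.addr, pkt.src, "RST"), f"RST: SYN/ACK from {pkt.src}, expected {self.peer}"


@dataclass
class Server:
    addr: str

    def receive(self, pkt: Packet) -> Packet:
        # the server answers whoever the SYN appears to come from
        return Packet(self.addr, pkt.src, "SYN/ACK")


def handshake(source_nat: bool):
    """Run the three-way handshake; return the client's outcome and the number
    of packets the firewall saw (1 = only the SYN, 2 = SYN and SYN/ACK)."""
    client, server = Client("10.0.0.1"), Server("10.0.0.2")
    hosts = {client.addr: client, server.addr: server}
    fw = Firewall(lan_addr="10.0.0.254", rdr={"200.0.0.2": server.addr}, source_nat=source_nat)
    syn, _ = deliver(client.syn("200.0.0.2"), fw, hosts)   # rdr rewrites the destination
    synack = hosts[syn.dst].receive(syn)
    synack, path = deliver(synack, fw, hosts)               # does the reply cross the firewall?
    _, outcome = hosts[synack.dst].receive(synack)
    return outcome, len(fw.seen), path


if __name__ == "__main__":
    for flag in (False, True):
        outcome, seen, path = handshake(source_nat=flag)
        print(f"source_nat={flag}: SYN/ACK path={path}, firewall saw {seen} pkt(s): {outcome}")
```

With `source_nat=False` the SYN/ACK goes straight from 10.0.0.2 to 10.0.0.1 on the wire, the firewall sees only the SYN, and the client resets a SYN/ACK from an address it never contacted. With the source rewrite enabled the server answers the firewall's LAN address, the reply is un-translated from state, and the client sees the 200.0.0.2 it expected, at the cost of the server logging every internal client as the firewall.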