blackmilk
February 1st, 2004, 20:44
I have a situation where I need to implement NAT on my OpenBSD machine. The firewall is already using a private address obtained via a 4 port router.
Here's my current network:
[code:1:f314ad424b]
[Modem - Real IP xxx.xxx.xxx.xxx]
|
[Router/NAT - Priv IP 192.168.2.1] --- [Node1 - 192.168.2.1xx]
| --- [Node2 - 192.168.2.2xx]
| --- [Node3 - 192.168.2.3xx]
| --- [Node4 - 192.168.2.4xx]
[/code:1:f314ad424b]
New Network:
[code:1:f314ad424b]
[Modem - Real IP xxx.xxx.xxx.xxx]
|
[Router/NAT - Priv IP 192.168.2.1] --- [Node1 - 192.168.2.1xx] --- [Node5 - 192.168.2.5xx]
| --- [Node2 - 192.168.2.2xx]
| --- [Node3 - 192.168.2.3xx]
| --- [Node4 - 192.168.2.4xx]
[/code:1:f314ad424b]
I'm currently looking over Absolute OpenBSD and the pf man page.
Am i correct in thinking that I could use an alias IP on Node1, and implement binat and redirection of packets to have an IP that can have filtering done at the Router, and also at the openbsd machine.
I see on the documentation in front of me that binat assumes a real IP will be used, though I myself can't see any trouble with my idea. Can any of you?
Thank you
bsdjunkie
February 2nd, 2004, 14:38
Ive never actually played with binat yet, but give it a try and tell us if it works. From what ive read it seems to be for an external/internal address, so I am not sure if it will work on an alias or not.
Strog
February 2nd, 2004, 15:35
The diagram looks like the first 4 computers plugged into the Linksys. Is that correct?
What do you want to do with this 5th machine? Is it being protected from the rest of the network or you just needing connectivity?
BiNAT is a 1 to 1 mapping of of an address on a subnet to a machine on a different subnet. It doesn't have to use public IPs but it does have to be on another subnet.
I have put an aliased IP on my firewall and pointed to a machine on another subnet using RDR so it seems like BiNAT is not really needed in most cases. I'm sure that there's a place it might be better but I'm not sure where that might be. I'm using rdr on $int_if from $int_net to $alias_IP -> $nfsserver. I ping the alias IP and I get the nfs server. This really got me out of a bind booting diskless workstations on another subnet.
Bridging allows you to use the same subnet and still filter if you would rather go that route.
blackmilk
February 2nd, 2004, 16:18
Yes, 4 computers, I'm attempting to add connectivity with strict filtering.
It certainly looks like BiNAT is out of the question, the reason for this is that I have 4 computers in 4 different locations, I only have one box here to use.
I thought of mimicking BiNAT, though I'm aiming for performance, hence the BiNAT idea.
I'm looking over the bridge and brconfig man pages, I see a location within the brconfig syntax that allows you to add a static address to an interface, am I correct in my presumption or will I need ip aliasing in place.
[code:1:88359a1c1a]
BRCONFIG(8)
static interface-name address
Add a static entry into the address cache pointing to interface-
name. Static entries are never aged out of the cache or replaced
if the address is seen on a different interface[/code:1:88359a1c1a]
I'm looking up some more information on bridging.
I'm at a disadvantage, I've never done anything like this before, including wiring. I bought some crimpers and cutters the other day, and I'm in the process of purchasing a few wires and jacks.
Am I correct in thinking this will require a crossover cable?
Thanks for the input so far, a great help!
Strog
February 2nd, 2004, 18:25
Bridges can use an IP on them. It's generally discouraged because it turns a transparent firewall into one the can be seen by IP. This probably isn't going to be an issue for you since you were going to use an IP anyway.
If you NIC to NIC without a hub/switch/etc. then you are probably going to need a crossover cable. Don't worry, making patch cables isn't too tough and will seem easy after a few times. Just make sure and get every wire flush against the end and you will be fine. Most bad ends I've seen have a wire pulled out just a bit and a good tug on it and it loses connection. Here's a good link for anyone looking to make some cables (www.lanshack.com/make-cat5E.asp).
blackmilk
February 3rd, 2004, 15:35
Great link! I chose a slightly different site before hand, the instructions we're as easy as you can get. Here's the link! (http://www.littlewhitedog.com/modules.php?name=Content&pa=showpage&pid=8)
ATM, I haven't implemented bridging, all I've done is NAT with rdr. I've still to get the NIC recognised as it doesn't show in ifconfig output (hence my interest in rj45-serial)
I've just written my pf.conf for my new set-up, rather basic looking at the moment, and not as strict due to me being unwilling to write rules for outbound traffic.
Here's my pf.conf for those interested:
http://screamingelectron.org/phpBB2/viewtopic.php?p=8717