[afnog] IPfw + natd

Phil Regnauld regnauld at x0.dk
Fri Dec 2 18:31:35 EAT 2005


On Fri, Dec 02, 2005 at 03:18:46PM +0000, Brian Candler wrote:
> 
> Another good solution might be to go with pf :-)

	PF has one limitation that bothers me:  I can't do reverse NAT
	on an ingress interface BEFORE it gets processed by the rest
	of the stack.

	For example, with IPFW + natd, I can do reverse NAT on the inside
	interface, on packets on the way out, THEN encapsulate them in IPsec,
	thus presenting only 1 IP to SA.

	I've done this for a couple of customers who needed site-to-site
	VPN with conflicting IP ranges (RFC1918 on both sides) -- the solution
	was to allocate an extra IP address on the outside, use ports/net/choparp
	to grab packets for that IP, route that IP to the inside interface,
	then do reverse NATd to that IP on the inside interface, and finally
	tell IPsec to encapsulate _that_ IP to the remote site.
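The setup described in the post above, as an added example that is not code from the original message: FreeBSD with IPFW, natd in reverse mode, choparp and a setkey policy. The interface names, the 203.0.113.x/198.51.100.x addresses, the MAC and the divert port are assumed placeholders, and the remote site is assumed to present a single address to us the same way.

```shell
#!/bin/sh
# Added example, not code from the original post: "reverse NAT on the inside
# interface, then IPsec" on FreeBSD with IPFW + natd. All values are assumed placeholders.
OUT_IF=em0                      # outside interface
IN_IF=em1                       # inside interface
LOCAL_LAN=192.168.1.0/24        # our LAN; the remote site uses the same range
XIP=203.0.113.10                # extra public IP, deliberately NOT bound to any interface
OUT_MAC=00:00:5e:00:53:01       # MAC of $OUT_IF, which choparp answers ARP with
GW_LOCAL=203.0.113.1            # our IPsec endpoint (primary address on $OUT_IF)
GW_REMOTE=198.51.100.1          # remote IPsec endpoint
REMOTE_PRESENTED=198.51.100.10  # the one address the remote site presents to us (same trick)
DIVERT_PORT=8668
# Steps 1-2: answer ARP for $XIP on the outside, then route $XIP to the inside
# interface so packets for it are diverted to natd instead of being consumed by the stack.
grab_and_route() {
    choparp "$OUT_IF" "$OUT_MAC" "$XIP/32"
    route add -host "$XIP" -iface "$IN_IF"
}

# Step 3: natd in reverse mode. Packets entering $IN_IF from the LAN count as
# "outgoing" for natd, so their source becomes $XIP before IPsec ever sees them.
natd_args() {
    printf '%s -alias_address %s -port %s -use_sockets -same_ports\n' \
        -reverse "$XIP" "$DIVERT_PORT"
}

# IPFW must divert both directions so natd can de-alias the replies addressed to $XIP.
ipfw_rules() {
    printf 'add 100 divert %s ip from %s to any in via %s\n' "$DIVERT_PORT" "$LOCAL_LAN" "$IN_IF"
    printf 'add 110 divert %s ip from any to %s out via %s\n' "$DIVERT_PORT" "$XIP" "$IN_IF"
    printf 'add 65000 allow ip from any to any\n'
}

# Step 4: the IPsec policy (setkey syntax) selects on $XIP only, so the SA sees
# a single local address and the conflicting RFC1918 ranges never cross the tunnel.
setkey_policy() {
    printf 'spdadd %s/32 %s/32 any -P out ipsec esp/tunnel/%s-%s/require;\n' \
        "$XIP" "$REMOTE_PRESENTED" "$GW_LOCAL" "$GW_REMOTE"
    printf 'spdadd %s/32 %s/32 any -P in ipsec esp/tunnel/%s-%s/require;\n' \
        "$REMOTE_PRESENTED" "$XIP" "$GW_REMOTE" "$GW_LOCAL"
}

apply_all() {
    grab_and_route
    natd $(natd_args)
    ipfw_rules | while read -r rule; do ipfw -q $rule; done
    setkey_policy | setkey -c
}
case "${1:-}" in apply) apply_all ;; esac   # only touches the box when run as: sh script.sh apply
```

Without the `apply` argument the script only defines the generators, so the rule set, natd arguments and SPD entries can be inspected before anything is changed on the gateway.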
