Quote:
Originally Posted by jggimi
If the router is routing, rather than bridging, your external facing network is only attached to the router, and none of your servers would have an external address -- the mapping to Internet-facing addresses would be done by the router, and only the router.
|
Yep, I understand that. I've been a network engineer and architect for over 2 decades.
What I don't understand (yet) is how FreeBSD handles all of these things. To be honest, Linux does
this part really well and I'm actually considering converting just the router back to it. But, before I throw in the towel:
In a binat scenario, the router's interfaces:
- em0: XX.YY.ZZ.222/24 # Public side, Verizon IPs. Of those, I have 13.
- re0: 172.16.0.0/24 # RFC1918 side of "public" servers. Binat sources.
- re1: 192.168.100.0/24 # Private LAN for wireless, NFS server, etc.
So, packets coming in em0 destined for one of the public IPs will get binat'd out towards re0. Conversely, packets from the 172.16.0.0/24 LAN outbound on
any of the interfaces
also need to be binat'd via the same 1-to-1 mapping.
Packets coming in re1 and destined to the Internet should be NAT'd via the last NAT rule I listed. The many-to-1. Packets coming in re1 and destined to XX.YY.ZZ.210 - .220 should
not be many-to-1 NAT'd, but
should trigger the 1-to-1 binat.
This is where it gets confusing. Theoretically, if the router gets a packet destined for XX.YY.ZZ.210-.220 (the binat IPs) from
any interface, it should know that it owns those 11 IPs, and do the binat appropriately. Correct?
For instance, let's say I have the NAT'ing rules applied as previously posted. And...
source: 192.168.100.10
destination: XX.YY.ZZ.210
The packet from 192.168.100.10 should hit interface re1, and then... what? Will the binat, which is sitting on interface em0, get triggered? Will the router know to send the packet, translated, to 172.16.0.210? Or will it just get dropped?