
Firewall and remote machine



I'm putting up a temporary network in a couple of weeks that will be
operative for just a few days. The problem is that the Internet connection
at the location where I'm putting it up is behind a firewall, more
specifically it's a WAN behind a Novell BorderManager server that I don't
have access to. I do, however, have access to a server A running OpenBSD
connected directly to the Internet at another location just a few hops away
from the firewall (and I've got lots of IP addresses for this server as
well). What I want to do, basically, is to "tunnel" all the traffic through
this machine, so that the clients won't notice that they're behind a strict
NAT'ing firewall. I'm not sure if this is possible at all, but here's a
simple figure of how I imagine the situation:

The machine at the 'remote' location with unfirewalled Internet access has
IP addresses 193.2.2.1 to 193.2.2.255.

The machines connecting to the firewalled wide area network get IP addresses
10.0.0.1 to 10.0.0.255.

The firewall running Novell BorderManager has the external IP address
212.2.2.1.

I first hook up another server B with two NICs running OpenBSD to the
firewalled network; its external interface gets IP 10.0.0.2 through DHCP,
and it'll then 'appear' on the Internet as 212.2.2.1. I connect the internal
interface on server B to a switch, and connect the clients that form the
temporary network to this switch. So far so good: I can now simply run NAT
on server B, and it'll work fairly well, but what I want is unique IP
addresses for all the machines. To sum up what the situation might be like:

client (193.2.2.56)
  --Local Area Network-->
(193.2.2.1 - internal interface) server B running OpenBSD behind firewall
(external interface - 10.0.0.2)
  --Wide Area Network-->
(10.0.0.1 - internal interface) firewall running Novell BorderManager
(external interface - 212.2.2.1)
  --Internet-->
(193.2.2.2) server A with unfirewalled Internet access and many IP addresses
running OpenBSD (193.2.2.2)
  --Internet-->
www.somesite.com (12.23.23.23) sees the client accessing it as 193.2.2.56.

In an ideal situation, the client won't even notice the firewall; a
traceroute to www.somesite.com should be something like:

1    <1 ms    <1 ms    <1 ms  193.2.2.1
2    18 ms    19 ms    19 ms  193.2.2.2
--*snip*--
9    58 ms    56 ms    61 ms  www.somesite.com [12.23.23.23]

As mentioned earlier, I'm not sure how to do this, or even if it's possible
at all. If it is, I would be glad to get some advice on how to accomplish it.

Final comment: I apologize if this message should have been sent to
another mailing list than pf in the first place, but I reckon this problem is
a mixture of tunnelling and the use of pf.

Sincerely yours,
Anders Rosvoldaunet
[email protected]