On 17. aug. 2013, at 16:37, Frank Leonhardt <freebsd-...@fjl.co.uk> wrote:
> This is just the sort of problem Google will have when it buys Facebook :-)

Probably not. If Google were to buy Facebook, I'm confident they'd be able to 
renumber their networks if they have to. 

> Your explanation of the foul-up possible with NAPT is well made, although not 
> really talking about the kind of NAT used on Home/SME routers (one public 
> address hiding many private one) - I'm thinking of Basic NAT - one-to-one 
> replacement, not one-to-many. (i.e. static address assignment). All the 
> router (or firewall) needs to do is swap the IP address in the header as it 
> passes through, and swap it back when it returns. The two hosts shouldn't 
> notice a thing.

That's a good theory. In reality, it's much more complicated. 

What about SSL/TLS for example?  How would the router swap the header in an 
encrypted session?

(That's a likely scenario with both VoIP, teleconferencing and ftp over ssl 
btw). 

Swapping headers is also a bit outside the scope of NAT, and over to 
application level gateway. I've seen probably hundreds of attempts at such 
solutions, most didn't work at all, and few - if any - worked well. 

> FWIW it works pretty well without NAT if you can avoid address conflicts, and 
> in a small installation it's possible. But consider this really trivial 
> example:

If you're fine with the way it works without conflicts, why not just move 
things around? Change statically configured IPs, and narrow the DHCP scopes to 
avoid conflict?

> The obvious answer is IPv6, of course. I'm surprised no one has mentioned it 
> yet.

You seemed dead set on not renumbering the networks, and moving to IPv6 would 
not only be just that, but also be harder than just renumbering IPv4-nets, so 
you answered that question for us already. 

> mpd does handle NAT (Section 4.14 of its manual). It doesn't go into great 
> detail except to say it uses ng_nat, which in turn uses libalias (like 
> natd). Looking at the ng_nat 'C' interface, NGM_NAT_REDIRECT_ADDR sounds like 
> what I'm after but it all looks geared to NAPT (which is, I guess, what most 
> people use NAT for). And I've got this nagging feeling that ipfw is going to 
> be involved somewhere, just to make it really tricky.

If you do insist on shooting the network owner(s) in the foot, pf would probably 
do fine for the NAT. 

Best of luck on your adventure sir, you'll need it. If not today, then some day 
ahead. Bring a towel. 

Terje
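As an added illustration (not code from either poster), here is a small Python model of the Basic NAT address swap Frank describes and of the objection Terje raises: only the IP header is rewritten (source on the way out, destination on the way back) and its checksum recomputed, while an address embedded in the payload, such as the FTP PORT command constructed here, is left untouched, which is exactly what an application level gateway would have to fix and what an encrypted session prevents. The mapping table, hosts and packet contents are all constructed.

```python
import ipaddress
import struct

# Constructed 1:1 (Basic NAT) table: inside address <-> outside address.
BINAT = {"192.168.1.10": "10.0.0.10"}
BINAT_REV = {v: k for k, v in BINAT.items()}

def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 for a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, payload: bytes, proto: int = 6) -> bytes:
    """Minimal IPv4 header (no options) followed by the payload, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload

def addresses(packet: bytes) -> tuple:
    """(source, destination) as dotted quads, read from the IP header."""
    return (str(ipaddress.IPv4Address(packet[12:16])),
            str(ipaddress.IPv4Address(packet[16:20])))

def basic_nat(packet: bytes, outbound: bool) -> bytes:
    """Swap the source on the way out (or the destination on the way back) in the
    IP header only, then recompute the header checksum. The payload is not inspected."""
    src, dst = addresses(packet)
    if outbound:
        src = BINAT.get(src, src)
    else:
        dst = BINAT_REV.get(dst, dst)
    hdr = packet[:12] + ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
    hdr = hdr[:10] + b"\x00\x00" + hdr[12:]  # zero the checksum field before summing
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + packet[20:]

def payload_still_names_inside_host(packet: bytes, inside: str) -> bool:
    """True if the payload carries the inside address in FTP PORT style ('a,b,c,d'),
    i.e. what a 1:1 NAT cannot fix without an application-level gateway."""
    return inside.replace(".", ",").encode() in packet[20:]

if __name__ == "__main__":
    # Constructed FTP control packet from the inside host announcing its own address.
    pkt = build_ipv4("192.168.1.10", "198.51.100.5", b"PORT 192,168,1,10,4,1\r\n")
    out = basic_nat(pkt, outbound=True)
    print(addresses(out), payload_still_names_inside_host(out, "192.168.1.10"))
```

The header now carries 10.0.0.10 with a valid checksum, but the PORT line still says 192,168,1,10; the far end will try to connect back to the wrong address.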

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions