Join two overlapping subnets with two way NAT/BINAT


Join two overlapping subnets with two way NAT/BINAT

Simon Slaytor
Hi Folks,

I've been trying to wrap my head around a problem for a little while and
I'm getting nowhere fast so thought I'd ask the experts:

Due to a company takeover I have two networks, NetA and NetB, that I
need to link together for bidirectional data sharing etc. Unfortunately
both networks use the same IP addressing scheme, i.e. 172.16.10.0/24, and
neither can be changed within the timespan available to me.

So I need to setup a PF box which links to both networks and translates
between the two. Conceptually I want to have it that from NetA's
perspective NetB is 172.16.20.0/24 and from NetB's perspective NetA is
172.16.30.0/24

NetA ----> NetB-NAT (172.16.20.0/24) -----> NIC1 (172.16.10.254/24) PF
Firewall/Route NIC2 (172.16.10.254/24) <---- NetA-NAT (172.16.30.0)
<----- NetB

I've read about bitmask on NAT/BINAT etc. and all this looks good. The
problem, however, is that this is done on the outgoing interface, and
given that both the outbound and inbound interfaces share an IP/subnet,
the packets never get to the outbound interface to be translated.

I'm sure there's something completely obvious I'm missing, any help
would be much appreciated.

Simon


Re: Join two overlapping subnets with two way NAT/BINAT

Florian Obser
On 09/07/13 21:32, Simon Slaytor wrote:

> Hi Folks,
>
> I've been trying to wrap my head around a problem for a little while and
> I'm getting nowhere fast so thought I'd ask the experts:
>
> Due to a company takeover I have two networks, NetA and NetB, that I
> need to link together for bidirectional data sharing etc. Unfortunately
> both networks use the same IP addressing scheme, i.e. 172.16.10.0/24, and
> neither can be changed within the timespan available to me.
>
> So I need to setup a PF box which links to both networks and translates
> between the two. Conceptually I want to have it that from NetA's
> perspective NetB is 172.16.20.0/24 and from NetB's perspective NetA is
> 172.16.30.0/24
>
> NetA ----> NetB-NAT (172.16.20.0/24) -----> NIC1 (172.16.10.254/24) PF
> Firewall/Route NIC2 (172.16.10.254/24) <---- NetA-NAT (172.16.30.0)
> <----- NetB
>
> I've read about bitmask on NAT/BINAT etc. and all this looks good. The
> problem, however, is that this is done on the outgoing interface, and
> given that both the outbound and inbound interfaces share an IP/subnet,
> the packets never get to the outbound interface to be translated.
>
> I'm sure there's something completely obvious I'm missing, any help
> would be much appreciated.
>
> Simon
>

So you have 172.16.10.254 on two interfaces on the same box? I don't
think that will end well. I would go with two firewalls, one nats NetA,
the other nats NetB and put a link net in between.


Re: Join two overlapping subnets with two way NAT/BINAT

Simon Slaytor
On 07/09/2013 23:22, Florian Obser wrote:

> On 09/07/13 21:32, Simon Slaytor wrote:
>> Hi Folks,
>>
>> I've been trying to wrap my head around a problem for a little while and
>> I'm getting nowhere fast so thought I'd ask the experts:
>>
>> Due to a company takeover I have two networks, NetA and NetB, that I
>> need to link together for bidirectional data sharing etc. Unfortunately
>> both networks use the same IP addressing scheme, i.e. 172.16.10.0/24, and
>> neither can be changed within the timespan available to me.
>>
>> So I need to setup a PF box which links to both networks and translates
>> between the two. Conceptually I want to have it that from NetA's
>> perspective NetB is 172.16.20.0/24 and from NetB's perspective NetA is
>> 172.16.30.0/24
>>
>> NetA ----> NetB-NAT (172.16.20.0/24) -----> NIC1 (172.16.10.254/24) PF
>> Firewall/Route NIC2 (172.16.10.254/24) <---- NetA-NAT (172.16.30.0)
>> <----- NetB
>>
>> I've read about bitmask on NAT/BINAT etc. and all this looks good. The
>> problem, however, is that this is done on the outgoing interface, and
>> given that both the outbound and inbound interfaces share an IP/subnet,
>> the packets never get to the outbound interface to be translated.
>>
>> I'm sure there's something completely obvious I'm missing, any help
>> would be much appreciated.
>>
>> Simon
>>
> So you have 172.16.10.254 on two interfaces on the same box? I don't
> think that will end well. I would go with two firewalls, one nats NetA,
> the other nats NetB and put a link net in between.
Cheers Florian,

Yes, I was thinking this myself; just wondering if I could do something
with VRFs and PF's route-to as a way to avoid this?


Re: Join two overlapping subnets with two way NAT/BINAT

Reyk Floeter-2
On Sun, Sep 08, 2013 at 12:47:28AM +0100, Simon Slaytor wrote:
> On 07/09/2013 23:22, Florian Obser wrote:
> >So you have 172.16.10.254 on two interfaces on the same box? I don't
> >think that will end well. I would go with two firewalls, one nats NetA,
> >the other nats NetB and put a link net in between.
> >
> Yes I was thinking this myself, just wondering if I could do
> something with VRF's and PF's route to as a way to avoid this?
>

Of course, you can do this with rdomains and PF on OpenBSD.

I attached an example below.  The PF bits can probably be simplified,
but I currently don't remember if there was a nicer way to do this.

This example has some limitations when it comes to the gateway itself;
you cannot reach the gateway address from the remote side (172.16.20.1
from NET_A).

# ifconfig em0 rdomain 1 172.16.10.1/24
# ifconfig em1 rdomain 2 172.16.10.1/24

/etc/pf.conf:
---snip---
net_a_if="em0"
net_b_if="em1"

block in
pass out

pass in on rdomain 1 to 172.16.20.0/24 rdr-to 172.16.10.0/24 bitmask \
        route-to $net_b_if tag NET_A rtable 2
pass out on rdomain 2 nat-to 172.16.30.0/24 static-port bitmask tagged NET_A

pass in on rdomain 2 to 172.16.30.0/24 rdr-to 172.16.10.0/24 bitmask \
        route-to $net_a_if tag NET_B rtable 1
pass out on rdomain 1 nat-to 172.16.20.0/24 static-port bitmask tagged NET_B
---snap---

Reyk
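To make the address rewriting in the ruleset above concrete, here is an added model (not OpenBSD or pf code, and not part of Reyk's post) of what the two rule pairs do to a packet. It assumes the "bitmask" pool semantics, i.e. the host bits of the original address are kept and only the network bits are replaced by the pool network's, and it takes the gateway's own address on both rdomains (172.16.10.1) from the ifconfig lines above. The packet addresses used in the check are constructed sample values.

```python
import ipaddress

# Topology from Reyk's example: both sites really use 172.16.10.0/24; NetA sees
# NetB as 172.16.20.0/24, NetB sees NetA as 172.16.30.0/24. rdomain 1 = em0 (NetA),
# rdomain 2 = em1 (NetB). GATEWAY is the box's own address on both interfaces.
NET_REAL = ipaddress.ip_network("172.16.10.0/24")
NET_B_AS_SEEN_FROM_A = ipaddress.ip_network("172.16.20.0/24")
NET_A_AS_SEEN_FROM_B = ipaddress.ip_network("172.16.30.0/24")
GATEWAY = ipaddress.ip_address("172.16.10.1")


def bitmask_translate(addr, pool):
    """Model of pf's 'bitmask' pool option (assumed semantics): keep the host
    bits of addr, replace the network bits with those of pool."""
    addr = ipaddress.ip_address(addr)
    host_bits = int(addr) & int(pool.hostmask)
    return ipaddress.ip_address(int(pool.network_address) | host_bits)


def forward_packet(src, dst, ingress_rdomain):
    """Apply the two rules a packet hits on its way through the box:
    'pass in ... rdr-to 172.16.10.0/24 bitmask route-to ... rtable N' on the
    ingress rdomain, then 'pass out ... nat-to <alias> bitmask tagged' on the
    egress rdomain. Returns (new_src, new_dst, egress_rdomain), or None when
    the destination is not the other site's alias network (the 'block in'
    default catches it)."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    if ingress_rdomain == 1:
        alias_dst, alias_src, egress = NET_B_AS_SEEN_FROM_A, NET_A_AS_SEEN_FROM_B, 2
    elif ingress_rdomain == 2:
        alias_dst, alias_src, egress = NET_A_AS_SEEN_FROM_B, NET_B_AS_SEEN_FROM_A, 1
    else:
        raise ValueError("unknown rdomain %r" % ingress_rdomain)
    if dst not in alias_dst:
        return None
    new_dst = bitmask_translate(dst, NET_REAL)   # rdr-to on the ingress rule
    new_src = bitmask_translate(src, alias_src)  # nat-to on the tagged egress rule
    return (str(new_src), str(new_dst), egress)


def round_trip(src_a, dst_alias):
    """A NetA host src_a talks to dst_alias (a 172.16.20.x address). The NetB
    host answers the translated source; treating the reply as a fresh packet
    entering rdomain 2 must give back the original pair swapped. Because
    bitmask is a fixed 1:1 mapping, this matches what pf's state entry would
    reverse."""
    out = forward_packet(src_a, dst_alias, 1)
    if out is None:
        return False
    new_src, new_dst, _ = out
    back = forward_packet(new_dst, new_src, 2)
    return back is not None and (back[0], back[1]) == (dst_alias, src_a)


def hits_gateway_limitation(dst, ingress_rdomain):
    """The limitation Reyk mentions: the alias of the gateway itself
    (172.16.20.1 from NetA) translates to the box's own 172.16.10.1, but
    route-to pushes the packet out the other interface instead of delivering
    it locally, so the gateway is not reachable through the alias."""
    out = forward_packet("172.16.10.7", dst, ingress_rdomain)  # constructed source
    return out is not None and ipaddress.ip_address(out[1]) == GATEWAY


if __name__ == "__main__":
    print(forward_packet("172.16.10.7", "172.16.20.5", 1))
    print(forward_packet("172.16.10.5", "172.16.30.7", 2))
    print(round_trip("172.16.10.7", "172.16.20.5"))
    print(hits_gateway_limitation("172.16.20.1", 1))
```

Running it shows a NetA packet 172.16.10.7 -> 172.16.20.5 leaving em1 as 172.16.30.7 -> 172.16.10.5, the NetB reply coming back as 172.16.20.5 -> 172.16.10.7, and the alias of the gateway address mapping onto the box's own 172.16.10.1, which is why that one address is not reachable from the remote side.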


Re: Join two overlapping subnets with two way NAT/BINAT

Adam Thompson
> Due to a company takeover I have two networks, NetA and NetB, that
> I need to link together for bidirectional data sharing etc.
> Unfortunately both networks use the same IP addressing scheme, i.e.
> 172.16.10.0/24, and neither can be changed within the timespan available
> to me.


For what it's worth, this is one thing that Cisco PIX firewalls actually
do very well.  I won't use them for ordinary internet-facing firewalls,
but for your scenario they're perfect.

-Adam Thompson