Good day all,
I have a working home network that has the following layout:
[Clients (172.31.33.2-172.31.33.200)]
|
[Switch||Wireless AP]
|
[Gateway (172.31.33.1,PUBLIC_IP)]
|
{internet}
miniupnpd is enabled as well as a few other bits of tinsel, but all in all it works perfectly.
Now the issue:
Of those clients, 2 are Xboxes, and because of the security measures I have in place they do not work correctly with some multiplayer servers, and because there are two Xboxes I cannot manually forward the required ports (as they're not dynamic); that would only work for 1 of them.
So, genius idea: a cheap VPS <10ms away, let's use that as a public gateway for just the Xboxes (1 each).
Now, first of all I assigned a dhcp-host line for the Xboxes so they're given the IPs 172.31.33.254 and 172.31.33.243 (respectively; from here on out I will just concentrate on the .254).
So the first thing I did was create a bridge between the FreeBSD gateway and the VPS; this gave my gateway (we will call it GW1) the IP of 10.0.0.2 and the VPS the IP of 10.0.0.1. I did try this with gre tunnels, gif tunnels, tun0 tunnels; in the end I decided on using 'tincd' with no encryption and a compression level of '1', meaning fastest zlib compression.
With that in place, pinging GW2 from GW1 I get:
root@GW1:~ # ping 10.0.0.1
PING 10.0.0.1 (10.0.0.1): 56 data bytes
64 bytes from 10.0.0.1: icmp_seq=0 ttl=64 time=157.440 ms
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=134.502 ms
Note the high latency; this is not a problem, there is a large upload in progress for another service.
10.0.0.2 (GW1) and 10.0.0.1 (GW2) are pingable by all 172.31.33.1/24 clients.
As a note, on GW1 the NAT rule that works for the clients in the .1-200 range is thus:
nat on $ext_if from $localnet to any -> ($ext_if)
$localnet is a { array } of the IPs in the range 1-200, so the Xbox that is currently on .254 is not being NAT'd anywhere at the moment.
As a little more info, from GW2 the Xbox has this ping (now the network has settled down a little):
root@GW2:~ # ping 172.31.33.254
PING 172.31.33.254 (172.31.33.254): 56 data bytes
64 bytes from 172.31.33.254: icmp_seq=0 ttl=63 time=327.917 ms
64 bytes from 172.31.33.254: icmp_seq=1 ttl=63 time=40.764 ms
64 bytes from 172.31.33.254: icmp_seq=2 ttl=63 time=42.158 ms
64 bytes from 172.31.33.254: icmp_seq=3 ttl=63 time=24.336 ms
So as you can see, for the sake of the link it all seems happy; if I were to redirect TCP/UDP ports 1-65535 into 172.31.33.254 from GW2, for all intents and purposes it would be a DMZ of kinds.
The issue comes with the outbound path from GW1.
How do I tell GW1 that packets from the Xbox (172.31.33.254) should be routed out via 10.0.0.1 (GW2)?
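Added example (editor's illustration, not the poster's configuration) of how the outbound policy route asked about above can be expressed with pf's route-to on GW1, together with the matching GW2 side. It keeps the poster's existing nat rule and names (GW1, GW2, 10.0.0.1, 10.0.0.2, 172.31.33.254). Everything else is an assumption: the interface names em0/em1 on GW1 and vtnet0 on GW2, tinc's tun interface being called tinc0 on both hosts, the tunnel being a 10.0.0.0/30, and the two-address $localnet, which stands in for the poster's .2-.200 list.

```pf
# Added example, not the poster's pf.conf. Two fragments: the first is for
# GW1's /etc/pf.conf, the second for GW2's. Interface names and the /30 are
# assumptions (see the lead-in).

## ---- GW1 /etc/pf.conf (home gateway, 172.31.33.1 / 10.0.0.2) ----
ext_if     = "em0"                 # assumption: ISP uplink, PUBLIC_IP
int_if     = "em1"                 # assumption: LAN side, 172.31.33.1/24
tun_if     = "tinc0"               # assumption: tinc interface, 10.0.0.2
gw2        = "10.0.0.1"
xbox1      = "172.31.33.254"
lan        = "172.31.33.0/24"
tunnel_net = "10.0.0.0/30"         # assumption: /30 carrying 10.0.0.1 and .2
localnet   = "{ 172.31.33.2, 172.31.33.3 }"   # placeholder for the .2-.200 list

# Unchanged from the post: ordinary clients are NATed on the ISP uplink only.
# Nothing leaving on $tun_if is rewritten, so GW2 sees 172.31.33.254 as the
# source address, which is consistent with the ping from GW2 in the post.
nat on $ext_if from $localnet to any -> ($ext_if)

# Destinations on the LAN or the tunnel itself keep using the routing table.
pass in quick on $int_if from $xbox1 to { $lan, $tunnel_net }

# Policy route: everything else entering from the Xbox is handed to GW2 over
# the tunnel instead of following GW1's default route. Replies come back in
# on $tun_if and match the state this rule creates.
pass in quick on $int_if route-to ($tun_if $gw2) from $xbox1 to any keep state

# Connections that GW2 redirects to the Xbox arrive on $tun_if. reply-to pins
# the Xbox's answers back to GW2; without it they would leave via $ext_if and
# the session would be asymmetric, so GW2 would never see them.
pass in quick on $tun_if reply-to ($tun_if $gw2) from any to $xbox1 keep state

## ---- GW2 /etc/pf.conf (VPS, 10.0.0.1 / its own public address) ----
vps_if = "vtnet0"                  # assumption: VPS public interface
tun_if = "tinc0"                   # assumption: tinc interface, 10.0.0.1
gw1    = "10.0.0.2"
xbox1  = "172.31.33.254"

# GW2 also needs a return route to the LAN over the tunnel; the ping from GW2
# in the post implies one already exists. On FreeBSD that is rc.conf:
#   static_routes="lan"
#   route_lan="-net 172.31.33.0/24 10.0.0.2"

# Source-NAT the Xbox's outbound traffic to the VPS public address.
nat on $vps_if from $xbox1 to any -> ($vps_if)

# The "DMZ of kinds" from the post: every TCP/UDP port forwarded to the Xbox.
# Everything the console listens on becomes reachable from the internet via
# the VPS address; a narrower port list is preferable once the game's
# requirements are known.
rdr on $vps_if proto { tcp udp } from any to ($vps_if) port 1:65535 -> $xbox1

pass in quick on $vps_if proto { tcp udp } from any to $xbox1 keep state
pass in quick on $tun_if from $xbox1 to any keep state
pass out quick on $vps_if keep state
pass out quick on $tun_if keep state
```

Check each file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; afterwards `pfctl -s state` on GW1 should show the Xbox's outbound states with the tunnel as their route, and a capture on tinc0 (`tcpdump -ni tinc0`) on either side shows the 172.31.33.254 traffic crossing the link. Because the tunnel runs without encryption, that traffic is readable on the VPS and the path to it.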