On 2008-03-03, kashani <kashani-list@××××××××.net> wrote:
> Grant Edwards wrote:
>
>> I don't understand why I have to do NAT. Can you explain why?
>> (Or point me to docs that explain why?)
>
> router01.your.network.com
> eth0 - 10.11.12.1
> eth1 - 24.1.2.231 - Comcast
> eth2 - 64.1.2.132 - Speakeasy
>
> Naturally RFC 1918 space is useless outside your network so
> you have to NAT.

Both of my gateways are on local networks and are doing NAT.

> However you need to make sure that you are making your policy
> routing decisions at eth0. You don't want traffic marked as
> originating from 24.1.2.231 going out eth2

I don't have IP forwarding enabled, so that shouldn't happen.

> since Speakeasy could (and should) drop traffic that is not
> originating from its IP space. Additionally traffic will be
> routed back to you via the Comcast connection resulting in
> asymmetric routing which can increase the chances of packets
> arriving out of order.
>
> router01.your.network.com
> eth0 - 24.2.3.1/29
> eth0 - 64.2.3.1/29
> eth1 - 24.1.2.231 - Comcast
> eth2 - 64.1.2.132 - Speakeasy
>
> Same case with this setup even with real IPs. The chances of convincing
> any ISP to accept routes smaller than /24 from you are tiny. And finding
> anyone who knows what you even want to do even when you have the IP
> space is pretty much non-existent. I know, I've tried. Same thing in
> this case, you'll NAT at eth1 and eth2 and policy route at eth0.
>
> If you are doing this from a single machine with two IPs and no other
> networks or interfaces, it should just work.

The machine will have different non-routing IPs on the two
interfaces where the two NAT/firewall/gateways are. The
machine does have interfaces/networks, but since I'm not
forwarding packets, they should be irrelevant.

> Linux should use the IP of the interface the packet leaves from,
> but I'd use tcpdump to make sure.

Good idea.

--
Grant Edwards                   grante at visi.com

Yow! Hello, GORRY-O!! I'm a GENIUS from HARVARD!!
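Added example, not from the thread or either poster: the iproute2/iptables configuration kashani describes, NAT on eth1 and eth2 with the source-address policy decision made so that a packet carrying one ISP's address never leaves through the other ISP's link (where ingress filtering would drop it). Interface names and the two public addresses come from the message; the gateway addresses, the /24 link prefixes, the table numbers and the choice of Comcast as the default uplink are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): source-based policy routing for the
# two-ISP router in kashani's diagram. Gateways, /24 link prefixes and table
# numbers are assumed placeholders, as is Comcast being the default uplink.
set -eu

COMCAST_IF=eth1; COMCAST_IP=24.1.2.231; COMCAST_GW=24.1.2.1; COMCAST_TABLE=100
SPEAK_IF=eth2;   SPEAK_IP=64.1.2.132;   SPEAK_GW=64.1.2.1;   SPEAK_TABLE=200

# Commands only execute when APPLY=1 (needs root); otherwise they are printed
# so the resulting configuration can be reviewed before it is applied.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$@"; fi
}

# One routing table per uplink: the connected prefix plus that ISP's default.
add_uplink_table() {   # args: iface ip gateway table
    run ip route add "${3%.*}.0/24" dev "$1" src "$2" table "$4"
    run ip route add default via "$3" dev "$1" table "$4"
    # RPDB rule: anything *sourced from* this ISP's address consults its own
    # table, so it cannot be sent out the other ISP's interface (the case
    # kashani warns about) and replies follow the path the request came in on.
    run ip rule add from "$2" table "$4" priority "$4"
    # NAT at the uplink: LAN traffic leaving here carries this uplink's address.
    run iptables -t nat -A POSTROUTING -o "$1" -j SNAT --to-source "$2"
}

configure_multihome() {
    add_uplink_table "$COMCAST_IF" "$COMCAST_IP" "$COMCAST_GW" "$COMCAST_TABLE"
    add_uplink_table "$SPEAK_IF"   "$SPEAK_IP"   "$SPEAK_GW"   "$SPEAK_TABLE"
    # LAN (10.x) sources match no 'from' rule and fall through to the main
    # table, whose default route decides which uplink they use.
    run ip route replace default via "$COMCAST_GW" dev "$COMCAST_IF"
    run ip route flush cache
    # Ask the kernel what tcpdump would otherwise show: with the rules in
    # place this must answer "dev eth2", not the main-table default eth1.
    run ip route get 8.8.8.8 from "$SPEAK_IP"
}

configure_multihome
```

Run as root with `APPLY=1` to apply; without it the script only prints the commands it would issue.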

--
gentoo-user@l.g.o mailing list