Hi Michael,

Indeed dividing the /24 into two /25's is a hack and should be ignored.

The solution is, as you suggested, to add an rc.conf variable to specify routed LAN subnets downstream from AstLinux to be NAT'ed. I think the route to 'hidden' subnets downstream will still have to be an rc.elocal route manually defined.

This is similar to the IPSec XAuth case with rc.conf variables IPSECM_XAUTH_POOLBASE and IPSECM_XAUTH_POOLMASK (part of the web interface). The "ipsec-xauth-up-down" script automatically handles the routes in the IPSec case.

I replicated your Cisco situation in the lab by using a downstream AstLinux box with NONAT defined for a LAN interface so it is routed rather than NAT'ed.

Michael, off-list I have an AIF custom-rules workaround, but an rc.conf variable would be better, possibly using CIDR notation so multiple subnets could be specified. Perhaps...

NAT_FOREIGN_NETWORK="192.168.6.0/24"

a space separated list of network(s) in CIDR notation would be allowed.

Is that a good name?

Lonnie

On May 27, 2016, at 11:18 PM, Lonnie Abelbeck <li...@lonnie.abelbeck.com> wrote:

> Michael,
>
> I've never tried this before, so bear with me...
>
> How about if your AstLinux 2nd internal interface is:
> 192.168.6.1 / 255.255.255.0
>
> Configure your Cisco WAN as 192.168.6.2/25 and Cisco LAN as 192.168.6.129/25
> (IP range: 192.168.6.129 - 192.168.6.254)
>
> finally add AstLinux routes:
> --
> ip route add 192.168.6.0/25 dev eth2
> ip route add 192.168.6.128/25 via 192.168.6.2 dev eth2
> --
>
> Would the AstLinux /24 broadcast address not matching be an issue?
>
> Lonnie
>
>
> On May 27, 2016, at 8:57 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
>
>> Wow I didn't realise that only locally connected networks were supported for
>> NAT! This is certainly going to be a big issue for me moving forward. I
>> REALLY don't want to do double NAT.
>>
>> Can you add a parameter which the firewall uses to add/override the standard
>> LAN masqueraded networks?
>> Most firewalls require you to specify the NATed networks!
>>
>> Regards
>> Michael Knill

_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users
Donations to support AstLinux are graciously accepted via PayPal to pay...@krisk.org.
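As an added illustration of the NAT_FOREIGN_NETWORK idea floated in this thread (this is example code written for this page, not AstLinux or AIF code, and not something any poster wrote), the POSIX sh helper below takes a space-separated CIDR list, rejects malformed entries, and prints the static route plus the firewall rules a routed downstream subnet needs so they can be reviewed before anything is applied. The interface names, the Cisco next-hop address 192.168.5.2 and the second entry 192.168.7.0/24 are assumptions; on a real AstLinux box the rules would be expressed as AIF custom rules rather than raw iptables calls.

```shell
#!/bin/sh
# Added example (not AstLinux's code): expand a hypothetical rc.conf
# variable NAT_FOREIGN_NETWORK (space-separated CIDR list) into the
# static route and NAT rules that a routed, non-connected downstream
# subnet needs.  Commands are printed, not executed.

# Constructed sample configuration; every value here is an assumption.
NAT_FOREIGN_NETWORK="192.168.6.0/24 192.168.7.0/24"
EXT_IF="eth0"             # AstLinux external (WAN) interface
INT_IF="eth2"             # AstLinux interface facing the Cisco WAN port
FOREIGN_GW="192.168.5.2"  # Cisco WAN address on INT_IF (directly connected)

# valid_cidr A.B.C.D/N: succeed only for four octets 0-255 and prefix 0-32.
# Anything else (missing prefix, letters, 5 octets, /33) is rejected so a
# typo in rc.conf cannot turn into an over-broad MASQUERADE rule.
valid_cidr() {
  case "$1" in
    */*) ;;
    *) return 1 ;;
  esac
  addr="${1%/*}"
  plen="${1#*/}"
  case "$plen" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$plen" -le 32 ] || return 1
  oldifs="$IFS"
  IFS=.
  set -- $addr
  IFS="$oldifs"
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in
      ''|*[!0-9]*) return 1 ;;
    esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# gen_foreign_nat "<cidr list>" EXT_IF INT_IF FOREIGN_GW
# Prints, for each valid network:
#   1. a static route so de-NAT'ed return traffic is sent to the Cisco
#      instead of the default gateway,
#   2. a FORWARD accept scoped to that source and the internal interface,
#   3. a MASQUERADE rule scoped to that source (not a blanket -o EXT_IF).
# Malformed entries are reported on stderr and skipped.
gen_foreign_nat() {
  nets="$1"; ext="$2"; int="$3"; gw="$4"
  for net in $nets; do
    if ! valid_cidr "$net"; then
      echo "NAT_FOREIGN_NETWORK: skipping invalid entry '$net'" >&2
      continue
    fi
    echo "ip route add $net via $gw dev $int"
    echo "iptables -A FORWARD -i $int -o $ext -s $net -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -s $net -o $ext -j MASQUERADE"
  done
}

gen_foreign_nat "$NAT_FOREIGN_NETWORK" "$EXT_IF" "$INT_IF" "$FOREIGN_GW"
```

Two points the example is meant to make visible. The route is not optional: outbound packets from 192.168.6.x are masqueraded fine without it, but the replies, once de-NAT'ed back to a 192.168.6.x destination, would follow the default route out the WAN unless a route through the Cisco exists, which is exactly the rc.elocal route mentioned above. And the MASQUERADE rule is keyed on `-s <network>` rather than on the outgoing interface alone, so listing foreign networks explicitly only ever widens NAT by the subnets the administrator named.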