Sent from my iPad
Michael

> On 28.05.2016 at 18:34, Lonnie Abelbeck <li...@lonnie.abelbeck.com> wrote:
>
> Hi Michael,
>
> Indeed dividing the /24 into two /25's is a hack and should be ignored.
>
> The solution is, as you suggested, to add a rc.conf variable to specify
> routed LAN subnets downstream from AstLinux to be NAT'ed.
>
> I think the route to 'hidden' subnets downstream will still have to be a
> rc.elocal route manually defined.
>
> This is similar to the IPSec XAuth case with rc.conf variables
> IPSECM_XAUTH_POOLBASE and IPSECM_XAUTH_POOLMASK (part of the web interface).
> The "ipsec-xauth-up-down" script automatically handles the routes in the
> IPSec case.
>
> I replicated your Cisco situation in the lab by using a downstream AstLinux
> box with NONAT defined for a LAN interface so it is routed rather than NAT'ed.
>
> Michael, off-list I have an AIF custom-rules workaround, but a rc.conf
> variable would be better, possibly using CIDR notation so multiple subnets
> could be specified.
>
> Perhaps...
>
> NAT_FOREIGN_NETWORK="192.168.6.0/24"

I don't think "foreign" is intuitive, but I do not have a better idea yet. Was there not a way that Kristian always used with AstLinux in front of the customer's router on the DMZ (or was it Darrick)?

> a space separated list of network(s) in CIDR notation would be allowed. Is
> that a good name ?
>
> Lonnie
>
>
>> On May 27, 2016, at 11:18 PM, Lonnie Abelbeck <li...@lonnie.abelbeck.com> wrote:
>>
>> Michael,
>>
>> I've never tried this before, so bear with me...
>>
>> How about if your AstLinux 2nd internal interface is:
>> 192.168.6.1 / 255.255.255.0
>>
>> Configure your Cisco WAN as 192.168.6.2/25 and Cisco LAN as 192.168.6.129/25
>> (IP range: 192.168.6.129 - 192.168.6.254)
>>
>> finally add AstLinux routes:
>> --
>> ip route add 192.168.6.0/25 dev eth2
>> ip route add 192.168.6.128/25 via 192.168.6.2 dev eth2
>> --
>>
>> Would the AstLinux /24 broadcast address not matching be an issue ?
>>
>> Lonnie
>>
>>
>>> On May 27, 2016, at 8:57 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
>>>
>>> Wow I didn't realise that only locally connected networks were supported for
>>> NAT! This is certainly going to be a big issue for me moving forward. I
>>> REALLY don't want to do double NAT.
>>>
>>> Can you add a parameter which the firewall uses to add/override the
>>> standard LAN masqueraded networks?
>>> Most firewalls require you to specify the NATed networks!
>>>
>>> Regards
>>> Michael Knill

_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users

Donations to support AstLinux are graciously accepted via PayPal to pay...@krisk.org.
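The thread proposes an rc.conf variable holding a space-separated list of downstream subnets in CIDR notation that the firewall should masquerade, with the route to each subnet still defined by hand. The script below is an added example of how such a variable could be validated and turned into route and masquerade commands; it is not AstLinux or AIF code. `NAT_FOREIGN_NETWORK` is the name proposed in the thread, the `valid_cidr` and `nat_rules` helpers are constructed here, the interface names `eth0`/`eth2` and gateway `192.168.6.2` are assumed, and the sample subnets are constructed. It rejects the whole list if any entry is malformed or is a host address rather than a network, so a typo in the config cannot leave a half-applied NAT setup behind, and it prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not AstLinux/AIF code). NAT_FOREIGN_NETWORK is the variable
# name proposed on the list; helper names, interfaces, gateway and sample
# subnets are assumptions for this example.

# valid_cidr CIDR -> 0 if CIDR is a syntactically valid IPv4 *network*
# (four octets 0..255, prefix 0..32, no leading zeros, host bits all zero).
valid_cidr() {
    cidr=$1
    case "$cidr" in
        */*) ;;
        *) return 1 ;;          # no prefix length at all
    esac
    addr=${cidr%/*}
    prefix=${cidr#*/}
    case "$prefix" in
        ''|*[!0-9]*|0[0-9]*) return 1 ;;   # not a plain decimal number
    esac
    [ "$prefix" -le 32 ] || return 1

    # split the address on dots; positional parameters are local to the function
    oldifs=$IFS; IFS=.
    set -- $addr
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done

    # reject host addresses such as 192.168.6.1/24: host bits must be zero
    ip=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    if [ "$prefix" -eq 0 ]; then
        mask=0
    else
        mask=$(( 4294967295 - ((1 << (32 - prefix)) - 1) ))
    fi
    [ $(( ip & mask )) -eq "$ip" ]
}

# nat_rules EXT_IF LAN_IF GATEWAY "CIDR CIDR ..."
# Prints (does not run) the route and masquerade commands for each entry.
# Validates every entry first so a bad list is refused as a whole.
nat_rules() {
    ext_if=$1; lan_if=$2; gw=$3; nets=$4
    for net in $nets; do
        if ! valid_cidr "$net"; then
            echo "nat_rules: rejecting '$net': not a valid IPv4 network in CIDR notation" >&2
            return 1
        fi
    done
    for net in $nets; do
        # the downstream subnet is reached via the router on the LAN interface
        echo "ip route add $net via $gw dev $lan_if"
        # and is masqueraded on the external interface like a local LAN
        echo "iptables -t nat -A POSTROUTING -s $net -o $ext_if -j MASQUERADE"
    done
}

# Constructed sample configuration: two subnets behind a router at 192.168.6.2
NAT_FOREIGN_NETWORK="192.168.7.0/24 10.20.0.0/16"
nat_rules eth0 eth2 192.168.6.2 "$NAT_FOREIGN_NETWORK"
```

Running the script prints one `ip route add` and one `iptables ... MASQUERADE` line per subnet; a list containing `192.168.6.1/24` (a host, not a network) or `10.0.0.0/33` is refused before anything is emitted.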