Yes, FOREIGN is good, although I think it should be standard NAT configuration, e.g. NAT_NETWORK, and put in the notes that you don't need to add this parameter for locally connected networks! For larger sites with lots of 'FOREIGN' networks, you would want to add this as a summarised network, e.g. 10.1.0.0/16, which might actually include the directly connected networks. I assume this should not be a problem? In this case, FOREIGN does not make as much sense.
Regards
Michael Knill

-----Original Message-----
From: Lonnie Abelbeck <li...@lonnie.abelbeck.com>
Reply-To: AstLinux List <astlinux-users@lists.sourceforge.net>
Date: Sunday, 29 May 2016 at 3:34 AM
To: AstLinux List <astlinux-users@lists.sourceforge.net>
Subject: Re: [Astlinux-users] Firewall forwarding

Hi Michael,

Indeed dividing the /24 into two /25's is a hack and should be ignored.

The solution is, as you suggested, to add an rc.conf variable to specify routed LAN subnets downstream from AstLinux to be NAT'ed. I think the route to 'hidden' subnets downstream will still have to be an rc.elocal route manually defined.

This is similar to the IPSec XAuth case with rc.conf variables IPSECM_XAUTH_POOLBASE and IPSECM_XAUTH_POOLMASK (part of the web interface). The "ipsec-xauth-up-down" script automatically handles the routes in the IPSec case.

I replicated your Cisco situation in the lab by using a downstream AstLinux box with NONAT defined for a LAN interface so it is routed rather than NAT'ed.

Michael, off-list I have an AIF custom-rules workaround, but an rc.conf variable would be better, possibly using CIDR notation so multiple subnets could be specified.

Perhaps...

NAT_FOREIGN_NETWORK="192.168.6.0/24"

a space-separated list of network(s) in CIDR notation would be allowed.

Is that a good name?

Lonnie

On May 27, 2016, at 11:18 PM, Lonnie Abelbeck <li...@lonnie.abelbeck.com> wrote:

> Michael,
>
> I've never tried this before, so bear with me...
>
> How about if your AstLinux 2nd internal interface is:
> 192.168.6.1 / 255.255.255.0
>
> Configure your Cisco WAN as 192.168.6.2/25 and Cisco LAN as 192.168.6.129/25
> (IP range: 192.168.6.129 - 192.168.6.254)
>
> finally add AstLinux routes:
> --
> ip route add 192.168.6.0/25 dev eth2
> ip route add 192.168.6.128/25 via 192.168.6.2 dev eth2
> --
>
> Would the AstLinux /24 broadcast address not matching be an issue?
>
> Lonnie
>
>
> On May 27, 2016, at 8:57 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
>
>> Wow, I didn't realise that only locally connected networks were supported for
>> NAT! This is certainly going to be a big issue for me moving forward. I
>> REALLY don't want to do double NAT.
>>
>> Can you add a parameter which the firewall uses to add/override the standard
>> LAN masqueraded networks?
>> Most firewalls require you to specify the NATed networks!
>>
>> Regards
>> Michael Knill

_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users

Donations to support AstLinux are graciously accepted via PayPal to pay...@krisk.org.
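The NAT_FOREIGN_NETWORK variable Lonnie proposes above, worked through as an added example that is not part of this thread or of AstLinux's AIF firewall: a POSIX shell snippet that validates a space-separated CIDR list and prints the route and masquerade command each valid entry implies, skipping malformed entries. The interface names, the next-hop address, the sample list and the generated command forms are assumptions.

```sh
#!/bin/sh
# Added example, not AstLinux/AIF code. Expands a NAT_FOREIGN_NETWORK-style
# list (the name proposed in the thread) into the commands each entry implies.
# Interface names, the next hop and the command forms below are assumptions.

# Constructed sample settings, as they might appear in rc.conf; two entries
# are deliberately malformed (octet > 255, no prefix length) to show validation.
NAT_FOREIGN_NETWORK="192.168.6.128/25 10.1.0.256/24 172.16.0.0 10.1.0.0/16"
EXT_IF="eth0"            # assumed external (WAN) interface
INT_IF="eth2"            # internal interface facing the downstream router
NEXT_HOP="192.168.6.2"   # downstream router, the Cisco WAN address in the thread

# Return 0 if $1 is a dotted-quad IPv4 prefix in CIDR form (a.b.c.d/0-32)
valid_cidr() {
  case "$1" in */*) ;; *) return 1 ;; esac
  addr=${1%/*}
  plen=${1#*/}
  case "$plen" in ''|*[!0-9]*) return 1 ;; esac
  [ "$plen" -le 32 ] || return 1
  old_ifs=$IFS
  IFS=.
  set -- $addr
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Print (do not run) one route and one masquerade rule per valid entry.
# The route is the part Lonnie expects to stay a manual rc.elocal route.
# A summary prefix such as 10.1.0.0/16 that overlaps a directly connected
# network is harmless here: the connected route is more specific and wins.
gen_foreign_nat() {
  for net in $NAT_FOREIGN_NETWORK; do
    if ! valid_cidr "$net"; then
      echo "NAT_FOREIGN_NETWORK: skipping invalid entry '$net'" >&2
      continue
    fi
    echo "ip route replace $net via $NEXT_HOP dev $INT_IF"
    echo "iptables -t nat -A POSTROUTING -s $net -o $EXT_IF -j MASQUERADE"
  done
}

gen_foreign_nat
```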