Looks like that's it then! Will it be available on the Firewall Tab (my preference) or will it go in user.conf?
Regards
Michael Knill

-----Original Message-----
From: Lonnie Abelbeck <li...@lonnie.abelbeck.com>
Reply-To: AstLinux List <astlinux-users@lists.sourceforge.net>
Date: Sunday, 29 May 2016 at 12:59 PM
To: AstLinux List <astlinux-users@lists.sourceforge.net>
Subject: Re: [Astlinux-users] Firewall forwarding

I understand what you are saying, but NAT_NETWORK seems like "the" NAT_NETWORK, not an "additional" NAT_NETWORK.

I think a year from now if I saw NAT_FOREIGN_NETWORK defined I would know it was a subnet outside of AstLinux. Even if it was a broad summarized network as you suggested, I would know it contained subnets outside of AstLinux.

I think NAT_FOREIGN_NETWORK is still the one to beat.

Lonnie

On May 28, 2016, at 6:31 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:

> Yes FOREIGN is good although I think it should be standard NAT configuration
> e.g. NAT_NETWORK and put in the notes that you don't need to add this
> parameter for locally connected networks!
> For larger sites with lots of 'FOREIGN' networks, you would want to add this
> as a summarised network e.g. 10.1.0.0/16 which might actually include the
> directly connected networks. I assume this should not be a problem?
> In this case, FOREIGN does not make as much sense.
>
> Regards
> Michael Knill
>
>
> -----Original Message-----
> From: Lonnie Abelbeck <li...@lonnie.abelbeck.com>
> Reply-To: AstLinux List <astlinux-users@lists.sourceforge.net>
> Date: Sunday, 29 May 2016 at 3:34 AM
> To: AstLinux List <astlinux-users@lists.sourceforge.net>
> Subject: Re: [Astlinux-users] Firewall forwarding
>
> Hi Michael,
>
> Indeed dividing the /24 into two /25's is a hack and should be ignored.
>
> The solution is, as you suggested, to add a rc.conf variable to specify
> routed LAN subnets downstream from AstLinux to be NAT'ed.
>
> I think the route to 'hidden' subnets downstream will still have to be a
> rc.elocal route manually defined.
>
> This is similar to the IPSec XAuth case with rc.conf variables
> IPSECM_XAUTH_POOLBASE and IPSECM_XAUTH_POOLMASK (part of the web interface).
> The "ipsec-xauth-up-down" script automatically handles the routes in the
> IPSec case.
>
> I replicated your Cisco situation in the lab by using a downstream AstLinux
> box with NONAT defined for a LAN interface so it is routed rather than NAT'ed.
>
> Michael, off-list I have an AIF custom-rules workaround, but a rc.conf
> variable would be better, possibly using CIDR notation so multiple subnets
> could be specified.
>
> Perhaps...
>
> NAT_FOREIGN_NETWORK="192.168.6.0/24"
>
> a space separated list of network(s) in CIDR notation would be allowed. Is
> that a good name?
>
> Lonnie

------------------------------------------------------------------------------
What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic patterns at an interface-level. Reveals which users, apps, and protocols are consuming the most bandwidth. Provides multi-vendor support for NetFlow, J-Flow, sFlow and other flows. Make informed decisions using capacity planning reports.
https://ad.doubleclick.net/ddm/clk/305295220;132659582;e
_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users
Donations to support AstLinux are graciously accepted via PayPal to pay...@krisk.org.
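Lonnie's proposal in the thread above (a space-separated list of CIDR networks in NAT_FOREIGN_NETWORK, with the routes to the hidden downstream subnets still added by hand in rc.elocal), shown as an added shell example that is not AstLinux or AIF code: it validates each entry and prints, without executing, the source-matched nat rule and the static route each downstream routed subnet would need. The interface name eth0, the downstream router address 192.168.1.2 and the use of an iptables MASQUERADE target are assumptions for illustration; how AstLinux's firewall would actually consume the variable is not described on this page.

```shell
#!/bin/sh
# Added example, not AstLinux/AIF code. Consumes a space-separated list of
# IPv4 networks in CIDR notation (the form proposed for NAT_FOREIGN_NETWORK)
# and prints, without executing, the nat rule and the static route each
# downstream routed subnet would need. Written for POSIX sh / busybox ash.

# valid_cidr NET: succeed only for a well-formed dotted-quad/prefix-length.
valid_cidr() {
  case "$1" in
    */*) ;;
    *) return 1 ;;
  esac
  addr=${1%/*}
  plen=${1#*/}
  case "$plen" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$plen" -le 32 ] || return 1
  oldifs=$IFS
  IFS=.
  set -- $addr
  IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in
      ''|*[!0-9]*) return 1 ;;
    esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# nat_rules "NET ..." EXTIF: one MASQUERADE rule per network, matched on the
# source address, so traffic from the foreign subnets leaves EXTIF NAT'ed.
# Fails on any malformed entry so a typo does not silently drop the rest.
nat_rules() {
  list=$1
  extif=$2
  for net in $list; do
    if ! valid_cidr "$net"; then
      echo "nat_rules: invalid network '$net'" >&2
      return 1
    fi
    echo "iptables -t nat -A POSTROUTING -s $net -o $extif -j MASQUERADE"
  done
}

# route_cmds "NET ..." GW: the rc.elocal-style static routes that point each
# hidden downstream subnet at the router that fronts it (GW is hypothetical).
route_cmds() {
  list=$1
  gw=$2
  for net in $list; do
    valid_cidr "$net" || return 1
    echo "ip route add $net via $gw"
  done
}

# Demonstration with a constructed value of the proposed variable; eth0 and
# 192.168.1.2 are placeholders, not values taken from the thread.
NAT_FOREIGN_NETWORK="192.168.6.0/24 10.1.0.0/16"
nat_rules "$NAT_FOREIGN_NETWORK" eth0
route_cmds "$NAT_FOREIGN_NETWORK" 192.168.1.2
```

The validation is the part worth keeping whatever the final variable name is: a list that is interpolated straight into iptables arguments should reject anything that is not a dotted quad with a prefix length of 0 to 32, and should fail the whole list rather than applying the entries before the bad one.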