So you mean you could specify a summary network e.g. 
NAT_FOREIGN_NETWORK="10.1.0.0/16" and then specify a 
NONAT_NETWORK="10.1.1.0/24"?
So just thinking, if you specified NAT_FOREIGN_NETWORK="0/0" would it NAT 
everything? Would there be a problem with this?
Maybe you could configure by default all the Private networks?

Regards
Michael Knill
-----Original Message-----
From: Michael Keuter <li...@mksolutions.info>
Reply-To: AstLinux List <astlinux-users@lists.sourceforge.net>
Date: Sunday, 29 May 2016 at 8:32 PM
To: AstLinux List <astlinux-users@lists.sourceforge.net>
Subject: Re: [Astlinux-users] Firewall forwarding
Sent from my iPad

Michael

> On 28.05.2016 at 21:43, Lonnie Abelbeck <li...@lonnie.abelbeck.com> wrote:
> 
> 
>> On May 28, 2016, at 2:12 PM, Michael Keuter <li...@mksolutions.info> wrote:
>> 
>> 
>> 
>> Sent from my iPad
>> 
>> Michael
>> 
>>> On 28.05.2016 at 18:34, Lonnie Abelbeck <li...@lonnie.abelbeck.com> wrote:
>>> 
>>> Hi Michael,
>>> 
>>> Indeed dividing the /24 into two /25's is a hack and should be ignored.
>>> 
>>> The solution is, as you suggested, to add an rc.conf variable to specify 
>>> routed LAN subnets downstream from AstLinux to be NAT'ed.
>>> 
>>> I think the route to 'hidden' subnets downstream will still have to be an 
>>> rc.elocal route manually defined.
>>> 
>>> This is similar to the IPSec XAuth case with rc.conf variables 
>>> IPSECM_XAUTH_POOLBASE and IPSECM_XAUTH_POOLMASK (part of the web 
>>> interface).  The "ipsec-xauth-up-down" script automatically handles the 
>>> routes in the IPSec case.
>>> 
>>> I replicated your Cisco situation in the lab by using a downstream AstLinux 
>>> box with NONAT defined for a LAN interface so it is routed rather than 
>>> NAT'ed.
>>> 
>>> Michael, off-list I have an AIF custom-rules workaround, but an rc.conf 
>>> variable would be better, possibly using CIDR notation so multiple subnets 
>>> could be specified.
>>> 
>>> Perhaps...
>>> 
>>> NAT_FOREIGN_NETWORK="192.168.6.0/24"
>> 
>> I don't think "foreign" is intuitive, but I do not have a better idea yet.
> 
> I considered "downstream", "hidden", "remote"... "foreign" seems to fit 
> without extra connotations.

What about "NONAT_NETWORK" ?

> 
> 
>> 
>> Was there not a way that Kristian always used with Astlinux in front of the 
>> customers router on the DMZ (or was it Darrick)?
> 
> You are thinking of the "dmz-dnat" firewall plugin where the WAN interface of 
> a pre-existing router could be NAT'ed to.  Kristian used that idea at one 
> point years ago.
> 
> (AU) Michael's use case is similar, but his solution is more elegant than 
> using "dmz-dnat" and does not do double-NAT.
> 
> Lonnie
> 
> 
> 
> 
> ------------------------------------------------------------------------------
> What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
> patterns at an interface-level. Reveals which users, apps, and protocols are 
> consuming the most bandwidth. Provides multi-vendor support for NetFlow, 
> J-Flow, sFlow and other flows. Make informed decisions using capacity 
> planning reports. https://ad.doubleclick.net/ddm/clk/305295220;132659582;e
> _______________________________________________
> Astlinux-users mailing list
> Astlinux-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
> 
> Donations to support AstLinux are graciously accepted via PayPal to 
> pay...@krisk.org.
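The rc.conf idea discussed in this thread, as an added example that is not part of the original messages and not AstLinux or AIF code. It reads NAT_FOREIGN_NETWORK (routed subnets behind the LAN to masquerade on the WAN) in Lonnie's sense, and NONAT_NETWORK in the sense of Michael Knill's question at the top of the thread (subnets carved out of a summary network). The space-separated CIDR list format, the NONAT_NETWORK meaning and the EXT_IF default are assumptions of this example. The script prints the iptables rules rather than applying them, so it runs as a dry run anywhere:

```shell
#!/bin/sh
# Added example, not AstLinux or AIF code.  NAT_FOREIGN_NETWORK lists routed
# subnets behind the LAN that must be masqueraded on the WAN, NONAT_NETWORK
# lists subnets carved out of that.  Both are space-separated IPv4 CIDRs (the
# list format, the NONAT_NETWORK meaning and the EXT_IF default are
# assumptions).  Rules are printed, not applied.

EXT_IF="${EXT_IF:-eth0}"

# Accept only a dotted-quad IPv4 CIDR, so a typo in rc.conf can never turn
# into a rule that matches more than intended.  "0/0" is rejected on purpose;
# write 0.0.0.0/0 if NAT-everything is really what is meant.
valid_cidr() {
  case "$1" in */*) ;; *) return 1 ;; esac
  ip=${1%/*}
  bits=${1#*/}
  case "$ip" in ''|*[!0-9.]*) return 1 ;; esac
  case "$bits" in ''|*[!0-9]*) return 1 ;; esac
  [ "$bits" -le 32 ] || return 1
  oldIFS=$IFS; IFS=.; set -- $ip; IFS=$oldIFS
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Print the POSTROUTING rules in the order they must be inserted: every
# NONAT exclusion first (RETURN leaves the nat chain without translating),
# then one MASQUERADE per foreign network.  iptables takes the first match,
# so a /24 exclusion listed after a /16 MASQUERADE would never be reached.
nat_rules() {
  rules=""
  for net in $NONAT_NETWORK; do
    valid_cidr "$net" || { echo "invalid NONAT_NETWORK entry: $net" >&2; return 1; }
    rules="${rules}iptables -t nat -A POSTROUTING -o $EXT_IF -s $net -j RETURN
"
  done
  for net in $NAT_FOREIGN_NETWORK; do
    valid_cidr "$net" || { echo "invalid NAT_FOREIGN_NETWORK entry: $net" >&2; return 1; }
    rules="${rules}iptables -t nat -A POSTROUTING -o $EXT_IF -s $net -j MASQUERADE
"
  done
  printf '%s' "$rules"
}

# Constructed sample values matching the question at the top of the thread:
# a /16 summary network with one /24 excluded, plus Lonnie's /24.
NAT_FOREIGN_NETWORK="10.1.0.0/16 192.168.6.0/24"
NONAT_NETWORK="10.1.1.0/24"
nat_rules
```

With these values the first rule emitted is the RETURN for 10.1.1.0/24, followed by the MASQUERADE rules for 10.1.0.0/16 and 192.168.6.0/24. Writing 0.0.0.0/0 as a foreign network would masquerade every source that leaves via the WAN, including subnets the firewall was never told about, which is why the exclusions have to be explicit and listed first.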



