On May 28, 2016, at 11:54 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
> Looks like that's it then!
> Will it be available on the Firewall Tab (my preference) or will it go in
> user.conf?

This is a power-user feature, I think user.conf fits best, also a rc.elocal script needs to add the routes, so something like:

Example: Add a downstream router off the AstLinux 2nd interface (172.30.10.1/24) with IP 172.30.10.2

Subnet 1: 192.168.6.0/24 - Office LAN
Subnet 2: 192.168.7.0/24 - Accounting LAN
Subnet 3: 10.1.10.0/24 - WiFi

Note: NAT is disabled on the downstream router, all subnets are 'routed'

On the AstLinux box:

-- user.conf snippet --
NAT_FOREIGN_NETWORK="192.168.6.0/24 192.168.7.0/24 10.1.10.0/24"
--

-- /mnt/kd/rc.elocal --
#!/bin/sh

. /etc/rc.conf

## Add foreign network routes off the 2nd interface using gateway gwip
gwip="172.30.10.2"

for x in $NAT_FOREIGN_NETWORK; do
  ip route add $x via $gwip dev $INT2IF
done
--

> So you mean you could specify a summary network e.g.
> NAT_FOREIGN_NETWORK="10.1.0.0/16" and then specify a
> NONAT_NETWORK="10.1.1.0/24"?
> So just thinking, if you specified NAT_FOREIGN_NETWORK="0/0" would it NAT
> everything? Would there be a problem with this?

Looking at the example above, defining only the needed downstream subnets and not a broad summary better documents what is going on. Additionally, NAT'ing only the needed subnets is better practice than NAT'ing a broad range.

For the AstLinux use case, adding a single NAT_FOREIGN_NETWORK rc.conf variable to define additional NAT'ed subnets seems like a good solution.

Lonnie

> Regards
> Michael Knill
>
> -----Original Message-----
> From: Lonnie Abelbeck <li...@lonnie.abelbeck.com>
> Reply-To: AstLinux List <astlinux-users@lists.sourceforge.net>
> Date: Sunday, 29 May 2016 at 12:59 PM
> To: AstLinux List <astlinux-users@lists.sourceforge.net>
> Subject: Re: [Astlinux-users] Firewall forwarding
>
> I understand what you are saying, but NAT_NETWORK seems like "the"
> NAT_NETWORK not an "additional" NAT_NETWORK.
>
> I think a year from now if I saw NAT_FOREIGN_NETWORK defined I would know it
> was a subnet outside of AstLinux. Even if it was a broad summarized network
> as you suggested, I would know it contained subnets outside of AstLinux.
>
> I think NAT_FOREIGN_NETWORK is still the one to beat.
>
> Lonnie
>
> On May 28, 2016, at 6:31 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
>
>> Yes FOREIGN is good although I think it should be standard NAT configuration
>> e.g. NAT_NETWORK and put in the notes that you don't need to add this
>> parameter for locally connected networks!
>> For larger sites with lots of 'FOREIGN' networks, you would want to add this
>> as a summarised network e.g. 10.1.0.0/16 which might actually include the
>> directly connected networks. I assume this should not be a problem?
>> In this case, FOREIGN does not make as much sense.
>>
>> Regards
>> Michael Knill
>>
>> -----Original Message-----
>> From: Lonnie Abelbeck <li...@lonnie.abelbeck.com>
>> Reply-To: AstLinux List <astlinux-users@lists.sourceforge.net>
>> Date: Sunday, 29 May 2016 at 3:34 AM
>> To: AstLinux List <astlinux-users@lists.sourceforge.net>
>> Subject: Re: [Astlinux-users] Firewall forwarding
>>
>> Hi Michael,
>>
>> Indeed dividing the /24 into two /25's is a hack and should be ignored.
>>
>> The solution is, as you suggested, to add a rc.conf variable to specify
>> routed LAN subnets downstream from AstLinux to be NAT'ed.
>>
>> I think the route to 'hidden' subnets downstream will still have to be a
>> rc.elocal route manually defined.
>>
>> This is similar to the IPSec XAuth case with rc.conf variables
>> IPSECM_XAUTH_POOLBASE and IPSECM_XAUTH_POOLMASK (part of the web interface).
>> The "ipsec-xauth-up-down" script automatically handles the routes in the
>> IPSec case.
>>
>> I replicated your Cisco situation in the lab by using a downstream AstLinux
>> box with NONAT defined for a LAN interface so it is routed rather than
>> NAT'ed.
>>
>> Michael, off-list I have an AIF custom-rules workaround, but a rc.conf
>> variable would be better, possibly using CIDR notation so multiple subnets
>> could be specified.
>>
>> Perhaps...
>>
>> NAT_FOREIGN_NETWORK="192.168.6.0/24"
>>
>> a space separated list of network(s) in CIDR notation would be allowed. Is
>> that a good name?
>>
>> Lonnie

_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users

Donations to support AstLinux are graciously accepted via PayPal to pay...@krisk.org.
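As an added example (not AstLinux project code and not part of the thread above), the following POSIX sh script checks a NAT_FOREIGN_NETWORK list before an rc.elocal script turns it into routes. Each entry must be a well-formed IPv4 CIDR, must not be broader than a chosen minimum prefix length (so "0/0" and "10.0.0.0/8" are refused, in line with the advice against NAT'ing a broad summary), and must not contain the directly connected 2nd-interface subnet (the summary-network case raised in the thread); the gateway address is also checked to actually sit on that subnet. NAT_FOREIGN_NETWORK, INT2IF and the 172.30.10.x / 192.168.x.x / 10.1.10.0 addresses are taken from the thread; MIN_PREFIX, the function names, the eth1 interface name and the dry-run behaviour (it prints the ip route commands instead of executing them) are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not AstLinux project code: sanity-check $NAT_FOREIGN_NETWORK
# (user.conf) before rc.elocal turns it into "ip route add" commands.
# NAT_FOREIGN_NETWORK and INT2IF are the rc.conf names used in the thread;
# MIN_PREFIX, the function names and the dry-run output are assumptions here.

MIN_PREFIX=16   # refuse anything broader than a /16, e.g. "0/0" or "10.0.0.0/8"

# ip2int a.b.c.d -> prints the address as an unsigned 32-bit integer;
# returns 1 (prints nothing) on anything that is not four decimal octets.
ip2int() {
  oldifs=$IFS; IFS=.
  set -- $1
  IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    # reject empty octets, non-digits and leading zeros (octal trap in $(( )))
    case "$o" in ''|*[!0-9]*|0?*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# netmask LEN -> prints the mask for a /LEN prefix as an integer
netmask() {
  if [ "$1" -eq 0 ]; then echo 0; else echo $(( (4294967295 << (32 - $1)) & 4294967295 )); fi
}

# in_net ADDR NET -> true if a.b.c.d ADDR lies inside NET (a.b.c.d/len)
in_net() {
  a=$(ip2int "$1") || return 1
  n=$(ip2int "${2%/*}") || return 1
  m=$(netmask "${2#*/}")
  [ $(( a & m )) -eq $(( n & m )) ]
}

# check_cidr NET -> prints "ok", "malformed" or "too-broad"; non-zero unless ok
check_cidr() {
  case "$1" in */*) ;; *) echo malformed; return 1 ;; esac
  addr=${1%/*}; len=${1#*/}
  case "$len" in ''|*[!0-9]*) echo malformed; return 1 ;; esac
  [ "$len" -le 32 ] || { echo malformed; return 1; }
  # breadth is checked before the address so the "0/0" shorthand reports as too broad
  [ "$len" -ge "$MIN_PREFIX" ] || { echo too-broad; return 1; }
  ip2int "$addr" >/dev/null || { echo malformed; return 1; }
  echo ok
}

# foreign_routes GWIP INT2NET -> prints the route command for each acceptable
# entry of $NAT_FOREIGN_NETWORK; returns 1 if the gateway is off-subnet or any
# entry was rejected (rejections go to stderr, the good routes are still printed)
foreign_routes() {
  gwip=$1; int2net=$2; rc=0
  if ! in_net "$gwip" "$int2net"; then
    echo "gateway $gwip is not inside $int2net" >&2
    return 1
  fi
  for x in $NAT_FOREIGN_NETWORK; do
    r=$(check_cidr "$x") || { echo "skip $x: $r" >&2; rc=1; continue; }
    # a "foreign" entry that swallows the directly connected 2nd-interface subnet
    # is the summary-network case from the thread: refuse it rather than route it
    if in_net "${int2net%/*}" "$x"; then
      echo "skip $x: contains directly connected $int2net" >&2; rc=1; continue
    fi
    echo "ip route add $x via $gwip dev $INT2IF"
  done
  return $rc
}

# Dry run with the thread's example values (constructed defaults); an rc.elocal
# script would pipe this output into sh once the list checks out clean.
NAT_FOREIGN_NETWORK=${NAT_FOREIGN_NETWORK:-"192.168.6.0/24 192.168.7.0/24 10.1.10.0/24"}
INT2IF=${INT2IF:-eth1}
foreign_routes 172.30.10.2 172.30.10.0/24
```

Run as-is it prints three ip route lines for the Office, Accounting and WiFi subnets; with NAT_FOREIGN_NETWORK="10.1.0.0/16 172.30.0.0/16 0/0" exported beforehand it prints only the /16 that does not contain the 2nd-interface subnet, reports the other two on stderr, and exits non-zero so rc.elocal can refuse to add anything rather than silently route a broad range.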