On 17 Jul 2012, at 04:56, Grant Ridder wrote:

> If you are running an HA pair, why would you care which box it went back
> through?

Because it could be/is a stateful firewall and the backup will drop the traffic. (FreeBSD CARP)

Cheers,
Seth

> -Grant
>
> On Monday, July 16, 2012, Mark Andrews wrote:
>
>> In message <CAD8GWsswFwnPKTfxt=squumzofs3_-yrihy8o4gt3w9+x6f...@mail.gmail.com>, Lee
>> writes:
>>> On 7/16/12, Owen DeLong <o...@delong.com> wrote:
>>>>
>>>> Why would you want NAT66? ICK!!! One of the best benefits of IPv6 is being
>>>> able to eliminate NAT. NAT was a necessary evil for IPv4 address
>>>> conservation. It has no good use in IPv6.
>>>
>>> NAT is good for getting the return traffic to the right firewall. How
>>> else do you deal with multiple firewalls & asymmetric routing?
>>
>> Traffic goes where the routing protocols direct it. NAT doesn't
>> help this and may actually hinder as the source address cannot be
>> used internally to direct traffic to the correct egress point.
>>
>> Instead you need internal routers that have to try to track traffic
>> flows rather than making simple decisions based on source and
>> destination addresses.
>>
>> Applications that use multiple connections may not always end up
>> with consistent external source addresses.
>>
>>> Yes, it's possible to get traffic back to the right place without NAT.
>>> But is it as easy as just NATing the outbound traffic at the
>>> firewall?
>>
>> It can be and it can be easier to debug without NAT mangling
>> addresses.
>>
>> The only thing helpful NAT66 does is delay the externally visible
>> source address selection until the packet passes the NAT66 box.
>>
>> Mark
>> --
>> Mark Andrews, ISC
>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
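As an added illustration that is not part of the thread, the following constructed Python model shows the mechanism the posters are arguing about: a stateful firewall only accepts return traffic for which it holds state, so a reply that takes an asymmetric path to the other firewall of a pair is dropped; NATing the outbound flow to a per-firewall external address steers the reply back to the box that holds the state, and sharing state across the pair (the `sync` flag, an assumption of this model rather than anything described in the thread) makes the asymmetric path survive without NAT. The addresses and the upstream's routing choice are made up for the example.

```python
"""Constructed toy model of two stateful firewalls in front of one site."""
from dataclasses import dataclass, field


@dataclass
class Firewall:
    name: str
    ext_addr: str                       # external address used when NATing
    states: set = field(default_factory=set)   # (external_src, dst) entries

    def outbound(self, src: str, dst: str, nat: bool) -> str:
        """Create state for a new outbound flow and return the source address
        the outside world will see for it."""
        visible_src = self.ext_addr if nat else src
        self.states.add((visible_src, dst))
        return visible_src

    def inbound(self, src: str, dst: str) -> bool:
        """Return traffic is accepted only if a matching state exists."""
        return (dst, src) in self.states


def route_return(fws: list, dst: str) -> Firewall:
    """Pick the firewall a reply reaches. A firewall's own external address is
    only reachable through that firewall; the shared internal prefix is
    reachable through either, and in this constructed scenario the upstream
    happens to hand it to the second firewall (the asymmetric case)."""
    for fw in fws:
        if fw.ext_addr == dst:
            return fw
    return fws[1]


def simulate(nat: bool, sync: bool = False) -> tuple:
    """Run one outbound flow from fw1 and report which firewall the reply
    lands on and whether that firewall accepts it."""
    fw1 = Firewall("fw1", "2001:db8:1::1")       # constructed addresses
    fw2 = Firewall("fw2", "2001:db8:2::1")
    if sync:
        fw2.states = fw1.states                   # pair shares one state table
    internal_host = "2001:db8:100::10"
    server = "2001:db8:ffff::80"
    seen_src = fw1.outbound(internal_host, server, nat)
    reply_fw = route_return([fw1, fw2], seen_src)
    return reply_fw.name, reply_fw.inbound(server, seen_src)


if __name__ == "__main__":
    for nat, sync in ((True, False), (False, False), (False, True)):
        print(f"nat={nat} sync={sync} ->", simulate(nat, sync))
```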