> I don't understand your network nor the logic behind it. It seems to me 
> that either you don't understand networking very well or
> just love to design overly complicated networks for S&Gs. NAT was 
> originally a hack to solve a very specific problem with the scarcity
> of IPv4 address space. There are certainly some good reasons for using 
> NAT such as:
> 
> - Internet load balancing
> - Intranet server/workstation load balancing
> - Firewall IP masquerading
> - Port Forwarding
> - Overlapping IP Address space with a VPN*
> 
>  From the info you provided, the last one seems to apply. A lot of the time 
> in commercial environments you're stuck with the IP address space and so you employ 
> NAT as a hack. But I don't see any reason why you *have* to do this 
> with your network.
> 
> If you have routers in your network, why use different IP networks in the 
> private address space? You have the whole 10 network (10.0.0.0 to 
> 10.255.255.255) and also the 172.16. network (172.16.0.0 to 172.31.0.0).
> 
> It's your network so feel free to do whatever you want. But if you'd 
> like other people to help / advise you, you should consider designing
> your network simpler so that it can be easily grokked. If, however, your 
> goal is security by obscurity, carry on...
> _______________________________________________
> PLUG mailing list
> PLUG@lists.pdxlinux.org
> http://lists.pdxlinux.org/mailman/listinfo/plug

You understand something about it and this is a very rude comment.

The reason I have to consider double NAT is that the person I want
to connect with is using the same RFC1918 network that I am using.
The alternative of course is to reprogram my end so it doesn't
overlap the other end, but that is a brutal solution that requires
me to go through multiple firewalls, DNS servers, and check in 
other places.  The hope is that double NAT is a reasonable solution 
that will be less error prone and easier to pursue than network
renumbering.

A more helpful comment than "I don't understand anything" is "I
don't understand this or that."  Frankly, that is the truth.
If you couldn't tell from my diagram that the same ip network
is in use in 2 networks that are supposed to be connected
together, you are blind.  Granted, my diagram is crude because
it is trying to show a bit more information and like I said I
didn't explicitly show all connections (but they are labeled).
The diagram is also crude because my information about the
other end is limited.

The reason NAT exists is the scarcity of address space and it
also exists to allow one to build isolated networks that have
some external connectivity to other networks.  Load balancing
is a routing issue, not a NAT issue as far as I can tell.
Having multiple Net connections and having to pick one is
most definitely a routing and not so much a NAT issue.

I don't try to create the most convoluted network designs I can
come up with thank you very much.  The reality is, I have a very
real world realistic set up.  Network root and growing a network 
complicate topology rather quickly.  I made a bad assumption up
front that I should use 192.168.1.0/24 for my network.  Network
root tends to create loops in networks.  What am I supposed to
do?  Am I supposed to add a dedicated server for network root
to avoid creating loops?  I have enough servers as it is.  One
of the reasons my network root servers are on a different network
is that I wanted them to be hidden from the Net (for the most
part).

It's quite simple, the remote site was using the 192.168.1.0/24 network
before I was, but I didn't realize this when I initially set up my
network.  At some point in time, I decided to add a second private
network in segments booted off of an existing server.  These are the
192.168.4.0/28 and 192.168.4.16/28 networks.  There are more segments,
but they aren't important to the problem at hand.  The only reason
I talked about those 2 segments is that the first segment provides
an alternate route to 192.168.1.0/24 that I don't want to use.  I
want to work everything through the routers on the original part
of the network.

Even if I were to go all out and try to use DIA to create a less crude
diagram of my network, I wouldn't be able to post it to this list.

Telling the other end, the Minnesota end, that they have to renumber to
fit into my private network so that no subnet boundaries have to be 
crossed is imposing a lot on them.  It generally doesn't work that way.

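For readers of the thread, here is what the double NAT the reply above is weighing looks like on a Linux router at each end. This is an added example, not code from either poster: it uses the iptables NETMAP target to give each site's real 192.168.1.0/24 a distinct "shadow" prefix as seen from the other site, so no host has to be renumbered. The shadow prefixes (10.1.1.0/24 for the local end, 10.2.2.0/24 for the Minnesota end) and the VPN interface name (tun0) are assumptions made for this example; the thread names none of them.

```shell
#!/bin/sh
# Added example, not code from either poster: a double NAT for two sites that
# both use 192.168.1.0/24, built with the Linux iptables NETMAP target.
# Each site presents itself to the other under a distinct, otherwise unused
# "shadow" prefix and rewrites addresses on its own VPN router. The shadow
# prefixes (10.1.1.0/24 local, 10.2.2.0/24 for the Minnesota end) and the
# VPN interface name (tun0) are assumptions made for this example.

LOCAL_NET=192.168.1.0/24

# Dotted quad <-> integer, using only POSIX sh arithmetic.
ip2int() {
    set -- $(printf '%s\n' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# netmap_addr IP FROM_NET/PREFIX TO_NET
# What NETMAP does to a single address: the host bits are kept, the network
# bits are swapped. Fails if IP is not inside FROM_NET, which is the case
# where the NETMAP rule would simply not match.
netmap_addr() {
    addr=$(ip2int "$1")
    prefix=${2#*/}
    from=$(ip2int "${2%/*}")
    to=$(ip2int "${3%/*}")
    host_mask=$(( (1 << (32 - prefix)) - 1 ))
    net_mask=$(( 0xFFFFFFFF & ~host_mask ))
    if [ $(( addr & net_mask )) -ne $(( from & net_mask )) ]; then
        echo "netmap_addr: $1 is not in $2" >&2
        return 1
    fi
    int2ip $(( (to & net_mask) | (addr & host_mask) ))
}

# netmap_rules VPN_IF MY_SHADOW PEER_SHADOW
# Prints the rules for one router; the other end runs the same function with
# the two shadow prefixes swapped. Packets arriving from the peer are addressed
# to our shadow prefix, so they are mapped back to the real LAN before routing
# (PREROUTING). Packets leaving for the peer carry real LAN sources and are
# mapped to our shadow prefix after routing (POSTROUTING). Peer hosts are
# addressed by their shadow prefix and are left alone here; the peer's router
# undoes that mapping. Conntrack reverses each translation for reply traffic.
netmap_rules() {
    vpn_if=$1; my_shadow=$2; peer_shadow=$3
    cat <<EOF
ip route add $peer_shadow dev $vpn_if
iptables -t nat -A PREROUTING  -i $vpn_if -d $my_shadow -j NETMAP --to $LOCAL_NET
iptables -t nat -A POSTROUTING -o $vpn_if -s $LOCAL_NET -j NETMAP --to $my_shadow
iptables -A FORWARD -i $vpn_if -s $peer_shadow -d $LOCAL_NET -j ACCEPT
iptables -A FORWARD -o $vpn_if -s $LOCAL_NET -d $peer_shadow -j ACCEPT
EOF
}

# Worked case for the local router: the local host 192.168.1.50 is seen by
# Minnesota as 10.1.1.50 and reaches the Minnesota host 192.168.1.50 by
# addressing 10.2.2.50. Nothing is applied here; the rules are only printed.
echo "local 192.168.1.50 appears to the peer as $(netmap_addr 192.168.1.50 192.168.1.0/24 10.1.1.0/24)"
echo "peer host reached as 10.2.2.50 is really $(netmap_addr 10.2.2.50 10.2.2.0/24 192.168.1.0/24)"
netmap_rules tun0 10.1.1.0/24 10.2.2.0/24
```

Two caveats a practitioner would check before relying on this. First, the shadow prefix for the far end must be routed toward the VPN router from every local segment; if another segment (such as the 192.168.4.0/28 path the poster wants to avoid) also carries a route for it, traffic will take that path and never be translated. Second, the rewriting is only at the IP layer: names that resolve to 192.168.1.x on the far side must be answered with the shadow address (split-horizon DNS or a separate view), and protocols that embed addresses in their payload need a NAT helper or will break. Renumbering remains the cleaner long-term fix; NETMAP buys a working link without it.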