Luis Felipe Dominguez Vega <luis.doming...@mtz.desoft.cu> wrote:

> Well, here I am again.... I have a problem with IPs; see this:
> 
> --------- 
> | Another | 
> | Place   |-----R1-- (......) (a VPN Provider) --R2 -----  GW (Shorewall PC) 
> ------  My Net 
> ---------
> 
> In the "Another Place" there are 10.11.0.0/24 IPs that go through R1 and connect to my R2
> router (10.11.1.1), but my net has 10.11.0.0/24 addresses too, so when the GW
> PC gets a packet from the "Another Place" with, for example, the IP 10.11.0.2,
> the dmesg command reports it as a martian packet. I think that is because R2 has
> the 10.11.1.1 address and does not do NAT.

Here you have hit a basic problem with using RFC1918 addresses - they aren't 
unique and you get broken network configurations.

The simple answer is that within the group of systems you wish to route traffic 
between, all IP addresses and subnets must be unique and non-overlapping. If 
you have a subnet 10.11.0.0/24 in two places then that is broken and the answer 
is to renumber one of them so you have no duplicates.
It may well be that your best solution is to renumber both "Another Place" and 
"My Net" to use different address ranges - they must be different 
(non-overlapping) between the two sites, and also different (non-overlapping) 
with all the subnets used by your VPN and/or internet providers. It's a real 
pain to do (I've had to do it a couple of times in the past for work), but 
really it's the correct answer.

A workaround is to apply SNAT at Another Place and masq all traffic to a 
different source address that doesn't clash with My Net - but that is really 
putting a sticking plaster over a gaping wound. For a network like that, there 
is no need for NAT (and everything it breaks) at all - subject to your VPN 
provider being capable of adding a couple of static routes into R1 and R2 to 
direct traffic to Another Place and My Net.

This is really basic IP addressing stuff.
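The overlap check and renumbering described in the reply above, as an added example that is not part of the thread. It uses Python's standard ipaddress module to find prefixes that clash between sites (the "10.11.0.0/24 in two places" case), to show why a packet with source 10.11.0.2 arriving from the VPN side looks like it belongs to the local LAN, and to pick a replacement prefix from a pool that overlaps none of the other sites. The site names, the "vpn_transit" prefix for the R1/R2 link (the thread only says R2 is 10.11.1.1) and the 10.20.0.0/16 renumbering pool are constructed assumptions.

```python
"""Find overlapping subnets between sites before routing between them.

Added example, not code from the Shorewall thread. All site names and
prefixes below are constructed to mirror the scenario in the thread.
"""
import ipaddress
from itertools import combinations

# Constructed sample: both sites use 10.11.0.0/24, which is the problem.
# "vpn_transit" is an ASSUMED placeholder for the R1/R2 link network; the
# thread only states that R2 is 10.11.1.1.  Use the provider's real prefixes.
SITES = {
    "another_place": ["10.11.0.0/24"],
    "my_net": ["10.11.0.0/24"],
    "vpn_transit": ["10.11.1.0/30"],
}


def find_overlaps(sites):
    """Return (site_a, prefix_a, site_b, prefix_b) for every pair of prefixes
    belonging to *different* sites that overlap.  Routing between the sites
    is only unambiguous when this list is empty."""
    nets = [(name, ipaddress.ip_network(p, strict=True))
            for name, prefixes in sites.items() for p in prefixes]
    clashes = []
    for (site_a, net_a), (site_b, net_b) in combinations(nets, 2):
        if site_a != site_b and net_a.overlaps(net_b):
            clashes.append((site_a, str(net_a), site_b, str(net_b)))
    return clashes


def looks_like_local_source(src_ip, local_prefixes):
    """True when a source address arriving from a remote peer falls inside
    one of the local prefixes.  That is the situation in the thread: the
    kernel's reverse-path check sees 10.11.0.2 as a LAN address coming in on
    the wrong interface, and with log_martians enabled dmesg reports it as a
    martian source."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(p) for p in local_prefixes)


def suggest_replacement(sites, site, pool="10.20.0.0/16", prefixlen=24):
    """Pick the first /prefixlen subnet from the ASSUMED pool that overlaps
    no prefix of any *other* site.  Returns None if the pool is exhausted."""
    others = [ipaddress.ip_network(p)
              for name, prefixes in sites.items() if name != site
              for p in prefixes]
    for candidate in ipaddress.ip_network(pool).subnets(new_prefix=prefixlen):
        if not any(candidate.overlaps(other) for other in others):
            return str(candidate)
    return None


def renumbered(sites, site, new_prefix):
    """Return a copy of the site table with one site moved to new_prefix."""
    fixed = dict(sites)
    fixed[site] = [new_prefix]
    return fixed


if __name__ == "__main__":
    for clash in find_overlaps(SITES):
        print("overlap:", clash)
    print("10.11.0.2 looks local to my_net:",
          looks_like_local_source("10.11.0.2", SITES["my_net"]))
    replacement = suggest_replacement(SITES, "my_net")
    print("renumber my_net to:", replacement)
    print("overlaps after renumbering:",
          find_overlaps(renumbered(SITES, "my_net", replacement)))
```

Running the module on the constructed table reports the single clash between "another_place" and "my_net", proposes 10.20.0.0/24 for "my_net", and shows the clash list empty afterwards. Adding the VPN provider's transit and internet-facing prefixes to the table covers the reply's second requirement, that site ranges also not overlap the provider's own subnets.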


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
