Thanks, I will go to another place and change the IPs.

On 21 December 2016 13:10:24 Simon Hobson <li...@thehobsons.co.uk> wrote:

> Luis Felipe Dominguez Vega <luis.doming...@mtz.desoft.cu> wrote:
>
>> Well here I am again.... I have a problem with IPs, see this:
>>
>>  ---------
>> | Another |
>> |  Place  |-----R1-- (......) (a VPN Provider) --R2 ----- GW (Shorewall PC) ------ My Net
>>  ---------
>>
>> The "Another Place" has 10.11.0.0/24 IPs and connects through R1 to my R2
>> router (10.11.1.1), but my net has 10.11.0.0/24 addresses too, so when the
>> GW PC gets a packet from the "Another Place" with, for example, the IP
>> 10.11.0.2, dmesg reports it as a martian packet. I think that is because
>> R2 has the 10.11.1.1 address and does not do NAT.
>
> Here you have hit a basic problem with using RFC1918 addresses - they
> aren't unique and you get broken network configurations.
>
> The simple answer is that within the group of systems you wish to route
> traffic between, all IP addresses and subnets must be unique and
> non-overlapping. If you have a subnet 10.11.0.0/24 in two places then that
> is broken and the answer is to renumber one of them so you have no
> duplicates.
> It may well be that your best solution is to renumber both "Another Place"
> and "My Net" to use different address ranges - they must be different
> (non-overlapping) between the two sites, and also different
> (non-overlapping) with all the subnets used by your VPN and/or internet
> providers. It's a real pain to do (I've had to do it a couple of times in
> the past for work), but really it's the correct answer.
>
> A workaround is to apply SNAT at Another place and masq all traffic to a
> different source address that doesn't clash with My Net - but that is
> really putting a sticking plaster over a gaping wound. For a network like
> that, there is no need for NAT (and everything it breaks) at all - subject
> to your VPN provider being capable of adding a couple of static routes into
> R1 and R2 to direct traffic to Another Place and My Net.
>
> This is really basic IP addressing stuff.
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
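
The uniqueness rule described in the reply above can be checked before any renumbering. This is an added example, not part of the original thread: the two site ranges come from the thread, while the /24 around R2's address and the 10.11.0.0/16 pool used to pick a replacement range are assumptions. Subnets used by the VPN or internet provider belong in the same inventory.

```python
import ipaddress
from itertools import combinations

# Constructed inventory. The two site ranges are from the thread; the /24 around
# R2's address 10.11.1.1 is an assumption (the thread gives no prefix length).
SITES = {
    "Another Place": ["10.11.0.0/24"],
    "My Net": ["10.11.0.0/24"],
    "R2 link (assumed /24)": ["10.11.1.0/24"],
}

def parse(inventory):
    """Return {site: [ip_network, ...]}; entries with host bits set raise ValueError."""
    return {site: [ipaddress.ip_network(n, strict=True) for n in nets]
            for site, nets in inventory.items()}

def find_overlaps(inventory):
    """List (site_a, net_a, site_b, net_b) for every overlapping pair across sites."""
    parsed = parse(inventory)
    clashes = []
    for (sa, nets_a), (sb, nets_b) in combinations(parsed.items(), 2):
        for na in nets_a:
            for nb in nets_b:
                # overlaps() also catches partial overlap, e.g. a /16 containing a /24
                if na.version == nb.version and na.overlaps(nb):
                    clashes.append((sa, str(na), sb, str(nb)))
    return clashes

def suggest_free(inventory, pool="10.11.0.0/16", prefixlen=24):
    """First subnet of the requested size inside pool that overlaps nothing in use.

    The pool is a hypothetical choice; pick whatever RFC1918 block you control.
    """
    used = [n for nets in parse(inventory).values() for n in nets]
    for cand in ipaddress.ip_network(pool).subnets(new_prefix=prefixlen):
        if not any(cand.overlaps(u) for u in used):
            return str(cand)
    return None

if __name__ == "__main__":
    for sa, na, sb, nb in find_overlaps(SITES):
        print(f"OVERLAP: {sa} {na} <-> {sb} {nb}")
    print("first free /24 for renumbering:", suggest_free(SITES))
```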