[PLUG] Comments on double NAT...

Mike Connors mconnors1 at gmail.com
Sat Dec 19 23:33:00 UTC 2009


Michael Robinson wrote:
> http://www.iptables.org/documentation/HOWTO/netfilter-double-nat-HOWTO.html#toc6
>
> I have a similar situation.  One network via a VPN is on the
> 192.168.1.0/24 network and my locally wired network is on the
> 192.168.1.0/24 network as well.
>
>
> Can you see the problem from this diagram?  Question is, should I
> renumber to get Bluejay to stop conflicting with the server on the other
> network or should I go the double nat route?  
>
> I'm thinking of using 192.168.5.0/28 on Dodo, NAT box 1, and on the
> Minnesota side, NAT box 2 will need to use say 192.168.5.16/28.  So I
> can map web to 192.168.5.2, goose to 192.168.5.3, and xerxes to
> 192.168.5.4.  On the Minnesota side 192.168.5.18 can be mapped to
> 192.168.1.35.  I am not currently source nat'ing on Dodo (except for the
> route to goose) where I am concerned that it might screw things up.  I
> want to route from Minnesota through either web or xerxes depending on
> which one I am using at the moment.  So I source nat on dodo to either
> 192.168.3.17 or 192.168.3.1.  Let's say that the source from Minnesota
> is 192.168.5.1.  The source from Scappoose going to Minnesota will be
> say 192.168.5.17.  I'll have to check to see if I will be SNATing on the
> Scappoose side from 3.x or 1.x.  The problem is, I have more routers
> involved than the double nat HOWTO has.
>   
I don't understand your network nor the logic behind it. It seems to me 
that either you don't understand networking very well or
just love to design overly complicated networks for S&Gs. NAT was 
originally a hack to solve a very specific problem with the scarcity
of IPv4 address space. There are certainly some good reasons for using 
NAT such as:

- Internet load balancing
- Intranet server/workstation load balancing
- Firewall IP masquerading
- Port Forwarding
- Overlapping IP Address space with a VPN*

From the info you provided, the last one seems to apply. A lot of the time 
in commercial enviros you're stuck w. the IP addr space and so you employ 
NAT as a hack. But I don't see any reason why you *have* to do this 
with your network.

If you have routers in your network, why use different IP networks in the 
private addr space? You have the whole 10 network (10.0.0.0 to 
10.255.255.255) and also the 172.16. network (172.16.0.0 to 172.31.0.0).

It's your network so feel free to do whatever you want. But if you'd 
like other people to help / advise you, you should consider designing 
your network simpler so that it can be easily grokked. If, however, your 
goal is security by obscurity, carry on...
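An added illustration of the double-NAT plan quoted in this thread (not code from either poster): two NAT boxes with static 1:1 mappings into separate /28 slices of 192.168.5.0/24, and a trace showing that neither overlapping 192.168.1.0/24 network ever sees the other's raw addresses. The real addresses of web, goose and xerxes behind Dodo are not given on the list, so the 192.168.1.1x values are constructed placeholders; the 192.168.5.x mappings follow the quoted plan.

```python
import ipaddress

# Placeholders (assumption): real addresses of the Scappoose hosts behind Dodo.
WEB, GOOSE, XERXES = "192.168.1.10", "192.168.1.11", "192.168.1.12"

class NatBox:
    """Static 1:1 NAT: inside address <-> address inside this box's /28 slice."""
    def __init__(self, name, slice_, inside_to_outside):
        self.name = name
        self.slice = ipaddress.ip_network(slice_)
        self.out = dict(inside_to_outside)
        self.back = {o: i for i, o in self.out.items()}
        # Every translated address must live in this box's own slice
        assert all(ipaddress.ip_address(o) in self.slice for o in self.back)

    def leave(self, src, dst):
        """Packet heading out to the shared 192.168.5.0 network: SNAT the source."""
        return self.out.get(src, src), dst

    def enter(self, src, dst):
        """Packet arriving from the shared network: DNAT the destination back."""
        return src, self.back.get(dst, dst)

DODO = NatBox("Dodo", "192.168.5.0/28",
              {WEB: "192.168.5.2", GOOSE: "192.168.5.3", XERXES: "192.168.5.4"})
MINNESOTA = NatBox("Minnesota", "192.168.5.16/28", {"192.168.1.35": "192.168.5.18"})

def slices_disjoint(a, b):
    """The two /28 slices must not overlap, or the NAT boxes would conflict."""
    return not a.slice.overlaps(b.slice)

def trace(client, target_alias):
    """(label, src, dst) seen at each hop for a request from Minnesota and its reply."""
    hops = []
    s, d = MINNESOTA.leave(client, target_alias); hops.append(("after Minnesota SNAT", s, d))
    s, d = DODO.enter(s, d);                      hops.append(("after Dodo DNAT", s, d))
    # Reply: the Scappoose host answers the translated Minnesota address
    s, d = DODO.leave(d, s);                      hops.append(("reply after Dodo SNAT", s, d))
    s, d = MINNESOTA.enter(s, d);                 hops.append(("reply after Minnesota DNAT", s, d))
    return hops

def never_sees_foreign_192_168_1(hops):
    """True if the two hops crossing the VPN carry only 192.168.5.x addresses."""
    shared = ipaddress.ip_network("192.168.5.0/24")
    crossing = [hops[0], hops[2]]
    return all(ipaddress.ip_address(a) in shared for _, s, d in crossing for a in (s, d))

if __name__ == "__main__":
    for label, s, d in trace("192.168.1.35", "192.168.5.2"):
        print(f"{label:28} {s} -> {d}")
```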