[PLUG] Comments on double NAT...

Michael Robinson plug_1 at robinson-west.com
Sun Dec 20 02:03:37 UTC 2009 

Okay, a couple of points:

1) The FVX 538 is implementing a parallel and independent way to 
   access the Internet through a shared DSL modem on a bridged 
   subnet.

2) Web, Goose, and Xerxes are gateway, mail server/proxy, gateway 
   respectively.  This is the original network's means of accessing
   the Net.

3) 216.151.30.105 is the gateway at the ISP, Opus.

4) 216.151.30.111 is the broadcast for the global subnet.

5) 216.151.30.104 is the network address for the global subnet.

6) 216.151.30.110 is currently not used.

7) The FVX 538 is connected to a 192.168.0.x class C subnet that
   serves one of the rooms in the house in Scappoose.  I want the
   original network to be able to instant message at least with
   that subnet.

8) The FVX 538 is implementing a VPN tunnel to Minnesota and
   presumably there is a similar router on the other end taking
   caring of the far end of the tunnel.

9)  I don't want the non 192.168.0.x clients excluding dodo to
    access the Net through the FVX 538 period.  These hosts
    should only be allowed to go through the tunnel.

10) I am going to try to link a DIA diagram that should help.

In a nutshell, I want to be able to route from the original 
network in Scappoose, it uses black lines in the DIA diagram, 
to a host on the other side of the VPN tunnel implemented by
the FVX 538.  Green lines denote Internet subnet links.  A
dotted black line indicates a link from Dodo to the FVX 538.
A blue line indicates a 192.168.3.0/28 or 192.168.3.16/28 
link.  So, out of the tunnel through the dotted black line
cross a blue line and from one the gateway machines on the
original network go where you need to go.  I am planning on
exposing goose, web, and xerxes.  Possibly more hosts in the
future, but not now.

There is also the problem of making 192.168.0.x and 192.168.1.x
link together ( Scappoose side both networks ).

This problem makes my head hurt.  Renumbering my side may not be
such a bad idea after all.  I detect a few errors in the HOWTO
I mentioned by the way.  The hardest part to figure out for
double nat is what the source nat rule needs to be.

Okay, so the DIA diagram only deals with relevant machines on
the Scappoose side and does NOT cover the Minnesota side at all.
Right now, that side is a black box to me.

More information about the PLUG mailing list