Re: VLAN with/and NATD
From: Evren Yurtesen (eyurtese_at_tekniikka.turkuamk.fi)
Date: 07/27/03
- Previous message: Chuck Swiger: "Re: VLAN with/and NATD"
- In reply to: Chuck Swiger: "Re: VLAN with/and NATD"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Sun, 27 Jul 2003 05:26:08 +0300 (WET) To: Chuck Swiger <cswiger@mac.com>
Hi Pal,
Your email came right in time. I have almost already sorted out the
NAT/VLAN stuff. I figured out that I have a logical problem. Natd doesnt
keep in its table that from which interface it got the packets so if I
have same IP addresses all around it would all get messed up.
About making NAT of NAT to have more external IP addresses. I asked about
multiple external IP addresses because I fear that the NAT translation
table will be full at some point. When I have many clients.
Now, why did your email came right in time? :)
I was just looking some Apple stuff and your email address shows mac.com
I wonder if it is possible to run Mac OS X applications in FreeBSD? :)
or is there any Mac OS X Emulators that you know? (even for windows?)
Evren
On Sat, 26 Jul 2003, Chuck Swiger wrote:
> Evren Yurtesen wrote:
> > Now the problem is that I want to use NAT inside VLANs that, lets say I
> > want to be able to use use 192.168.1.0/24 IP block in every VLAN and in
> > different VLAN's the same IPs should be able to be used.
> >
> > Does anybody have any suggestion how to do this? I would guess that I need
> > multiple IP addresses in the outside interface but how do I map the VLAN
> > interfaces to use those IPs with NAT?
>
> I think I understand what you're asking about, but it's important to seperate
> VLANs (which are used to logically seperate the network at layer-2) and IP
> netblocks, which are used by layer-3 IP routing.
>
> You should also be aware that VLAN implementations are not perfect; you may and
> probably will sometimes get packets leaking from one VLAN to another for reasons
> which include a failure to tag them with a VLAN id, buggy switches, and who
> knows what else. Having IP addresses be unique within the "network you manage"
> is a really good idea. [call this an opinion]
>
> That being said, configure your switches with a VLAN ID 0 where the NAT
> boxes/routers live and your external Internet connection, and VLAN ID 1, 2, 3
> will be used for each of your 192.168 networks, network-1, network-2, etc.
>
> If you've got enough public IPs to give one per network, have NAT-box-1 in VLAN
> ID 0 and 1 and translate traffic to public-ip-1, etc. If NAT-box-1 is
> dual-homed, have one interface be in each VLAN, otherwise you can use an
> ifconfig's alias and vlan keywords to do this over a single interface.
>
> Of course, if all of your NAT boxes will be dual-homed, you could simply put one
> interface onto each network and the other onto another switch and form the
> "external subnet" I'm talking about that way. But you asked how to do this via
> VLANs, so....
>
> Lather, rinse, repeat for NAT-box-2, network-2, -3, and so forth.
>
> Configure the external subnet to route traffic via the local Internet
> connection, and you're done. Oh, yeah-- if you don't have enough public IPs and
> you need to coalesce this further, use 10.0.0.0/8 addresses on these NAT boxes,
> then set up another layer of NAT translation which maps everybody on the 10/8
> subnet into a single public IP.
>
> [ NAT sucks. NAT'ing twice sucks worse: persistent connections don't work very
> well and tend to have a livetime which is inversely proportional to the amount
> of network traffic (hence dynamic entries) going by. ]
>
> -Chuck
>
>
>
_______________________________________________
freebsd-isp@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-isp
To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
- Previous message: Chuck Swiger: "Re: VLAN with/and NATD"
- In reply to: Chuck Swiger: "Re: VLAN with/and NATD"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Relevant Pages
|
