On May 28, 2016, at 2:12 PM, Michael Keuter <li...@mksolutions.info> wrote:
>
>
> Sent from my iPad
>
> Michael
>
>> On 28.05.2016 at 18:34, Lonnie Abelbeck <li...@lonnie.abelbeck.com> wrote:
>>
>> Hi Michael,
>>
>> Indeed dividing the /24 into two /25's is a hack and should be ignored.
>>
>> The solution is, as you suggested, to add a rc.conf variable to specify
>> routed LAN subnets downstream from AstLinux to be NAT'ed.
>>
>> I think the route to 'hidden' subnets downstream will still have to be a
>> rc.elocal route manually defined.
>>
>> This is similar to the IPSec XAuth case with rc.conf variables
>> IPSECM_XAUTH_POOLBASE and IPSECM_XAUTH_POOLMASK (part of the web interface).
>> The "ipsec-xauth-up-down" script automatically handles the routes in the
>> IPSec case.
>>
>> I replicated your Cisco situation in the lab by using a downstream AstLinux
>> box with NONAT defined for a LAN interface so it is routed rather than
>> NAT'ed.
>>
>> Michael, off-list I have an AIF custom-rules workaround, but a rc.conf
>> variable would be better, possibly using CIDR notation so multiple subnets
>> could be specified.
>>
>> Perhaps...
>>
>> NAT_FOREIGN_NETWORK="192.168.6.0/24"
>
> I don't think "foreign" is intuitive, but I do not have a better idea yet.

I considered "downstream", "hidden", "remote"... "foreign" seems to fit without extra connotations.

> Was there not a way that Kristian always used with Astlinux in front of the
> customer's router on the DMZ (or was it Darrick)?

You are thinking of the "dmz-dnat" firewall plugin where the WAN interface of a pre-existing router could be NAT'ed to. Kristian used that idea at one point years ago.

(AU) Michael's use case is similar, but his solution is more elegant than using "dmz-dnat" and does not do double-NAT.

Lonnie
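As an added illustration of the rc.conf idea discussed in this thread (example code, not AstLinux or AIF code): a POSIX sh snippet that takes a space-separated CIDR list in the shape of the proposed NAT_FOREIGN_NETWORK variable, validates each entry, and prints the route plus MASQUERADE commands a manual rc.elocal would need. The downstream gateway address, the WAN interface name and the second subnet are constructed assumptions.

```shell
#!/bin/sh
# Added example, not AstLinux/AIF code. Generates (but does not execute) the
# route and NAT commands for downstream subnets listed in CIDR notation.

# Constructed sample values (assumptions, not from the thread)
NAT_FOREIGN_NETWORK="192.168.6.0/24 10.20.0.0/16"
FOREIGN_GATEWAY="192.168.5.2"   # LAN-side address of the downstream router
EXT_IF="eth0"                   # WAN interface on which the NAT happens

# Return 0 if $1 looks like an IPv4 CIDR: four octets 0-255 and a prefix 0-32.
# Rejects entries such as "192.168.6/24", "192.168.6.0" or "192.168.6.0/33".
is_ipv4_cidr() {
  cidr="$1"
  case "$cidr" in */*) ;; *) return 1 ;; esac
  addr="${cidr%/*}"
  plen="${cidr#*/}"
  case "$plen" in ''|*[!0-9]*) return 1 ;; esac
  [ "$plen" -le 32 ] || return 1
  oldifs="$IFS"; IFS=.
  set -- $addr
  IFS="$oldifs"
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Print one route and one POSTROUTING MASQUERADE rule per valid subnet in $1;
# invalid entries are reported as comments and skipped rather than silently
# turned into a malformed rule. Forwarding policy is left to the firewall.
foreign_nat_commands() {
  for net in $1; do
    if ! is_ipv4_cidr "$net"; then
      echo "# skipped invalid entry: $net"
      continue
    fi
    echo "ip route add $net via $FOREIGN_GATEWAY"
    echo "iptables -t nat -A POSTROUTING -s $net -o $EXT_IF -j MASQUERADE"
  done
}

foreign_nat_commands "$NAT_FOREIGN_NETWORK"
```

Review the printed commands before placing them in rc.elocal; the validation is the point, since an unchecked typo in the variable would otherwise become a broken route or NAT rule at boot.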