On 2008-03-03, kashani <[EMAIL PROTECTED]> wrote:
> Grant Edwards wrote:
>
>> I don't understand why I have to do NAT. Can you explain why?
>> (Or point me to docs that explain why?)
>
> router01.your.network.com
> eth0 - 10.11.12.1
> eth1 - 24.1.2.231 - Comcast
> eth2 - 64.1.2.132 - Speakeasy
>
> Naturally RFC 1918 space is useless outside your network so
> you have to NAT.
Both of my gateways are on local networks and are doing NAT.
> However you need to make sure that you are making your policy
> routing decisions at eth0. You don't want traffic marked as
> originating from 24.1.2.231 going out eth2
I don't have IP forwarding enabled, so that shouldn't happen.
> since Speakeasy could (and should) drop traffic that is not
> origination from its IP space. Additionally traffic will be
> routing back to your via Comcast connection resulting in
> asymmetric routing which can increase the chances of packets
> arriving out of order.
>
> router01.your.network.com
> eth0 - 24.2.3.1/29
> eth0 - 64.2.3.1/29
> eth1 - 24.1.2.231 - Comcast
> eth2 - 64.1.2.132 - Speakeasy
>
> Same case with this setup even with real IPs. The chances of convincing
> any ISP to accept routes smaller than /24 from you are tiny. And finding
> anyone who knows what you even want to do even when you have the IP
> space is pretty much non-existent. I know, I've tried. Same thing in
> this case, you'll NAT at eth1 and eth2 and policy router at eth0.
>
> If you are doing this from a single machine with two IP's and no other
> networks or interfaces, it should just work.
The machine will have different non-routing IPs on the two
interfaces where the two NAT/firewall/gateways are. The
machine does have interfaces/networks, but since I'm not
forwarding packets, they should be irrelevant.
> Linux should use the IP of interface the packet leaves from,
> but I'd use tcpdump to make sure.
Good idea.
--
Grant Edwards grante Yow! Hello, GORRY-O!!
at I'm a GENIUS from HARVARD!!
visi.com
--
gentoo-user@lists.gentoo.org mailing list
