On 2008-03-03, kashani <[EMAIL PROTECTED]> wrote:
> Grant Edwards wrote:
>
>> I don't understand why I have to do NAT. Can you explain why?
>> (Or point me to docs that explain why?)
>
> router01.your.network.com
> eth0 - 10.11.12.1
> eth1 - 24.1.2.231 - Comcast
> eth2 - 64.1.2.132 - Speakeasy
>
> Naturally RFC 1918 space is useless outside your network so
> you have to NAT.

Both of my gateways are on local networks and are doing NAT.

> However you need to make sure that you are making your policy
> routing decisions at eth0. You don't want traffic marked as
> originating from 24.1.2.231 going out eth2

I don't have IP forwarding enabled, so that shouldn't happen.

> since Speakeasy could (and should) drop traffic that is not
> originating from its IP space. Additionally traffic will be
> routing back to you via the Comcast connection resulting in
> asymmetric routing which can increase the chances of packets
> arriving out of order.
>
> router01.your.network.com
> eth0 - 24.2.3.1/29
> eth0 - 64.2.3.1/29
> eth1 - 24.1.2.231 - Comcast
> eth2 - 64.1.2.132 - Speakeasy
>
> Same case with this setup even with real IPs. The chances of convincing
> any ISP to accept routes smaller than /24 from you are tiny. And finding
> anyone who knows what you even want to do even when you have the IP
> space is pretty much non-existent. I know, I've tried. Same thing in
> this case, you'll NAT at eth1 and eth2 and policy route at eth0.
>
> If you are doing this from a single machine with two IPs and no other
> networks or interfaces, it should just work.

The machine will have different non-routing IPs on the two interfaces
where the two NAT/firewall/gateways are. The machine does have
interfaces/networks, but since I'm not forwarding packets, they should
be irrelevant.

> Linux should use the IP of the interface the packet leaves from,
> but I'd use tcpdump to make sure.

Good idea.

-- 
Grant Edwards                   grante             Yow!  Hello, GORRY-O!!
                                  at               I'm a GENIUS from HARVARD!!
                               visi.com
-- 
gentoo-user@lists.gentoo.org mailing list
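The dual-uplink layout kashani sketches (NAT on eth1 and eth2, policy routing decided on eth0, tcpdump to confirm nothing leaves the wrong uplink) looks roughly like the following iproute2/iptables configuration on Linux. This is an added example and not code from the thread: interface names and uplink addresses are taken from the first quoted layout, while the ISP gateway addresses, the routing-table ids, the `DRY_RUN` switch and the helper function names are assumptions made for the example. With `DRY_RUN` left at its default of 1 the script only prints the commands it would run, so it can be reviewed before being executed as root with `DRY_RUN=0`.

```shell
#!/bin/sh
# Added example (not from the thread): two-uplink NAT plus policy routing.
# Interfaces/uplink IPs follow kashani's first layout; gateway addresses,
# table ids and the DRY_RUN switch are assumptions made for this example.
set -eu

LAN_IF=eth0;  LAN_NET=10.11.12.0/24
WAN1_IF=eth1; WAN1_IP=24.1.2.231; WAN1_GW=24.1.2.1   # Comcast (gateway assumed)
WAN2_IF=eth2; WAN2_IP=64.1.2.132; WAN2_GW=64.1.2.1   # Speakeasy (gateway assumed)
TABLE1=101; TABLE2=102                                # routing table ids (assumed)

# Print each command instead of executing it unless DRY_RUN=0.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# One routing table per uplink: a default route via that ISP's gateway, plus a
# rule sending anything sourced from (or SNATed to) that uplink's address
# through it. This is what keeps packets stamped 24.1.2.231 off eth2.
uplink_table() {   # $1=table $2=iface $3=uplink ip $4=gateway
    run ip route replace default via "$4" dev "$2" table "$1"
    run ip rule add from "$3" table "$1" priority "$1"
}

# Rewrite LAN sources to the address of whichever uplink the packet exits on,
# so each ISP only ever sees its own address space as the source.
nat_uplink() {     # $1=iface $2=uplink ip
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$1" -j SNAT --to-source "$2"
}

setup_multiwan() {
    # Strict reverse-path filtering (1) drops replies that come back on the
    # "other" uplink, the asymmetric-routing case in the thread; loose mode (2)
    # only requires that some route to the source exists.
    run sysctl -w net.ipv4.conf.all.rp_filter=2
    run sysctl -w net.ipv4.ip_forward=1
    uplink_table "$TABLE1" "$WAN1_IF" "$WAN1_IP" "$WAN1_GW"
    uplink_table "$TABLE2" "$WAN2_IF" "$WAN2_IP" "$WAN2_GW"
    nat_uplink "$WAN1_IF" "$WAN1_IP"
    nat_uplink "$WAN2_IF" "$WAN2_IP"
    # Main table: plain default via Comcast; the rules above only steer
    # packets already bound to an uplink address.
    run ip route replace default via "$WAN1_GW" dev "$WAN1_IF"
}

# The check kashani suggests: watch eth2 for packets carrying the Comcast
# address as source. A correct policy-routing setup shows none.
leak_check_cmd() { run tcpdump -ni "$WAN2_IF" src host "$WAN1_IP"; }

# Number of generated commands that mention a given interface (for checks).
count_cmds_for() { setup_multiwan | grep -c -- "$1"; }
```

Running `setup_multiwan` in dry-run mode lists nine commands; the two `ip rule` lines are the policy-routing decision kashani describes, and `leak_check_cmd` is the tcpdump confirmation that no Comcast-sourced packets leave the Speakeasy interface.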