Joachim Schipper wrote:
> On Tue, Feb 06, 2007 at 01:07:33PM +0100, Mitja wrote:
>> Hello,
>>
>> I have problems configuring NAT. I've built a VPN from router2 to
>> default route. I have access to internet from router2. Now I am stuck
>> with NAT. How should I do NATting? What interface to use?
>>
>> # NETWORK SETUP:
>>
>> 192.168.1.0/24
>>    |
>>    |
>>    |
>> router 2-[172.16.16.6] --VPN-- [172.16.15.6]- router 1--Internet
>>    |  |                                       |
>>    |   --- VPN: public IP range -> default ---
>>    |
>> 193.x.x.x/27
>>
>>
>> # netstat -rnf encap
>> Routing tables
>>
>> Encap:
>> Source             Port  Destination        Port  Proto SA(Address/Proto/Type/Direction)
>> 172.16.15.6/32     0     172.16.16.6/32     0     0     172.16.15.6/esp/use/in
>> 172.16.16.6/32     0     172.16.15.6/32     0     0     172.16.15.6/esp/require/out
>> default            0     193.x.x.x/27       0     0     172.16.15.6/esp/use/in
>> 193.x.x.x/27       0     default            0     0     172.16.15.6/esp/require/out
> 
> I don't really understand. Given that 193.x.x.x/27 is
> internet-addressable space, is it *really* your intention to use that?

Yes, Router2 is located at a different physical location than router1 and
there is a need for internet addressable space.

> If so, review your assumptions. If not, and you intended to use some
> private space like 192.168.2.0/24 for the second subnet, and am I
> correct in assuming that your internet access from router2 is via the
> VPN tunnel to router1? And, perhaps as importantly, that leaving router1
> to do this stuff is not viable?

Yes, my internet access from router2 is via VPN to router1 and is
working well.

> Provided that the assumptions are correct, I assume that 'nat on enc0
> from { $int_if1:network $int_if2:network } -> $ext_if:0' would work, but
> you'll have to forgive me for not testing it - it's a bit of a mess
> here, and I don't want to set up the laptop right now.

Hmmm...if I understand your suggestion correctly I should try something
like this:

# pfctl -s all
TRANSLATION RULES:
nat on enc0 inet from 192.168.1.0/24 to any -> (bge0:0)

FILTER RULES:
pass in quick all keep state
pass out quick all keep state

# ifconfig bge0
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:30:48:5b:04:1c
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 172.16.16.6 netmask 0xfffffffc broadcast 172.16.16.7

I also changed bge0 to em1 (193.x.x.x), to have my source IP set to
addressable space?

Neither of those ideas worked here. Any other ideas?


Mitja
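
As an added illustration of the thread above (not code from either poster), the following models the outbound IPsec flow lookup from the posted `netstat -rnf encap` output and shows why a `nat on enc0` rule only puts LAN traffic into the tunnel when the translated source falls inside the `193.x.x.x/27 -> default` flow; the documentation prefix 203.0.113.0/27 stands in for the redacted 193.x.x.x/27.

```python
"""Model of the IPsec flow (SPD) lookup router2 performs on a packet
that pf has already translated on enc0.  Flows are transcribed from the
posted encap table; 203.0.113.0/27 is a constructed stand-in for the
thread's 193.x.x.x/27, and "default" means 0.0.0.0/0."""
import ipaddress

# Outbound flows from the post: (source, destination, SA, level).
FLOWS_OUT = [
    ("172.16.16.6/32", "172.16.15.6/32", "172.16.15.6/esp", "require"),
    ("203.0.113.0/27", "0.0.0.0/0",      "172.16.15.6/esp", "require"),
]


def match_flow(src, dst, flows=FLOWS_OUT):
    """Return (SA, level) of the most specific outbound flow covering the
    packet, or None when no flow matches (packet leaves in the clear).
    Specificity is approximated by summed prefix lengths, which is exact
    for the two flows in the post."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    best = None
    for fsrc, fdst, sa, level in flows:
        nsrc, ndst = ipaddress.ip_network(fsrc), ipaddress.ip_network(fdst)
        if s in nsrc and d in ndst:
            score = nsrc.prefixlen + ndst.prefixlen
            if best is None or score > best[0]:
                best = (score, sa, level)
    return None if best is None else (best[1], best[2])


def nat_target_report(nat_addr, dst="198.51.100.10"):
    """Translate a 192.168.1.0/24 client to nat_addr (what the posted
    'nat on enc0 ... -> (bge0:0)' rule does) and report whether the
    resulting packet to an Internet host is protected by a flow."""
    flow = match_flow(nat_addr, dst)
    return {"translated_src": nat_addr, "dst": dst,
            "encapsulated": flow is not None, "flow": flow}


if __name__ == "__main__":
    # (bge0:0) resolves to 172.16.16.6: only the host-to-host flow exists
    # for that source, so traffic to the Internet matches no flow.
    print(nat_target_report("172.16.16.6"))
    # An address inside the /27 matches the 'require' flow to default.
    print(nat_target_report("203.0.113.6"))
```

The first report shows the translated packet matching no outbound flow, so it would not be encapsulated at all; the second shows that a source inside the public /27 is covered by the `require` flow toward default.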
