On Thu, 8 Mar 2007 at 23:32 -0700, Michael Torrie wrote:
> On Thu, 2007-03-08 at 22:06 -0700, Hans Fugal wrote:
> > Absolutely not. NAT is out of the question. NAT always causes more
> > problems than it solves, even in enterprise. In enterprise, you have
> > full-time sysadmins to go around chasing NAT issues and keeping a
> > semblance of normalcy. I know, I used to be one. I will set my network
> > up and just let it run. I will not be a slave to NAT.
>
> I disagree. Static one-to-one NAT (think of it as a layer 3 bridge) is
> clean and effective. You do just set it up once and let it run. No
> one's a slave to anything. Once you introduce dynamic NATing, then,
> yes, you will likely have problems. I have never had to chase down NAT
> problems. It just works. What problems have you observed?

VOIP and bittorrent come to mind. Broken but widespread protocols, like
SIP, that embed IP information inside the protocol.

> > > You can do this by either creating 4 virtual interfaces on the openwrt
> > > box, or using some kind of proxyarp solution.
> >
> > Proxy ARP is the magic I needed.
> > http://www.sjdjweis.com/linux/proxyarp/
>
> I see from my 5 second skim that the setup described here seems to be
> similar to yours.
>
> I'm not quite sure I understand your final setup, though. Would you
> care to elaborate for us?

Sure. openwrt has two interfaces of interest. vlan1 is the port that
cisco is connected to, and has a public address (27.109). br0 is the
ports that everything else is connected to, and has a private address
(0.2). I did try it with br0 having the same address as vlan1, as
outlined in that article, and it worked fine also (same problem in the
end though). Then I set up the routing as follows:

openwrt# ip route
216.31.27.105 dev vlan1 scope link
216.31.27.104/29 dev br0 scope link
172.17.0.0/24 dev br0 proto kernel scope link src 172.17.0.2
default via 216.31.27.105 dev vlan1

I turn on proxy arp in /proc/sys/net/ipv4/conf/{vlan1,br0}/proxy_arp,
and set /proc/sys/net/ipv4/conf/{all,default}/proxy_ignore to 0 (it's
apparently 1 by default on openwrt). Finally I remove vlan1 from br0.

When I type "show arp" on the cisco, it gives me what I expect -
everyone has the same MAC address (the address of openwrt), until one of
those ping replies flies out with the real MAC address still embedded
and cisco updates the cache for that host.

-- 
Hans Fugal ; http://hans.fugal.net
There's nothing remarkable about it. All one has to do is hit the
right keys at the right time and the instrument plays itself.
    -- Johann Sebastian Bach
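As an added model (not code from the thread, and not anything the openwrt or Linux projects ship), the following Python script parses the route table pasted above and makes two things explicit that the message leaves implicit: the /32 host route for 216.31.27.105 is what keeps the default gateway reachable out of vlan1 once the whole /29 has been pointed at br0, and which ARP requests the box will answer under the Linux proxy-ARP rule (reply when the route to the target leaves via a different interface than the one the request arrived on). The parser, the simplified proxy-ARP rule and the 198.51.100.1 test address are constructions for illustration only.

```python
# Added model of the openwrt routing / proxy-ARP setup from the post.
# The route table text is transcribed from the posted "ip route" output;
# everything else here is a constructed, simplified model (assumption).
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: str                                     # egress interface
    via: Optional[ipaddress.IPv4Address] = None  # next hop, None if on-link


def parse_ip_route(text: str) -> List[Route]:
    """Parse the subset of 'ip route' output syntax that appears in the post."""
    routes = []
    for line in text.strip().splitlines():
        f = line.split()
        if f[0] == "default":
            prefix = ipaddress.ip_network("0.0.0.0/0")
        else:
            # A bare host such as 216.31.27.105 becomes a /32
            prefix = ipaddress.ip_network(f[0], strict=False)
        dev = f[f.index("dev") + 1]
        via = ipaddress.ip_address(f[f.index("via") + 1]) if "via" in f else None
        routes.append(Route(prefix, dev, via))
    return routes


# Constructed copy of the table Hans pasted from the openwrt box
IP_ROUTE_OUTPUT = """
216.31.27.105 dev vlan1 scope link
216.31.27.104/29 dev br0 scope link
172.17.0.0/24 dev br0 proto kernel scope link src 172.17.0.2
default via 216.31.27.105 dev vlan1
"""
ROUTES = parse_ip_route(IP_ROUTE_OUTPUT)


def lookup(dst, routes=ROUTES) -> Optional[Route]:
    """Longest-prefix match, the way the kernel FIB selects a route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def egress(dst, routes=ROUTES) -> Optional[str]:
    """Interface a packet to dst leaves on, or None if unroutable."""
    r = lookup(dst, routes)
    return r.dev if r else None


def default_gateway_onlink(routes=ROUTES) -> bool:
    """The default route only works if its next hop resolves to an on-link
    route out of the same interface; otherwise the box cannot ARP for it.
    This is why the /32 for .105 must sit in front of the /29 on br0."""
    dflt = lookup("0.0.0.0", routes)
    if dflt is None or dflt.via is None:
        return False
    hop = lookup(dflt.via, routes)
    return hop is not None and hop.via is None and hop.dev == dflt.dev


def proxy_arp_replies(in_dev, target, routes=ROUTES, proxy_arp=("vlan1", "br0")) -> bool:
    """Simplified Linux rule (assumption): with proxy_arp enabled on the
    receiving interface, answer an ARP request when the route to the target
    leaves via a different interface than the one the request came in on."""
    if in_dev not in proxy_arp:
        return False
    r = lookup(target, routes)
    return r is not None and r.dev != in_dev


if __name__ == "__main__":
    for dst in ("216.31.27.105", "216.31.27.107", "172.17.0.9", "198.51.100.1"):
        print(dst, "->", egress(dst))
    print("default gateway reachable:", default_gateway_onlink())
    without_host_route = [r for r in ROUTES if r.prefix.prefixlen != 32]
    print("without the /32 for .105:", default_gateway_onlink(without_host_route))
    print("vlan1 answers ARP for .107:", proxy_arp_replies("vlan1", "216.31.27.107"))
```

Dropping the /32 from the table makes `default_gateway_onlink` return False: the gateway address then matches the /29 on br0, so the box would try to ARP for its upstream on the wrong side. The proxy-ARP check also shows the symmetry of the setup: vlan1 answers for the /29 hosts behind br0, and br0 answers for the cisco's address and everything beyond it.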
/* PLUG: http://plug.org, #utah on irc.freenode.net Unsubscribe: http://plug.org/mailman/options/plug Don't fear the penguin. */
