Re: [Vyatta-users] Allowing ports to bridge using vyatta

2007-08-23 Thread Srinivaas Kamath
Hi Daren,
 
The translation-type masquerade is wrong. Use translation-type static.
 
rule 5 {
    type: destination
    translation-type: masquerade   === This is wrong. Change it to static

Thanks
Srinivas


From: Daren Tay [mailto:[EMAIL PROTECTED] 
Sent: Thursday, August 23, 2007 7:35 PM
To: Srinivaas Kamath; [EMAIL PROTECTED]
Subject: RE: [Vyatta-users] Allowing ports to bridge using vyatta


Hi Srinivaas,
 
I am currently testing it out. It still doesn't work, but it feels close.
My entire test setup can currently route to the internet successfully, but
the 'Destination NAT' is still not working.
 
My NAT rule for this is as follows:
The setup is still done in lab, so all are private IPs
192.168.1.x represents the public network
192.168.4.x represents the VIP on the load balancer
 
rule 5 {
    type: destination
    translation-type: masquerade
    inbound-interface: eth0
    source {
        network: 0.0.0.0/0
    }
    destination {
        address: 192.168.1.204
    }
    inside-address {
        address: 192.168.4.100
    }
}

eth0: public port of the router, to 192.168.1.x 
eth1: private port, connects to load balancer via 192.168.3.x/30 -- all
pingable
 
My idea is to map the 'public ip' of 192.168.1.204 to the load balancer
VIP 192.168.4.100
The above doesn't work, and I have been toying with the rule here and
there but no luck still.
 
But it feels near... you able to point me in the correct direction?
 
Thanks!
Daren

-Original Message-
From: Srinivaas Kamath [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 22 August 2007 19:36
To: 'Daren Tay'; [EMAIL PROTECTED]
Subject: RE: [Vyatta-users] Allowing ports to bridge using vyatta



Hi Daren,

 

NAT stands for Network Address Translation - a mechanism to provide
modification of the addresses and/or ports of packets as they pass through
a computer or network device. Destination NAT in particular refers to the
translation of the destination address (destination IP address). This
means that you can substitute the destination IP address in a packet with
another IP address. The router will do that for you automatically on the
forward path to the Loadbalancer. On the return path the router will
reverse the change by substituting the Source IP address back with the
original IP address. The router will keep track of all address
substitutions it makes in the forward path to the loadbalancer so that it
can reverse the changes in the reply packet. So from the client's
perspective it is still talking to the public VIP.

 

Example: If your public VIP is 203.55.86.87, the router can change this to
say 192.168.86.87 in the packet that is headed for the loadbalancer.
Therefore on the loadbalancer you have to configure 192.168.86.87 as your
VIP and not 203.55.86.87. But on the Vyatta router you have to configure
destination NAT to map 203.55.86.87 to 192.168.86.87. i.e. there is a
one-to-one mapping between the Public side VIP and the Private side VIP.
The Vyatta router will simply substitute the destination IP address. It
won't do any load balancing.

 

On the Vyatta router you have to define rules to do Destination NAT.
Please read the Vyatta configuration for further details.

 

Regards
Srinivas

 

 




From: Daren Tay [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 22, 2007 8:33 PM
To: [EMAIL PROTECTED]
Cc: Srinivaas Kamath
Subject: FW: [Vyatta-users] Allowing ports to bridge using vyatta

 

Hi Srinivas,

 

what's Destination NAT? -- Sorry, I guess I'm not quite 'there' with my
network know-hows...

 

but judging from what you say... if my VIPs are on the private network,
the idea is to have the actual public IPs to be VIPs on the router side,
then route it to the load balancer?

 

How should I do that?

Basically, I am dealing with web content...


Thanks!
Daren

-Original Message-
From: Srinivaas Kamath [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 22 August 2007 11:54
To: 'Daren Tay'; [EMAIL PROTECTED]
Subject: RE: [Vyatta-users] Allowing ports to bridge using vyatta

Hi,

 

Is there anything that stops you from using Destination NAT on the Vyatta
router? If you use DNAT, then the Link between the router and the
Loadbalancer can be on a private subnet and that goes for the VIPs as
well. So VLAN3, VLAN2 and the VIPs will all be on private subnets. You can
have a 1-to-1 correspondence between the VIP on the public side and the
VIP on the private subnet. The Vyatta router will do DNAT first and then
route the packet. So the scheme has to work.

 

Thanks

Srinivas

 




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Daren Tay
Sent: Wednesday, August 22, 2007 12:58 PM
To: [EMAIL PROTECTED]
Subject: [Vyatta-users] Allowing ports to bridge using vyatta

 

Hi everyone,

 

I'm currently sourcing open

Re: [Vyatta-users] Allowing ports to bridge using vyatta

2007-08-23 Thread Daren Tay
Hi Srinivas

what's the difference between using masquerading and static?

And just to update... I realise what was my problem!
Big boo boo! I didn't set the ip address 192.168.1.204 on the eth0!

Hahaha, it works now!

But another question is: can I enable ftp services for Vyatta OS? Don't see
services like VSFTP in it...

Thanks man!
Happy Daren
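
The forward and return translation described in this thread, together with the missing eth0 address that kept the rule from working, as a small Python model. This is an added example, not code from the thread or from Vyatta; the class and function names, the client address 192.168.1.50 and the router's own address 192.168.1.1 are constructed, and the model assumes the lab's shared subnet, where the router is only handed packets for addresses configured on eth0.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class DnatRouter:
    """Toy model of one-to-one destination NAT with connection tracking."""
    def __init__(self, eth0_addresses, rules):
        self.eth0_addresses = set(eth0_addresses)  # addresses configured on eth0
        self.rules = dict(rules)                   # public address -> inside address
        self.conntrack = {}                        # expected reply tuple -> public address

    def inbound(self, pkt):
        """Forward path (client -> load balancer): rewrite the destination."""
        # Assumption of this model: on a shared subnet the router is only handed
        # packets for addresses it owns on eth0; the NAT rule alone is not enough.
        if pkt.dst not in self.eth0_addresses:
            return None
        inside = self.rules.get(pkt.dst)
        if inside is None:
            return pkt
        # Remember the substitution, keyed by the tuple the reply will carry.
        self.conntrack[(inside, pkt.dport, pkt.src, pkt.sport)] = pkt.dst
        return replace(pkt, dst=inside)

    def outbound(self, pkt):
        """Return path (load balancer -> client): restore the public source."""
        public = self.conntrack.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return pkt if public is None else replace(pkt, src=public)

RULES = {"192.168.1.204": "192.168.4.100"}  # mapping from the thread's rule 5

def demo(eth0_addresses):
    """Pass one constructed request and its reply through the router."""
    router = DnatRouter(eth0_addresses, RULES)
    request = Packet("192.168.1.50", 40000, "192.168.1.204", 80)  # constructed client
    forwarded = router.inbound(request)
    if forwarded is None:
        return None, None
    reply = Packet(forwarded.dst, forwarded.dport, forwarded.src, forwarded.sport)
    return forwarded, router.outbound(reply)

if __name__ == "__main__":
    print(demo({"192.168.1.1"}))                   # address missing on eth0
    print(demo({"192.168.1.1", "192.168.1.204"}))  # address added to eth0
```

With the address present, the load balancer sees the request addressed to 192.168.4.100 while the client sees the reply coming from 192.168.1.204; without it, the request never reaches the NAT rule.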