Re: [PLUG] Comments on double NAT...

2009-12-20 Thread Michael Robinson
On Sat, 2009-12-19 at 18:47 -0800, Mike Connors wrote:
 Michael Robinson wrote:
 
 Web, Goose, and Xerxes are gateway, mail server/proxy, gateway
 respectively. This is the original network's means of accessing
 the Net.
 
 I think this piece is complicating matters. It seems you've got multiple
 NICs in these boxes on different networks? Which, in the absence of a
 router and switch/hub, I understand. But if you could centralize your
 routing it would make this a lot less painful.
  In a nutshell, I want to be able to route from the original 
  network in Scappoose, it uses black lines in the DIA diagram, 
  to a host on the other side of the VPN tunnel implemented by
  the FVX 538.  

Yes, I have multiple links; the diagram, if the plug list hadn't
screwed it up, shows that.  You can count the links in the diagram
and that shows the number of networks that machine is hooked to
(treat the Net as one network), which equals the number of
interfaces in that machine.

 Original network is 192.168.0.0 / 24?
  There is also the problem of making 192.168.0.x and 192.168.1.x
  link together ( Scappoose side both networks ).

 How do you mean?
 A router has a leg into both networks so hosts can communicate
 across net boundaries?
 Or do you mean putting them on the same network by making the
 subnet smaller, such as 192.168.0.x / 22?

192.168.0.x/24 network was implemented by my brother for the Office
which was split off of the original network.  Dodo is acting as a
router.  Dodo has one leg in the 192.168.0.x/24 (or theoretically
it will have a leg to there) and two other legs to three other 
networks.  192.168.3.0/28 and 192.168.3.16/28 are accessible 
through one leg and 192.168.4.0/24, the network dodo boots over, 
is available on a third leg.  The diagram would help as it 
shows all of the switches, the FVX 538, the Linksys WAP11 between
web/xerxes and dodo, and the DSL modem.  The diagram also 
differentiates the links in different networks by color.

My brother's network is the FVX 538, a Netgear switch/802.11g
appliance, my other brother's computer in the Office, and a 
printer in the office.  The link from the Office to the server 
room, a wired line, was taken off of the original network to 
create this isolated network.  The routing is not centralized 
and that is confusing, but it can't be helped.  The Office 
network has to be reliable because it is being used by a 
business.  I just want to be able to go to the business VPN 
from the original network and I want to be able to instant 
message computers in the office from the original network.
I think that the FVX has the only static address in the 
192.168.0.x network and that everything else in the office
network is assigned by it randomly.  This could be a problem
because how do I instant message someone on a computer that has a
random IP address?

In some ways it would be nice to say let's start over and go from
a parallel routing situation to a singular routing infrastructure,
but I don't think that's an option.  To some degree, the business
network has to operate independently of the original network.  This
is why my goal is to only allow instant messaging between Office
computers and original private network computers, at least initially.

I am going to put the DIA diagram on my global ftp servers because it
appears to be one of the only ways that I can get it out to people
reading the plug list that want to study it:

ftp://ftp.robinson-west.com/pub/robinson-west_com.dia

   or:

ftp://ftp2.robinson-west.com/pub/robinson-west_com.dia

The hardest part of making a diagram is finding the right
tool to diagram with and learning what to diagram.  I
don't diagram every single host, only the servers/routers
and maybe a printer.

___
PLUG mailing list
PLUG@lists.pdxlinux.org
http://lists.pdxlinux.org/mailman/listinfo/plug


Re: [PLUG] Comments on double NAT...

2009-12-20 Thread Mike Connors
Michael Robinson wrote:
 I am going to put the DIA diagram on my global ftp servers because it
 appears to be one of the only ways that I can get it out to people
 reading the plug list that want to study it:

 ftp://ftp.robinson-west.com/pub/robinson-west_com.dia

or:

 ftp://ftp2.robinson-west.com/pub/robinson-west_com.dia

 The hardest part of making a diagram, finding the right
 tool to diagram with and learning what to diagram.  I
 don't diagram every single host, only the servers/routers
 and maybe a printer.

Okay, I'll take a look at it and see if I can offer up some useful
advice keeping in mind all your connectivity requirements. I must say,
this is the 1st time I tried to do a network diagram w. Dia and it was
extremely painful compared to Visio...

One of the great things about diagramming networks is that
you can play around with different ideas and design the network
to meet your reqs, be flexible, scalable, reliable, fast, easy
to troubleshoot, etc.

And then you can come up w. an implementation plan.

It's too bad you live so far out and don't come to PLUG events, because
it would be great to have a whiteboard brainstorming session w. you. I
really dig this kind of stuff, a lot! :-)


Re: [PLUG] Comments on double NAT...

2009-12-19 Thread Mike Connors
Michael Robinson wrote:
 http://www.iptables.org/documentation/HOWTO/netfilter-double-nat-HOWTO.html#toc6

 I have a similar situation.  One network via a VPN is on the
 192.168.1.0/24 network and my locally wired network is on the
 192.168.1.0/24 network as well.


 Can you see the problem from this diagram?  Question is, should I
 renumber to get Bluejay to stop conflicting with the server on the other
 network or should I go the double nat route?  

 I'm thinking of using 192.168.5.0/28 on Dodo, NAT box 1, and on the
 Minnesota side, NAT box 2 will need to use say 192.168.5.16/28.  So I
 can map web to 192.168.5.2, goose to 192.168.5.3, and xerxes to
 192.168.5.4.  On the Minnesota side 192.168.5.18 can be mapped to
 192.168.1.35.  I am not currently source nat'ing on Dodo (except for the
 route to goose) where I am concerned that it might screw things up.  I
 want to route from Minnesota through either web or xerxes depending on
 which one I am using at the moment.  So I source nat on dodo to either
 192.168.3.17 or 192.168.3.1.  Let's say that the source from Minnesota
 is 192.168.5.1.  The source from Scappoose going to Minnesota will be
 say 192.168.5.17.  I'll have to check to see if I will be SNATing on the
 Scappoose side from 3.x or 1.x.  The problem is, I have more routers
 involved than the double nat HOWTO has.
I don't understand your network nor the logic behind it. It seems to me 
that either you don't understand networking very well or
just love to design overly complicated networks for SGs. NAT was 
originally a hack to solve a very specific problem with the scarcity
of IPv4 address space. There are certainly some good reasons for using 
NAT such as:

- Internet load balancing
- Intranet server/workstation load balancing
- Firewall IP masquerading
- Port Forwarding
- Overlapping IP Address space with a VPN*

From the info you provided, the last one seems to apply. A lot of time 
in commercial enviros you're stuck w. the ip addr space and so you employ 
NAT as a hack. But I don't see any reason why you *have* to do this 
with your network.

If you have routers in your network why use different ip networks in the 
private addr space. You have the whole 10 network (10.0.0.0 to 
10.255.255.255) and also the 172.16. network (172.16.0.0 to 172.31.0.0).

It's your network so feel free to do whatever you want. But if you'd 
like other people to help / advise you, you should consider designing
your network simpler so that it can be easily grokked. If however, your 
goal is security by obscurity, carry on...


Re: [PLUG] Comments on double NAT...

2009-12-19 Thread Michael Robinson
 I don't understand your network nor the logic behind it. It seems to me 
 that either you don't understand networking very well or
 just love to design overly complicated networks for SGs. NAT was 
 originally a hack to solve a very specific problem with the scarcity
 of IPv4 address space. There are certainly some good reasons for using 
 NAT such as:
 
 - Internet load balancing
 - Intranet server/workstation load balancing
 - Firewall IP masquerading
 - Port Forwarding
 - Overlapping IP Address space with a VPN*
 
 From the info you provided, the last one seems to apply. A lot of time 
 in commercial enviros you're stuck w. the ip addr space and so you employ 
 NAT as a hack. But I don't see any reason why you *have* to do this 
 with your network.
 
 If you have routers in your network why use different ip networks in the 
 private addr space. You have the whole 10 network (10.0.0.0 to 
 10.255.255.255) and also the 172.16. network (172.16.0.0 to 172.31.0.0).
 
 It's your network so feel free to do whatever you want. But if you'd 
 like other people to help / advise you, you should consider designing
 your network simpler so that it can be easily grokked. If however, your 
 goal is security by obscurity, carry on...

You understand something about it and this is a very rude comment.

The reason I have to consider double nat is that the person I want
to connect with is using the same RFC1918 network that I am using.
The alternative of course is to reprogram my end so it doesn't
overlap the other end, but that is a brutal solution that requires
me to go through multiple firewalls, dns servers, and check in 
other places.  The hope is that double nat is a reasonable solution 
that will be less error prone and easier to pursue than network
renumbering.

A more helpful comment than I don't understand anything is I
don't understand this or that.  Frankly, that is the truth.
If you couldn't tell from my diagram that the same ip network
is in use in 2 networks that are supposed to be connected
together, you are blind.  Granted, my diagram is crude because
it is trying to show a bit more information and, like I said, I
didn't explicitly show all connections (but they are labeled).
The diagram is also crude because my information about the
other end is limited.

The reason NAT exists is the scarcity of address space and it
also exists to allow one to build isolated networks that have
some external connectivity to other networks.  Load balancing
is a routing issue, not a NAT issue as far as I can tell.
Having multiple Net connections and having to pick one is
most definitely a routing and not so much a NAT issue.

I don't try to create the most convoluted network designs I can
come up with, thank you very much.  The reality is, I have a very
real world realistic set up.  Network root and growing a network 
complicate topology rather quickly.  I made a bad assumption up
front that I should use 192.168.1.0/24 for my network.  Network
root tends to create loops in networks.  What am I supposed to
do?  Am I supposed to add a dedicated server for network root
to avoid creating loops?  I have enough servers as it is.  One
of the reasons my network root servers are on a different network
is that I wanted them to be hidden from the Net (for the most
part).

It's quite simple, the remote site was using the 192.168.1.0/24 network
before I was, but I didn't realize this when I initially set up my
network.  At some point in time, I decided to add a second private
network in segments booted off of an existing server.  These are the
192.168.4.0/28 and 192.168.4.16/28 networks.  There are more segments,
but they aren't important to the problem at hand.  The only reason
I talked about those 2 segments is that the first segment provides
an alternate route to 192.168.1.0/24 that I don't want to use.  I
want to work everything through the routers on the original part
of the network.

Even if I were to go all out and try to use DIA to create a less crude
diagram of my network, I wouldn't be able to post it to this list.

Telling the other end, the Minnesota end, that they have to renumber to
fit into my private network so that no subnet boundaries have to be 
crossed is imposing a lot on them.  It generally doesn't work that way.



Re: [PLUG] Comments on double NAT...

2009-12-19 Thread Mike Connors
Michael Robinson wrote:
 It's quite simple, the remote site was using the 192.168.1.0/24 network
 before I was, but I didn't realize this when I initially set up my
 network.  At some point in time, I decided to add a second private
 network in segments booted off of an existing server.  These are the
 192.168.4.0/28 and 192.168.4.16/28 networks.  There are more segments,
 but they aren't important to the problem at hand.  The only reason
 I talked about those 2 segments is that the first segment provides
 an alternate route to 192.168.1.0/24 that I don't want to use.  I
 want to work everything through the routers on the original part
 of the network.

 Even if I were to go all out and try to use DIA to create a less crude
 diagram of my network, I wouldn't be able to post it to this list.

 Telling the other end, the Minnesota end, that they have to renumber to
 fit into my private network so that no subnet boundaries have to be 
 crossed is imposing a lot on them.  It generally doesn't work that way.

Yes, my initial comments were rude and not helpful. I apologize for that.

But I've designed, implemented, and supported large networks with 
switching, routing, vlans, vpns, firewalls, and wan circuits, and they were 
never as hard to grok as yours.

Maybe it's the diagram. There's a lot of extraneous info in your diagram 
that makes digesting the info difficult. Physical boundaries, individual 
host names and ip addresses aren't all that useful. However, including 
the vpn link with network endpoints would be very useful. Providing 
which devices route traffic for which networks would be useful.

If I were diagramming this network I would do it from the view point of 
the network and not by the host or physical location because the 
interesting info is how traffic goes from 1 network to another network. 
Not where things are physically and what the physical connections are. 
Routing happens between networks, this is what you want to know.

You could always create a better diagram in Dia and send it as a file 
attachment. I don't think file attachments are banned on the PLUG list?

Here's what's not clear to me:
1. I only see 1 router (Netgear) and I don't know what its route table 
looks like.
2. I'm not sure how all the servers see the network. Are they all just 
pointing at the Netgear via a default route?

My other 2 cents:
1. Troubleshooting network problems w. NAT or double NAT can be a real 
pain when trying to keep track of the NAT'd and local ip addr.
2. I'm going to attempt to diagram this network myself so that it makes 
more sense to me.




Re: [PLUG] Comments on double NAT...

2009-12-19 Thread Michael Robinson
Okay, a couple of points:

1) The FVX 538 is implementing a parallel and independent way to 
   access the Internet through a shared DSL modem on a bridged 
   subnet.

2) Web, Goose, and Xerxes are gateway, mail server/proxy, gateway 
   respectively.  This is the original network's means of accessing
   the Net.

3) 216.151.30.105 is the gateway at the ISP, Opus.

4) 216.151.30.111 is the broadcast for the global subnet.

5) 216.151.30.104 is the network address for the global subnet.

6) 216.151.30.110 is currently not used.

7) The FVX 538 is connected to a 192.168.0.x class C subnet that
   serves one of the rooms in the house in Scappoose.  I want the
   original network to be able to instant message at least with
   that subnet.

8) The FVX 538 is implementing a VPN tunnel to Minnesota and
   presumably there is a similar router on the other end taking
   care of the far end of the tunnel.

9) I don't want the non 192.168.0.x clients, excluding dodo, to
   access the Net through the FVX 538, period.  These hosts
   should only be allowed to go through the tunnel.

10) I am going to try to link a DIA diagram that should help.

In a nutshell, I want to be able to route from the original 
network in Scappoose, it uses black lines in the DIA diagram, 
to a host on the other side of the VPN tunnel implemented by
the FVX 538.  Green lines denote Internet subnet links.  A
dotted black line indicates a link from Dodo to the FVX 538.
A blue line indicates a 192.168.3.0/28 or 192.168.3.16/28 
link.  So, out of the tunnel through the dotted black line,
cross a blue line and from one of the gateway machines on the
original network go where you need to go.  I am planning on
exposing goose, web, and xerxes.  Possibly more hosts in the
future, but not now.

There is also the problem of making 192.168.0.x and 192.168.1.x
link together ( Scappoose side both networks ).

This problem makes my head hurt.  Renumbering my side may not be
such a bad idea after all.  I detect a few errors in the HOWTO
I mentioned by the way.  The hardest part to figure out for
double nat is what the source nat rule needs to be.

Okay, so the DIA diagram only deals with relevant machines on
the Scappoose side and does NOT cover the Minnesota side at all.
Right now, that side is a black box to me.
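As an added example that is not part of the thread, here is the netfilter rule set NAT box 1 (Dodo) would need for the 192.168.5.x mapping Michael proposed in his earlier post: web, goose and xerxes are shown to Minnesota as 192.168.5.2-.4 inside 192.168.5.0/28, and Minnesota is shown to Scappoose as 192.168.5.16/28, so neither side ever sees the other's overlapping 192.168.1.0/24. The hosts' real addresses and the name of Dodo's interface toward the FVX 538 are placeholders, and by default the script only prints the rules (run it with IPT=iptables as root to apply them).

```shell
#!/bin/sh
# Added example, not from the thread: rules for NAT box 1 (Dodo).
# Minnesota sees the exposed Scappoose hosts as 192.168.5.2-.4; Scappoose
# sees Minnesota as 192.168.5.16/28 (NAT box 2 maps e.g. .18 -> 192.168.1.35).
# Placeholders (assumptions): real host addresses and the tunnel-side interface.
IPT="${IPT:-echo iptables}"     # default prints rules; IPT=iptables applies them

FAKE_REMOTE=192.168.5.16/28     # Minnesota as seen from Scappoose
TUN_IF="${TUN_IF:-eth2}"        # placeholder: Dodo's leg toward the FVX 538
WEB_REAL="${WEB_REAL:-192.168.1.250}"       # placeholder real address of web
GOOSE_REAL="${GOOSE_REAL:-192.168.1.251}"   # placeholder real address of goose
XERXES_REAL="${XERXES_REAL:-192.168.1.252}" # placeholder real address of xerxes

# One exposed host: real -> fake on the way out (SNAT), fake -> real on the
# way in (DNAT). Both rules are tied to the tunnel leg and the fake remote
# range, so ordinary 192.168.1.0/24 traffic is never rewritten. Conntrack
# reverses each translation for the replies, so no extra rules are needed.
nat_pair() {
    real=$1; fake=$2
    $IPT -t nat -A POSTROUTING -o "$TUN_IF" -s "$real" -d "$FAKE_REMOTE" \
        -j SNAT --to-source "$fake"
    $IPT -t nat -A PREROUTING -i "$TUN_IF" -s "$FAKE_REMOTE" -d "$fake" \
        -j DNAT --to-destination "$real"
    # Only this host may talk through the tunnel leg (FORWARD sees the real
    # address: before SNAT on the way out, after DNAT on the way in).
    $IPT -A FORWARD -o "$TUN_IF" -s "$real" -d "$FAKE_REMOTE" -j ACCEPT
    $IPT -A FORWARD -i "$TUN_IF" -s "$FAKE_REMOTE" -d "$real" -j ACCEPT
}

emit_dodo_rules() {
    nat_pair "$WEB_REAL"    192.168.5.2
    nat_pair "$GOOSE_REAL"  192.168.5.3
    nat_pair "$XERXES_REAL" 192.168.5.4
    # Point 9 of the thread: the FVX leg carries tunnel traffic only. Anything
    # else in either direction is dropped, so no host on the original network
    # reaches the Net through the FVX 538 and nothing unmapped comes back in.
    $IPT -A FORWARD -o "$TUN_IF" -j DROP
    $IPT -A FORWARD -i "$TUN_IF" -j DROP
}

emit_dodo_rules
```

To check what is actually translating once the rules are loaded, `iptables -t nat -L -n -v` shows the packet counters per SNAT/DNAT rule, which is the quickest way to keep the fake and real addresses straight while troubleshooting.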


Re: [PLUG] Comments on double NAT...

2009-12-19 Thread Mike Connors
Michael Robinson wrote:

 Web, Goose, and Xerxes are gateway, mail server/proxy, gateway
 respectively. This is the original network's means of accessing
 the Net.

I think this piece is complicating matters. It seems you've got multiple
NICs in these boxes on different networks? Which, in the absence of a
router and switch/hub, I understand. But if you could centralize your
routing it would make this a lot less painful.
 In a nutshell, I want to be able to route from the original 
 network in Scappoose, it uses black lines in the DIA diagram, 
 to a host on the other side of the VPN tunnel implemented by
 the FVX 538.  
Original network is 192.168.0.0 / 24?
 There is also the problem of making 192.168.0.x and 192.168.1.x
 link together ( Scappoose side both networks ).
How do you mean?
A router has a leg into both networks so hosts can communicate
across net boundaries?
Or do you mean putting them on the same network by making the
subnet smaller, such as 192.168.0.x / 22?
 This problem makes my head hurt.  Renumbering my side may not be
 such a bad idea after all.  I detect a few errors in the HOWTO
 I mentioned by the way.  The hardest part to figure out for
 double nat is what the source nat rule needs to be.

 Okay, so the DIA diagram only deals with relevant machines on
 the Scappoose side and does NOT cover the Minnesota side at all.
 Right now, that side is a black box to me.
Okay, so the picture is getting a lot clearer. Thanks!
Unfortunately, I can't seem to open the attachment.
When I attempt to open it, my box sees it as an ASC file?
I tried to rename it to a DIA file.  Dia then sees it as a supported file
type but errors when trying to open it.
