Re: [PLUG] Comments on double NAT...
On Sat, 2009-12-19 at 18:47 -0800, Mike Connors wrote:
> Michael Robinson wrote:
>> Web, Goose, and Xerxes are gateway, mail server/proxy, gateway respectively. This is the original network's means of accessing the Net.
>
> I think this piece is complicating matters. It seems you've got multiple NICs on these boxes on different networks? Which in the absence of a router and switch/hub I understand. But if you could centralize your routing it would make this a lot less painful.
>
>> In a nutshell, I want to be able to route from the original network in Scappoose, it uses black lines in the DIA diagram, to a host on the other side of the VPN tunnel implemented by the FVX 538.

Yes, I have multiple links, which the diagram shows if the plug list hadn't screwed it up. You can count the links in the diagram and that shows the number of networks that machine is hooked to (treat the Net as one network), which equals the number of interfaces in that machine.

> Original network is 192.168.0.0/24?
>
>> There is also the problem of making 192.168.0.x and 192.168.1.x link together (Scappoose side, both networks).
>
> How do you mean? A router has a leg into both networks so hosts can communicate across net boundaries? Or do you mean putting them on the same network by making the subnet smaller, such as 192.168.0.x/22?

The 192.168.0.x/24 network was implemented by my brother for the Office, which was split off of the original network. Dodo is acting as a router. Dodo has one leg in the 192.168.0.x/24 (or theoretically it will have a leg there) and two other legs to three other networks. 192.168.3.0/28 and 192.168.3.16/28 are accessible through one leg, and 192.168.4.0/24, the network dodo boots over, is available on a third leg. The diagram would help as it shows all of the switches, the FVX 538, the Linksys WAP11 between web/xerxes and dodo, and the DSL modem. The diagram also differentiates the links in different networks by color.

My brother's network is the FVX 538, a Netgear switch/802.11g appliance, my other brother's computer in the Office, and a printer in the office. The link from the Office to the server room, a wired line, was taken off of the original network to create this isolated network. The routing is not centralized and that is confusing, but it can't be helped. The Office network has to be reliable because it is being used by a business. I just want to be able to go to the business VPN from the original network, and I want to be able to instant message computers in the office from the original network. I think that the FVX has the only static address in the 192.168.0.x network and that everything else in the office network is assigned by it randomly. This could be a problem, because how do I instant message someone on a computer that has a random IP address?

In some ways it would be nice to say let's start over and go from a parallel routing situation to a singular routing infrastructure, but I don't think that's an option. To some degree, the business network has to operate independently of the original network. This is why my goal is to only allow instant messaging between Office computers and original private network computers, at least initially.

I am going to put the DIA diagram on my global ftp servers because it appears to be one of the only ways that I can get it out to people reading the plug list that want to study it:

ftp://ftp.robinson-west.com/pub/robinson-west_com.dia

or:

ftp://ftp2.robinson-west.com/pub/robinson-west_com.dia

The hardest part of making a diagram is finding the right tool to diagram with and learning what to diagram. I don't diagram every single host, only the servers/routers and maybe a printer.

___ PLUG mailing list PLUG@lists.pdxlinux.org http://lists.pdxlinux.org/mailman/listinfo/plug
Re: [PLUG] Comments on double NAT...
Michael Robinson wrote:
> I am going to put the DIA diagram on my global ftp servers because it appears to be one of the only ways that I can get it out to people reading the plug list that want to study it:
>
> ftp://ftp.robinson-west.com/pub/robinson-west_com.dia
>
> or:
>
> ftp://ftp2.robinson-west.com/pub/robinson-west_com.dia
>
> The hardest part of making a diagram is finding the right tool to diagram with and learning what to diagram. I don't diagram every single host, only the servers/routers and maybe a printer.

Okay, I'll take a look at it and see if I can offer up some useful advice, keeping in mind all your connectivity requirements. I must say, this is the 1st time I tried to do a network diagram w. Dia and it was extremely painful compared to Visio...

One of the great things about diagramming networks is that you can play around with different ideas and design the network to meet your reqs, be flexible, scalable, reliable, fast, easy to troubleshoot, etc. And then you can come up w. an implementation plan.

It's too bad you live so far out and don't come to PLUG events, because it would be great to have a whiteboard brainstorming session w. you. I really dig this kind of stuff, a lot! :-)
Re: [PLUG] Comments on double NAT...
Michael Robinson wrote:
> http://www.iptables.org/documentation/HOWTO/netfilter-double-nat-HOWTO.html#toc6
>
> I have a similar situation. One network via a VPN is on the 192.168.1.0/24 network and my locally wired network is on the 192.168.1.0/24 network as well. Can you see the problem from this diagram? Question is, should I renumber to get Bluejay to stop conflicting with the server on the other network, or should I go the double NAT route?
>
> I'm thinking of using 192.168.5.0/28 on Dodo, NAT box 1, and on the Minnesota side, NAT box 2 will need to use say 192.168.5.16/28. So I can map web to 192.168.5.2, goose to 192.168.5.3, and xerxes to 192.168.5.4. On the Minnesota side 192.168.5.18 can be mapped to 192.168.1.35. I am not currently source NAT'ing on Dodo (except for the route to goose), where I am concerned that it might screw things up. I want to route from Minnesota through either web or xerxes depending on which one I am using at the moment. So I source NAT on dodo to either 192.168.3.17 or 192.168.3.1. Let's say that the source from Minnesota is 192.168.5.1. The source from Scappoose going to Minnesota will be say 192.168.5.17. I'll have to check to see if I will be SNATing on the Scappoose side from 3.x or 1.x. The problem is, I have more routers involved than the double NAT HOWTO has.

I don't understand your network nor the logic behind it. It seems to me that either you don't understand networking very well or just love to design overly complicated networks for SGs.

NAT was originally a hack to solve a very specific problem with the scarcity of IPv4 address space. There are certainly some good reasons for using NAT, such as:

- Internet load balancing
- Intranet server/workstation load balancing
- Firewall IP masquerading
- Port forwarding
- Overlapping IP address space with a VPN*

From the info you provided, the last one seems to apply. A lot of the time in commercial enviros you're stuck w. the IP addr space and so you employ NAT as a hack.

But I don't see any reason why you *have* to do this with your network. If you have routers in your network, why use different IP networks in the private addr space? You have the whole 10 network (10.0.0.0 to 10.255.255.255) and also the 172.16 network (172.16.0.0 to 172.31.0.0). It's your network, so feel free to do whatever you want. But if you'd like other people to help / advise you, you should consider designing your network simpler so that it can be easily grokked. If however your goal is security by obscurity, carry on...
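The double-NAT plan Michael sketches in the quoted message above (192.168.5.0/28 on Dodo as NAT box 1, 192.168.5.16/28 on the Minnesota box, web/goose/xerxes exposed as 192.168.5.2-4, 192.168.5.18 standing for 192.168.1.35), modelled as an added Python example that is not part of the thread or of the netfilter HOWTO. It assumes static one-to-one mappings on each box, and the real Scappoose addresses 192.168.1.10-12 are constructed placeholders; the point it shows is why a host on one 192.168.1.0/24 can only reach the other one through the virtual range, and how the reply finds its way back.

```python
import ipaddress
from collections import namedtuple

# A packet reduced to the two fields NAT rewrites.
Packet = namedtuple("Packet", "src dst")

class RoutingError(Exception):
    pass

class NatBox:
    """One side's NAT router: static 1:1 real <-> virtual mappings for hosts on its own LAN."""
    def __init__(self, name, lan, virtual_net, mappings):
        self.name = name
        self.lan = ipaddress.ip_network(lan)
        self.virtual_net = ipaddress.ip_network(virtual_net)
        self.real_to_virtual = {ipaddress.ip_address(r): ipaddress.ip_address(v)
                                for r, v in mappings.items()}
        self.virtual_to_real = {v: r for r, v in self.real_to_virtual.items()}

    def outbound(self, pkt):
        """LAN -> tunnel (POSTROUTING SNAT): the real source becomes its virtual address."""
        src = ipaddress.ip_address(pkt.src)
        if src not in self.real_to_virtual:
            raise LookupError(f"{self.name}: no SNAT mapping for {pkt.src}")
        return Packet(str(self.real_to_virtual[src]), pkt.dst)

    def inbound(self, pkt):
        """tunnel -> LAN (PREROUTING DNAT): the virtual destination becomes the real host."""
        dst = ipaddress.ip_address(pkt.dst)
        if dst not in self.virtual_to_real:
            raise LookupError(f"{self.name}: no DNAT mapping for {pkt.dst} in {self.virtual_net}")
        return Packet(pkt.src, str(self.virtual_to_real[dst]))

def needs_double_nat(a, b):
    """True when both LANs share address space, so plain routing cannot tell them apart."""
    return a.lan.overlaps(b.lan)

def trace(pkt, origin, remote):
    """Follow a packet from origin's LAN to remote's LAN; return every (src, dst) it carries."""
    if ipaddress.ip_address(pkt.dst) in origin.lan:
        # The overlap failure: the sender's route table treats the destination as local.
        raise RoutingError(f"{pkt.dst} looks local on {origin.name}; never reaches the tunnel")
    hops = [pkt, origin.outbound(pkt)]
    hops.append(remote.inbound(hops[-1]))
    return hops

def reply(hops, origin, remote):
    """Return path: the remote host answers the virtual source; each box undoes its own rewrite."""
    answer = Packet(hops[-1].dst, hops[-1].src)
    back = [answer, remote.outbound(answer)]
    back.append(origin.inbound(back[-1]))
    return back

# Dodo (NAT box 1) and the Minnesota router (NAT box 2), both fronting a 192.168.1.0/24.
# 192.168.1.10-12 are constructed placeholders for web, goose and xerxes in Scappoose.
DODO = NatBox("dodo", "192.168.1.0/24", "192.168.5.0/28", {"192.168.1.10": "192.168.5.2",
              "192.168.1.11": "192.168.5.3", "192.168.1.12": "192.168.5.4"})
MINNESOTA = NatBox("minnesota", "192.168.1.0/24", "192.168.5.16/28",
                   {"192.168.1.35": "192.168.5.18"})
```

Tracing `Packet("192.168.1.35", "192.168.5.2")` from MINNESOTA to DODO ends at web's real address with 192.168.5.18 as source, and the reply comes back to 192.168.1.35 from 192.168.5.2; sending to 192.168.1.10 directly raises RoutingError, which is the conflict the thread is about.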
Re: [PLUG] Comments on double NAT...
> I don't understand your network nor the logic behind it. It seems to me that either you don't understand networking very well or just love to design overly complicated networks for SGs.
>
> NAT was originally a hack to solve a very specific problem with the scarcity of IPv4 address space. There are certainly some good reasons for using NAT, such as:
>
> - Internet load balancing
> - Intranet server/workstation load balancing
> - Firewall IP masquerading
> - Port forwarding
> - Overlapping IP address space with a VPN*
>
> From the info you provided, the last one seems to apply. A lot of the time in commercial enviros you're stuck w. the IP addr space and so you employ NAT as a hack.
>
> But I don't see any reason why you *have* to do this with your network. If you have routers in your network, why use different IP networks in the private addr space? You have the whole 10 network (10.0.0.0 to 10.255.255.255) and also the 172.16 network (172.16.0.0 to 172.31.0.0). It's your network, so feel free to do whatever you want. But if you'd like other people to help / advise you, you should consider designing your network simpler so that it can be easily grokked. If however your goal is security by obscurity, carry on...

You understand something about it, and this is a very rude comment. The reason I have to consider double NAT is that the person I want to connect with is using the same RFC1918 network that I am using. The alternative, of course, is to reprogram my end so it doesn't overlap the other end, but that is a brutal solution that requires me to go through multiple firewalls, DNS servers, and check in other places. The hope is that double NAT is a reasonable solution that will be less error prone and easier to pursue than network renumbering. A more helpful comment than "I don't understand anything" is "I don't understand this or that." Frankly, that is the truth.

If you couldn't tell from my diagram that the same IP network is in use in 2 networks that are supposed to be connected together, you are blind. Granted, my diagram is crude because it is trying to show a bit more information and, like I said, I didn't explicitly show all connections (but they are labeled). The diagram is also crude because my information about the other end is limited.

The reason NAT exists is the scarcity of address space, and it also exists to allow one to build isolated networks that have some external connectivity to other networks. Load balancing is a routing issue, not a NAT issue as far as I can tell. Having multiple Net connections and having to pick one is most definitely a routing and not so much a NAT issue.

I don't try to create the most convoluted network designs I can come up with, thank you very much. The reality is, I have a very real world, realistic set up. Network root and growing a network complicate topology rather quickly. I made a bad assumption up front that I should use 192.168.1.0/24 for my network. Network root tends to create loops in networks. What am I supposed to do? Am I supposed to add a dedicated server for network root to avoid creating loops? I have enough servers as it is. One of the reasons my network root servers are on a different network is that I wanted them to be hidden from the Net (for the most part).

It's quite simple, the remote site was using the 192.168.1.0/24 network before I was, but I didn't realize this when I initially set up my network. At some point in time, I decided to add a second private network in segments booted off of an existing server. These are the 192.168.4.0/28 and 192.168.4.16/28 networks. There are more segments, but they aren't important to the problem at hand. The only reason I talked about those 2 segments is that the first segment provides an alternate route to 192.168.1.0/24 that I don't want to use. I want to work everything through the routers on the original part of the network.

Even if I were to go all out and try to use DIA to create a less crude diagram of my network, I wouldn't be able to post it to this list. Telling the other end, the Minnesota end, that they have to renumber to fit into my private network so that no subnet boundaries have to be crossed is imposing a lot on them. It generally doesn't work that way.
Re: [PLUG] Comments on double NAT...
Michael Robinson wrote:
> It's quite simple, the remote site was using the 192.168.1.0/24 network before I was, but I didn't realize this when I initially set up my network. At some point in time, I decided to add a second private network in segments booted off of an existing server. These are the 192.168.4.0/28 and 192.168.4.16/28 networks. There are more segments, but they aren't important to the problem at hand. The only reason I talked about those 2 segments is that the first segment provides an alternate route to 192.168.1.0/24 that I don't want to use. I want to work everything through the routers on the original part of the network.
>
> Even if I were to go all out and try to use DIA to create a less crude diagram of my network, I wouldn't be able to post it to this list. Telling the other end, the Minnesota end, that they have to renumber to fit into my private network so that no subnet boundaries have to be crossed is imposing a lot on them. It generally doesn't work that way.

Yes, my initial comments were rude and not helpful. I apologize for that. But I've designed, implemented, and supported large networks with switching, routing, VLANs, VPNs, firewalls, and WAN circuits, and they were never as hard to grok as yours. Maybe it's the diagram. There's a lot of extraneous info in your diagram that makes digesting the info difficult. Physical boundaries, individual host names and IP addresses aren't all that useful. However, including the VPN link with network endpoints would be very useful. Providing which devices route traffic for which networks would be useful.

If I were diagramming this network I would do it from the viewpoint of the network and not by the host or physical location, because the interesting info is how traffic goes from 1 network to another network, not where things are physically and what the physical connections are. Routing happens between networks; this is what you want to know.

You could always create a better diagram in Dia and send it as a file attachment. I don't think file attachments are banned on the PLUG list?

Here's what's not clear to me:

1. I only see 1 router (Netgear) and I don't know what its route table looks like.
2. I'm not sure how all the servers see the network. Are they all just pointing at the Netgear via a default route?

My other 2 cents:

1. Troubleshooting network problems w. NAT or double NAT can be a real pain when trying to keep track of the NAT'd and local IP addr.
2. I'm going to attempt to diagram this network myself so that it makes more sense to me.
Re: [PLUG] Comments on double NAT...
Okay, a couple of points:

1) The FVX 538 is implementing a parallel and independent way to access the Internet through a shared DSL modem on a bridged subnet.
2) Web, Goose, and Xerxes are gateway, mail server/proxy, gateway respectively. This is the original network's means of accessing the Net.
3) 216.151.30.105 is the gateway at the ISP, Opus.
4) 216.151.30.111 is the broadcast for the global subnet.
5) 216.151.30.104 is the network address for the global subnet.
6) 216.151.30.110 is currently not used.
7) The FVX 538 is connected to a 192.168.0.x class C subnet that serves one of the rooms in the house in Scappoose. I want the original network to be able to instant message at least with that subnet.
8) The FVX 538 is implementing a VPN tunnel to Minnesota, and presumably there is a similar router on the other end taking care of the far end of the tunnel.
9) I don't want the non-192.168.0.x clients, excluding dodo, to access the Net through the FVX 538, period. These hosts should only be allowed to go through the tunnel.
10) I am going to try to link a DIA diagram that should help.

In a nutshell, I want to be able to route from the original network in Scappoose, it uses black lines in the DIA diagram, to a host on the other side of the VPN tunnel implemented by the FVX 538. Green lines denote Internet subnet links. A dotted black line indicates a link from Dodo to the FVX 538. A blue line indicates a 192.168.3.0/28 or 192.168.3.16/28 link. So, out of the tunnel through the dotted black line, cross a blue line, and from one of the gateway machines on the original network go where you need to go. I am planning on exposing goose, web, and xerxes. Possibly more hosts in the future, but not now.

There is also the problem of making 192.168.0.x and 192.168.1.x link together (Scappoose side, both networks). This problem makes my head hurt. Renumbering my side may not be such a bad idea after all. I detect a few errors in the HOWTO I mentioned, by the way.

The hardest part to figure out for double NAT is what the source NAT rule needs to be. Okay, so the DIA diagram only deals with relevant machines on the Scappoose side and does NOT cover the Minnesota side at all. Right now, that side is a black box to me.
Re: [PLUG] Comments on double NAT...
Michael Robinson wrote:
> Web, Goose, and Xerxes are gateway, mail server/proxy, gateway respectively. This is the original network's means of accessing the Net.

I think this piece is complicating matters. It seems you've got multiple NICs on these boxes on different networks? Which in the absence of a router and switch/hub I understand. But if you could centralize your routing it would make this a lot less painful.

> In a nutshell, I want to be able to route from the original network in Scappoose, it uses black lines in the DIA diagram, to a host on the other side of the VPN tunnel implemented by the FVX 538.

Original network is 192.168.0.0/24?

> There is also the problem of making 192.168.0.x and 192.168.1.x link together (Scappoose side, both networks).

How do you mean? A router has a leg into both networks so hosts can communicate across net boundaries? Or do you mean putting them on the same network by making the subnet smaller, such as 192.168.0.x/22?

> This problem makes my head hurt. Renumbering my side may not be such a bad idea after all. I detect a few errors in the HOWTO I mentioned, by the way.
>
> The hardest part to figure out for double NAT is what the source NAT rule needs to be. Okay, so the DIA diagram only deals with relevant machines on the Scappoose side and does NOT cover the Minnesota side at all. Right now, that side is a black box to me.

Okay, so the picture is getting a lot clearer. Thanks! Unfortunately, I can't seem to open the attachment. When I attempt to open it, my box sees it as an ASC file? I tried to rename it to a DIA file. Dia then sees it as a supported file type but errors when trying to open it.