Re: [Shorewall-users] NAT on same network

2021-05-20 Thread Matt Darfeuille
On 5/20/2021 9:17 AM, Robert Grizilo wrote:
> Greetings,
> 
> I've done this once a long time ago but can't remember how and am unable to
> find an example.
> 
> I want to NAT inside same network.
> 
> 192.168.1.2 = shorewall pc
> 192.168.1.3 = synology nas
> 
> lan:192.168.1.2:5000 -> lan:192.168.3:5000
> lan:192.168.1.2:5001 -> lan:192.168.3:5001
> lan:192.168.1.2:6690 -> lan:192.168.3:6690
> 

If you want to forward traffic from the loc zone to a server in the loc
zone, please see (1).

1)  https://shorewall.org/FAQ.htm#faq2

-- 
Matt Darfeuille 
Community: https://sourceforge.net/p/shorewall/mailman/message/37107049/
SPC: https://sourceforge.net/p/shorewall/mailman/message/36596609/
Homepage: https://shorewall.org


___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users


Re: [Shorewall-users] last missing Shorewall6 piece, ping6 from LAN to 'NET ?

2021-05-20 Thread thad17
Hello Alexander,

On Thu, May 20, 2021, at 7:33 AM, Alexander Stoll wrote:
> When you receive only a /64 subnet, this gets really complicated and
> depends on every piece of software involved supporting subnets smaller
> than /64.
> In this situation you may be better off with a NAT solution.


Here, with ATT as my upstream, the MODEM, which sits in front of the ROUTER, 
_serves_ a delegation via DHCP6 via its ROUTER-facing interface.

That "IPv6 Addressing Subnet (including length)", apparently configured from 
upstream, is a /64.

THAT is what the ROUTER gets.

As far as I can tell, that can't be changed.  At least not in the UI.  Maybe 
there's a 'hidden' setting you can set via an SSH session;  I sure haven't found 
it yet.

Internally, the LAN clients get delegated assignments from radvd, using a 
"prefix ::/64 {" advertisement.  I _might_ be able to safely expand that beyond 
the /64 -- I just am not sure.

Since I (1) don't get a /56, and (2) control _none_ of the upstream, sounds 
like NAT is my best bet.  Even if 'ugly'.

Thanks!

Thad




Re: [Shorewall-users] last missing Shorewall6 piece, ping6 from LAN to 'NET ?

2021-05-20 Thread Alexander Stoll

On 20.05.2021 at 13:04, tha...@letterboxes.org wrote:

> So with this I end up with NAT'd IPv6.  Which I thought you weren't
> supposed to do.

Yes, this is ugly and something to avoid whenever possible...

> But I guess if I'm going to have private internal IPv6 addresses,
> either static &/or delegated, then I have to do this somehow.

It depends how IPv6 address space is delegated to you.
Here in Germany our biggest telco dynamically delegates a /56 subnet,
which is plenty of space for almost everything.
Because it is dynamically allocated via DHCP on every new connect, for
static service allocation in internal nets we are forced to use ULA
address space for internal services and delegate derived subnets from
the provider's global unicast delegation to clients for internet access.

> I keep thinking there's a routing solution that solves this, but I
> can't figure it out.  And your NAT suggestion does fix it for now.

When you receive only a /64 subnet, this gets really complicated and
depends on every piece of software involved supporting subnets smaller
than /64.
In this situation you may be better off with a NAT solution.

Best wishes





Re: [Shorewall-users] last missing Shorewall6 piece, ping6 from LAN to 'NET ?

2021-05-20 Thread thad17
Hello,

>   SNAT([2600:::::53])  [2600:::::]/64  enp2s0
> 
> with that, you should now see the 'echo reply'.

Wow, that worked!

I just assumed that since I wasn't seeing DROP/REJECT of packets, that I didn't 
have a problem like that.  Never thought that the packets weren't even getting 
back.

So with this I end up with NAT'd IPv6.  Which I thought you weren't supposed to 
do.

But I guess if I'm going to have private internal IPv6 addresses, either static 
&/or delegated, then I have to do this somehow.

I keep thinking there's a routing solution that solves this, but I can't figure 
it out.  And your NAT suggestion does fix it for now.

I checked speedtests, and even with the IPv6 NATting like above, my IPv6 up/down 
speeds checked @DESKTOP are ~25% better than IPv4.

I'll take that.

Thanks!

Thad


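An added example, not part of the thread: the check Thad's experience calls for. No DROP/REJECT log entries does not mean replies are arriving, so inspect the connection-tracking table for flows that went out and were never answered from a source outside the delegated global prefix. The `conntrack -L -f ipv6`-style lines, the ULA addresses and the delegated prefix below are all constructed.

```python
import ipaddress
import re

# Constructed sample in the shape of `conntrack -L -f ipv6` output (not a real capture).
# Two flows from ULA hosts left the box and never saw a reply; one GUA host's ping did.
SAMPLE_CONNTRACK = """\
icmpv6   58 29 src=fd12:3456:789a::10 dst=2001:db8:ffff::1 type=128 code=0 id=4242 [UNREPLIED] src=2001:db8:ffff::1 dst=fd12:3456:789a::10 type=129 code=0 id=4242 mark=0 use=1
icmpv6   58 29 src=2001:db8:abcd::20 dst=2001:db8:ffff::1 type=128 code=0 id=4243 src=2001:db8:ffff::1 dst=2001:db8:abcd::20 type=129 code=0 id=4243 mark=0 use=1
tcp      6 117 SYN_SENT src=fd12:3456:789a::11 dst=2001:db8:ffff::2 sport=51000 dport=443 [UNREPLIED] src=2001:db8:ffff::2 dst=fd12:3456:789a::11 sport=443 dport=51000 mark=0 use=1
"""

ULA = ipaddress.IPv6Network("fc00::/7")  # RFC 4193 unique local addresses


def parse_flows(text):
    """Yield (proto, original_src, original_dst, unreplied) for each conntrack line.

    The first src=/dst= pair on a line is the original direction; the second
    pair is the expected reply direction, which we do not need here.
    """
    for line in text.splitlines():
        if not line.strip():
            continue
        proto = line.split()[0]
        src = re.search(r"src=(\S+)", line).group(1)
        dst = re.search(r"dst=(\S+)", line).group(1)
        yield proto, ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst), "[UNREPLIED]" in line


def flows_needing_snat(text, delegated_prefix):
    """Return (proto, src, dst, kind) for unreplied flows whose original source
    lies outside the delegated prefix.

    Such packets leave with a source the upstream cannot route back to, so the
    reply never arrives and no DROP/REJECT is ever logged locally. The fix the
    thread settles on is SNAT to an address inside the delegated prefix.
    """
    prefix = ipaddress.IPv6Network(delegated_prefix)
    hits = []
    for proto, src, dst, unreplied in parse_flows(text):
        if unreplied and src not in prefix:
            kind = "ula" if src in ULA else "other"
            hits.append((proto, str(src), str(dst), kind))
    return hits


if __name__ == "__main__":
    for hit in flows_needing_snat(SAMPLE_CONNTRACK, "2001:db8:abcd::/64"):
        print("unreplied, unroutable source:", hit)
```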


[Shorewall-users] NAT on same network

2021-05-20 Thread Robert Grizilo

Greetings,

I've done this once a long time ago but can't remember how and am unable to find an 
example.


I want to NAT inside same network.

192.168.1.2 = shorewall pc
192.168.1.3 = synology nas

lan:192.168.1.2:5000 -> lan:192.168.3:5000
lan:192.168.1.2:5001 -> lan:192.168.3:5001
lan:192.168.1.2:6690 -> lan:192.168.3:6690

thnx

