>> But then since the problem* came to light that's triggered this,
>> management have finally suggested we review our network setup. So
>> it's just possible I might be able to move to a routed setup
>> internally :-)
>>
>> * It turns out that if two people attempt to access an SMB share via
>> many-to-one NAT, each connection attempt results in all other users
>> sharing the same IPv4 address having their sessions terminated. It
>> only happens with Windows servers and clients which have enhanced
>> security turned on. It's been driving the web developers in the other
>> office nuts :D
>> http://www.nynaeve.net/?p=93
>> Brilliant protocol design, and something else that NAT breaks :-/
>>
>
> I feel your pain.
OK, they've now asked me to do this.

3 networks: Int, Ext, Back
Border router R
Gateway G

R connects Ext (public class C, Pub) to the internet.
G connects all 3 networks.

Routing on G is fairly simple - R is the default gateway, the 3 networks are locally connected.

I believe I need to change masq from:

Ext     Int
Back    Int

to just:

Ext:!Pub/24     Int

As I read the man page, this means NAT will be applied to connections outside of our public subnet, but not to connections to our own hosts.

Plus turn off routefilter on Ext.

And on R, add a static route to Int via G, plus turn on routeback on its interface in Ext.

Obviously I'll also need to set the policies and rules to suit.

If I have that right, connections between the office network and hosts single homed on the back end network "just work" - they'll have their default gateway pointed to G.

For hosts on the public network, return packets will go via R first, which will redirect them via G.

For hosts that are dual homed on the Ext and Back networks, connections to their backend addresses will go out direct, but the return packets will go via R as the default router for those hosts. Thus needing routefilter turned off on G.

Most hosts won't have a static route added to the internal network - hence the routing via R.

Does that look about right? I've done most of this before, but not with Shorewall or Linux boxes.

-- 
Simon Hobson
Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
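Laid out as Shorewall 4.x configuration fragments, the change described in the post above (an added example, not from the original thread or the Shorewall project; the interface names, zone names and subnets are assumptions, with the public class C written as an RFC 5737 documentation range and the two private networks as constructed values):

```text
# Added example, not from the original post. Assumed mapping on gateway G:
#   eth0 = Ext  (public /24 "Pub", written here as 203.0.113.0/24)
#   eth1 = Int  (office network, assumed 192.168.1.0/24)
#   eth2 = Back (back-end network, assumed 192.168.2.0/24)

# /etc/shorewall/masq -- BEFORE: every connection from Int is source-NATed
# whether it leaves via Ext or via Back, so Pub and Back hosts only ever see
# G's address (the many-to-one NAT that breaks SMB sessions in the quoted post).
#INTERFACE              SOURCE          ADDRESS
eth0                    eth1
eth2                    eth1

# /etc/shorewall/masq -- AFTER: the ":!" exclusion on the INTERFACE column
# limits SNAT to destinations outside the public /24. Int hosts reach Pub and
# Back hosts with their real addresses; only Internet-bound traffic is NATed.
#INTERFACE              SOURCE          ADDRESS
eth0:!203.0.113.0/24    eth1

# /etc/shorewall/interfaces -- no routefilter on eth0, because replies from
# dual-homed Ext/Back hosts come back through R on Ext even though the request
# went out on Back (asymmetric path). Keep it on the internal interfaces.
# (If shorewall.conf has ROUTE_FILTER=Yes, set ROUTE_FILTER=No there and
# enable it per interface as below instead.)
#ZONE   INTERFACE       BROADCAST       OPTIONS
ext     eth0            detect          tcpflags,nosmurfs
int     eth1            detect          tcpflags,nosmurfs,routefilter
back    eth2            detect          tcpflags,nosmurfs,routefilter

# /etc/shorewall/policy -- the zone policy is what stops a packet arriving on
# eth0 with an internal source address once routefilter is off on that interface.
#SOURCE DEST    POLICY  LOG LEVEL
int     all     ACCEPT
back    int     ACCEPT
ext     all     DROP    info
all     all     REJECT  info

# On border router R (assumed to be a Linux box; otherwise the equivalent
# static route in its own syntax), pointing Int at G's Ext address, assumed
# to be 203.0.113.1:
#   ip route add 192.168.1.0/24 via 203.0.113.1
```

Two things worth checking after the change: `shorewall check` accepts the `eth0:!203.0.113.0/24` form (exclusion in the masq INTERFACE column) before `shorewall restart`, and, with route filtering gone on eth0, the ext-to-int and ext-to-back paths are covered by an explicit DROP policy so that nothing else in the rules file unintentionally admits traffic whose source address claims to be internal.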
