Hi, take a look at this

TOPOLOGY:

+--------+                  +--------+
| Linux  | 202.1.1.1        | Cisco  |
| Box    |------------------| Router |--- INTERNET
+--------+                  +--------+
     |
+--------+
| Switch |
+--------+
 | | | |
 | | | |  NAT(1) 192.168.101
 | | | | --------------------+
 | | |
 | | |    NAT(2) 192.168.102
 | | | ----------------------+
 | |
 | |      NAT(3) 192.168.103
 | | ------------------------+
 |
 |        NAT(4) 192.168.104
 | --------------------------+

The linux box should do:
- act as Router
- NAT 1,2,3,4. In NATs segment I may have public IP (202.1.1.15)
- Traffic control from 32kb to 512kb based on IP address

Each NAT will have in the future about 100-200 hosts.

NOTE: this is for a wireless network so maybe the switch could be replaced for some wireless cards on the linux box.

I DON'T WANT YOU TO DO IT FOR ME !!! Just need to know:

if it is possible to do it with iproute2?
based on your experience which are the best or recommended applications to use or combine?
if there are some problems or recommendations I must take.
is NAT the solution or are there other options?
Any other advice?

thanks very much
On Thu, 25 Jan 2001, billy wrote:

> Hi, take a look at this
>
> TOPOLOGY:

[wow, that pic got screwed up badly... try to think of a linewidth of 78 chars at the most]

> The linux box should do:
> - act as Router
> - NAT 1,2,3,4. In NATs segment I may have public IP (202.1.1.15)
> - Traffic control from 32kb to 512kb based on IP address
>
> Each NAT will have in the future about 100-200 hosts.

> NOTE: this is for a wireless network so maybe the switch could be
> replaced for some wireless cards on the linux box.

> I DON'T WANT YOU TO DO IT FOR ME !!! Just need to know:
>
> if it is possible to do it with iproute2?

No. Not with *only* iproute2. However, iproute2 in combination with Linux 2.4 (the kernel...) and iptables *does* make it possible.

> if there are some problems or recommendations I must take.

NAT has a bit of a problem with certain protocols such as FTP. These are mostly handled by the kernel, but there may be cases with new or custom protocols that are not handled yet. You ought to be aware of that.

Furthermore, IPsec AH-mode does not work with NAT. IPsec ESP-mode does, fortunately.

Doei, Arthur.

-- 
 /\ /    | arthurvl@sci.kun.nl           | Work like you don't need the money
/__\ /   | A friend is someone with whom | Love like you have never been hurt
/   \/__ | you can dare to be yourself   | Dance like there's nobody watching
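As an added illustration of the iproute2 + 2.4 kernel + iptables combination Arthur refers to (this is example code, not from the thread or from either poster), the script below emits the netfilter NAT rules and the tc HTB classes for billy's topology. It assumes eth0 faces the Cisco router with 202.1.1.1 on it, eth1 faces the switch carrying the four 192.168.10x.0/24 segments, and the per-host rate table is constructed sample data.

```shell
#!/bin/sh
# Added example (not from the thread): the NAT + per-host shaping setup
# Arthur points at, generated as iptables (2.4 netfilter) and iproute2 tc
# commands. Assumed layout: eth0 faces the Cisco router and carries
# 202.1.1.1, eth1 faces the switch with the four 192.168.10x.0/24 segments.
WAN=eth0; WAN_IP=202.1.1.1; LAN=eth1
# Hosts inside the NAT segments that already hold public addresses
# (billy's 202.1.1.15) must bypass source NAT, so they are matched first.
PUBLIC_HOSTS="202.1.1.15"
# Constructed sample table, "ip rate_kbit"; unlisted hosts get the default.
SHAPING="192.168.101.10 32
192.168.102.20 128
192.168.103.30 512"

nat_rules() {
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    echo "iptables -t nat -F POSTROUTING"
    for h in $PUBLIC_HOSTS; do
        echo "iptables -t nat -A POSTROUTING -s $h -o $WAN -j ACCEPT"
    done
    for n in 101 102 103 104; do
        # NAPT: every segment hides behind the one public address.
        echo "iptables -t nat -A POSTROUTING -s 192.168.$n.0/24 -o $WAN -j SNAT --to-source $WAN_IP"
    done
    # Only replies to connections opened from inside get forwarded back in.
    echo "iptables -A FORWARD -i $WAN -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $WAN -o $LAN -j DROP"
}

tc_rules() {
    # HTB on the LAN side shapes downstream traffic per destination IP;
    # the 2mbit aggregate ceiling is an assumption.
    echo "tc qdisc del dev $LAN root 2>/dev/null"
    echo "tc qdisc add dev $LAN root handle 1: htb default 99"
    echo "tc class add dev $LAN parent 1: classid 1:1 htb rate 2mbit ceil 2mbit"
    echo "tc class add dev $LAN parent 1:1 classid 1:99 htb rate 32kbit ceil 32kbit"
    i=10
    echo "$SHAPING" | while read -r ip kbit; do
        [ -n "$ip" ] || continue
        echo "tc class add dev $LAN parent 1:1 classid 1:$i htb rate ${kbit}kbit ceil ${kbit}kbit"
        echo "tc filter add dev $LAN protocol ip parent 1:0 prio 1 u32 match ip dst $ip/32 flowid 1:$i"
        i=$((i + 1))
    done
}

# Review the output, then pipe it into sh on the router to apply it.
nat_rules
tc_rules
```

The public-address bypass is emitted before the SNAT rules on purpose: netfilter walks POSTROUTING in order, so 202.1.1.15 would otherwise be rewritten to 202.1.1.1 like the private hosts.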
Thanks for your answer. I'll try to resolve the pic problem next time.

> > Hi, take a look at this
> >
> > TOPOLOGY:
>
> [wow, that pic got screwed up badly... try to think of a linewidth of 78
> chars at the most]
>
> > The linux box should do:
> > - act as Router
> > - NAT 1,2,3,4. In NATs segment I may have public IP (202.1.1.15)
> > - Traffic control from 32kb to 512kb based on IP address
> >
> > Each NAT will have in the future about 100-200 hosts.
>
> > NOTE: this is for a wireless network so maybe the switch could be
> > replaced for some wireless cards on the linux box.
>
> > I DON'T WANT YOU TO DO IT FOR ME !!! Just need to know:
> >
> > if it is possible to do it with iproute2?
>
> No. Not with *only* iproute2. However, iproute2 in combination with
> Linux 2.4 (the kernel...) and iptables *does* make it possible.

thanks for this, I'm reading all about packet filtering right now !!

> > if there are some problems or recommendations I must take.
>
> NAT has a bit of a problem with certain protocols such as FTP. These are
> mostly handled by the kernel, but there may be cases with new or custom
> protocols that are not handled yet. You ought to be aware of that.
> Furthermore, IPsec AH-mode does not work with NAT. IPsec ESP-mode does,
> fortunately.
>

Yes, I knew about the NAT problem, now what about masquerading? I can't find any difference, but there must be, or are they the same thing? Does masquerading have the same problem? I think so.

Now, what do you refer to or mean by IPsec AH-mode and IPsec ESP-mode?

> Doei, Arthur.
>
> --
>  /\ /    | arthurvl@sci.kun.nl           | Work like you don't need the money
> /__\ /   | A friend is someone with whom | Love like you have never been hurt
> /   \/__ | you can dare to be yourself   | Dance like there's nobody watching

Can I drink something first to temporarily erase my memory?
On Fri, 26 Jan 2001, billy wrote:

> Thanks for your answer

My pleasure.

[snip]

> > > if there are some problems or recommendations I must take.
> >
> > NAT has a bit of a problem with certain protocols such as FTP. These are
> > mostly handled by the kernel, but there may be cases with new or custom
> > protocols that are not handled yet. You ought to be aware of that.
> > Furthermore, IPsec AH-mode does not work with NAT. IPsec ESP-mode does,
> > fortunately.

> Yes, I knew about the NAT problem, now what about masquerading?

Masquerading is NAT with port-translation thrown in. This enables multiple IP addresses to be mapped to a single IP address. In 2.4 and the netfilter and iptables documentation (at http://netfilter.kernelnotes.org/) masquerading is also called NAPT, Network Address and Port Translation.

> I can't find any difference, but there must be, or are they the same thing?
> Does masquerading have the same problem? I think so.

Yes, masquerading has the same problems.

> Now, what do you refer to or mean by IPsec AH-mode and IPsec ESP-mode?

Look at the documentation for FreeS/WAN at http://www.freeswan.org/

IPsec is a protocol to do encryption and authentication of packets at the IP level. IPsec AH-mode provides only authentication, but authenticates packet headers as well as their payload. This directly conflicts with NAT, as NAT changes the packet headers. IPsec ESP-mode provides authentication as well as encryption, but does not authenticate the outer packet's headers, and therefore can be used over NAT-ed connections.

Doei, Arthur.