Hi,

My ISP has assigned me the subnet 200.58.129.0/27 (255.255.255.224)

I need to configure the external interface of the router with:
200.58.129.34 / 255.255.255.252 / Default Gw. 200.58.129.33

A few users will be assigned public IPs (with Proxy ARP), the rest of the users will be assigned private IPs, and their traffic will go out using NAT (SNAT and DNAT).

The gateway of the subnet 200.58.129.0/27 is 200.58.129.1

I would like to use SNAT with the private subnet 192.168.1.0/24 and use for this NAT the public address 200.58.129.13
I would like to use SNAT with the private subnet 192.168.20.0/24 and use for this NAT the public address 200.58.129.10

Then I configure:

eth0 200.58.129.34 / 255.255.255.252

eth1 200.58.129.1 / 255.255.255.224
eth1:0 192.168.1.1 / 255.255.255.0
eth1:1 192.168.20.1 / 255.255.255.0

/etc/shorewall/masq/

eth0 192.168.1.0/24 200.58.129.13
eth0 192.168.20.0/24 200.58.129.10

Here is where my doubts start.

1. Do I have to assign 200.58.129.10 and 200.58.129.13 to eth0? Is that configuration correct?

2. Or do I assign 200.58.129.1, 200.58.129.10 and 200.58.129.13 to eth0? I don't know if that is correct, because eth0 already has the IP 200.58.129.34 assigned.

If I use this configuration (number 2), what is the gateway for the PCs that have been assigned a public IP? 200.58.129.1 or 200.58.129.34?

I am confused about how to configure it.

Thanks,
Andrés
Charrua wrote:
> Hi,
>
> My ISP has assigned me the subnet 200.58.129.0/27 (255.255.255.224)
>
> I need to configure the external interface of the router with:
> 200.58.129.34 / 255.255.255.252 / Default Gw. 200.58.129.33
>
> A few users will be assigned public IPs (with Proxy ARP), the rest of the
> users will be assigned private IPs, and their traffic will go out using
> NAT (SNAT and DNAT).
>
> The gateway of the subnet 200.58.129.0/27 is 200.58.129.1

I would doubt that Proxy ARP is applicable in your case. If you have a /27 internally and a /30 externally and the two networks are disjoint!!!

gateway:/etc/test# shorewall ipcalc 200.58.129.34 255.255.255.252
   CIDR=200.58.129.34/30
   NETMASK=255.255.255.252
   NETWORK=200.58.129.32
   BROADCAST=200.58.129.35
gateway:/etc/test# shorewall ipcalc 200.58.129.0/27
   CIDR=200.58.129.0/27
   NETMASK=255.255.255.224
   NETWORK=200.58.129.0
   BROADCAST=200.58.129.31
gateway:/etc/test#

I suspect that your ISP is routing 200.58.129.0/27 via 200.58.129.34.

> I would like to use SNAT with the private subnet 192.168.1.0/24 and use for
> this NAT the public address 200.58.129.13
> I would like to use SNAT with the private subnet 192.168.20.0/24 and use for
> this NAT the public address 200.58.129.10
>
> Then I configure:
>
> eth0 200.58.129.34 / 255.255.255.252
>
> eth1 200.58.129.1 / 255.255.255.224
> eth1:0 192.168.1.1 / 255.255.255.0
> eth1:1 192.168.20.1 / 255.255.255.0
>
> /etc/shorewall/masq/
>
> eth0 192.168.1.0/24 200.58.129.13
> eth0 192.168.20.0/24 200.58.129.10
>
> Here is where my doubts start.
>
> 1. Do I have to assign 200.58.129.10 and 200.58.129.13 to eth0? Is that
> configuration correct?

Given that your ISP is routing the /27, you don't have to assign them to any interface.

> 2. Or do I assign 200.58.129.1, 200.58.129.10 and 200.58.129.13 to
> eth0? I don't know if that is correct, because eth0 already has the
> IP 200.58.129.34 assigned.
>
> If I use this configuration (number 2), what is the gateway for the
> PCs that have been assigned a public IP? 200.58.129.1 or 200.58.129.34?

It can't be 200.58.129.34 -- that's not even in their subnetwork!

-Tom
--
Tom Eastep              \ Nothing is foolproof to a sufficiently talented fool
Shoreline,              \ http://shorewall.net
Washington USA          \ teastep@shorewall.net
PGP Public Key          \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
>>
>> Here is where my doubts start.
>>
>> 1. Do I have to assign 200.58.129.10 and 200.58.129.13 to eth0? Is that
>> configuration correct?
>
> Given that your ISP is routing the /27, you don't have to assign them to any
> interface.

Although if you want the firewall to be able to answer pings to those IP addresses then you may want to assign them to eth1.

Also, I see you are using the dreaded "eth1:0" notation so be sure to read http://www1.shorewall.net/Shorewall_and_Aliased_Interfaces.html

-Tom
--
Tom Eastep              \ Nothing is foolproof to a sufficiently talented fool
Shoreline,              \ http://shorewall.net
Washington USA          \ teastep@shorewall.net
PGP Public Key          \ https://lists.shorewall.net/teastep.pgp.key
Ok, thanks, but I don't fully understand.

If I assign 200.58.129.10 and 200.58.129.13 to eth1, does the NAT work on eth0?

eth0 192.168.1.0/24 200.58.129.13
eth0 192.168.20.0/24 200.58.129.10

If I can't use Proxy ARP, what can I use to assign public IPs to some client PCs? One-to-one NAT?

The idea is to replace a Cisco router that currently performs this function.

Thanks,
Andrés

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: <shorewall-users@lists.sourceforge.net>
Sent: Tuesday, August 16, 2005 3:39 PM
Subject: Re: [Shorewall-users] NAT Doubts and question
Charrua wrote:
> Ok, thanks, but I don't fully understand.
>
> If I assign 200.58.129.10 and 200.58.129.13 to eth1, does the NAT work on eth0?
>
> eth0 192.168.1.0/24 200.58.129.13
> eth0 192.168.20.0/24 200.58.129.10
>

Yes.

> If I can't use Proxy ARP, what can I use to assign public IPs to
> some client PCs? One-to-one NAT?
>

You don't have to do anything -- if you define your addresses and subnets the way that you described *it will work* because your ISP is routing all traffic to your /27 through your Shorewall box.

-Tom
--
Tom Eastep              \ Nothing is foolproof to a sufficiently talented fool
Shoreline,              \ http://shorewall.net
Washington USA          \ teastep@shorewall.net
PGP Public Key          \ https://lists.shorewall.net/teastep.pgp.key
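The following is an added example, not code from the thread or from the Shorewall project. It reproduces the two pieces of reasoning Tom applies above with Python's standard ipaddress module: the subnet arithmetic behind `shorewall ipcalc` (the external /30 and the delegated /27 are disjoint, and a gateway has to be a host on the same subnet, which is why 200.58.129.34 cannot be the gateway for the public PCs), and the two /etc/shorewall/masq entries quoted in the thread, which it turns into the equivalent iptables SNAT rules and checks against the routed /27. The masq-to-iptables mapping is written from Shorewall's documented meaning of the ADDRESS column and is an illustration, not the compiler's exact output; the `check_plan` function and its messages are this example's own invention.

```python
# Added example (not from the thread or the Shorewall project): sanity-check
# the addressing plan discussed on the list and show what the masq entries
# amount to as SNAT rules.
import ipaddress

# Values taken from the thread.
EXTERNAL_IF = ipaddress.ip_interface("200.58.129.34/30")    # eth0 address
ISP_GATEWAY = ipaddress.ip_address("200.58.129.33")         # default gw
ROUTED_BLOCK = ipaddress.ip_network("200.58.129.0/27")      # delegated /27
INTERNAL_GW = ipaddress.ip_address("200.58.129.1")          # eth1 address

# Constructed copy of the /etc/shorewall/masq lines quoted in the thread.
# Columns: INTERFACE  SOURCE  ADDRESS
MASQ_LINES = """\
# INTERFACE   SOURCE             ADDRESS
eth0          192.168.1.0/24     200.58.129.13
eth0          192.168.20.0/24    200.58.129.10
"""


def ipcalc(spec):
    """Return the four fields `shorewall ipcalc` prints for an address/mask."""
    iface = ipaddress.ip_interface(spec)
    net = iface.network
    return {
        "CIDR": iface.with_prefixlen,
        "NETMASK": str(net.netmask),
        "NETWORK": str(net.network_address),
        "BROADCAST": str(net.broadcast_address),
    }


def gateway_valid(net, gw):
    """A gateway must be a usable host inside the subnet it serves."""
    return gw in net and gw not in (net.network_address, net.broadcast_address)


def parse_masq(text):
    """Parse INTERFACE SOURCE ADDRESS lines; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"masq line needs INTERFACE SOURCE ADDRESS: {raw!r}")
        entries.append((fields[0],
                        ipaddress.ip_network(fields[1]),
                        ipaddress.ip_address(fields[2])))
    return entries


def snat_rules(entries):
    """Equivalent netfilter rules for masq entries that carry an ADDRESS."""
    return [
        f"iptables -t nat -A POSTROUTING -o {iface} -s {src} -j SNAT --to-source {addr}"
        for iface, src, addr in entries
    ]


def check_plan(entries):
    """Return a list of problems with the plan; an empty list means consistent."""
    problems = []
    if EXTERNAL_IF.network.overlaps(ROUTED_BLOCK):
        problems.append("external /30 overlaps the delegated /27")
    if not gateway_valid(EXTERNAL_IF.network, ISP_GATEWAY):
        problems.append(f"ISP gateway {ISP_GATEWAY} is not on the external /30")
    if not gateway_valid(ROUTED_BLOCK, INTERNAL_GW):
        problems.append(f"internal gateway {INTERNAL_GW} is not on the /27")
    for iface, src, addr in entries:
        if addr not in ROUTED_BLOCK:
            # The ISP only routes the /27 to us; any other SNAT source address
            # would never get return traffic.
            problems.append(f"SNAT address {addr} is outside the routed /27")
        if not src.is_private:
            problems.append(f"masq source {src} is not a private (RFC 1918) range")
    return problems


if __name__ == "__main__":
    for spec in ("200.58.129.34/255.255.255.252", "200.58.129.0/27"):
        print(spec, ipcalc(spec))
    entries = parse_masq(MASQ_LINES)
    print("\n".join(snat_rules(entries)))
    print("problems:", check_plan(entries) or "none")
    for gw in ("200.58.129.1", "200.58.129.34"):
        print(gw, "usable as gateway for the public PCs:",
              gateway_valid(ROUTED_BLOCK, ipaddress.ip_address(gw)))
```

Run it as-is and it reports no problems for the plan from the thread; change one ADDRESS to something outside 200.58.129.0/27 (or swap eth0 for an address that is not yours) and `check_plan` names the offending entry.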
Thanks very much.

Andrés

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: <shorewall-users@lists.sourceforge.net>
Sent: Tuesday, August 16, 2005 4:49 PM
Subject: Re: [Shorewall-users] NAT Doubts and question