Date: Sat, 26 Jul 2003 20:01:31 -0400
From: Chuck Swiger <cswiger@mac.com>
To: Evren Yurtesen <eyurtese@tekniikka.turkuamk.fi>
Cc: freebsd-isp@freebsd.org
Subject: Re: VLAN with/and NATD
Message-ID: <3F23165B.60303@mac.com>
In-Reply-To: <Pine.A41.4.10.10307261333510.20186-100000@bessel.tekniikka.turkuamk.fi>
References: <Pine.A41.4.10.10307261333510.20186-100000@bessel.tekniikka.turkuamk.fi>
Evren Yurtesen wrote:

> Now the problem is that I want to use NAT inside VLANs that, let's say I
> want to be able to use 192.168.1.0/24 IP block in every VLAN and in
> different VLANs the same IPs should be able to be used.
>
> Does anybody have any suggestion how to do this? I would guess that I need
> multiple IP addresses in the outside interface but how do I map the VLAN
> interfaces to use those IPs with NAT?

I think I understand what you're asking about, but it's important to separate VLANs (which are used to logically separate the network at layer-2) and IP netblocks, which are used by layer-3 IP routing.

You should also be aware that VLAN implementations are not perfect; you may and probably will sometimes get packets leaking from one VLAN to another for reasons which include a failure to tag them with a VLAN id, buggy switches, and who knows what else. Having IP addresses be unique within the "network you manage" is a really good idea. [call this an opinion]

That being said, configure your switches with a VLAN ID 0 where the NAT boxes/routers live and your external Internet connection, and VLAN ID 1, 2, 3 will be used for each of your 192.168 networks, network-1, network-2, etc. If you've got enough public IPs to give one per network, have NAT-box-1 in VLAN ID 0 and 1 and translate traffic to public-ip-1, etc. If NAT-box-1 is dual-homed, have one interface be in each VLAN, otherwise you can use ifconfig's alias and vlan keywords to do this over a single interface.

Of course, if all of your NAT boxes will be dual-homed, you could simply put one interface onto each network and the other onto another switch and form the "external subnet" I'm talking about that way. But you asked how to do this via VLANs, so....

Lather, rinse, repeat for NAT-box-2, network-2, -3, and so forth. Configure the external subnet to route traffic via the local Internet connection, and you're done.
Oh, yeah-- if you don't have enough public IPs and you need to coalesce this further, use 10.0.0.0/8 addresses on these NAT boxes, then set up another layer of NAT translation which maps everybody on the 10/8 subnet into a single public IP.

[ NAT sucks. NAT'ing twice sucks worse: persistent connections don't work very well and tend to have a lifetime which is inversely proportional to the amount of network traffic (hence dynamic entries) going by. ]

-Chuck
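A dry-run generator for the per-NAT-box layout described in the reply above, added here as an example and not part of the thread or of anyone's actual setup. It assumes fxp0 as the single NIC, a 203.0.113.0/24 public block, an untagged external side (the switch port's native VLAN standing in for the "VLAN ID 0" external subnet), and FreeBSD's ipfw/natd with divert support in the kernel.

```shell
#!/bin/sh
# Added example: print the commands one NAT box needs for Chuck's layout.
# Each NAT box owns one internal VLAN, one public address and its own natd
# instance. Review the output, then pipe it to sh as root on that box.
# Assumed: fxp0 is the NIC, 203.0.113.0/24 is the public block (both
# made up for this example).

# natbox_config VLAN_ID PUBLIC_IP [PARENT_IF]
# The 192.168.1.0/24 block is reused unchanged in every VLAN. That only
# works because every VLAN gets its own router: no single routing table
# ever holds two copies of the same prefix.
natbox_config() {
    vid=$1; pub=$2; parent=${3:-fxp0}
    port=$((8668 + vid))        # one divert port per natd instance
    rule=$((100 + vid))         # one ipfw rule number per box

    echo "# --- NAT box for VLAN $vid, translating to $pub ---"
    echo "sysctl net.inet.ip.forwarding=1"
    # internal side: tagged VLAN sub-interface on the single NIC
    echo "ifconfig vlan$vid create"
    echo "ifconfig vlan$vid vlan $vid vlandev $parent"
    echo "ifconfig vlan$vid inet 192.168.1.1 netmask 255.255.255.0"
    # external side: the public address sits on the untagged parent
    echo "ifconfig $parent inet $pub netmask 255.255.255.0"
    # natd rewrites to $pub only: -u touches only RFC 1918 sources,
    # -s keeps the original source port where it can
    echo "natd -p $port -a $pub -u -s"
    # everything crossing the public interface is diverted to that natd
    echo "ipfw add $rule divert $port ip from any to any via $parent"
}

# one invocation per NAT box: VLAN 1 -> 203.0.113.1, VLAN 2 -> 203.0.113.2
natbox_config 1 203.0.113.1
natbox_config 2 203.0.113.2
```

Running the same generator with 10.0.0.x addresses in place of the public IPs gives the inner layer of the double-NAT setup mentioned at the end of the message; the box doing the outer translation then needs only a single natd aliasing to the one public address.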