From owner-freebsd-isp@FreeBSD.ORG Sat Jul 26 17:01:32 2003
From: Chuck Swiger <cswiger@mac.com>
Organization: The Courts of Chaos
To: Evren Yurtesen
Cc: freebsd-isp@freebsd.org
Date: Sat, 26 Jul 2003 20:01:31 -0400
Message-ID: <3F23165B.60303@mac.com>
Subject: Re: VLAN with/and NATD
List-Id: Internet Services Providers <freebsd-isp@freebsd.org>

Evren Yurtesen wrote:
> Now the problem is that I want to use NAT inside VLANs that, lets say I
> want to be able to use 192.168.1.0/24 IP block in every VLAN and in
> different VLANs the same IPs should be able to be used.
>
> Does anybody have any suggestion how to do this? I would guess that I need
> multiple IP addresses in the outside interface but how do I map the VLAN
> interfaces to use those IPs with NAT?

I think I understand what you're asking about, but it's important to separate VLANs (which are used to logically separate the network at layer-2) and IP netblocks, which are used by layer-3 IP routing.

You should also be aware that VLAN implementations are not perfect; you may and probably will sometimes get packets leaking from one VLAN to another for reasons which include a failure to tag them with a VLAN id, buggy switches, and who knows what else. Having IP addresses be unique within the "network you manage" is a really good idea. [call this an opinion]

That being said, configure your switches with a VLAN ID 0 where the NAT boxes/routers live and your external Internet connection, and VLAN ID 1, 2, 3 will be used for each of your 192.168 networks, network-1, network-2, etc.

If you've got enough public IPs to give one per network, have NAT-box-1 in VLAN ID 0 and 1 and translate traffic to public-ip-1, etc. If NAT-box-1 is dual-homed, have one interface be in each VLAN, otherwise you can use an ifconfig's alias and vlan keywords to do this over a single interface.

Of course, if all of your NAT boxes will be dual-homed, you could simply put one interface onto each network and the other onto another switch and form the "external subnet" I'm talking about that way. But you asked how to do this via VLANs, so....

Lather, rinse, repeat for NAT-box-2, network-2, -3, and so forth. Configure the external subnet to route traffic via the local Internet connection, and you're done.

Oh, yeah-- if you don't have enough public IPs and you need to coalesce this further, use 10.0.0.0/8 addresses on these NAT boxes, then set up another layer of NAT translation which maps everybody on the 10/8 subnet into a single public IP.

[ NAT sucks. NAT'ing twice sucks worse: persistent connections don't work very well and tend to have a lifetime which is inversely proportional to the amount of network traffic (hence dynamic entries) going by. ]

-Chuck
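The following is an added example and is not part of Chuck's post or of any FreeBSD project code: a small sh script that emits the rc.conf fragment and ipfw rule file for one of the per-VLAN NAT boxes he describes (vlan interface on a trunk NIC, natd aliasing to that box's address on the shared external subnet), plus the optional second NAT layer that folds the 10/8 external subnet into one public address. The interface names (fxp0 as the 802.1Q trunk, fxp1 as the external NIC), the choice of 10.0.0.0/24 for the external subnet and 203.0.113.0/24 as the public block are assumptions made for the example. It also spells out why the design uses one NAT box per VLAN: a single FreeBSD host holds one route for 192.168.1.0/24 and so cannot deliver de-NATed replies into two VLANs that both carry that block.

```shell
# Added example (not from the mailing-list post): generate the FreeBSD
# rc.conf and ipfw/natd configuration for the per-VLAN NAT boxes and the
# optional second NAT layer described above. Assumed names: fxp0 is the
# 802.1Q trunk, fxp1 the external NIC, 10.0.0.0/24 the shared external
# subnet, 203.0.113.0/24 the public block (all documentation/example values).
#
# Why one NAT box per VLAN: the kernel keeps one route for 192.168.1.0/24,
# so one host cannot forward replies back into two VLANs that both use it.
# Each box sees only its own VLAN, so the overlap never reaches a routing
# table. The kernel needs options IPDIVERT for the divert rules; the
# cloned_interfaces line needs interface cloning (FreeBSD 5.x); on older
# 4.x kernels use "pseudo-device vlan N" in the kernel config instead.

# natbox_config N EXT_ADDR GATEWAY TRUNK EXT_IF
#   N        VLAN id of the inside network this box serves (1, 2, 3 ...)
#   EXT_ADDR this box's address on the external subnet (public-ip-N or 10.0.0.N)
#   GATEWAY  next hop on the external subnet
#   TRUNK    NIC carrying the 802.1Q tags
#   EXT_IF   NIC on the external subnet
natbox_config() {
    n=$1 addr=$2 gw=$3 trunk=$4 ext=$5
    cat <<EOF
# ---- /etc/rc.conf on NAT-box-$n ----
cloned_interfaces="vlan$n"
# inside: tag $n on $trunk; every NAT box uses the same 192.168.1.0/24
ifconfig_vlan$n="inet 192.168.1.1 netmask 255.255.255.0 vlan $n vlandev $trunk"
# outside: the shared external subnet; natd -n $ext aliases to this address
ifconfig_$ext="inet $addr netmask 255.255.255.0"
defaultrouter="$gw"
gateway_enable="YES"
firewall_enable="YES"
firewall_type="/etc/ipfw.natbox.rules"
natd_enable="YES"
natd_interface="$ext"
natd_flags="-same_ports -use_sockets"

# ---- /etc/ipfw.natbox.rules on NAT-box-$n ----
# divert everything crossing the external NIC through natd (service port 8668)
add 100 divert natd ip from any to any via $ext
add 65000 allow ip from any to any
EOF
}

# edge_config PUBIP INSIDE_IF EXT_IF
#   Second NAT layer: maps the whole external subnet to a single public IP.
#   Double NAT means each flow lives in two dynamic natd tables, each of
#   which ages entries out under load, which is the "sucks worse" above.
edge_config() {
    pub=$1 in_if=$2 ext=$3
    cat <<EOF
# ---- /etc/rc.conf on the edge box ----
ifconfig_$in_if="inet 10.0.0.254 netmask 255.255.255.0"
ifconfig_$ext="inet $pub netmask 255.255.255.0"
gateway_enable="YES"
firewall_enable="YES"
firewall_type="/etc/ipfw.edge.rules"
natd_enable="YES"
natd_interface="$ext"
natd_flags="-same_ports -use_sockets"

# ---- /etc/ipfw.edge.rules on the edge box ----
# only the NAT boxes' 10/8 side should reach here; drop 192.168 packets that
# leaked across a VLAN instead of translating them
add 50 deny ip from 192.168.0.0/16 to any in via $in_if
add 100 divert natd ip from any to any via $ext
add 65000 allow ip from any to any
EOF
}

# Demo: two NAT boxes on the 10.0.0.0/24 external subnet behind one edge box.
natbox_config 1 10.0.0.1 10.0.0.254 fxp0 fxp1
natbox_config 2 10.0.0.2 10.0.0.254 fxp0 fxp1
edge_config 203.0.113.10 fxp0 fxp1
```

With enough public addresses, drop the edge box and call natbox_config with public-ip-N and the upstream router as EXT_ADDR and GATEWAY; nothing else changes, since natd simply aliases to whatever address the external NIC carries.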