Date: Sun, 27 Jul 2003 05:26:08 +0300 (WET)
From: Evren Yurtesen <eyurtese@tekniikka.turkuamk.fi>
To: Chuck Swiger <cswiger@mac.com>
Cc: freebsd-isp@freebsd.org
Subject: Re: VLAN with/and NATD
Message-ID: <Pine.A41.4.10.10307270515190.21786-100000@bessel.tekniikka.turkuamk.fi>
In-Reply-To: <3F23165B.60303@mac.com>
Hi Pal,

Your email came right in time. I have almost already sorted out the NAT/VLAN stuff. I figured out that I have a logical problem: natd doesn't keep in its table from which interface it got the packets, so if I have the same IP addresses all around it would all get messed up.

About making NAT of NAT to have more external IP addresses: I asked about multiple external IP addresses because I fear that the NAT translation table will be full at some point, when I have many clients.

Now, why did your email come right in time? :) I was just looking at some Apple stuff and your email address shows mac.com. I wonder if it is possible to run Mac OS X applications in FreeBSD? :) Or is there any Mac OS X emulator that you know of? (even for Windows?)

Evren

On Sat, 26 Jul 2003, Chuck Swiger wrote:

> Evren Yurtesen wrote:
> > Now the problem is that I want to use NAT inside VLANs; that is, let's say I
> > want to be able to use the 192.168.1.0/24 IP block in every VLAN, and in
> > different VLANs the same IPs should be able to be used.
> >
> > Does anybody have any suggestion how to do this? I would guess that I need
> > multiple IP addresses on the outside interface, but how do I map the VLAN
> > interfaces to use those IPs with NAT?
>
> I think I understand what you're asking about, but it's important to separate
> VLANs (which are used to logically separate the network at layer 2) and IP
> netblocks, which are used by layer-3 IP routing.
>
> You should also be aware that VLAN implementations are not perfect; you may and
> probably will sometimes get packets leaking from one VLAN to another for reasons
> which include a failure to tag them with a VLAN ID, buggy switches, and who
> knows what else. Having IP addresses be unique within the "network you manage"
> is a really good idea. [Call this an opinion.]
>
> That being said, configure your switches with a VLAN ID 0 where the NAT
> boxes/routers live and your external Internet connection, and VLAN IDs 1, 2, 3
> will be used for each of your 192.168 networks: network-1, network-2, etc.
>
> If you've got enough public IPs to give one per network, have NAT-box-1 in VLAN
> IDs 0 and 1 and translate traffic to public-ip-1, etc. If NAT-box-1 is
> dual-homed, have one interface be in each VLAN; otherwise you can use
> ifconfig's alias and vlan keywords to do this over a single interface.
>
> Of course, if all of your NAT boxes will be dual-homed, you could simply put one
> interface onto each network and the other onto another switch and form the
> "external subnet" I'm talking about that way. But you asked how to do this via
> VLANs, so....
>
> Lather, rinse, repeat for NAT-box-2, network-2, -3, and so forth.
>
> Configure the external subnet to route traffic via the local Internet
> connection, and you're done. Oh, yeah -- if you don't have enough public IPs and
> you need to coalesce this further, use 10.0.0.0/8 addresses on these NAT boxes,
> then set up another layer of NAT translation which maps everybody on the 10/8
> subnet into a single public IP.
>
> [NAT sucks. NAT'ing twice sucks worse: persistent connections don't work very
> well and tend to have a lifetime which is inversely proportional to the amount
> of network traffic (hence dynamic entries) going by.]
>
> -Chuck
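The per-box layout Chuck outlines, as an added shell example that is not part of the thread: it prints (never applies) the FreeBSD natd(8)/ipfw(8) commands for one NAT box per 192.168.1.0/24 VLAN over a single tagged interface, plus the aggregating box for the 10/8 double-NAT variant. The NIC names fxp0/fxp1, the 10/8 and 203.0.113.x addresses, the divert ports, and VLAN ID 100 standing in for the thread's "VLAN 0" (802.1Q reserves VID 0) are all assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): prints the FreeBSD natd(8)/ipfw(8) setup
# for the layout Chuck sketches. Each NAT box sits on one tagged trunk port,
# in the shared external VLAN and in its own 192.168.1.0/24 VLAN, and aliases to
# its own outside address. One natd per box means the identical private blocks
# never meet in one translation table, the problem Evren describes.
# Assumptions: trunk NIC fxp0, uplink NIC fxp1, all addresses, and VLAN ID 100
# standing in for the thread's "VLAN 0" (802.1Q reserves VID 0).

TRUNK=fxp0      # NIC carrying the 802.1Q trunk
EXT_VID=100     # external VLAN shared by all NAT boxes and the uplink router

# vlan_if <vid> <addr/prefix>: commands creating a tagged interface on TRUNK
vlan_if() {
    printf 'ifconfig vlan%s create\n' "$1"
    printf 'ifconfig vlan%s vlan %s vlandev %s inet %s\n' "$1" "$1" "$TRUNK" "$2"
}

# nat_rules <outside-if> <outside-ip> <default-gw> [divert-port]: one natd per box.
# -unregistered_only rewrites only RFC 1918 sources; the divert rule on the
# outside interface catches both directions so replies are de-aliased too.
# Rule 200 is left open only to keep the NAT plumbing visible; restrict it in use.
nat_rules() {
    port=${4:-8668}
    cat <<EOF
sysctl net.inet.ip.forwarding=1
route add default $3
natd -port $port -unregistered_only -alias_address $2
ipfw add 100 divert $port ip from any to any via $1
ipfw add 200 allow ip from any to any
EOF
}

# network_box <n> <ext-addr/prefix> <ext-gw>: the NAT box for network-<n>, which
# is VLAN <n> and always 192.168.1.0/24 inside; its outside leg is on EXT_VID.
network_box() {
    vlan_if "$1" 192.168.1.1/24
    vlan_if "$EXT_VID" "$2"
    nat_rules "vlan$EXT_VID" "${2%/*}" "$3"
}

# The "coalesce further" variant: boxes' outside legs use 10/8, and one more box
# (uplink fxp1, constructed public address) maps the whole 10/8 subnet to one IP.
echo '# --- network-1 box ---'; network_box 1 10.0.0.1/8 10.0.0.254
echo '# --- network-2 box ---'; network_box 2 10.0.0.2/8 10.0.0.254
echo '# --- aggregating box ---'
vlan_if "$EXT_VID" 10.0.0.254/8
echo 'ifconfig fxp1 inet 203.0.113.5/24'
nat_rules fxp1 203.0.113.5 203.0.113.1 8669
```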