From: Evren Yurtesen
To: Chuck Swiger
cc: freebsd-isp@freebsd.org
Date: Sun, 27 Jul 2003 05:26:08 +0300 (WET)
Subject: Re: VLAN with/and NATD
In-Reply-To: <3F23165B.60303@mac.com>

Hi Pal,

Your email came right in time. I have almost already sorted out the NAT/VLAN stuff. I figured out that I have a logical problem. Natd doesn't keep in its table from which interface it got the packets, so if I have the same IP addresses all around it would all get messed up.

About making NAT of NAT to have more external IP addresses: I asked about multiple external IP addresses because I fear that the NAT translation table will be full at some point, when I have many clients.

Now, why did your email come right in time? :) I was just looking at some Apple stuff and your email address shows mac.com. I wonder if it is possible to run Mac OS X applications in FreeBSD? :) Or are there any Mac OS X emulators that you know of? (even for Windows?)
Evren

On Sat, 26 Jul 2003, Chuck Swiger wrote:

> Evren Yurtesen wrote:
> > Now the problem is that I want to use NAT inside VLANs; that is, let's say I
> > want to be able to use the 192.168.1.0/24 IP block in every VLAN, and in
> > different VLANs the same IPs should be able to be used.
> >
> > Does anybody have any suggestion how to do this? I would guess that I need
> > multiple IP addresses on the outside interface, but how do I map the VLAN
> > interfaces to use those IPs with NAT?
>
> I think I understand what you're asking about, but it's important to separate
> VLANs (which are used to logically separate the network at layer-2) and IP
> netblocks, which are used by layer-3 IP routing.
>
> You should also be aware that VLAN implementations are not perfect; you may and
> probably will sometimes get packets leaking from one VLAN to another for reasons
> which include a failure to tag them with a VLAN id, buggy switches, and who
> knows what else. Having IP addresses be unique within the "network you manage"
> is a really good idea. [call this an opinion]
>
> That being said, configure your switches with a VLAN ID 0 where the NAT
> boxes/routers live and your external Internet connection, and VLAN ID 1, 2, 3
> will be used for each of your 192.168 networks, network-1, network-2, etc.
>
> If you've got enough public IPs to give one per network, have NAT-box-1 in VLAN
> ID 0 and 1 and translate traffic to public-ip-1, etc. If NAT-box-1 is
> dual-homed, have one interface be in each VLAN; otherwise you can use
> ifconfig's alias and vlan keywords to do this over a single interface.
>
> Of course, if all of your NAT boxes will be dual-homed, you could simply put one
> interface onto each network and the other onto another switch and form the
> "external subnet" I'm talking about that way. But you asked how to do this via
> VLANs, so....
>
> Lather, rinse, repeat for NAT-box-2, network-2, -3, and so forth.
>
> Configure the external subnet to route traffic via the local Internet
> connection, and you're done. Oh, yeah-- if you don't have enough public IPs and
> you need to coalesce this further, use 10.0.0.0/8 addresses on these NAT boxes,
> then set up another layer of NAT translation which maps everybody on the 10/8
> subnet into a single public IP.
>
> [ NAT sucks. NAT'ing twice sucks worse: persistent connections don't work very
> well and tend to have a lifetime which is inversely proportional to the amount
> of network traffic (hence dynamic entries) going by. ]
>
> -Chuck
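The collision Evren describes (natd does not record the ingress interface) and the one-NAT-box-and-public-IP-per-VLAN layout Chuck proposes, as a small Python model added here; it is not code from the thread or from FreeBSD's natd. The Natd class, the VLAN names and every address are constructed for illustration.

```python
"""Constructed model of the natd/VLAN problem in this thread (not FreeBSD code).
A natd table records (private ip, private port) but not the VLAN a packet came
in on, so one 192.168.1.0/24 block used on two VLANs collides; one NAT instance
and public alias address per VLAN keeps the tables and return paths apart."""

class Natd:
    """One natd instance: one alias (public) address and its own table."""

    def __init__(self, alias_ip, first_port=40000):
        self.alias_ip = alias_ip
        self.next_port = first_port
        self.out_map = {}  # (priv_ip, priv_port, dst) -> alias_port
        self.in_map = {}   # alias_port -> (priv_ip, priv_port)

    def outbound(self, priv_ip, priv_port, dst):
        """Translate a packet heading out, reusing an existing entry."""
        key = (priv_ip, priv_port, dst)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[self.next_port] = (priv_ip, priv_port)
            self.next_port += 1
        return self.alias_ip, self.out_map[key]

    def inbound(self, alias_port):
        """Translate a reply back to its private endpoint, or None."""
        return self.in_map.get(alias_port)

DST = ("198.51.100.5", 80)  # made-up Internet server
# Two clients with the *same* private address and port on two different VLANs.
CLIENTS = [("vlan1", "192.168.1.10", 1234), ("vlan2", "192.168.1.10", 1234)]

def single_natd():
    """One natd for every VLAN: returns (alias ports handed out, table entries)."""
    nat = Natd("203.0.113.1")
    ports = {nat.outbound(ip, port, DST)[1] for _vlan, ip, port in CLIENTS}
    return len(ports), len(nat.in_map)  # (1, 1): the two flows are merged

def natd_per_vlan():
    """Chuck's layout: one NAT box (or instance) and public IP per VLAN.
    Returns per client VLAN the instance a reply reaches and its translation."""
    nats = {"vlan1": Natd("203.0.113.11"), "vlan2": Natd("203.0.113.12")}
    replies = {}
    for vlan, ip, port in CLIENTS:
        alias_ip, alias_port = nats[vlan].outbound(ip, port, DST)
        # The reply's destination address picks the instance, hence the VLAN.
        owner = next(v for v, n in nats.items() if n.alias_ip == alias_ip)
        replies[vlan] = (owner, nats[owner].inbound(alias_port))
    return replies
```

With a single table the two flows share one entry, so a reply to alias port 40000 has no unique private endpoint (and the kernel has no unique route back to 192.168.1.10 either); with one instance per VLAN each reply lands on the instance, and thus the VLAN, it belongs to.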