Firewall Wizards mailing list archives
Re: NAT
From: carl () bl echidna id au
Date: Thu, 27 Apr 2000 08:01:29 +1000 (EST)
You could try pestering your ISP to support IPv6 :)
Mon, 24 Apr 2000 13:53:58 -0600

> To: sean.kelly () lanston com
> Cc: firewall-wizards () nfr net
> Subject: Re: [fw-wiz] NAT
> From: "Alexandre A. Rodioukov" <simuran () home com>
> Date: 24 Mar 2000 12:52:05 -0700
>
> sean.kelly () lanston com writes:
>
> > You don't need your ISP to provide you with a private subnet. The problem
> > you face is one that pretty much everyone in the industry does. The only
> > machine you want to assign a "plain" IP is one you want to be visible to
> > the world -- a web server, etc. There are sets of IP ranges designated
> > for private use. The most commonly used range is the 192.168.x.x C class.
> > Come up with a scheme for your machines using this IP range and get a
> > firewall/proxy server. For small networks, products like SyGate on a
> > spare PC are often sufficient.
>
> I'm aware of that fact :) Talking about subnet, I was talking about a
> routable subnet, where the ISP sets its routing so that packets for this
> subnet (net) are coming through our gate/firewall. Unfortunately in my
> area (Alberta) most of the xDSL providers just give you 2-8 IP addresses
> from their IP space and assume that you are going to plug the modem into
> the hub and/or use a hardware firewall.
>
> > This is indeed NAT.
> >
> > > I was hitting my head against the wall trying to come up with NAT
> > > rules for such a scheme, but I failed. I need your help guys.
> >
> > What rules do you mean? Any of the products out there that do NAT
> > should be able to be set up without too much trouble. It doesn't sound
> > like you're doing anything unusual.
>
> I think the thing I'm looking for is static NAT. Unfortunately my first
> attempts to make NAT work were done on a Linux system (it seems to me
> that the level of support for NAT in Linux is not that great). What I
> wanted to do is for outsiders to be able to access some machines/services
> inside the network via real IPs (the machines themselves are assigned
> fake addresses). Also it would be kinda great if some outgoing
> connections from the internal net would be seen as if they came from the
> real IPs mapped to the originator address (hope that makes sense).
>
> Small diagram:
>
>   ----- world -----| fw |----- local net -----
>                     x.x.x.1                 10.x.x.x
>                     x.x.x.2
>                     .......   real IP addresses, aliases on fw
>                     x.x.x.n
>
> And for some machines in the internal net the following mapping will
> work:
>
>   10.x.x.y <-> x.x.x.y
>
> (all outgoing connections from 10.x.x.y to the outside world would be
> seen as if they originated from x.x.x.y, and all incoming connections to
> x.x.x.y would be forwarded to 10.x.x.y)
>
> > Sean
>
> Thanks for your answer, with kind regards,
> Sasha.
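The 10.x.x.y <-> x.x.x.y mapping Sasha describes is static (one-to-one) NAT: the public address lives as an alias on the firewall, inbound packets for it are rewritten to the private host, and outbound packets from that host are rewritten to the public address. As an added example, not code from this thread or from any product named in it, the script below expresses that mapping with Linux netfilter/iptables (the successor of the ipchains/ipmasqadm tooling of the thread's era). The interface names eth0/eth1, the DRY_RUN switch, the mapping table and the 203.0.113.0/24 documentation-range addresses are all assumptions of the example.

```shell
#!/bin/sh
# Added example: static 1:1 NAT on a Linux firewall with iptables (netfilter).
# Not code from the original thread. Assumes EXT_IF faces the ISP, INT_IF
# faces the 10.x.x.x LAN, and the public addresses are routed to the
# firewall's external link. Public addresses are constructed samples from
# the RFC 5737 documentation range 203.0.113.0/24.
set -eu

EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands for review instead of running them

# run: echo the command (DRY_RUN=1) or execute it (requires root when DRY_RUN=0)
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# static_nat PUBLIC PRIVATE "PORT ..."
# One public address mapped to one private host in both directions:
#  - the public address becomes an alias on the external interface, so the
#    firewall answers ARP for it (no proxy ARP needed),
#  - DNAT rewrites inbound packets for PUBLIC to PRIVATE,
#  - SNAT rewrites outbound packets from PRIVATE so they appear from PUBLIC,
#  - FORWARD admits new inbound connections only to the listed TCP ports;
#    DNAT alone would expose every port of the internal host.
static_nat() {
    public="$1"; private="$2"; ports="$3"
    run ip addr add "$public/32" dev "$EXT_IF"
    run iptables -t nat -A PREROUTING -i "$EXT_IF" -d "$public" \
        -j DNAT --to-destination "$private"
    run iptables -t nat -A POSTROUTING -o "$EXT_IF" -s "$private" \
        -j SNAT --to-source "$public"
    for p in $ports; do
        run iptables -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$private" \
            -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done
}

# base_policy: default-deny forwarding; allow replies and LAN-originated traffic
base_policy() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$INT_IF" -o "$EXT_IF" -j ACCEPT
}

# mapping_table: the 10.x.x.y <-> x.x.x.y scheme, one host per line
# (constructed sample: a web host exposing 80/443, a mail host exposing 25)
mapping_table() {
    cat <<'EOF'
203.0.113.2 10.0.0.2 80 443
203.0.113.3 10.0.0.3 25
EOF
}

# apply_all: base policy first, then one static mapping per table row
apply_all() {
    base_policy
    mapping_table | while read -r pub priv ports; do
        static_nat "$pub" "$priv" "$ports"
    done
}

apply_all
```

With DRY_RUN=1 (the default) the script only prints the rule set so it can be reviewed before anything touches the kernel; run it as root with DRY_RUN=0 to apply. The nat-table rules implement the mapping, but it is the FORWARD chain with its DROP policy that decides which of the internal host's services are actually reachable from outside, so the port list is the part worth keeping minimal.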