
Re: Bridging + NAT question



On Thu, Mar 15, 2001 at 10:33:29AM -0000, Sam Mason wrote:
> I probably should have posted my thoughts earlier. . .
> 
> > No, attempting to do layer 3 NAT in a layer 2 device is only one
> > more way to make a convoluted and difficult to maintain network
> > in my opinion.  Tillman's message in this thread gives a nice example
> > that does not rely on it and provides all of the same features.
> > 
> > From Tillman's message (slightly modified):
> > 
> >        Internet
> >           |
> >   Transparent Bridge - DMZ machines (Mail Server, etc)
> >           |
> >        NAT box
> >           |
> >     Various Boxen
> 
> I have been thinking about this: how does the "NAT box" work? The NAT
> traffic is easy, just do the NAT, but I need to send some non-NAT'ed traffic
> to the "Various Boxen", and vice versa to the DMZ network.
> 
> What I need to do is NAT some traffic that was destined for one mail server
> to another mail server. I also need to allow some normal (non-NAT) traffic
> through to both servers (+ various other servers).
> 
> Therefore the network above would be impossible: the bridge would have to
> have some hellish IPF rules redirecting (block on eth0 to eth1), then when
> the traffic got to the "NAT box" it would effectively have to do bridging
> and NAT to do the NAT and allow the non-NAT traffic through. This is the
> same problem I had originally, but now it has a lot more to go wrong.
> 
> Am I missing something here? If it were a properly designed network then I
> would happily use the above or something similar; however, life is never that
> simple and, as far as I can see, I NEED to do transparent bridging and NAT on
> the same box.

Yup, you're missing something here. I think you're confused about how a bridge
works. The easiest thing to do is pretend that it's not there; just forget
that it exists. Then it becomes apparent that you can have more than one box
attached to your bandwidth via a switch or hub, just like you could if there
was no transparent firewall in place. The only difference, conceptually, is
that you can think of your bandwidth as being filtered automagically. IOW, the
internal NIC on your transparent bridge is conceptually equivalent to the
incoming bandwidth.

Here's an idea to work around your problem:
(note that the NAT box does the redirecting to your mail server, etc.)

        Internet
           |
   Transparent Bridge
           |
          hub
          /     \
   NAT box   Various Boxen
      |
Various Boxen

And yet another way to do it requires an extra NIC on the transparent
firewall, letting you separate public hosts from your NAT network, which can
be nice if you want to apply different filters to them on the firewall (and
you want to prevent them from talking directly to each other without having to
go through the firewall). It looks somewhat like this:

        Internet
           |
   Transparent Bridge - hub - DMZ machines (Various Boxen)
           |
        NAT box
           |
     Various Boxen

- Tillman

-- 
Delusions are often functional. A mother's opinions about her children's
beauty, intelligence, goodness, et cetera ad nauseam, keep her from
drowning them at birth.
	Robert Heinlein
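As an added illustration of Tillman's second layout (transparent bridge in front, hub, NAT box sitting beside the DMZ hosts), here is an IPFilter configuration for the two boxes. This is example configuration written for this archive page, not anything Sam or Tillman posted, and everything in it is assumed: IPFilter is used because the thread mentions IPF rules; the public block is 203.0.113.0/24, the DMZ mail server on the hub is 203.0.113.25, the NAT box holds 203.0.113.10 on its outside interface fxp0 and 192.168.1.0/24 on its inside interface fxp1, and the internal mail server is 192.168.1.25. The bridge's outside interface is also called fxp0.

```conf
# Added example, not from the thread. All interface names and addresses are
# assumed (see the lead-in). Documentation address ranges are used throughout.

# --- /etc/ipf.conf on the transparent bridge (outside interface fxp0) ---
# Default deny in both directions on the outside interface; log what is dropped.
block in log on fxp0 all
block out log on fxp0 all
# SMTP to the DMZ mail server and to the NAT box's public address. The bridge
# does not know or care that the second one is redirected further on; it only
# ever sees the public address.
pass in quick on fxp0 proto tcp from any to 203.0.113.25/32 port = 25 flags S keep state
pass in quick on fxp0 proto tcp from any to 203.0.113.10/32 port = 25 flags S keep state
# Everything behind the bridge (DMZ hosts and the NAT box) may initiate outbound;
# state entries let the replies back in without a matching "pass in" rule.
pass out quick on fxp0 proto tcp from 203.0.113.0/24 to any flags S keep state
pass out quick on fxp0 proto udp from 203.0.113.0/24 to any keep state
pass out quick on fxp0 proto icmp from 203.0.113.0/24 to any keep state

# --- /etc/ipnat.conf on the NAT box (outside fxp0, inside fxp1) ---
# Inbound SMTP aimed at the NAT box's public address is sent to the internal
# mail server. This is the "traffic destined for one mail server goes to
# another" case: the public address stays the same, the real server moves.
rdr fxp0 203.0.113.10/32 port 25 -> 192.168.1.25 port 25 tcp
# Outbound from the inside network is hidden behind the public address. The
# portmap rule comes first so TCP/UDP get rewritten source ports; other
# protocols fall through to the plain map rule.
map fxp0 192.168.1.0/24 -> 203.0.113.10/32 portmap tcp/udp 10000:20000
map fxp0 192.168.1.0/24 -> 203.0.113.10/32

# --- /etc/ipf.conf on the NAT box ---
# IPFilter applies NAT before filtering on inbound packets, so the pass rule
# must match the translated (internal) address, not the public one.
block in log on fxp0 all
pass in quick on fxp0 proto tcp from any to 192.168.1.25/32 port = 25 flags S keep state
pass out quick on fxp0 proto tcp from any to any flags S keep state
pass out quick on fxp0 proto udp from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state
# The inside interface is left open; policy for the inside hosts lives on fxp0.
pass in quick on fxp1 all
pass out quick on fxp1 all
```

Load the rule sets with `ipf -Fa -f /etc/ipf.conf` and `ipnat -CF -f /etc/ipnat.conf`, and check what is active with `ipfstat -io` and `ipnat -l`. The DMZ machines on the hub appear nowhere in the NAT box's configuration, which is the whole point of the layout: their traffic is filtered by the bridge only, and non-NAT traffic to them never touches the NAT box. The one caveat is the hub itself: the DMZ hosts and the NAT box's outside interface share a segment, so they can reach each other without the bridge ever seeing the packets. If that matters, use the third layout in the message (a separate NIC on the bridge for the DMZ) so that traffic between the two groups has to cross the firewall.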