Re: NAT and NAT
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: NAT and NAT
- From: Hack Kampbjorn <obsd-misc_(_at_)_hack_(_dot_)_kampbjorn_(_dot_)_com>
- Date: Tue, 17 Dec 2002 19:42:32 +0100
Aaron Crandall wrote:
Quick question. Let's say I have the following setup:
Internet <--> RouterA + NAT for 192.168.1.x <--> RouterB + NAT for 10.x.x.x
Yes you can, but why would you?
It's not like you have exhausted all the RFC1918 private IP-space. Any
reason RouterB shouldn't just route between the two nets?
After reading a quaint article about various network topology designs, I
decided to go with exactly what the original poster is thinking of doing.
I have 1 ip address, but all too many computers. Some computers are
workstations, some are servers. If the server needs to be accessible from
the outside world, either directly or indirectly, it goes behind the first
NAT. If the computer is a workstation, which all too often is vulnerable
to the latest & greatest security flaws, it goes behind the second NAT.
The second NAT does not allow for any type of incoming connections. The
first NAT does port forwarding for servers. All together this
generates a style of network called a "DMZ" De-Militarized Zone, at least
according to the particular article that I read. So far it has worked
Replace your second NAT with a stateful firewall (just the pf ruleset,
as this is about OpenBSD) and you have a classical DMZ with two
firewalls. You don't get the internal LAN address hiding from the DMZ
that NAT provides, but you have a simpler solution without the complexity
of the second NAT.
Remember that NAT is *evil*, a bad solution to the IPv4 address
exhaustion (the right solution is of course IPv6). It should only be
used when there is a shortage of available IPv4 public addresses. There
is no point in NAT'ing between two public nets or two private nets
(unless you have exhausted the IP address space which is not the case).
I've met several otherwise technically savvy people that forgot it's
possible to route between two private nets (also called
non-routable), hence my question.
Yes, I could have put 3 NICs in the first NAT and run a server leg and a
workstation leg to achieve some of the same effects. Since this generated
some weird routing and DNS issues I decided to use a second pizzabox 486
and make my life simpler.
I personally prefer the two FW DMZ solution if the extra resources are
not a problem (2 hosts + 4 nics vs 1 host + 3 nics).
Med venlig hilsen / Kind regards
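
The inner firewall suggested in the reply above (RouterB routing and filtering statefully instead of doing a second NAT), sketched as an added pf.conf example that is not part of the original message. It uses current OpenBSD pf syntax; the interface names, the RouterB address in the comments and the exact prefixes are assumptions built from the 192.168.1.x and 10.x.x.x networks in the thread.

```pf
# /etc/pf.conf on RouterB (constructed example; names and addresses are assumptions)
# Requires forwarding on RouterB: sysctl net.inet.ip.forwarding=1

dmz_if  = "em0"          # assumed: interface on the 192.168.1.x DMZ segment
lan_if  = "em1"          # assumed: interface on the 10.x.x.x workstation LAN
lan_net = "10.0.0.0/8"

set skip on lo

# The second NAT from the double-NAT layout would be a line like this.
# It is left out here: RouterB only routes and filters.
# match out on $dmz_if inet from $lan_net to any nat-to ($dmz_if)

# Default deny, logged to pflog0. Nothing below passes traffic that
# starts in the DMZ or on the Internet, so no inbound connection can
# reach the workstation LAN.
block log all

# Connections initiated by workstations. A forwarded packet is filtered
# twice (in on the LAN side, out on the DMZ side), so both rules are
# needed. pass rules keep state by default, which is what lets the
# replies back in.
pass in  on $lan_if inet from $lan_net to any
pass out on $dmz_if inet from $lan_net to any

# Because 10.x.x.x addresses are no longer hidden behind RouterB,
# RouterA needs two changes (assuming RouterB is 192.168.1.2 in the DMZ):
#   route add -inet 10.0.0.0/8 192.168.1.2
# and RouterA's own NAT rule must also translate sources in 10.0.0.0/8.
```

The ruleset can be syntax-checked without loading it using `pfctl -nf /etc/pf.conf`.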