[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: NAT and NAT

To: misc_(_at_)_openbsd_(_dot_)_org
Subject: Re: NAT and NAT
From: Hack Kampbjorn <obsd-misc_(_at_)_hack_(_dot_)_kampbjorn_(_dot_)_com>
Date: Tue, 17 Dec 2002 19:42:32 +0100

Aaron Crandall wrote:

Quick question.  Let's say I have the following setup:
Internet <--> RouterA + NAT for 192.168.1.x <--> RouterB + NAT for 10.x.x.x
Yes you can, but why would you? It's not like you have exhausted all the RFC1918 private IP-space. Any reason RouterB shouldn't just route between the two nets?
After reading a quaint article about various network topology designs, I decided to go with exactly what the orginal poster is thinking of doing. I have 1 ip address, but all too many computers. Some computers are workstations, some are servers. If the server needs to be accessable from the outside world, either directly or indirectly, it goes behind the first NAT. If the computer is a workstation, which all too often is vulnerable to the latest & greatest security flaws, it goes behind the second NAT.

The second NAT does not allow for any type of incoming connections. The first NAT does port forwarding for servers. All together this generates a style of network called a "DMZ" De-Militarized Zone, at least according to the particular article that I read. So far it has worked beautifully.

Replace your second NAT with a stateful firewall (just the pf ruleset, as this is about OpenBSD) and you have a classical DMZ with two firewalls. You don't get the internal LAN address hiding from the DMZ that NAT provide, but you have a simpler solution without the complexity of the second NAT.

Remember that NAT is *evil*, a bad solution to the IPv4 address exhaustion (the right solution is of course IPv6). It should only be used when there is a shortage of available IPv4 public addresses. There is not point in NAT'ing between two public nets or two private nets (unless you have exhausted the IP address space which is not the case). I've meet several otherwise technical savy people that forgot it's possible to route between two private nets (also called as non-routable), hence my question.

Yes, I could have put 3 NICs in the first NAT and run a server leg and a workstation leg to achieve some of the same effects. Since this generated some weird routing and DNS issues I decided to use a second pizzabox 486 and make my life simpler.

I personally prefer the two FW DMZ solution if the extra resources are not a problem (2 hosts + 4 nics vs 1 host + 3 nics).


  --Aaron

--
Med venlig hilsen / Kind regards

Hack Kampbjørn

Follow-Ups:
- Re: NAT and NAT
  - From: Henning Brauer

Prev by Date: Re: "FD_SET() has a hidden limit of 256 descriptors" qmail big-concurrency issue
Next by Date: binat rule?
Previous by thread: Re: NAT and NAT
Next by thread: Re: NAT and NAT
Index(es):
- Date
- Thread

Visit your host, monkey.org