VLAN with/and NATD

Chuck Swiger cswiger at mac.com
Sat Jul 26 17:01:32 PDT 2003


Evren Yurtesen wrote:
> Now the problem is that I want to use NAT inside VLANs that, lets say I
> want to be able to use use 192.168.1.0/24 IP block in every VLAN and in
> different VLAN's the same IPs should be able to be used.
>
> Does anybody have any suggestion how to do this? I would guess that I need
> multiple IP addresses in the outside interface but how do I map the VLAN
> interfaces to use those IPs with NAT?

I think I understand what you're asking about, but it's important to separate 
VLANs (which are used to logically separate the network at layer-2) and IP 
netblocks, which are used by layer-3 IP routing.

You should also be aware that VLAN implementations are not perfect; you may and 
probably will sometimes get packets leaking from one VLAN to another for reasons 
which include a failure to tag them with a VLAN id, buggy switches, and who 
knows what else.  Having IP addresses be unique within the "network you manage" 
is a really good idea.  [call this an opinion]

That being said, configure your switches with a VLAN ID 0 where the NAT 
boxes/routers live and your external Internet connection, and VLAN ID 1, 2, 3 
will be used for each of your 192.168 networks, network-1, network-2, etc.

If you've got enough public IPs to give one per network, have NAT-box-1 in VLAN 
ID 0 and 1 and translate traffic to public-ip-1, etc.  If NAT-box-1 is 
dual-homed, have one interface be in each VLAN, otherwise you can use an 
ifconfig's alias and vlan keywords to do this over a single interface.

Of course, if all of your NAT boxes will be dual-homed, you could simply put one 
interface onto each network and the other onto another switch and form the 
"external subnet" I'm talking about that way.  But you asked how to do this via 
VLANs, so....

Lather, rinse, repeat for NAT-box-2, network-2, -3, and so forth.

Configure the external subnet to route traffic via the local Internet 
connection, and you're done.  Oh, yeah-- if you don't have enough public IPs and 
you need to coalesce this further, use 10.0.0.0/8 addresses on these NAT boxes, 
then set up another layer of NAT translation which maps everybody on the 10/8 
subnet into a single public IP.

[ NAT sucks.  NAT'ing twice sucks worse: persistent connections don't work very 
well and tend to have a lifetime which is inversely proportional to the amount 
of network traffic (hence dynamic entries) going by. ]

-Chuck
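The single-NIC NAT box from the reply above, as an added example written for this 
page (it is not Chuck's or Evren's code; the interface name, addresses and port 
numbers are assumptions): a POSIX sh script that brings up one per-network NAT 
box with vlan(4), natd(8) and ipfw(8) on FreeBSD, plus the second "coalescing" 
layer from the end of the post. It assumes the trunk NIC is fxp0, that the 
"external" VLAN is carried untagged on the trunk (802.1Q reserves tag 0 for 
priority-tagged frames, so a vlan(4) interface cannot be given that tag), that 
natd/ipfw are the FreeBSD 4.x/5.x tools of the time, and it uses documentation 
address ranges. One box per network rather than one box with three vlan 
interfaces is not just tidiness: a kernel routing table holds only one 
192.168.1.0/24 route, so a single host could not send natd's de-aliased replies 
back to the right VLAN. With DRYRUN=1 (the default) the script only prints the 
commands it would run; DRYRUN=0 executes them as root.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumptions: trunk NIC fxp0,
# external side untagged on the trunk, FreeBSD-era natd(8)/ipfw(8), and
# documentation addresses (203.0.113.0/24 public, 198.51.100.1 coalesced IP).

TRUNK=${TRUNK:-fxp0}     # physical NIC that carries the 802.1Q trunk (assumed)
DRYRUN=${DRYRUN:-1}      # 1 = print commands only, 0 = execute them

# run CMD...: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRYRUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# natbox_config TAG PUBLIC_IP [UPSTREAM_GW]
#   TAG         802.1Q tag of this box's customer network (1, 2, 3, ...)
#   PUBLIC_IP   address on the untagged external side that natd aliases to
#   UPSTREAM_GW default router on the external side (assumed 203.0.113.254)
# Every box carries the same 192.168.1.0/24 on its inside vlan interface;
# each one gets its own natd instance on a distinct divert port.
natbox_config() {
    tag=$1; pub=$2; gw=${3:-203.0.113.254}
    inside_if="vlan${tag}"
    divert_port=$((8668 + tag))

    # 1. Untagged (external) side: the public address lives on the trunk itself.
    run ifconfig "$TRUNK" inet "$pub" netmask 255.255.255.0
    # 2. Tagged (inside) side: vlan(4) child on the same NIC, 192.168.1.1 as gateway.
    run ifconfig "$inside_if" create
    run ifconfig "$inside_if" vlan "$tag" vlandev "$TRUNK" inet 192.168.1.1 netmask 255.255.255.0
    # 3. Route between the two and send everything else upstream.
    run sysctl net.inet.ip.forwarding=1
    run route add default "$gw"
    # 4. natd: translate to this box's public IP, listening on its own divert port.
    run natd -alias_address "$pub" -port "$divert_port"
    # 5. ipfw: divert only packets crossing the untagged external interface.
    #    Tagged frames are delivered to vlanN before ip input, so they never
    #    match "via fxp0" and inside traffic stays untranslated.
    run ipfw add 1000 divert "$divert_port" ip from any to any via "$TRUNK"
}

# core_nat_config PUBLIC_IP [EXT_IF]
# Second NAT layer from the end of the post: the per-network boxes only have
# 10/8 addresses on their external side, and one core box maps all of 10/8 to
# a single public IP. -unregistered_only leaves already-public sources alone.
core_nat_config() {
    pub=$1; ext=${2:-$TRUNK}
    run sysctl net.inet.ip.forwarding=1
    run natd -alias_address "$pub" -port 8668 -unregistered_only
    run ipfw add 1000 divert 8668 ip from 10.0.0.0/8 to any out via "$ext"
    run ipfw add 1001 divert 8668 ip from any to "$pub" in via "$ext"
}

# Usage: sh natbox.sh demo   (dry-run listing for two customer networks)
if [ "${1-}" = demo ]; then
    natbox_config 1 203.0.113.1
    natbox_config 2 203.0.113.2
    core_nat_config 198.51.100.1
fi
```

Run it once per NAT box with that box's tag and public IP; on the coalescing 
variant, hand natbox_config a 10/8 address and a 10/8 gateway instead, and run 
core_nat_config on the box that owns the real public IP. The per-box divert 
port (8668 + tag) only matters for readability here, since each box runs a 
single natd, but it keeps the rules distinguishable if you ever consolidate.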




More information about the freebsd-isp mailing list