VLAN with/and NATD
Evren Yurtesen
eyurtese at tekniikka.turkuamk.fi
Sat Jul 26 20:21:13 PDT 2003
Hi Pal,
Your email came right in time. I have almost already sorted out the
NAT/VLAN stuff. I figured out that I have a logical problem. Natd doesn't
keep in its table from which interface it got the packets, so if I
have the same IP addresses all around it would all get messed up.
About making NAT of NAT to have more external IP addresses: I asked about
multiple external IP addresses because I fear that the NAT translation
table will be full at some point, when I have many clients.
Now, why did your email come right in time? :)
I was just looking at some Apple stuff and your email address shows mac.com.
I wonder if it is possible to run Mac OS X applications in FreeBSD? :)
Or are there any Mac OS X emulators that you know of? (even for Windows?)
Evren
On Sat, 26 Jul 2003, Chuck Swiger wrote:
> Evren Yurtesen wrote:
> > Now the problem is that I want to use NAT inside VLANs, that is, let's say I
> > want to be able to use the 192.168.1.0/24 IP block in every VLAN, and in
> > different VLANs the same IPs should be able to be used.
> >
> > Does anybody have any suggestion how to do this? I would guess that I need
> > multiple IP addresses in the outside interface but how do I map the VLAN
> > interfaces to use those IPs with NAT?
>
> I think I understand what you're asking about, but it's important to separate
> VLANs (which are used to logically separate the network at layer-2) and IP
> netblocks, which are used by layer-3 IP routing.
>
> You should also be aware that VLAN implementations are not perfect; you may and
> probably will sometimes get packets leaking from one VLAN to another for reasons
> which include a failure to tag them with a VLAN id, buggy switches, and who
> knows what else. Having IP addresses be unique within the "network you manage"
> is a really good idea. [call this an opinion]
>
> That being said, configure your switches with a VLAN ID 0 where the NAT
> boxes/routers live and your external Internet connection, and VLAN ID 1, 2, 3
> will be used for each of your 192.168 networks, network-1, network-2, etc.
>
> If you've got enough public IPs to give one per network, have NAT-box-1 in VLAN
> ID 0 and 1 and translate traffic to public-ip-1, etc. If NAT-box-1 is
> dual-homed, have one interface be in each VLAN, otherwise you can use an
> ifconfig's alias and vlan keywords to do this over a single interface.
>
> Of course, if all of your NAT boxes will be dual-homed, you could simply put one
> interface onto each network and the other onto another switch and form the
> "external subnet" I'm talking about that way. But you asked how to do this via
> VLANs, so....
>
> Lather, rinse, repeat for NAT-box-2, network-2, -3, and so forth.
>
> Configure the external subnet to route traffic via the local Internet
> connection, and you're done. Oh, yeah-- if you don't have enough public IPs and
> you need to coalesce this further, use 10.0.0.0/8 addresses on these NAT boxes,
> then set up another layer of NAT translation which maps everybody on the 10/8
> subnet into a single public IP.
>
> [ NAT sucks. NAT'ing twice sucks worse: persistent connections don't work very
> well and tend to have a lifetime which is inversely proportional to the amount
> of network traffic (hence dynamic entries) going by. ]
>
> -Chuck
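The interface-tracking problem Evren mentions and Chuck's one-NAT-box-per-network layout, as an added toy model that is not code from this thread or from natd; the interface names, the 192.168.1.10 client and the 203.0.113.x public addresses are constructed:

```python
# Toy model (constructed for this thread, not natd's real code) of the
# collision Evren describes: a table keyed only on (private src, sport)
# cannot tell apart two hosts with the same 192.168.1.x address in
# different VLANs. One translator per VLAN, each with its own public
# address, keeps them apart.
from dataclasses import dataclass
@dataclass(frozen=True)
class Packet:
    iface: str   # VLAN interface the packet arrived on, e.g. "vlan1"
    src: str     # private source address
    sport: int   # source port
class NatTable:
    """Port-based NAT table for one public address."""
    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.entries = {}        # (src, sport) -> (public port, iface)
        self.next_port = 40000

    def outbound(self, pkt: Packet) -> int:
        # The key ignores the ingress interface: a later packet with the
        # same private src/port reuses the entry even from another VLAN.
        key = (pkt.src, pkt.sport)
        if key not in self.entries:
            self.entries[key] = (self.next_port, pkt.iface)
            self.next_port += 1
        return self.entries[key][0]
    def inbound(self, public_port: int):
        """Interface a reply to public_port is delivered on, or None."""
        for port, iface in self.entries.values():
            if port == public_port:
                return iface
        return None
A = Packet("vlan1", "192.168.1.10", 1234)
B = Packet("vlan2", "192.168.1.10", 1234)   # same address, other VLAN

def single_natd():
    """One natd for all VLANs: B's flow is folded into A's entry."""
    nat = NatTable("203.0.113.1")            # constructed public address
    port_a, port_b = nat.outbound(A), nat.outbound(B)
    return port_a == port_b, nat.inbound(port_b)   # (True, "vlan1")
def natd_per_vlan():
    """One natd per VLAN with its own public IP; the reply's destination
    address selects the table, so the VLAN is implied by the table."""
    nats = {"vlan1": NatTable("203.0.113.1"), "vlan2": NatTable("203.0.113.2")}
    by_ip = {t.public_ip: t for t in nats.values()}
    ext_a = (nats[A.iface].public_ip, nats[A.iface].outbound(A))
    ext_b = (nats[B.iface].public_ip, nats[B.iface].outbound(B))
    replies = (by_ip[ext_a[0]].inbound(ext_a[1]), by_ip[ext_b[0]].inbound(ext_b[1]))
    return ext_a != ext_b, replies           # (True, ("vlan1", "vlan2"))
```

With the single table, B's replies are sent back to vlan1 because A's entry was created first; with one table and public address per VLAN, each reply is delivered to the VLAN it belongs to.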