* [LARTC] I need some advice.
@ 2001-01-25 17:43 billy
  2001-01-26 10:26 ` Arthur
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: billy @ 2001-01-25 17:43 UTC (permalink / raw)
  To: lartc

Hi, take a look at this

 TOPOLOGY:

   +-------+   202.1.1.1   +--------+
   | Linux |---------------| Cisco  |--- INTERNET
   | Box   |               | Router |
   +-------+               +--------+
       |
   +--------+
   | Switch |
   +--------+
     | | | |
     | | | +--- NAT(4) 192.168.104
     | | +----- NAT(3) 192.168.103
     | +------- NAT(2) 192.168.102
     +--------- NAT(1) 192.168.101

 The linux box should do:
    - act as Router
    - NAT 1,2,3,4. In the NAT segments I may have a public IP (202.1.1.15)
    - Traffic control from 32kb to 512kb based on IP address

 Each NAT will have in the future about 100-200 hosts.

 NOTE: this is for a wireless network so maybe the switch could be
 replaced by some wireless cards on the linux box.

I DON'T WANT YOU TO DO IT FOR ME !!! Just need to know:

Is it possible to do it with iproute2?

Based on your experience, which are the best or recommended applications to use or combine?

Are there some problems or recommendations I must take into account?

Is NAT the solution, or are there other options?

Any other advice?

Thanks very much


* [LARTC] I need some advice.
  2001-01-25 17:43 [LARTC] I need some advice billy
@ 2001-01-26 10:26 ` Arthur
  2001-01-26 18:34 ` billy
  2001-01-27 11:15 ` Arthur
  2 siblings, 0 replies; 4+ messages in thread
From: Arthur @ 2001-01-26 10:26 UTC (permalink / raw)
  To: lartc

On Thu, 25 Jan 2001, billy wrote:

> Hi, take a look at this
>
>  TOPOLOGY:

[wow, that pic got screwed up badly... try to think of a linewidth of 78
 chars at the most]

>  The linux box should do:
>     - act as Router
>     - NAT 1,2,3,4. In the NAT segments I may have a public IP (202.1.1.15)
>     - Traffic control from 32kb to 512kb based on IP address
>
>  Each NAT will have in the future about 100-200 hosts.

>  NOTE: this is for a wireless network so maybe the switch could be
>  replaced by some wireless cards on the linux box.

> I DON'T WANT YOU TO DO IT FOR ME !!! Just need to know:
>
> Is it possible to do it with iproute2?

No. Not with *only* iproute2. However, iproute2 in combination with
Linux 2.4 (the kernel...) and iptables *does* make it possible.

> Are there some problems or recommendations I must take into account?

NAT has a bit of a problem with certain protocols such as FTP. These are
mostly handled by the kernel, but there may be cases with new or custom
protocols that are not handled yet. You ought to be aware of that.
Furthermore, IPsec AH-mode does not work with NAT. IPsec ESP-mode does,
fortunately.

Doei, Arthur.

-- 
  /\    / |      arthurvl@sci.kun.nl      | Work like you don't need the money
 /__\  /  | A friend is someone with whom | Love like you have never been hurt
/    \/__ | you can dare to be yourself   | Dance like there's nobody watching

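Arthur's point about FTP, as an added example that is not code from the thread: a toy model of the port-translating NAT (masquerading) billy is asking about, showing that rewriting only the IP/TCP header leaves the private address inside an active-mode FTP PORT command, which is why the kernel needs a protocol helper to rewrite the payload and reserve a mapping for the data connection. The public address 202.1.1.1 comes from the thread; the hosts, ports and the `Masquerader`/`ftp_helper` names are constructed for the illustration.

```python
# Toy masquerading (NAPT) model: added illustration, not code from the thread.
# 202.1.1.1 is the public address from the thread; hosts/ports are constructed.
import re
from typing import Dict, Tuple

PUBLIC_IP = "202.1.1.1"
PORT_RE = re.compile(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

class Masquerader:
    """Maps many (private_ip, port) pairs onto one public IP with fresh ports."""
    def __init__(self, public_ip: str, first_port: int = 61000) -> None:
        self.public_ip, self.next_port = public_ip, first_port
        self.out: Dict[Tuple[str, int], int] = {}   # private -> public port
        self.back: Dict[int, Tuple[str, int]] = {}  # public port -> private

    def translate_out(self, src_ip: str, src_port: int) -> Tuple[str, int]:
        key = (src_ip, src_port)
        if key not in self.out:                     # new flow: allocate a port
            self.out[key], self.back[self.next_port] = self.next_port, key
            self.next_port += 1
        return self.public_ip, self.out[key]

    def translate_in(self, dst_port: int) -> Tuple[str, int]:  # replies coming back
        return self.back[dst_port]

def parse_port_cmd(payload: str) -> Tuple[str, int]:
    """Decode an FTP PORT command: the client's address lives in the payload."""
    m = PORT_RE.search(payload)
    if not m:
        raise ValueError("no PORT command in payload")
    a, b, c, d, p1, p2 = (int(x) for x in m.groups())
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2

def masquerade_packet(nat: Masquerader, src_ip: str, src_port: int, payload: str) -> dict:
    """Plain NAPT rewrites only the IP/TCP header; the payload passes untouched."""
    return {"src": nat.translate_out(src_ip, src_port), "payload": payload}

def port_cmd_leaks_private_addr(pkt: dict) -> bool:
    """True when the PORT payload names an address the FTP server cannot reach."""
    return parse_port_cmd(pkt["payload"])[0] != pkt["src"][0]

def ftp_helper(nat: Masquerader, pkt: dict, private_ip: str) -> dict:
    """What the kernel's FTP helper adds: rewrite PORT to the public address and
    reserve a public port so the server's data connection maps back inside."""
    _, data_port = parse_port_cmd(pkt["payload"])
    pub_ip, pub_port = nat.translate_out(private_ip, data_port)
    cmd = "PORT %s,%d,%d\r\n" % (pub_ip.replace(".", ","), pub_port // 256, pub_port % 256)
    return {"src": pkt["src"], "payload": cmd}
```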

* [LARTC] I need some advice.
  2001-01-25 17:43 [LARTC] I need some advice billy
  2001-01-26 10:26 ` Arthur
@ 2001-01-26 18:34 ` billy
  2001-01-27 11:15 ` Arthur
  2 siblings, 0 replies; 4+ messages in thread
From: billy @ 2001-01-26 18:34 UTC (permalink / raw)
  To: lartc

Thanks for your answer

I'll try to resolve the pic problem next time.


> > Hi, take a look at this
> >
> >  TOPOLOGY:
> 
> [wow, that pic got screwed up badly... try to think of a linewidth of 78
>  chars at the most]
> 
> >  The linux box should do:
> >     - act as Router
> >     - NAT 1,2,3,4. In the NAT segments I may have a public IP (202.1.1.15)
> >     - Traffic control from 32kb to 512kb based on IP address
> >
> >  Each NAT will have in the future about 100-200 hosts.
> 
> >  NOTE: this is for a wireless network so maybe the switch could be
> >  replaced by some wireless cards on the linux box.
> 
> > I DON'T WANT YOU TO DO IT FOR ME !!! Just need to know:
> >
> > Is it possible to do it with iproute2?
> 
> No. Not with *only* iproute2. However, iproute2 in combination with
> Linux 2.4 (the kernel...) and iptables *does* make it possible.

Thanks for this, I'm reading all about packet filtering right now !!

> 
> > Are there some problems or recommendations I must take into account?
> 
> NAT has a bit of a problem with certain protocols such as FTP. These are
> mostly handled by the kernel, but there may be cases with new or custom
> protocols that are not handled yet. You ought to be aware of that.
> Furthermore, IPsec AH-mode does not work with NAT. IPsec ESP-mode does,
> fortunately.
> 

Yes, I knew about the NAT problem, now what about masquerading?
I can't find any difference, but there must be, or are they the same thing?
Does masquerading have the same problem? I think so.
Now, what do you refer to or mean with IPsec AH-mode and IPsec ESP-mode?

> Doei, Arthur.
> 
> -- 
>   /\    / |      arthurvl@sci.kun.nl      | Work like you don't need the money
>  /__\  /  | A friend is someone with whom | Love like you have never been hurt
> /    \/__ | you can dare to be yourself   | Dance like there's nobody watching

                Can I drink something first to erase my memory temporarily?


* [LARTC] I need some advice.
  2001-01-25 17:43 [LARTC] I need some advice billy
  2001-01-26 10:26 ` Arthur
  2001-01-26 18:34 ` billy
@ 2001-01-27 11:15 ` Arthur
  2 siblings, 0 replies; 4+ messages in thread
From: Arthur @ 2001-01-27 11:15 UTC (permalink / raw)
  To: lartc

On Fri, 26 Jan 2001, billy wrote:

> Thanks for your answer

My pleasure.

[snip]

> > > Are there some problems or recommendations I must take into account?
> >
> > NAT has a bit of a problem with certain protocols such as FTP. These are
> > mostly handled by the kernel, but there may be cases with new or custom
> > protocols that are not handled yet. You ought to be aware of that.
> > Furthermore, IPsec AH-mode does not work with NAT. IPsec ESP-mode does,
> > fortunately.

> Yes, I knew about the NAT problem, now what about masquerading?

Masquerading is NAT with port-translation thrown in. This enables multiple
IP addresses to be mapped to a single IP address. In 2.4 and the netfilter
and iptables documentation (at http://netfilter.kernelnotes.org/)
masquerading is also called NAPT, Network Address and Port Translation.

> I can't find any difference, but there must be, or are they the same thing?
> Does masquerading have the same problem? I think so.

Yes, masquerading has the same problems.

> Now, what do you refer to or mean with IPsec AH-mode and IPsec ESP-mode?

Look at the documentation for FreeS/WAN at http://www.freeswan.org/

IPsec is a protocol to do encryption and authentication of packets at the
IP-level. IPsec AH-mode provides only authentication, but authenticates
packet headers as well as their payload. This directly conflicts with NAT,
as NAT changes the packet headers. IPsec ESP-mode provides authentication as
well as encryption, but does not authenticate the outer packet's headers,
and therefore can be used over NAT-ed connections.

Doei, Arthur.

-- 
  /\    / |      arthurvl@sci.kun.nl      | Work like you don't need the money
 /__\  /  | A friend is someone with whom | Love like you have never been hurt
/    \/__ | you can dare to be yourself   | Dance like there's nobody watching

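Arthur's explanation of AH versus ESP under NAT, as an added example that is not code from the thread: a toy model of what each integrity check covers, showing that plain forwarding (a TTL change) still verifies under AH but source NAT does not, while ESP verifies after NAT because its ICV never covers the outer IP header. The key, addresses and payload are constructed, the IP header is reduced to the fields that matter, and ESP's encryption is left out since only the scope of its integrity check is being modelled.

```python
# Why AH cannot cross NAT while ESP can: a toy model of what each IPsec
# integrity check covers. Added illustration, not code from the thread; the
# key, addresses and payload are constructed, the IP header is reduced to the
# fields that matter, and ESP's encryption is omitted (only its ICV scope).
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, replace

KEY = b"constructed-demo-key"  # integrity key shared by the two IPsec peers only

@dataclass(frozen=True)
class Packet:
    src: str            # outer IP source address
    dst: str            # outer IP destination address
    ttl: int            # a mutable header field: routers change it in transit
    payload: bytes      # AH: upper-layer data; ESP: the ESP header + payload
    icv: bytes = b""    # integrity check value added by AH or ESP

def _mac(data: bytes) -> bytes:
    # HMAC-SHA1 truncated to 96 bits, as in HMAC-SHA1-96 (RFC 2404)
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]

def _ah_scope(p: Packet) -> bytes:
    # AH authenticates the IP header with mutable fields (here TTL) zeroed,
    # so the source and destination addresses are part of the authenticated data.
    addrs = ipaddress.ip_address(p.src).packed + ipaddress.ip_address(p.dst).packed
    return addrs + b"\x00" + p.payload

def ah_protect(p: Packet) -> Packet:
    return replace(p, icv=_mac(_ah_scope(p)))

def ah_verify(p: Packet) -> bool:
    return hmac.compare_digest(p.icv, _mac(_ah_scope(p)))

def esp_protect(p: Packet) -> Packet:
    # ESP's ICV covers the ESP header and payload only, never the outer IP header.
    return replace(p, icv=_mac(p.payload))

def esp_verify(p: Packet) -> bool:
    return hmac.compare_digest(p.icv, _mac(p.payload))

def route(p: Packet) -> Packet:
    # Plain forwarding: only the mutable TTL changes
    return replace(p, ttl=p.ttl - 1)

def nat_source(p: Packet, public_ip: str) -> Packet:
    # Source NAT as the Linux box would do it: forward and rewrite the source
    # address. The NAT box holds no key, so it cannot recompute an AH ICV.
    return replace(route(p), src=public_ip)
```

In practice ESP also needs UDP encapsulation (NAT traversal, RFC 3948) to pass a port-translating NAT such as masquerading, since ESP carries no port numbers for the translator to map.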
