* [LARTC] Re[4]: local address routeable?
@ 2003-07-18 6:18 Christian Stuellenberg
0 siblings, 0 replies; only message in thread
From: Christian Stuellenberg @ 2003-07-18 6:18 UTC (permalink / raw)
To: lartc
>>>>> "Christian" = Christian Stuellenberg <christian_stuellenberg@web.de> writes:
>>>>> "Julian" = Julian Anastasov <ja@ssi.bg> writes:
Hello,
Christian> If traffic from zone MASQ is addressed to one of the
Christian> external internet addresses of one of the zone GOOD or
Christian> DMZ, then it will currently get routed directly at
Christian> HOST. It is intended, that this direct routing is not
Christian> done, but instead ALL traffic from zone MASQ becomes
Christian> masqueraded out over the dynamic PPP connection to the
Christian> internet, comes back over the CISCO line to HOST, then
Christian> gets routed to the extern destination IP (in zone GOOD
Christian> or DMZ) and when the reply from there comes back again
Christian> to HOST, it should get routed over the CISCO internet
Christian> connection and then back over the dynamic PPP
Christian> connection, demasqueraded, and at last delivered to the
Christian> original source in zone MASQ.
Christian> This works up to the point, where the reply comes back
Christian> to HOST. Now I'm not able to tell HOST, that this
Christian> reply should again routed out to the internet over the
Christian> CISCO line and only demasqueraded if it comes in over
Christian> the PPP connection (btw. the demasquerading does also
Christian> not occur if the reply gets not routed; I assume, this
Christian> is because the masquerding tables are waiting for a
Christian> packet that comes in over the PPP connection and not on
Christian> IF0 or IF1).
Julian> I think, I understand the setup. I'm still wondering
Julian> what is the end goal. I can only speculate:
Julian> Assumption 1. Hosts from GOOD want to see client from
Julian> DynIP, not from a.b.c.62. The solution: use SNAT with
Julian> saddr=DynIP when talking to GOOD because the default
Julian> masquerade action is to use a.b.c.62 which is recommended
Julian> from the routing. I assume GOOD and DMZ do not care how
Julian> the packet with saddr=DynIP appeared as long as it looks
Julian> as expected?
Julian> 2. For some reason (even by introducing security problems)
Julian> you want packets with saddr=DynIP to walk the external
Julian> path and to reach GOOD. Is it needed? Is there a problem
Julian> with the above solution in #1?
I really want the long path, so that a client in zone MASQ can test,
whether both uplinks to the internet work correctly. Not only to test
the links, but also to provide a way, that a client in zone MASQ looks
like any other (actually masqueraded) client in the world. We
would'nt achieve that, if the routing from a client in zone MASQ takes
directly place on HOST.
Regards,
Christian
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2003-07-18 6:18 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2003-07-18 6:18 [LARTC] Re[4]: local address routeable? Christian Stuellenberg
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox