From: Fabio De Paolis <fabiodepaolis@naxe.it>
To: netfilter@vger.kernel.org
Subject: Re: NAT Port Forward problem in a not so simple network
Date: Fri, 18 Apr 2008 15:43:03 +0200
Message-ID: <4808A567.5090507@naxe.it>
In-Reply-To: <48060E8C.5010804@riverviewtech.net>
Grant Taylor wrote:
>
>> Yes, to my knowledge I know that it can't be done without doubling the
>> traffic on the net. I was wondering if, to your knowledge, there was
>> another way. Of course if I could NAT a port from A to B it would be
>> easy and the traffic would be at a minimum, but it can't be done. I was
>> wondering if there was a way to use C only for the initial handshake and
>> not for all packets, but it seems not.
>
> Strictly speaking, on layer 3, no, there is not anything (that I am
> aware of) that can be done. However, if you are willing to go down to
> in between layers 2 and 3, or even down to layer 2, there might be
> something that can be done.
>
>          +---+
>          | Z |
>          +-+-+
>            |
>            : (INet)
>            |
>          +-+-+
> =========| A |============
>          +-+-+
>            |
>    +---+---+---+ (DMZ)
>    |   |       |
>    | +-+-+   +-+-+
> ===|=| B |===| C |========
>    | +-+-+   +---+
>    |   | (LAN)
>    | +-+-+
>    +-+ D |
>      +---+
>
> I'm guessing that there are other services on C that prevent you from
> moving its IP to B. Correct?
>
> I'm not sure how well this will work out (read: I don't know how well
> the Cisco will play in this game...) but you might be able to
> establish some sort of tunnel based forwarding from C to D so that
> inbound requests pass through the tunnel and replies go directly from
> D back out via A to the client.
>
> Let's say for the sake of discussion that you add a connection from D
> back in to the DMZ (as above) and have this interface configured to
> *NOT* respond to ARP requests. If you do this, you could have the
> same IP bound to C as well as the new DMZ-facing interface on D. With
> this type of setup, you could tunnel traffic from C to D via B and
> have D reply directly back without passing through B or C.
>
> In short, this is using the IP Tunnel mode of Linux Virtual Server to
> turn C into a director for the single-node back end. As such, your
> client Z would connect to Ae, which is port forwarded to Ce, which is
> tunneled to D, which processes and replies to the client from the same IP
> as Ce. This means that A will send traffic to the IP that is bound to
> Ce and get replies from the same IP, only bound to D's DMZ interface.
> The only difference that A should see is a different MAC address as
> the source for the reply traffic. However, if you spoof the MAC
> address, this will not be a problem. If you do spoof the MAC address
> you will need to do something like GARP to make sure the DMZ switch
> does not "learn" that the location of the shared MAC address is where
> D's DMZ interface is connected.
>
Thank you for the lesson.
D is too far from C's switch *sad*
and I think I can't add another cable