Hi,

I posted a message a few days ago, which explained what I'm trying to do here, with an IPSEC VPN, and why I would need NAT on the LAN interface. Here it is:

----

Hi,

I'm trying to replace my actual Lightning firewall with a Soekris 4801 (m0n0wall 1.11), and I have a small problem:

My network is 10.0.0.0/8, and the remote network is 172.26.26.0/24. The problem is that the remote network already has a VPN with another 10.0.0.0/8 network.

My solution with the Lightning was to map my 10.0.0.0/8 to the 172.31.1.0/24 network, and create a VPN between 172.26.26.0/24 and 172.31.1.0/24 networks, with a "mapto/source" and a "mapto/destination" on my Lightning, like:

Source           Destination       Cmd     Translation    Type
----------------------------------------------------------------
10.0.0.111/32    172.26.26.0/24    mapto   172.31.1.111   Source
172.26.26.0/24   172.31.1.111/32   mapto   10.0.0.111     Destination

This permits 10.0.0.111 to access the 172.26.26.0/24 network without interfering with the other 10.0.0.0/8 network.

What would be the equivalent setting on the M0n0wall? I have tried playing with the NAT 1:1, but I couldn't make it work.

Do you have an idea?

---

Lightning Firewalls can NAT on all interfaces, and also have a special "Global NAT", which is very handy in specific situations like this one.

-------- Original message --------
From: Kerem Erciyes [mailto:k underscore erciyes at zegnaermenegildo dot it]
Date: Tue. 30/08/2005 18:24
To: Philippe Lang
Cc: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] NAT on LAN interface

Hello Philippe,

I don't think NAT is the answer for what you are trying to do. If you can elaborate some on what you are trying to do there might be some answers for that. And what type of VPN are you talking about? IPSEC, OpenVPN, PPTP or what?

As for PPTP using CMAK (Connection Manager Administration Kit) I created PPTP connection setups for Windows XP clients and can give them special default rules etc... As for others I need to think a little.

Kerem

Philippe Lang wrote:

>Hello,
>
>NAT/NAT1:1 on LAN interface are disabled, even on 1.2b9. Don't you think
>it would be a good idea to enable it too? I need to change the IP
>address of some computers on the LAN before entering a VPN, and back to
>their original value when going out of the VPN.
>
>I'm not sure in which order rules are being applied, and if NAT on WAN
>is being applied on packets that are routed inside a VPN.
>
>----------------------------------
>Philippe Lang
>Attik System
>rte de la Fonderie 2
>1700 Fribourg
>Switzerland
>http://www.attiksystem.ch
>
>Tel: +41 (26) 422 13 75
>Fax: +41 (26) 422 13 76
>GSM: +41 (79) 351 49 94
>Email: philippe dot lang at attiksystem dot ch
>Skype: philippe.lang