 From:  "Christopher M. Iarocci" <iarocci at eastendsc dot com>
 To:  KnightMB <knightmb at knightmb dot dyndns dot org>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Help on which NAT to choose
 Date:  Mon, 13 Mar 2006 07:18:50 -0500
From the docs:

For networks with *multiple public IP addresses*, the best choice is 
either 1:1 NAT, or Server and Inbound NAT, or a combination of both. If 
you have more servers than public IP addresses, you will need to use 
Server and Inbound NAT, or 1:1 NAT combined with Server and Inbound NAT. 
If you have sufficient public IP addresses for all of your servers, you 
should use 1:1 NAT for them all.

The exact opposite is true of what is stated below.  1:1 NAT preserves 
the IP for outbound traffic, not server NAT.  If you have enough IPs, 
using 1:1 NAT is certainly the easiest, and best way to go.  You do not 
need Advanced Outbound NAT to ensure 2 way flow to the WAN address, 1:1 
takes care of that for you.

Chris


KnightMB wrote:

> If they use 1:1 NAT then the outbound connections will still show up 
> as the main WAN of m0n0wall.  If you need the outbound connection IP 
> to match the inbound connection IP you'll have to use the Advanced 
> Outbound NAT features to ensure 2 way flow to the WAN address.  That 
> snagged me on 1:1 a while ago when I wanted a machine to behave like 
> it was alone on the Internet with a WAN address.
>
> Lee Sharp wrote:
>
>> From: "Andrea Gangini" <a dot gangini at mimesi dot com>
>>
>>> I've tested monowall in a simple configuration and I found it very 
>>> complete and robust; so I want to migrate the firewall (ipcop based) 
>>> of our company to monowall.
>>> However I couldn't understand how to replicate a simple ipcop 
>>> feature, which is that the firewall must have multiple WAN ips, each 
>>> with its own port forward rules. In ipcop this feature is called 
>>> "network alias". The internal network is NATted on a single WAN ip 
>>> (all outbound requests originate from the same IP).
>>
>>
>> You need 1:1 NAT and Proxy Arp.  
>> http://192.168.1.1/firewall_nat_1to1.php and 
>> http://192.168.1.1/services_proxyarp.php  The first does the NAT, and 
>> the second allows the m0n0wall to advertise the IP address.
>>
>>                        Lee
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>>
>
>
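A toy model of the behaviour discussed in this thread, added here as an illustration and not code from m0n0wall: a 1:1 mapping rewrites the server's source address on outbound traffic, while a server (inbound) NAT rule only redirects inbound connections and leaves outbound traffic sourced from the WAN address; the proxy_arp set stands in for the Proxy ARP service Lee mentions. All addresses and rule tables are constructed.

```python
"""Toy model of how m0n0wall-style NAT rules treat a server's traffic (added
illustration, not m0n0wall code; addresses are constructed RFC 5737 values)."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Set, Tuple

WAN_IP = "203.0.113.1"  # m0n0wall's own WAN address (constructed)

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

@dataclass
class Nat:
    one_to_one: Dict[str, str]              # private -> public, both directions
    server_nat: Dict[Tuple[str, int], str]  # (public, port) -> private, inbound
    proxy_arp: Set[str]                     # extra public IPs m0n0wall ARPs for

    def outbound(self, pkt: Packet) -> Packet:
        # A 1:1 entry rewrites the source to its dedicated public IP; any
        # other host is masqueraded behind the WAN address.
        return replace(pkt, src=self.one_to_one.get(pkt.src, WAN_IP))

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        # Without proxy ARP the upstream router never hands us the packet.
        if pkt.dst != WAN_IP and pkt.dst not in self.proxy_arp:
            return None
        # 1:1 reverse mapping covers every port, so the firewall rules still
        # decide what the server may receive.
        for private, public in self.one_to_one.items():
            if pkt.dst == public:
                return replace(pkt, dst=private)
        target = self.server_nat.get((pkt.dst, pkt.dport))
        return None if target is None else replace(pkt, dst=target)

def demo() -> Dict[str, Optional[str]]:
    nat = Nat(one_to_one={"192.168.1.10": "203.0.113.10"},
              server_nat={("203.0.113.11", 80): "192.168.1.11"},
              proxy_arp={"203.0.113.10", "203.0.113.11"})
    client = "198.51.100.5"
    hit = nat.inbound(Packet(client, "203.0.113.11", 22))  # no rule for port 22
    return {
        "1to1_out_src": nat.outbound(Packet("192.168.1.10", client, 443)).src,
        "srvnat_out_src": nat.outbound(Packet("192.168.1.11", client, 443)).src,
        "1to1_in_dst": nat.inbound(Packet(client, "203.0.113.10", 22)).dst,
        "srvnat_in_dst": nat.inbound(Packet(client, "203.0.113.11", 80)).dst,
        "srvnat_in_port22": None if hit is None else hit.dst,
    }
```

Running demo() shows the 1:1 host leaving as 203.0.113.10 while the port-forwarded host leaves as the WAN address, and that a public IP nobody answers ARP for receives nothing at all.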