 
 From:  Anders Hagman <anders dot hagman at netplex dot se>
 To:  Molle Bestefich <molle dot bestefich at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Re: Can't NAT on m0n0wall.
 Date:  Thu, 22 Jun 2006 17:31:13 +0200
Molle Bestefich wrote:

> Manuel Kasper wrote:
>
>> Assuming you're doing NAT on the WAN interface, then for outbound
>> packets on WAN, NAT is applied after the packet has passed through
>> the filter - therefore, the filter will see the original, private
>> source IP address.
>> For inbound packets on WAN, NAT is applied before the filter gets the
>> packet - therefore, it'll also see the proper private IP address in
>> the destination field.
>
> Ok, makes more sense now, thanks for explaining.
> I can see how that scheme would work ;-).
>
> If WAN-specific NAT is performed as a reaction to a packet leaving
> that particular interface, then that implies that it's performed not
> only after the filter, but also after the kernel router.  I guess
> that's ok, since in this case we're translating the source address, so
> the router will have delivered the packet to the correct interface.
> But perhaps it could pose a problem with source-based routing?
>
> Aside from the fact that the current scheme needs to sit in a very
> specific place to work (which might or might not interfere with
> source-based routing or something entirely else), I think it's an
> unnecessarily complicated solution :-).
>
Sometimes simple things can sound complicated. Almost every firewall and
router works in this way. Perhaps a picture can help?

http://www.halleforshunden.org/nat-filter.png

/Anders
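The ordering Manuel describes (outbound on WAN: filter, then NAT; inbound on WAN: NAT, then filter) is easy to see in a small model of the packet path. The following is an added example, not m0n0wall or ipfilter code; the WAN address, LAN hosts, ports, rules and port forward are all constructed sample values. It shows that the filter sees private addresses in both directions, which is also why a "keep state" entry recorded on the way out still matches the translated reply on the way in.

```python
"""
Model of a WAN interface where outbound packets are filtered before
source NAT and inbound packets are reverse-NATed before filtering.
Added example, not m0n0wall/ipfilter code; all values are constructed.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

WAN_IP = "203.0.113.5"  # constructed public address on the WAN side


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    direction: str         # "in" or "out" on the WAN interface
    src: str               # "any" or an address/CIDR such as "10.0.0.0/24"
    dst: str
    dport: Optional[int] = None
    keep_state: bool = False


def _addr_match(pattern: str, addr: str) -> bool:
    return pattern == "any" or ip_address(addr) in ip_network(pattern, strict=False)


def _rule_match(rule: Rule, pkt: Packet) -> bool:
    return (_addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


class WanInterface:
    def __init__(self, rules, port_forwards):
        self.rules = rules
        self.port_forwards = port_forwards   # (proto, wan_port) -> (lan_ip, lan_port)
        self.nat_table = {}       # (proto, remote_ip, remote_port, nat_port) -> (lan_ip, lan_port)
        self.flow_state = set()   # 5-tuples recorded by "keep state" pass rules
        self.filter_view = []     # (direction, packet) exactly as the filter saw it
        self._next_port = 40000

    def _filter(self, direction, pkt):
        """First matching rule wins, default deny.  Inbound packets that are
        replies to a state-tracked flow pass without consulting the rules."""
        self.filter_view.append((direction, pkt))
        if direction == "in" and (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flow_state:
            return True
        for rule in self.rules:
            if rule.direction == direction and _rule_match(rule, pkt):
                if rule.action == "pass" and rule.keep_state:
                    self.flow_state.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return rule.action == "pass"
        return False

    def send_out(self, pkt):
        """LAN -> WAN: filter first (sees the private source), then source NAT."""
        if not self._filter("out", pkt):
            return None
        nat_port, self._next_port = self._next_port, self._next_port + 1
        self.nat_table[(pkt.proto, pkt.dst, pkt.dport, nat_port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=WAN_IP, sport=nat_port)

    def receive_in(self, pkt):
        """WAN -> LAN: NAT first (restores the private destination), then filter."""
        if pkt.dst == WAN_IP:
            key = (pkt.proto, pkt.src, pkt.sport, pkt.dport)
            if key in self.nat_table:
                lan_ip, lan_port = self.nat_table[key]
                pkt = replace(pkt, dst=lan_ip, dport=lan_port)
            elif (pkt.proto, pkt.dport) in self.port_forwards:
                lan_ip, lan_port = self.port_forwards[(pkt.proto, pkt.dport)]
                pkt = replace(pkt, dst=lan_ip, dport=lan_port)
        return pkt if self._filter("in", pkt) else None


def demo():
    """Constructed scenario: a LAN client, a port forward to a LAN web server,
    and an unsolicited packet to a port nothing listens on."""
    rules = [
        Rule("pass", "out", "10.0.0.0/24", "any", keep_state=True),
        Rule("pass", "in", "any", "10.0.0.10", dport=80),   # written against the private IP
        Rule("block", "in", "any", "any"),
    ]
    wan = WanInterface(rules, {("tcp", 80): ("10.0.0.10", 80)})
    out = wan.send_out(Packet("10.0.0.23", 51000, "198.51.100.7", 443))
    reply = wan.receive_in(Packet("198.51.100.7", 443, WAN_IP, out.sport))
    web = wan.receive_in(Packet("198.51.100.9", 33000, WAN_IP, 80))
    stray = wan.receive_in(Packet("198.51.100.9", 33001, WAN_IP, 22))
    return out, reply, web, stray, wan.filter_view
```

Running `demo()` shows the outbound packet leaving with the WAN address, the reply and the forwarded web request reaching the filter with their private destinations already restored, and the stray packet to port 22 (which no NAT entry rewrote) being dropped by the final block rule. Note that the inbound pass rule for the web server names the private host, just as the thread says it must.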