Molle Bestefich wrote:
> Manuel Kasper wrote:
>> Assuming you're doing NAT on the WAN interface, then for outbound
>> packets on WAN, NAT is applied after the packet has passed through
>> the filter - therefore, the filter will see the original, private
>> source IP address.
>> For inbound packets on WAN, NAT is applied before the filter gets the
>> - therefore, it'll also see the proper private IP address in the
>> destination field
> Ok, makes more sense now, thanks for explaining.
> I can see how that scheme would work ;-).
> If WAN-specific NAT is performed as a reaction to a packet leaving
> that particular interface, then that implies that it's performed not
> only after the filter, but also after the kernel router. I guess
> that's ok, since in this case we're translating the source address, so
> the router will have delivered the packet to the correct interface.
> But perhaps it could pose a problem with source-based routing?
> Aside from the fact that the current scheme needs to sit in a very
> specific place to work (which might or might not interfere with
> source-based routing or something entirely else), I think it's an
> unnecessarily complicated solution :-).
Sometimes simple things can sound complicated. Almost every firewall and
router works in this way. Perhaps a picture can help?
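The ordering Manuel describes above can be made concrete with a small model of one WAN interface, added here as an illustration and not taken from the thread or from any firewall's real code: outbound packets hit the filter before NAT rewrites their source, inbound packets are un-NATed before the filter sees them, so filter rules can be written against private LAN addresses in both directions. All addresses, ports and rules below are constructed for the example.

```python
from dataclasses import dataclass, replace

# Constructed addresses for the example (RFC 1918 LAN side, TEST-NET ranges on the WAN side).
LAN_HOST = "192.168.1.50"
LAN_BLOCKED = "192.168.1.66"
WAN_ADDR = "203.0.113.10"
REMOTE = "198.51.100.7"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class WanInterface:
    """Models the per-interface order described in the thread: on WAN the filter
    runs before outbound NAT and after inbound NAT, so rules always see the
    private (LAN) address, never the translated one."""

    def __init__(self, wan_ip, rules):
        self.wan_ip = wan_ip
        # Rules are (direction, field to match or "*", address, action); first match wins.
        self.rules = rules
        self.state = {}        # translated source port -> (private src, private sport)
        self.next_port = 50000

    def filter(self, direction, pkt):
        for d, field, addr, action in self.rules:
            if d != direction:
                continue
            if field == "*" or getattr(pkt, field) == addr:
                return action
        return "pass"          # implicit default for outbound in this toy model

    def nat_out(self, pkt):
        tport = self.next_port
        self.next_port += 1
        self.state[tport] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.wan_ip, sport=tport)

    def nat_in(self, pkt):
        entry = self.state.get(pkt.dport) if pkt.dst == self.wan_ip else None
        if entry is None:
            return pkt         # no state: leave untranslated, the filter judges it as-is
        priv, port = entry
        return replace(pkt, dst=priv, dport=port)

    def outbound(self, pkt):
        verdict = self.filter("out", pkt)   # filter sees the private source address
        if verdict != "pass":
            return verdict, None
        return verdict, self.nat_out(pkt)   # NAT is applied after the filter

    def inbound(self, pkt):
        pkt = self.nat_in(pkt)              # NAT is applied before the filter
        verdict = self.filter("in", pkt)    # filter sees the private destination
        return verdict, (pkt if verdict == "pass" else None)


def build_wan():
    rules = [
        ("out", "src", LAN_BLOCKED, "block"),  # written against a private address
        ("in", "dst", LAN_HOST, "pass"),       # likewise: a private destination
        ("in", "*", None, "block"),            # default deny for everything else inbound
    ]
    return WanInterface(WAN_ADDR, rules)


def run_scenarios():
    wan = build_wan()
    results = {}
    # 1. Allowed LAN host connects out: passes the filter, then gets translated.
    v, out = wan.outbound(Packet(LAN_HOST, 40000, REMOTE, 80))
    results["allowed_out"] = (v, out.src, out.sport)
    # 2. Blocked LAN host: the rule matches because NAT has not run yet.
    v, out2 = wan.outbound(Packet(LAN_BLOCKED, 40001, REMOTE, 80))
    results["blocked_out"] = (v, out2)
    # 3. Reply to scenario 1: un-NATed first, so the rule on LAN_HOST matches.
    v, inp = wan.inbound(Packet(REMOTE, 80, WAN_ADDR, out.sport))
    results["reply_in"] = (v, inp.dst, inp.dport)
    # 4. Unsolicited packet to the WAN address: no state, filter sees WAN_ADDR and denies.
    v, inp2 = wan.inbound(Packet(REMOTE, 4444, WAN_ADDR, 22))
    results["unsolicited_in"] = (v, inp2)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(name, outcome)
```

Scenario 2 is the practical payoff of the ordering: a block rule naming a LAN host works on the WAN interface only because the filter runs before the source address is rewritten to the shared WAN address. Scenario 4 shows the other side of the coin from the thread's routing remark: a packet with no NAT state is not translated at all, so the filter judges it with the WAN address in the destination field.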