Molle Bestefich wrote:
>> Yes it does - now you'd only have to add the traffic shaper as an
>> additional shell between the filter and the kernel, and you'd have a
>> nice and simple diagram that illustrates what happens to packets as
>> they pass in or out of m0n0wall's WAN interface.
>
> It mentions nothing about the WAN or indeed any other interface, which
> makes it a bad representation of the very interface-centric NAT
> processing in m0n0wall.
>
> The kernel IP router, a major component, is missing from the diagram.
>
> All in all, I retain that it's a very simplistic diagram which does
> nothing to explain how things work in m0n0wall, beyond the extreme
> basics.

Replacing Inbound with "WAN" and Outbound with "WAN" on the diagram will give you the representation needed for m0n0wall. You could just replace the directions with any interface of m0n0wall.

m0n0wall simplifies the work of putting NAT in place by restricting configuration to the WAN interface, just because people will need it there 99% of the time. This also helps to do some NAT automatically, like outbound NAT for all connected LAN or other networks.

The underlying component, IP NAT (which is a function in IP Filter), is able to do NAT on _every_ interface. This is not often needed and can be more confusing than helpful.

See here for more info on NAT in m0n0wall:

http://www.obfuscation.org/ipf/ipf-howto.html#TOC_29
http://netbsd.gw.com/cgi-bin/man-cgi?ipnat+5+NetBSD-current

-Bjoern