 From:  "David Burgess" <apt dot get at gmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] 1:1 NAT or M0n0 in bridge ?
 Date:  Tue, 4 Sep 2007 20:01:26 -0600
Apart from the need for an extra NIC in your monowall, I can't think of a
reason to prefer 1:1 over bridging in this case. NAT has potentially more
snags; some services such as vpn can have issues over NAT. Granted, since
your customer has his own router, he will be dealing with NAT issues anyway,
but why involve yourself in that? Furthermore, a double-NAT setup such as
this can have complications of its own, as mentioned recently somewhere on
this list or in the forum. NAT makes your monowall work harder than bridging
and will lower your throughput potential.

The only reasons I can think of to prefer NAT over bridging are for
increased security (customer is using a NAT router anyway, so moot point),
and firewall control (mono lets you do that in bridge mode too). Unless you
need captive portal on this monowall, and if it has or can have a third NIC,
I can't think of a reason to use 1:1 in your situation as I understand it.


On 9/4/07, Christopher M. Iarocci <iarocci at eastendsc dot com> wrote:
> Do you have the ability to route public addresses?  If so, you could
> route a small subnet to your customer through your m0n0wall and be done
> with it.  It is my experience that customers don't want you
> administering their IP, they just want it.  Of course you would need to
> watch the traffic and block things accordingly (like when he becomes
> infected with some virus and starts sending out 1 million emails a day).
> If you have customers I have to assume you are already monitoring their
> traffic.
> Chris
> Bob Young wrote:
> > Let's say I have the following setup, and a customer, who wants a public
> > static IP, is connected to M0n0wall, by a PTP wireless system.
> >
> > Internet > M0n0wall (with 1:1 NATing) > PTP wireless system > customer
> > router (NATed with private static IP on wan) > switch > rest of customer
> > network
> >
> > Just think of the bridged wireless system, as a long Ethernet cable.
> >
> > I understand that with 1:1 NATing, the customer would have a private static
> > IP address on the WAN port of his router, and I would have to configure a
> > public static IP in the 1:1 NATing section of my M0n0wall.
> >
> > Wouldn't this 1:1 NATing allow the customer to remote into his network, just
> > the same as if my M0n0wall was in bridge mode and the customer had a
> > public static IP address on the WAN port of his router?
> >
> > But, I have heard that some applications on the customer's computer (that he
> > might try to access remotely, maybe via VPN) may not work properly unless
> > the WAN port of the customer's router actually had a public static IP
> > address. I'm not sure how true that is. I hope it isn't true, since it
> > seems that 1:1 NAT would be better than operating my M0n0wall in bridge
> > mode.
> >
> > So I could use some comments on this.
> >
> > I would think that 1:1 NATing would even have some advantages, such as the
> > inherent security of NAT.
> >
> > Thanks for any comments on this.
> >