 From:  "Roland Giesler" <roland at thegreentree dot za dot net>
 To:  "Chris Buechler" <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Two m0n0walls that connect LAN via WAN? (Resolved)
 Date:  Thu, 15 Nov 2007 10:47:30 +0200
On 11/14/07, Chris Buechler <cbuechler at gmail dot com> wrote:
> I've done it with and without VPN, works fine. I haven't closely
> followed this thread, but glancing at the archive I don't see where
> you've said you disabled NAT (see FAQ).
Ah, now I have read the FAQ a few times, but never noticed this.  I
wasn't thinking straight it seems, since I'm actually using private ip
addresses like one would public addresses.  Something I find strange
though is that "Advanced outbound NAT" is actually disabling NAT?  But
then the description is quite clear!

<quote>If advanced outbound NAT is enabled, no outbound NAT rules will
be automatically generated anymore. Instead, only the mappings you
specify below will be used. With advanced outbound NAT disabled, a
mapping is automatically created for each interface's subnet (except
WAN) and any mappings specified below will be ignored. If you use
target addresses other than the WAN interface's IP address, then
depending on the way your WAN connection is setup, you may also need
proxy ARP.</quote>

> In an environment where you
> have a Windows network on both sides of a router, you can't NAT, it'll
> break things required for Windows networking to function reliably.
> Aside from that, there's nothing to it. Routing misconfiguration and
> incorrect firewall rules are the two things next most likely to go
> wrong.
I also found another error.  The ISP was also still NATting on one of
their VPN router devices.  Once they disabled that it could create an
IPSec tunnel and it works 100%.

I will now try the straight routing without VPN again.

Am I understanding this correctly: If I enable advanced outbound NAT I
have to create a NAT rule for all users who don't have live IP
addresses on the LAN?  Or will m0n0wall actually route the packets?
After all the LAN addresses are directly connected to m0n0wall, so
m0n0wall should know what to do with the packets.
Or do I have this all wrong?

> -Chris

Roland Giesler
Green Tree Systems cc, Stellenbosch, South Africa
Mobile: 072-450-2817   http://www.thegreentree.za.net

Shop online at http://www.digitalplanet.co.za/?AID=497
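The quoted help text and the question at the end of the message (does m0n0wall still route LAN packets once advanced outbound NAT is enabled, or must a mapping exist for every host?) can be separated into two independent decisions: where a packet is routed, and whether its source address is rewritten on the way out. The following model is an added example written for this thread; it is not m0n0wall's code and does not parse its config.xml. It implements the rule from the quoted text literally: with advanced outbound NAT disabled, one automatic mapping per non-WAN subnet to the WAN address; with it enabled, only the manually listed mappings (none here). The addresses, the /30 provider link and the static route for the remote LAN are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Interface:
    name: str
    address: str            # "ip/prefix", e.g. "192.168.1.1/24"
    is_wan: bool = False

    @property
    def iface(self):
        return ipaddress.ip_interface(self.address)


@dataclass
class Mapping:
    source: str             # CIDR whose source addresses are translated
    target: str             # address they are translated to


@dataclass
class Firewall:
    interfaces: list
    static_routes: dict = field(default_factory=dict)   # destination CIDR -> gateway
    advanced_outbound_nat: bool = False
    mappings: list = field(default_factory=list)        # the "mappings you specify below"

    def wan(self):
        return next(i for i in self.interfaces if i.is_wan)

    def effective_mappings(self):
        """Model of the quoted help text: AON off -> one automatic mapping per non-WAN
        subnet to the WAN address, manual list ignored; AON on -> only the manual list."""
        if self.advanced_outbound_nat:
            return list(self.mappings)
        wan_ip = str(self.wan().iface.ip)
        return [Mapping(str(i.iface.network), wan_ip) for i in self.interfaces if not i.is_wan]

    def exit_interface(self, dst):
        """Routing decision: directly connected subnets first, then the most specific
        static route, resolved to the interface that can reach its gateway."""
        dst = ipaddress.ip_address(dst)
        for i in self.interfaces:
            if dst in i.iface.network:
                return i, None
        best = None
        for cidr, gw in self.static_routes.items():
            net = ipaddress.ip_network(cidr)
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, ipaddress.ip_address(gw))
        if best is None:
            return None, None
        gw = best[1]
        for i in self.interfaces:
            if gw in i.iface.network:
                return i, str(gw)
        return None, None

    def forward(self, src, dst):
        """Route first; apply outbound NAT only to traffic leaving the WAN interface."""
        out, gw = self.exit_interface(dst)
        if out is None:
            return {"action": "drop", "reason": "no route to " + dst}
        new_src = src
        if out.is_wan:
            src_ip = ipaddress.ip_address(src)
            for m in self.effective_mappings():
                if src_ip in ipaddress.ip_network(m.source):
                    new_src = m.target
                    break
        return {"action": "forward", "out": out.name, "gateway": gw,
                "src": new_src, "dst": dst, "natted": new_src != src}


def site_a(advanced_outbound_nat):
    # Constructed site: private LAN, private /30 provider link, static route to the remote LAN.
    return Firewall(
        interfaces=[Interface("LAN", "192.168.1.1/24"),
                    Interface("WAN", "10.0.0.1/30", is_wan=True)],
        static_routes={"192.168.2.0/24": "10.0.0.2"},
        advanced_outbound_nat=advanced_outbound_nat,
    )


def compare(src="192.168.1.50", dst="192.168.2.20"):
    """Same LAN-to-remote-LAN packet with AON off (translated) and on (routed as-is)."""
    return {"aon_off": site_a(False).forward(src, dst),
            "aon_on": site_a(True).forward(src, dst)}


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

Running it shows the packet taking the same path in both cases (out the WAN interface via 10.0.0.2); the only difference is that with advanced outbound NAT disabled the source becomes 10.0.0.1, which is the translation Chris warns will break Windows networking across the link, while with it enabled and no mappings defined the LAN address is forwarded unchanged. A destination with no static route is dropped rather than translated, which is the "routing misconfiguration" failure mode rather than a NAT one.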