Joe Lagreca wrote:
>I have a /29 network with 5 useable external IP addresses. I want to
>share my connection with others. However I expect more than 5 other
>people wanting to share my connection, so I will need some sort of NAT
>incorporated into my design. I am using m0n0wall as my main gateway,
>and off-the-shelf wireless routers at each user's location.
>While laying out my network, I repeatedly ended up with a NAT behind a
>NAT design. I wasn't sure if that was an acceptable or poor design.
>I've read of others doing this (that doesn't necessarily make it
>correct) and was wondering what others thought about it.
>If I do use it in my design, what sort of problems should I expect and
>how can I overcome them?
It will certainly work, but one of the problems you can expect would be
issues with IPSec connections. They don't work well with NAT unless
there are modules in place to allow them to pass through. That's sort
of a kludge which has been accepted and works OK, but when you end up
with more than 1 level it doesn't work anymore. That isn't normally
much of a problem unless you wind up with someone who's trying to
connect to a VPN which happens to use IPSec.