 From:  Melvin Backus <mbackus at bellsouth dot net>
 Cc:  Monowall List <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Nat behind a NAT a bad idea?
 Date:  Fri, 06 Aug 2004 14:14:23 -0400
Joe Lagreca wrote:

>I have a /29 network with 5 useable external IP addresses.  I want to
>share my connection with others.  However I expect more than 5 other
>people wanting to share my connection, so I will need some sort of NAT
>incorporated into my design.  I am using m0n0wall as my main gateway,
>and off-the-shelf wireless routers at each user's location.
>While laying out my network, I repeatedly ended up with a NAT behind a
>NAT design.  I wasn't sure if that was an acceptable or poor design.
>I've read of others doing this (that doesn't necessarily make it
>correct) and was wondering what others thought about it.
>If I do use it in my design, what sort of problems should I expect and
>how can I overcome them?
It will certainly work, but one of the problems you can expect would be 
issues with IPSec connections.  They don't work well with NAT unless 
there are modules in place to allow them to pass through.  That's sort 
of a kludge which has been accepted and works OK, but when you end up 
with more than 1 level it doesn't work anymore.  That isn't normally 
much of a problem unless you wind up with someone who's trying to 
connect to a VPN which happens to use IPSec.
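To make the IPsec point concrete, here is a small added model (my own illustration, not code from the list or from m0n0wall) of a port-based NAT chain like the one described: an inner off-the-shelf router behind the m0n0wall gateway. It shows why raw ESP (IP protocol 50, which carries no port numbers) can be translated for at most one inner host per VPN peer, while UDP-encapsulated ESP (NAT-T on UDP/4500) is multiplexed like any other UDP flow through both NAT levels. All addresses are constructed sample values.

```python
# Added illustration: a toy port-based NAT (NAPT) with one public address.
# Raw ESP has no ports, so the only thing the NAT can key on is the peer
# address; UDP-encapsulated ESP (NAT-T, UDP/4500) gets normal port mappings.

class ToyNat:
    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.next_port = 40000      # first translated source port to hand out
        self.udp_map = {}           # (src_ip, src_port, dst_ip) -> public port
        self.esp_owner = {}         # peer ip -> the one inner host using ESP

    def outbound(self, pkt):
        proto, src, dst = pkt["proto"], pkt["src"], pkt["dst"]
        if proto == "udp":
            key = (src, pkt["sport"], dst)
            if key not in self.udp_map:
                self.udp_map[key] = self.next_port
                self.next_port += 1
            return {"proto": "udp", "src": self.public_ip,
                    "sport": self.udp_map[key], "dst": dst, "dport": pkt["dport"]}
        if proto == "esp":
            # No ports: replies from the peer cannot be told apart, so a
            # second inner host to the same peer has no usable mapping.
            owner = self.esp_owner.setdefault(dst, src)
            if owner != src:
                return None     # dropped: peer already mapped to another host
            return {"proto": "esp", "src": self.public_ip, "dst": dst, "spi": pkt["spi"]}
        raise ValueError("unsupported protocol: %s" % proto)

def send_through(nats, pkt):
    """Push one outbound packet through a chain of NATs; None means dropped."""
    for nat in nats:
        pkt = nat.outbound(pkt)
        if pkt is None:
            return None
    return pkt

def demo():
    inner = ToyNat("198.51.100.10")   # user's wireless router (constructed)
    edge = ToyNat("203.0.113.5")      # m0n0wall gateway (constructed)
    vpn = "192.0.2.1"                 # remote IPsec VPN peer (constructed)
    chain = [inner, edge]
    raw_a = send_through(chain, {"proto": "esp", "src": "10.0.0.2", "dst": vpn, "spi": 1})
    raw_b = send_through(chain, {"proto": "esp", "src": "10.0.0.3", "dst": vpn, "spi": 2})
    natt_a = send_through(chain, {"proto": "udp", "src": "10.0.0.2", "sport": 4500,
                                  "dst": vpn, "dport": 4500})
    natt_b = send_through(chain, {"proto": "udp", "src": "10.0.0.3", "sport": 4500,
                                  "dst": vpn, "dport": 4500})
    return raw_a, raw_b, natt_a, natt_b   # raw_b is None; both NAT-T flows survive
```

The practical check on a real setup is therefore whether the VPN client and peer negotiate NAT-T (UDP/4500) rather than relying on raw ESP and a router's "IPsec passthrough" helper at each level.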