 From:  Joe Lagreca <lagreca at gmail dot com>
 To:  Melvin Backus <mbackus at bellsouth dot net>
 Cc:  Monowall List <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Nat behind a NAT a bad idea?
 Date:  Fri, 6 Aug 2004 11:53:28 -0700
If I set each router to pass IPSEC traffic, will that solve the problem?

I don't see this being a big problem, as most users will probably not
use an IPSEC VPN.  However I'm not positive they won't use it, and
would like to have everything set up so they can do pretty much
anything without a hitch.



On Fri, 06 Aug 2004 14:14:23 -0400, Melvin Backus <mbackus at bellsouth dot net> wrote:
> Joe Lagreca wrote:
> >I have a /29 network with 5 useable external IP addresses.  I want to
> >share my connection with others.  However I expect more than 5 other
> >people wanting to share my connection, so I will need some sort of NAT
> >incorporated into my design.  I am using m0n0wall as my main gateway,
> >and off the shelf wireless routers at each users location.
> >
> >While laying out my network, I repeatedly ended up with a NAT behind a
> >NAT design.  I wasn't sure if that was an acceptable or poor design.
> >I've read of others doing this (that doesn't necessarily make it
> >correct) and was wondering what others thought about it.
> >
> >If I do use it in my design, what sort of problems should I expect and
> >how can I overcome them?
> >
> >Joe
> >
> >
> It will certainly work, but one of the problems you can expect would be
> issues with IPSec connections.  They don't work well with NAT unless
> there are modules in place to allow them to pass through.  That's sort
> of a kludge which has been accepted and works OK, but when you end up
> with more than 1 level it doesn't work anymore.  That isn't normally
> much of a problem unless you wind up with someone who's trying to
> connect to a VPN which happens to use IPSec.
> Melvin
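Melvin's point that IPsec passthrough is a kludge that stops working past one NAT level, and Joe's question about whether setting each router to pass IPsec would fix it, can be illustrated with a small model. The following is an added example written for this page; it is not code from the thread and not m0n0wall code. It models a port-rewriting NAT of the kind found in an off-the-shelf router, with the simplest form of passthrough helper: raw ESP (IP protocol 50) has no port numbers to rewrite, so the helper can only pin a given VPN peer to one inside host. NAT-T (RFC 3948) wraps ESP in UDP port 4500, which lets every NAT in the chain rewrite a source port like any other UDP flow. All addresses, ports and SPIs below are constructed sample values; real passthrough helpers vary in how much state they track.

```python
"""Toy model of ESP vs UDP-encapsulated ESP (NAT-T) crossing two NAT levels.

Two users, each behind their own wireless router (inner NAT), both behind the
m0n0wall gateway (outer NAT), connect to the same VPN gateway.  Constructed
example; not m0n0wall code.
"""
from dataclasses import dataclass, replace

ESP, UDP, NAT_T_PORT = 50, 17, 4500


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: int = 0   # UDP only
    dport: int = 0   # UDP only
    spi: int = 0     # ESP SPI; a NAT has nothing it can rewrite here


class Nat:
    """A port-rewriting NAT plus a minimal IPsec passthrough helper."""

    def __init__(self, outside_ip, first_port=40000):
        self.outside_ip = outside_ip
        self.next_port = first_port
        self.udp_out = {}   # (inside ip, sport, peer, dport) -> public sport
        self.udp_in = {}    # (public sport, peer, dport) -> (inside ip, sport)
        self.esp_peer = {}  # peer -> the single inside host allowed ESP to it

    def outbound(self, p):
        if p.proto == UDP:
            key = (p.src, p.sport, p.dst, p.dport)
            if key not in self.udp_out:           # allocate a fresh public port
                self.udp_out[key] = self.next_port
                self.udp_in[(self.next_port, p.dst, p.dport)] = (p.src, p.sport)
                self.next_port += 1
            return replace(p, src=self.outside_ip, sport=self.udp_out[key])
        if p.proto == ESP:
            owner = self.esp_peer.setdefault(p.dst, p.src)
            if owner != p.src:                    # no port to disambiguate on
                raise RuntimeError(
                    f"{self.outside_ip}: ESP to {p.dst} already owned by {owner}")
            return replace(p, src=self.outside_ip)
        raise ValueError("unsupported protocol")

    def inbound(self, p):
        if p.proto == UDP:
            inside = self.udp_in.get((p.dport, p.src, p.sport))
            if inside is None:
                raise RuntimeError(f"{self.outside_ip}: no UDP mapping for reply")
            return replace(p, dst=inside[0], dport=inside[1])
        if p.proto == ESP:
            owner = self.esp_peer.get(p.src)
            if owner is None:
                raise RuntimeError(f"{self.outside_ip}: unsolicited ESP from {p.src}")
            return replace(p, dst=owner)
        raise ValueError("unsupported protocol")


def round_trip(nats, p):
    """Push p out through nats (innermost first); return the reply as seen inside."""
    for nat in nats:
        p = nat.outbound(p)
    # The VPN gateway answers by swapping addresses/ports (its own SPI for ESP).
    reply = Packet(p.proto, p.dst, p.src, p.dport, p.sport, spi=0x5EED)
    for nat in reversed(nats):
        reply = nat.inbound(reply)
    return reply


def simulate(proto):
    """Return per-user outcome for raw ESP or NAT-T through the double NAT."""
    gw = "203.0.113.5"               # VPN gateway (constructed)
    outer = Nat("198.51.100.10")     # m0n0wall WAN address (constructed)
    router_a = Nat("10.0.0.2")       # user A's router, WAN side on m0n0wall LAN
    router_b = Nat("10.0.0.3")       # user B's router
    # Both off-the-shelf routers hand out the same private LAN range.
    hosts = {"userA": ("192.168.1.20", [router_a, outer]),
             "userB": ("192.168.1.20", [router_b, outer])}
    results = {}
    for name, (ip, path) in hosts.items():
        if proto == ESP:
            p = Packet(ESP, ip, gw, spi=0x1000)
        else:
            p = Packet(UDP, ip, gw, NAT_T_PORT, NAT_T_PORT)
        try:
            reply = round_trip(path, p)
            results[name] = "ok" if reply.dst == ip else "misdelivered"
        except RuntimeError as exc:
            results[name] = f"fail: {exc}"
    return results


if __name__ == "__main__":
    print("raw ESP with passthrough on every router:", simulate(ESP))
    print("NAT-T (ESP in UDP/4500):", simulate(UDP))
```

Even with passthrough enabled on every router, the second user's ESP session collides at the shared outer NAT, because the only thing that distinguishes the two flows (the SPI) is chosen by the endpoints and cannot be rewritten. With NAT-T each level assigns its own source port, so the replies find their way back to the right router and then the right host.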