Re: [m0n0wall] Nat behind a NAT a bad idea?

From:	Eric Collins <eric at tawifi dot com>
To:	Monowall List <m0n0wall at lists dot m0n0 dot ch>
Subject:	Re: [m0n0wall] Nat behind a NAT a bad idea?
Date:	Fri, 06 Aug 2004 12:04:55 -0700
NAT behind NAT works pretty good for us in most cases, one thing I have 
noticed is that FTP states get a little weird sometimes, nothing a quick 
reboot won't fix.

-Eric

At 11:53 AM 8/6/2004 -0700, Joe Lagreca wrote:

>If I set each router to pass IPSEC traffic, will that solve the problem?
>
>I don't see this being a big problems, as most users will probably not
>use an IPSEC VPN.  However I'm not positive they won't use it, and
>would like to have everything setup so they can do pretty much
>anything without a hitch.
>
>Thanks.
>
>Joe
>
>
>On Fri, 06 Aug 2004 14:14:23 -0400, Melvin Backus <mbackus at bellsouth dot net> 
>wrote:
> >
> >
> > Joe Lagreca wrote:
> >
> > >I have a /29 network with 5 useable external IP addresses.  I want to
> > >share my connection with others.  However I expect more than 5 other
> > >people wanting to share my connection, so I will need some sort of NAT
> > >incorporated into my design.  I am using m0n0wall as my main gateway,
> > >and off the shelf wireless routers at each users location.
> > >
> > >While laying out my network, I repeatedly ended up with a NAT behind a
> > >NAT design.  I wasn't sure if that was an acceptable or poor design.
> > >I've read of others doing this (that doesnt necesarily make it
> > >correct) and was wondering what others thought about it.
> > >
> > >If I do use it in my design, what sort of problems should I expect and
> > >how can I overcome them?
> > >
> > >Joe
> > >
> > >
> > It will certainly work, but one of the problems you can expect would be
> > issues with IPSec connections.  They don't work well with NAT unless
> > there are modules in place to allow them to pass through.  That's sort
> > of a kludge which has been accepted and works OK, but when you end up
> > with more than 1 level it doesn't work anymore.  That isn't normally
> > much of a problem unless you wind up with someone who's trying to
> > connect to a VPN which happens to use IPSec.
> >
> > Melvin
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> > For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
> >
> >
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch