Firewall Wizards mailing list archives
RE: NAT
From: sean.kelly () lanston com
Date: Wed, 12 Apr 2000 11:00:54 -0400
My knowledge of NAT is not deep enough, therefore I'm asking for your help. Our ISP refused to provide us with a private routable subnet, giving us only the plain range of IP addresses. It sucks since we need to plug our DSL modem into the hub and leave the whole network without any protection <big grin>.
You don't need your ISP to provide you with a private subnet. The problem you face is one that pretty much everyone in the industry does. The only machine you want to assign a "plain" IP to is one you want to be visible to the world -- a web server, etc. There are sets of IP ranges designated for private use. The most commonly used range is the 192.168.x.x class C. Come up with a scheme for your machines using this IP range and get a firewall/proxy server. For small networks, products like SyGate on a spare PC are often sufficient.
One of the solutions was to put a hardware firewall in between the network and the DSL modem, but for some reasons we can't do that. The solution that I was thinking of is to set up all the IPs given to us as aliases on the external interface of our router (Linux or *BSD box) and set up NAT in the following manner: (all the workstations in the local network are getting local non-routable addresses)
ie. the 192.168.x.x ones
For each outgoing packet, the source address (local) is replaced by the alias mapped to this address. For each incoming packet, the destination address (external alias) is mapped to the local address. So it looks like fancy masquerading, even though instead of ports we are playing with aliases on the external interface of the router.
This is indeed NAT.
I was hitting my head against the wall trying to come up with NAT rules for such a scheme, but I failed. I need your help, guys.
What rules do you mean? Any of the products out there that do NAT should be able to be set up without too much trouble. It doesn't sound like you're doing anything unusual.
Sean
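The one-to-one alias scheme described in the quoted message, modelled as an added example (not code from the thread). It assumes a constructed mapping of the documentation range 203.0.113.0/29 (standing in for the ISP-assigned addresses) onto 192.168.1.0/24 hosts, and emits the equivalent Linux iptables SNAT/DNAT rules; note that DNAT alone forwards every inbound connection to the mapped host, so a FORWARD-chain filter is still needed to get the protection masquerading gives implicitly.

```python
"""Static (one-to-one) NAT: each external alias on the router maps to
exactly one LAN host. Addresses below are constructed for this example."""
from dataclasses import dataclass, replace
from typing import Optional

# alias on the router's external interface -> workstation on the LAN
STATIC_NAT = {
    "203.0.113.10": "192.168.1.10",
    "203.0.113.11": "192.168.1.11",
}
INTERNAL_TO_ALIAS = {lan: alias for alias, lan in STATIC_NAT.items()}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def translate_outbound(pkt: Packet) -> Optional[Packet]:
    """LAN -> Internet: swap the private source for its alias.
    A host with no alias is not translated (returns None); unlike
    masquerading there is no shared address to fall back on."""
    alias = INTERNAL_TO_ALIAS.get(pkt.src)
    return None if alias is None else replace(pkt, src=alias)


def translate_inbound(pkt: Packet) -> Optional[Packet]:
    """Internet -> LAN: swap an alias destination for the mapped host.
    Unmapped destinations have nowhere to go and are dropped (None).
    Anything addressed to a mapped alias DOES reach the host, so inbound
    filtering must be done separately in the filter table."""
    lan = STATIC_NAT.get(pkt.dst)
    return None if lan is None else replace(pkt, dst=lan)


def iptables_rules(ext_if: str = "eth0") -> list:
    """Linux netfilter equivalent: SNAT after routing, DNAT before it,
    plus a stateful FORWARD policy so only replies come back in."""
    rules = []
    for alias, lan in STATIC_NAT.items():
        rules.append(f"iptables -t nat -A POSTROUTING -o {ext_if} -s {lan} "
                     f"-j SNAT --to-source {alias}")
        rules.append(f"iptables -t nat -A PREROUTING -i {ext_if} -d {alias} "
                     f"-j DNAT --to-destination {lan}")
    rules.append(f"iptables -A FORWARD -i {ext_if} -m state "
                 f"--state ESTABLISHED,RELATED -j ACCEPT")
    rules.append(f"iptables -A FORWARD -i {ext_if} -m state --state NEW -j DROP")
    return rules
```

The last two FORWARD rules are the part the alias scheme itself does not give you; per-service exceptions (e.g. a web server on one alias) go before the DROP.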