userdoc:tt-internal-downstream-router

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision		 Previous revision
userdoc:tt-internal-downstream-router [2016/05/30 17:30] – [NAT Foreign Network(s)] abelbeckuserdoc:tt-internal-downstream-router [2016/05/30 21:21] (current) – [Internal Downstream Router] abelbeck
Line 5: Line 5:
 While AstLinux offers many firewall and networking features, there are situations where an additional internal downstream router may play into the mix.  That router may be pre-existing before AstLinux is added, or a router that offers added value such as subscription based content filtering. While AstLinux offers many firewall and networking features, there are situations where an additional internal downstream router may play into the mix.  That router may be pre-existing before AstLinux is added, or a router that offers added value such as subscription based content filtering.
  
-When an additional internal downstream router NAT's the LAN interfaces to the WAN interface, the process is pretty much plug-and-play since AstLinux sees all the downstream traffic as coming from a single IPv4 address on one of its internal interfaces.  This practice has a couple negative side effects such as Double-NAT'ing the router's LAN devices to the public Internet, and limiting the upstream AstLinux's ability to filter by IPv4 address.+When the additional internal downstream router NAT's the LAN interfaces to its external interface, the process is pretty much plug-and-play since AstLinux sees all the downstream traffic as coming from a single IPv4 address on one of its internal interfaces.  This practice has a couple negative side effects such as Double-NAT of the internal router's LAN devices to the public Internet, and limiting AstLinux's ability to filter the router's traffic by IPv4 address.
  
-Provided the additional internal downstream router can disable NAT and "route" the LAN traffic to the upstream AstLinux, AstLinux can be configured to perform NAT to the public interface.+Provided the additional internal downstream router can disable NAT and "route" the LAN traffic to the upstream AstLinux, AstLinux can be configured to perform NAT for the internal router to the public Internet.
  
 !!Note: AstLinux 1.2.7 or later is required!! !!Note: AstLinux 1.2.7 or later is required!!
- 
 ===== NAT Foreign Network(s) ===== ===== NAT Foreign Network(s) =====
  
 Support of this configuration is simple, editing the ''/mnt/kd/rc.conf.d/user.conf'' configuration file and ''/mnt/kd/rc.elocal'' script. Support of this configuration is simple, editing the ''/mnt/kd/rc.conf.d/user.conf'' configuration file and ''/mnt/kd/rc.elocal'' script.
  
-For example, add a downstream router off the AstLinux 2nd interface (172.30.10.1/24) with router's external IP 172.30.10.2:+For example, add a downstream router off the AstLinux 2nd internal interface (172.30.10.1/24) with router's external IP 172.30.10.2:
  
 Router LAN 1: 192.168.6.0/24 - Office LAN\\ Router LAN 1: 192.168.6.0/24 - Office LAN\\
Line 22: Line 21:
  
 !!Note ->!!  NAT is disabled on the downstream router, all subnets are 'routed' !!Note ->!!  NAT is disabled on the downstream router, all subnets are 'routed'
 +
 +On the AstLinux box, add to ''/mnt/kd/rc.conf.d/user.conf'' configuration:
 +
 +  NAT_FOREIGN_NETWORK="192.168.6.0/24 192.168.7.0/24 10.1.10.0/24"
 +
 +On the AstLinux box, add to ''/mnt/kd/rc.elocal'' script:
 +
 +  #!/bin/sh
 +  
 +  . /etc/rc.conf
 +  
 +  ## Add foreign network routes off the 2nd internal interface using gateway gwip
 +  gwip="172.30.10.2"
 +  
 +  for x in $NAT_FOREIGN_NETWORK; do
 +    ip route add $x via $gwip dev $INT2IF
 +  done
  
  
-  
  • userdoc/tt-internal-downstream-router.1464629407.txt.gz
  • Last modified: 2016/05/30 17:30
  • by abelbeck