Internal Downstream Router

AstLinux is often placed at the network “edge” with a public IP address; one particular benefit is that public SIP services are not behind NAT.

While AstLinux offers many firewall and networking features, there are situations where an additional internal downstream router may play into the mix. That router may have existed before AstLinux was added, or it may be a router that offers added value, such as subscription-based content filtering.

When an additional internal downstream router NATs its LAN interfaces to its WAN interface, the process is pretty much plug-and-play, since AstLinux sees all the downstream traffic as coming from a single IPv4 address on one of its internal interfaces. This practice has a couple of negative side effects, such as double-NATing the router's LAN devices to the public Internet and limiting the upstream AstLinux's ability to filter by IPv4 address.

Provided the additional internal downstream router can disable NAT and “route” its LAN traffic to the upstream AstLinux, AstLinux can be configured to perform the NAT to the public interface.

Note: AstLinux 1.2.7 or later is required.

Supporting this configuration is simple: edit the /mnt/kd/rc.conf.d/user.conf configuration file and the /mnt/kd/rc.elocal script.

For example, add a downstream router off the AstLinux 2nd interface (172.30.10.1/24), with the router's external IP 172.30.10.2:

Router LAN 1: 192.168.6.0/24 - Office LAN
Router LAN 2: 192.168.7.0/24 - Accounting LAN
Router LAN 3: 10.1.10.0/24 - WiFi

Note: NAT is disabled on the downstream router; all subnets are 'routed'.

On the AstLinux box, add to /mnt/kd/rc.conf.d/user.conf configuration:

NAT_FOREIGN_NETWORK="192.168.6.0/24 192.168.7.0/24 10.1.10.0/24"

On the AstLinux box, add to /mnt/kd/rc.elocal script:
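The rc.elocal contents are not included in this revision of the page. As an added illustration, separate from that script and not part of the AstLinux documentation or distribution, the POSIX sh below takes the NAT_FOREIGN_NETWORK value from the example above and the downstream router's external address (172.30.10.2), checks each CIDR for well-formedness and for overlap with the transit subnet the two routers share (assumed here to be 172.30.10.0/24, matching the 172.30.10.1/24 interface in the example), and prints the iproute2 `ip route add` lines that give AstLinux a return path to each routed subnet. It applies nothing; the output is meant to be reviewed first. The function names and the overlap check are this example's own.

```shell
#!/bin/sh
# Added example, not from the AstLinux project. Values below are the ones
# used in the page's example; TRANSIT_NET is an assumption derived from the
# 172.30.10.1/24 interface address.

TRANSIT_NET="172.30.10.0/24"        # subnet shared by AstLinux and the downstream router
DOWNSTREAM_ROUTER="172.30.10.2"     # downstream router's external IP (from the page)
NAT_FOREIGN_NETWORK="192.168.6.0/24 192.168.7.0/24 10.1.10.0/24"

# ip_to_int a.b.c.d -> prints the address as a 32-bit unsigned integer;
# returns 1 on a missing/extra octet, non-digits, leading zeros or > 255.
ip_to_int() {
    rest=$1; n=0; val=0
    while [ -n "$rest" ]; do
        o=${rest%%.*}
        case $rest in *.*) rest=${rest#*.} ;; *) rest= ;; esac
        case $o in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
        val=$(( (val << 8) | o )); n=$((n + 1))
    done
    [ "$n" -eq 4 ] || return 1
    echo "$val"
}

# prefix_mask n -> prints the netmask for /n as an integer (0..32 only)
prefix_mask() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le 32 ] || return 1
    [ "$1" -eq 0 ] && { echo 0; return 0; }
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# valid_cidr a.b.c.d/n -> 0 if syntactically valid and the host bits are zero
# (a value like 192.168.6.1/24 is rejected: it names a host, not a network)
valid_cidr() {
    addr=${1%/*}; plen=${1#*/}
    [ "$addr" != "$1" ] || return 1            # no slash at all
    ip=$(ip_to_int "$addr") || return 1
    mask=$(prefix_mask "$plen") || return 1
    [ $(( ip & mask )) -eq "$ip" ]
}

# overlaps a/n b/m -> 0 if the two networks share at least one address:
# they overlap iff they agree on every bit of the less specific prefix
overlaps() {
    a=$(ip_to_int "${1%/*}"); am=$(prefix_mask "${1#*/}")
    b=$(ip_to_int "${2%/*}"); bm=$(prefix_mask "${2#*/}")
    if [ "$am" -lt "$bm" ]; then m=$am; else m=$bm; fi
    [ $(( a & m )) -eq $(( b & m )) ]
}

# route_cmds -> one "ip route add" line per foreign network on stdout;
# bad or overlapping entries are reported on stderr and make it return 1
route_cmds() {
    rc=0
    for net in $NAT_FOREIGN_NETWORK; do
        if ! valid_cidr "$net"; then
            echo "bad CIDR in NAT_FOREIGN_NETWORK: $net" >&2; rc=1; continue
        fi
        if overlaps "$net" "$TRANSIT_NET"; then
            echo "$net overlaps the transit network $TRANSIT_NET" >&2; rc=1; continue
        fi
        echo "ip route add $net via $DOWNSTREAM_ROUTER"
    done
    return $rc
}

route_cmds
```

Without a return route for each entry in NAT_FOREIGN_NETWORK, replies from the public side would be NATed back to a 192.168.6.x or 10.1.10.x address that AstLinux has no path to; the overlap check catches the case where a downstream LAN is mistakenly numbered inside the transit subnet, which would silently shadow the link to the downstream router.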

  • Last modified: 2016/05/30 12:32
  • by abelbeck