* [Cerowrt-devel] double_nat_question
@ 2013-08-28 8:44 Oliver Niesner
2013-08-28 8:55 ` Fred Stratton
2013-08-28 9:06 ` Toke Høiland-Jørgensen
0 siblings, 2 replies; 5+ messages in thread
From: Oliver Niesner @ 2013-08-28 8:44 UTC (permalink / raw)
To: cerowrt-devel
Hi all,
I hope someone can help me; it seems that I don't get it or misinterpret
something :-/
I want to get rid of double NAT in my small network at home, but it seems it
only works if I use an extra iptables MASQUERADE rule on my pc, which does all
the firewalling, dhcp etc..
My setup:
             ^
             | internet
             |
----------------------------             ------------------------
|                          |             | firewall pc          |
| dsl-router               |             | dhcp, small          |
| (NAT, no CEROwrt!)       |----eth0-----| webserver etc.       |--
| ip, static=192.168.0.199 | 192.168.0.1 |                      | |
----------------------------             ------------------------ |
                                                                  |
                                                                eth1,
                                                             192.168.1.1
                                                                  |
                                                                  |
                                  ---------------------------------
                                  | WAN=192.168.1.86              |
                      WLAN--------|            CEROwrt            |
                                  ---------------------------------
This setup works fine, but only when I do MASQUERADE on eth0 on my firewall pc!
I thought it must be possible that only my dsl-router does the NAT and
everything else is routed inside the private net!
(the necessary routes are set, every machine can ping each other)
What am I missing?
thx,
Oliver
* Re: [Cerowrt-devel] double_nat_question
From: Fred Stratton @ 2013-08-28 8:55 UTC (permalink / raw)
To: cerowrt-devel
The cerowrt box should be after the ADSL gateway. Use the cerowrt firewall. Bridge the ADSL gateway, or, if the ISP prohibits that, create a DMZ with cerowrt as the item in it.
On 28 Aug 2013, at 09:44, Oliver Niesner <oliver.niesner@gmail.com> wrote:
>
>
> Hi all,
>
> I hope someone can help me; it seems that I don't get it or misinterpret
> something :-/
>
> I want to get rid of double NAT in my small network at home, but it seems it
> only works if I use an extra iptables MASQUERADE rule on my pc, which does all
> the firewalling, dhcp etc..
>
> My setup:
>              ^
>              | internet
>              |
> ----------------------------             ------------------------
> |                          |             | firewall pc          |
> | dsl-router               |             | dhcp, small          |
> | (NAT, no CEROwrt!)       |----eth0-----| webserver etc.       |--
> | ip, static=192.168.0.199 | 192.168.0.1 |                      | |
> ----------------------------             ------------------------ |
>                                                                   |
>                                                                 eth1,
>                                                              192.168.1.1
>                                                                   |
>                                                                   |
>                                   ---------------------------------
>                                   | WAN=192.168.1.86              |
>                       WLAN--------|            CEROwrt            |
>                                   ---------------------------------
>
>
> This setup works fine, but only when I do MASQUERADE on eth0 on my firewall pc!
> I thought it must be possible that only my dsl-router does the NAT and
> everything else is routed inside the private net!
> (the necessary routes are set, every machine can ping each other)
> What am I missing?
>
> thx,
>
> Oliver
>
>
* Re: [Cerowrt-devel] double_nat_question
From: Toke Høiland-Jørgensen @ 2013-08-28 9:06 UTC (permalink / raw)
To: Oliver Niesner; +Cc: cerowrt-devel
Oliver Niesner <oliver.niesner@gmail.com> writes:
> This setup works fine, but only when i do MASQUERADE on eth0, on my firewall pc!
> I thought it must be possible, that only my dsl-router is doing the NAT and
> everything else is routed inside the private net!
> (the necessary routes are set, every machine could ping each other)
> What i'm missing?
My guess would be that you're missing routes? I.e. that either your
cerowrt box doesn't know how to find 192.168.0.x, or (more likely), your
DSL modem doesn't know how to find 192.168.1.x? You can try running
tcpdump on eth0 of your firewall pc while you do a ping, and see if you
have ICMP packets in one direction only. If so, that might be an
indication of missing routes. :)
-Toke
* Re: [Cerowrt-devel] double_nat_question
From: Dave Taht @ 2013-10-10 18:10 UTC (permalink / raw)
To: Oliver Niesner, cerowrt-devel
Your topology is odd. If you want cero to provide rate
limiting/AQM/QoS, it has to be next to the adsl router, not where it
is. Assuming you want to keep it where it is....
If your firewall is running a recent linux, the cerowrt aqm scripts
can also work there.
As for routing, the adsl box needs to be configured to forward
192.168.1.0/24 and 172.30.42.0/24 to the firewall box, which needs to
also forward 172.30.42.0/24 to the cerowrt box, and you need to nuke
nat throughout.
Easiest way to do that is to delete all but the top 3 firewall rules
on cerowrt, making them all be "FORWARD", editing
/etc/quagga/babeld.conf to allow ge00 as a babel interface, and
installing babeld on the firewall box. (you'd still need to tell the
dsl router to forward at least those two nets to the firewall box)
On Thu, Oct 10, 2013 at 10:37 AM, Oliver Niesner
<oliver.niesner@gmail.com> wrote:
> Hi Dave,
>
> Hope it's ok to mail you directly
I vastly prefer to solve problems in public.
> If I could solve this I will post my solution if someone is interested.
>
> Unfortunately I haven't solved it yet; maybe you have some tips to make it easier
> for me, 'cause I really want to fight Bufferbloat, and after I know how to do it I
> will show my friends to make their internet experience a better one :-)
>
> Fred Stratton told me to put cerowrt into a DMZ and disable NAT on cerowrt.
> My firewall has three NICs, so this would be possible to do.
>
> I will try this tomorrow.
> Another small question:
> I think it is enough to remove the last line of the zone_wan_postrouting chain
>
>> Chain zone_wan_postrouting (1 references)
>> pkts bytes target prot opt in out source destination
>> 0 0 postrouting_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* user chain for postrouting */
>> 0 0 MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0
>
> to completely disable NAT on cerowrt, or am I wrong?
/etc/config/firewall sets up NAT. In your case, however, with your
topology, I don't see the need for any firewall rules at all.
>
> thx, for helping out
>
> Oliver
>
--
Dave Täht
Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html
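To make concrete both Toke's diagnostic (ICMP seen in one direction only means a missing return route) and the routes Dave lists, here is an added illustration that is not part of the thread: a small routing-table model of the topology with longest-prefix lookup. The addressing is assumed from the mails (dsl-router 192.168.0.199, firewall pc 192.168.0.1/192.168.1.1, CeroWrt WAN 192.168.1.86 with a 172.30.42.0/24 LAN and one host 172.30.42.10); BEFORE is the poster's tables without any MASQUERADE, AFTER adds the forwarding entries Dave describes.

```python
import ipaddress

# Constructed model of the thread's topology (assumed addressing, not the
# poster's real config): dsl-router 192.168.0.199; firewall pc eth0 192.168.0.1
# / eth1 192.168.1.1; CeroWrt WAN 192.168.1.86 with a 172.30.42.0/24 LAN behind
# it (the net Dave's reply names) and one LAN host 172.30.42.10.
NODE_OF_IP = {
    "192.168.0.199": "dsl-router",
    "192.168.0.1": "firewall", "192.168.1.1": "firewall",
    "192.168.1.86": "cerowrt", "172.30.42.1": "cerowrt",
    "172.30.42.10": "lan-host",
}

# Per-node routing tables as (prefix, next hop): "connected" = on-link,
# "isp" = the dsl-router's uplink, where a reply to a private net is lost.
BEFORE = {
    "lan-host":   [("172.30.42.0/24", "connected"), ("0.0.0.0/0", "172.30.42.1")],
    "cerowrt":    [("172.30.42.0/24", "connected"), ("192.168.1.0/24", "connected"),
                   ("0.0.0.0/0", "192.168.1.1")],
    "firewall":   [("192.168.0.0/24", "connected"), ("192.168.1.0/24", "connected"),
                   ("0.0.0.0/0", "192.168.0.199")],
    "dsl-router": [("192.168.0.0/24", "connected"), ("0.0.0.0/0", "isp")],
}

# Dave's fix: the dsl box forwards both inner nets to the firewall pc, which
# forwards the CeroWrt LAN on to CeroWrt; no MASQUERADE anywhere inside.
AFTER = {node: list(routes) for node, routes in BEFORE.items()}
AFTER["dsl-router"] += [("192.168.1.0/24", "192.168.0.1"), ("172.30.42.0/24", "192.168.0.1")]
AFTER["firewall"] += [("172.30.42.0/24", "192.168.1.86")]

def lookup(table, dst):
    """Longest-prefix match; returns the next hop, or None when nothing matches."""
    best = None
    for prefix, nexthop in table:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None

def trace(tables, src, dst):
    """Forward hop by hop; returns the nodes traversed, or None if the packet is dropped."""
    node, path = NODE_OF_IP[src], [NODE_OF_IP[src]]
    while node != NODE_OF_IP[dst] and len(path) < 8:
        nexthop = lookup(tables[node], dst)
        if nexthop is None or nexthop == "isp":
            return None
        node = NODE_OF_IP[dst] if nexthop == "connected" else NODE_OF_IP[nexthop]
        path.append(node)
    return path if node == NODE_OF_IP[dst] else None

def ping_works(tables, src, dst):
    """Toke's tcpdump test in code: a ping needs a forward path AND a reply path."""
    return trace(tables, src, dst) is not None and trace(tables, dst, src) is not None
```

Running `ping_works(BEFORE, "172.30.42.10", "192.168.0.199")` reproduces the one-way ICMP symptom (request arrives, reply leaves via the ISP), while a source of 192.168.0.1, which is what MASQUERADE on eth0 rewrites packets to, works even in BEFORE; with the AFTER tables the reply comes back without NAT.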
* [Cerowrt-devel] double_NAT_question
From: Oliver Niesner @ 2013-08-27 8:05 UTC (permalink / raw)
To: cerowrt-devel
Hi all,
I hope someone can help me; it seems that I don't get it or misinterpret
something :-/
I want to get rid of double NAT in my small network at home, but it seems it
only works if I use an extra iptables MASQUERADE rule on my pc, which does all
the firewalling, dhcp etc..
My setup:
             ^
             | internet
             |
----------------------------             ------------------------
|                          |             | firewall pc          |
| dsl-router               |             | dhcp, small          |
| (NAT, no CEROwrt!)       |----eth0-----| webserver etc.       |--
| ip, static=192.168.0.199 | 192.168.0.1 |                      | |
----------------------------             ------------------------ |
                                                                  |
                                                                eth1,
                                                             192.168.1.1
                                                                  |
                                                                  |
                                  ---------------------------------
                                  | WAN=192.168.1.86              |
                                  |            CEROwrt            |
                                  ---------------------------------
This setup works fine, but only when I do MASQUERADE on eth0 on my firewall pc!
I thought it must be possible that only my dsl-router does the NAT and
everything else is routed inside the private net!
What am I missing?
thx,
Oliver