From: Dave Taht <dave.taht@gmail.com>
To: Oliver Niesner <oliver.niesner@gmail.com>,
"cerowrt-devel@lists.bufferbloat.net"
<cerowrt-devel@lists.bufferbloat.net>
Subject: Re: [Cerowrt-devel] double_nat_question
Date: Thu, 10 Oct 2013 11:10:40 -0700
Message-ID: <CAA93jw5VLATWqwxac2HCn32J0_=L_+LnfASNAhcm2P6Mv+jP1w@mail.gmail.com>
In-Reply-To: <5256E5D8.4000405@gmail.com>

Your topology is odd. If you want cero to provide rate
limiting/AQM/QoS, it has to be next to the adsl router, not where it
is. Assuming you want to keep it where it is....

If your firewall is running a recent Linux, the cerowrt's aqm scripts
can also work there.

As for routing, the adsl box needs to be configured to forward
192.168.1.0/24 and 172.30.42.0/24 to the firewall box, which needs to
also forward 172.30.42.0/24 to the cerowrt box, and you need to nuke
nat throughout.

Easiest way to do that is to delete all but the top 3 firewall rules
on cerowrt, making them all be "FORWARD", editing
/etc/quagga/babeld.conf to allow ge00 as a babel interface, and
installing babeld on the firewall box. (you'd still need to tell the
dsl router to forward at least those two nets to the firewall box)

On Thu, Oct 10, 2013 at 10:37 AM, Oliver Niesner
<oliver.niesner@gmail.com> wrote:
> Hi Dave,
>
> Hope it's ok to mail you directly

I vastly prefer to solve problems in public.

> If I could solve this I will post my solution if someone is interested.
>
> Unfortunately I didn't solve it yet, maybe you have some tips to make it easier
> for me, 'cause I really want to fight Bufferbloat and after I know how to do it I
> will show my friends to make their internet experience a better one :-)
>
> Fred Stratton told me to put cerowrt into a DMZ and disable NAT on cerowrt.
> My firewall has three NICs, so this would be possible to do.
>
> I will try this tomorrow.
> Another small question:
> I think it is enough to remove the last line of the zone_wan_postrouting chain
>
>> Chain zone_wan_postrouting (1 references)
>> pkts bytes target prot opt in out source destination
>> 0 0 postrouting_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* user chain for postrouting */
>> 0 0 MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0
>
> to completely disable NAT on cerowrt, or am I wrong?

/etc/config/firewall sets up NAT. In your case, however, with your
topology, I don't see the need for any firewall rules at all.

>
> thx, for helping out
>
> Oliver
>
--
Dave Täht
Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html
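
An added check for the NAT question in this message (not part of the original mail and not CeroWrt's own scripts): since /etc/config/firewall is what sets up NAT, and the running chains are regenerated from it when the firewall reloads, the first function lists zones that enable masquerading in that file and the second lists any MASQUERADE/SNAT rule still present in an `iptables -t nat -L -n -v` listing. `option masq` is the standard OpenWrt zone setting; the function names and both sample inputs are constructed, the listing mirroring the chain quoted in the thread.

```shell
#!/bin/sh
# Added example: read-only checks for "is NAT really off?" on an OpenWrt-style
# router. Both functions read stdin, so they can be tried offline.

# Print the name of each zone in /etc/config/firewall text that enables masq.
masq_zones() {
    awk -v q="'" '
        # Strip one pair of surrounding single or double quotes.
        function unq(s,  c) {
            c = substr(s, 1, 1)
            if (c == "\"" || c == q) s = substr(s, 2, length(s) - 2)
            return s
        }
        function emit() { if (inzone && masq) print name }
        $1 == "config" { emit(); inzone = (unq($2) == "zone"); name = "(unnamed)"; masq = 0; next }
        inzone && $1 == "option" && $2 == "name" { name = unq($3) }
        inzone && $1 == "option" && $2 == "masq" { masq = (unq($3) ~ /^(1|yes|on|true|enabled)$/) }
        END { emit() }
    '
}

# Print "chain target" for each source-NAT rule in verbose nat-table output
# (columns: pkts bytes target ...), the listing format quoted in the thread.
live_snat_rules() {
    awk '
        $1 == "Chain" { chain = $2; next }
        $3 == "MASQUERADE" || $3 == "SNAT" { print chain, $3 }
    '
}

# Constructed sample inputs (not taken from a real router).
SAMPLE_CONFIG="config defaults
	option forward 'REJECT'

config zone
	option name 'lan'
	option masq '0'

config zone
	option name 'wan'
	option masq '1'"

SAMPLE_LISTING="Chain zone_wan_postrouting (1 references)
 pkts bytes target     prot opt in     out     source      destination
    0     0 postrouting_wan_rule  all  --  *  *  0.0.0.0/0  0.0.0.0/0  /* user chain for postrouting */
    0     0 MASQUERADE  all  --  *  *  0.0.0.0/0  0.0.0.0/0"

printf '%s\n' "$SAMPLE_CONFIG" | masq_zones        # zones still doing NAT in config
printf '%s\n' "$SAMPLE_LISTING" | live_snat_rules   # NAT rules still loaded
```

On a router, feed the first function `/etc/config/firewall` and the second the output of `iptables -t nat -L -n -v`; empty output from both means no source NAT is configured or loaded.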