From: Dave Taht
To: Oliver Niesner, cerowrt-devel@lists.bufferbloat.net
Date: Thu, 10 Oct 2013 11:10:40 -0700
Subject: Re: [Cerowrt-devel] double_nat_question
In-Reply-To: <5256E5D8.4000405@gmail.com>
References: <5256E5D8.4000405@gmail.com>
List-Id: Development issues regarding the cerowrt test router project

Your topology is odd.
IF you want cero to provide rate limiting/AQM/QoS, it has to be next to
the adsl router, not where it is.

Assuming you want to keep it where it is....

If your firewall is running a recent linux, cerowrt's aqm scripts can
also work there.

As for routing, the adsl box needs to be configured to forward
192.168.1.0/24 and 172.30.42.0/24 to the firewall box, which needs to
also forward 172.30.42.0/24 to the cerowrt box, and you need to nuke
nat throughout.

Easiest way to do that is to delete all but the top 3 firewall rules on
cerowrt, making them all be "FORWARD", editing /etc/quagga/babeld.conf
to allow ge00 as a babel interface, and installing babeld on the
firewall box. (you'd still need to tell the dsl router to forward at
least those two nets to the firewall box)

On Thu, Oct 10, 2013 at 10:37 AM, Oliver Niesner wrote:
> Hi Dave,
>
> Hope it's ok to mail you directly

I vastly prefer to solve problems in public.

> If I could solve this I will post my solution if someone is interested.
>
> Unfortunately I haven't solved it yet, maybe you have some tips to make it easier
> for me, 'cause I really want to fight Bufferbloat and after I know how to do it I
> will show my friends to make their internet experience a better one :-)
>
> Fred Stratton told me to put cerowrt into a DMZ and disable NAT on cerowrt.
> My firewall has three NICs, so this would be possible to do.
>
> I will try this tomorrow.
> Another small question:
> I think it is enough to remove the last line of the zone_wan_postrouting chain
>
>> Chain zone_wan_postrouting (1 references)
>> pkts bytes target               prot opt in  out  source     destination
>>    0     0 postrouting_wan_rule all  --  *   *    0.0.0.0/0  0.0.0.0/0  /* user chain for postrouting */
>>    0     0 MASQUERADE           all  --  *   *    0.0.0.0/0  0.0.0.0/0
>
> to completely disable NAT on cerowrt, or am I wrong?

/etc/config/firewall sets up NAT.

In your case, however, with your topology, I don't see the need for any
firewall rules at all.
>
> thx for helping out
>
> Oliver
>

-- 
Dave Täht

Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html
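Oliver's question (is dropping the MASQUERADE line from zone_wan_postrouting enough?) and Dave's answer (/etc/config/firewall is what sets NAT up, so the live rule will come back on the next firewall restart) both come down to checking two places: the nat table the kernel is running right now, and the UCI zone config that regenerates it. The script below is an added example, not code from the thread or from the CeroWrt project. It parses `iptables-save`-style nat-table output and an OpenWrt-style /etc/config/firewall, lists every rule whose target rewrites addresses (MASQUERADE, SNAT, DNAT, REDIRECT, NETMAP, not just the one chain Oliver pasted), emits the matching `iptables -t nat -D` commands, and reports which zones still have `option masq '1'`. Both sample inputs are constructed for the example; the DNAT port-forward rule and the `masq`/`mtu_fix` option values are assumptions about a typical config, only the chain names and the `ge00` interface come from the thread.

```python
import re

# Constructed sample of `iptables-save -t nat` output, modelled on the
# zone_wan_postrouting chain quoted in the thread. The DNAT rule is an
# assumed extra port forward, added to show that MASQUERADE is not the
# only NAT rule an audit has to find.
SAMPLE_NAT_TABLE = """\
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
:postrouting_wan_rule - [0:0]
-A POSTROUTING -o ge00 -j zone_wan_postrouting
-A PREROUTING -i ge00 -j zone_wan_prerouting
-A zone_wan_postrouting -j postrouting_wan_rule
-A zone_wan_postrouting -j MASQUERADE
-A zone_wan_prerouting -p tcp -m tcp --dport 2222 -j DNAT --to-destination 172.30.42.2:22
COMMIT
"""

# Constructed /etc/config/firewall fragments: the wan zone as it ships
# (masq on) and the same zone with masquerading switched off.
SAMPLE_UCI_FIREWALL = """\
config zone
    option name 'wan'
    option network 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'

config zone
    option name 'lan'
    option network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
"""
SAMPLE_UCI_FIREWALL_FIXED = SAMPLE_UCI_FIREWALL.replace("option masq '1'", "option masq '0'")

# iptables targets that rewrite source or destination addresses/ports.
NAT_TARGETS = {"MASQUERADE", "SNAT", "DNAT", "REDIRECT", "NETMAP"}

RULE_RE = re.compile(r"^-A\s+(\S+)\s+(.*)$")
TARGET_RE = re.compile(r"-j\s+(\S+)")
OPTION_RE = re.compile(r"^option\s+(\w+)\s+'?([^']*)'?$")


def parse_nat_rules(save_text):
    """Return (chain, rule_body, target) for each -A line inside the *nat
    table. Rules in other tables (*filter, *mangle) are ignored."""
    rules, in_nat = [], False
    for raw in save_text.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            in_nat = line == "*nat"
            continue
        if line == "COMMIT":
            in_nat = False
            continue
        m = RULE_RE.match(line) if in_nat else None
        if not m:
            continue
        chain, body = m.group(1), m.group(2)
        t = TARGET_RE.search(body)
        rules.append((chain, body, t.group(1) if t else None))
    return rules


def find_nat_rules(save_text):
    """Only the rules whose target actually translates addresses; jumps into
    user chains such as postrouting_wan_rule are not NAT by themselves."""
    return [r for r in parse_nat_rules(save_text) if r[2] in NAT_TARGETS]


def deletion_commands(save_text):
    """`iptables -D` accepts the same match/target spec as `-A`, so the
    saved rule body can be replayed verbatim to remove the live rule."""
    return ["iptables -t nat -D %s %s" % (chain, body)
            for chain, body, _ in find_nat_rules(save_text)]


def parse_uci_zones(uci_text):
    """Return {zone_name: {option: value}} for every `config zone` section."""
    sections, current = [], None
    for raw in uci_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            current = {} if line.split()[1] == "zone" else None
            if current is not None:
                sections.append(current)
            continue
        m = OPTION_RE.match(line) if current is not None else None
        if m:
            current[m.group(1)] = m.group(2)
    return {s["name"]: s for s in sections if "name" in s}


def masq_zones(uci_text):
    """Zones the firewall init script will re-create MASQUERADE rules for on
    the next restart; deleting the live rule alone is not persistent."""
    return sorted(n for n, o in parse_uci_zones(uci_text).items() if o.get("masq") == "1")


def nat_audit(save_text, uci_text):
    """Combine the running nat table with the config that regenerates it."""
    live = [(chain, target) for chain, _, target in find_nat_rules(save_text)]
    zones = masq_zones(uci_text)
    return {"live_nat_rules": live, "masq_zones": zones,
            "nat_free": not live and not zones}


if __name__ == "__main__":
    print(nat_audit(SAMPLE_NAT_TABLE, SAMPLE_UCI_FIREWALL))
    for cmd in deletion_commands(SAMPLE_NAT_TABLE):
        print(cmd)
    print(nat_audit("", SAMPLE_UCI_FIREWALL_FIXED))
```

On a real box the inputs would be `iptables-save -t nat` and `cat /etc/config/firewall`; the point of the combined report is that `nat_free` only becomes true once both the live rules are gone and no zone still carries `masq '1'`, which is the persistent half of the fix Dave points at.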