[Cerowrt-devel] double_nat_question
Dave Taht
dave.taht at gmail.com
Thu Oct 10 14:10:40 EDT 2013
Your topology is odd. If you want cero to provide rate
limiting/AQM/QoS, it has to be next to the adsl router, not where it
is. Assuming you want to keep it where it is....
If your firewall is running a recent linux, cerowrt's aqm scripts
can also work there.
As for routing, the adsl box needs to be configured to forward
192.168.1.0/24 and 172.30.42.0/24 to the firewall box, which needs to
also forward 172.30.42.0/24 to the cerowrt box, and you need to nuke
nat throughout.
Easiest way to do that is to delete all but the top 3 firewall rules
on cerowrt, making them all be "FORWARD", editing
/etc/quagga/babeld.conf to allow ge00 as a babel interface, and
installing babeld on the firewall box. (you'd still need to tell the
dsl router to forward at least those two nets to the firewall box)
On Thu, Oct 10, 2013 at 10:37 AM, Oliver Niesner
<oliver.niesner at gmail.com> wrote:
> Hi Dave,
>
> Hope it's ok to mail you directly
I vastly prefer to solve problems in public.
> If I can solve this I will post my solution if someone is interested.
>
> Unfortunately I haven't solved it yet; maybe you have some tips to make it easier
> for me, 'cause I really want to fight Bufferbloat, and after I know how to do it I
> will show my friends to make their internet experience a better one :-)
>
> Fred Stratton told me to put cerowrt into a DMZ and disable NAT on cerowrt.
> My firewall has three NICs, so this would be possible to do.
>
> I will try this tomorrow.
> Another small question:
> I think it is enough to remove the last line of the zone_wan_postrouting chain
>
>> Chain zone_wan_postrouting (1 references)
>> pkts bytes target prot opt in out source destination
>> 0 0 postrouting_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* user chain for postrouting */
>> 0 0 MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0
>
> to completely disable NAT on cerowrt, or am I wrong?
/etc/config/firewall sets up NAT. In your case, however, with your
topology, I don't see the need for any firewall rules at all.
>
> thx, for helping out
>
> Oliver
>
--
Dave Täht
Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html
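Added example, not code from the thread or from cerowrt itself: a small POSIX sh helper that (a) prints the static routes each hop needs for the "no NAT, plain routing" layout Dave describes, and (b) checks whether a box is still translating, by counting MASQUERADE/SNAT targets in an iptables-save dump and `option masq 1` lines in an OpenWrt-style /etc/config/firewall. The next-hop addresses (FIREWALL_UPLINK_IP, CEROWRT_GE00_IP) are placeholders, since the thread never states them, and both sample inputs are constructed from the chain Oliver pasted, not captured from a real box.

```sh
#!/bin/sh
# Helper for the routed (NAT-free) adsl -> firewall -> cerowrt topology.
# Added example; next-hop addresses below are assumptions, override them
# in the environment to match your boxes.
FIREWALL_UPLINK_IP="${FIREWALL_UPLINK_IP:-10.0.0.2}"   # hypothetical: firewall's adsl-facing address
CEROWRT_GE00_IP="${CEROWRT_GE00_IP:-192.168.1.2}"      # hypothetical: cerowrt's ge00 address

# Print the 'ip route' commands a given hop needs so that traffic for both
# inside nets is forwarded, rather than masqueraded, on the way back in.
# Usage: routes_for adsl | sh   (on the adsl box, if it runs linux)
routes_for() {
  case "$1" in
    adsl)
      # adsl box: both inside nets live behind the firewall
      echo "ip route add 192.168.1.0/24 via $FIREWALL_UPLINK_IP"
      echo "ip route add 172.30.42.0/24 via $FIREWALL_UPLINK_IP" ;;
    firewall)
      # firewall: cerowrt's net is one hop further in
      echo "ip route add 172.30.42.0/24 via $CEROWRT_GE00_IP" ;;
    *)
      echo "unknown hop: $1" >&2; return 1 ;;
  esac
}

# Count NAT rules in an 'iptables-save -t nat' dump read on stdin.
# Anything other than 0 means the box is still translating addresses.
nat_rule_count() {
  grep -c -E -- '-j (MASQUERADE|SNAT)' || true
}

# Count zones in an OpenWrt/cerowrt /etc/config/firewall (on stdin) that
# still have 'option masq 1'; this is what generates the MASQUERADE rule.
masq_zone_count() {
  grep -c -E "option[[:space:]]+masq[[:space:]]+'?1'?" || true
}

# Constructed sample dump, modelled on the zone_wan_postrouting chain
# from the thread (not a real capture).
SAMPLE_NAT_TABLE='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:zone_wan_postrouting - [0:0]
-A POSTROUTING -o ge00 -j zone_wan_postrouting
-A zone_wan_postrouting -j postrouting_wan_rule
-A zone_wan_postrouting -j MASQUERADE
COMMIT'

# Constructed sample /etc/config/firewall zone stanza (not from a real box).
SAMPLE_FIREWALL_CONFIG="config zone
    option name wan
    option network ge00
    option input REJECT
    option output ACCEPT
    option forward REJECT
    option masq 1"

# Stand-alone run: show the route plan and both checks against the samples.
if [ "${1:-}" = "demo" ]; then
  routes_for adsl; routes_for firewall
  echo "nat rules in sample table: $(printf '%s\n' "$SAMPLE_NAT_TABLE" | nat_rule_count)"
  echo "masq zones in sample config: $(printf '%s\n' "$SAMPLE_FIREWALL_CONFIG" | masq_zone_count)"
fi
```

On a live box, `iptables-save -t nat | nat_rule_count` should print 0 once NAT is really gone; if it still prints 1, the MASQUERADE rule is being regenerated from /etc/config/firewall, which is why editing that file (rather than deleting the rule by hand) is the change that sticks.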