NAT solution space

Posted: Sat Nov 02, 2002 10:07 am
by BDKR
Hey,

Well, this is the misc section and this is what I'm considering at the present time at work.

I designed our data center to have no single point of failure. So, if one thing fails, there is a backup to take over, or it's part of a load balanced cluster anyways. At the front are multiple firewalls. 1 primary and two backups. Now to get the cluster managers to route traffic back to the backups (the primary is the default gateway for the cluster managers), I used static routes that route all packets on a given network to one of the backups. Those "given networks" are NAT addresses assigned by the firewalls to outside traffic heading into the system.

Anyways, everything works great, the sun is shining, the business is picking up, and the 7up is good.

However, there is one little problem that needs to be fixed before our client mark reaches a point beyond the number 254. Take a look at this line from one of my backup firewalls.

iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 192.168.50.1-192.168.50.254
What this means is that once we go over 254 agencies, we run out of available NAT space. Double Plus Ungood!

Does anybody know of a way to increase the solution space?

Oh,... err, I'm using Floppy Firewall and IPTables.

Cheers,
BDKR

Posted: Sat Nov 02, 2002 11:12 am
by mydimension
I'm not too familiar with networking and the systems they entail and the configuration needed to run them, but to me it would be logical if this worked:

iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 192.168.50.1-192.168.51.254
this would make two ranges: 192.168.50.1-192.168.50.254 AND 192.168.51.1-192.168.51.254.
Again, I'm not at all familiar with networking, but to me that would make sense. If it doesn't work then chalk it up to me not knowing what I'm talking about. ;)

Posted: Sat Nov 02, 2002 11:26 am
by BDKR
this would make two ranges: 192.168.50.1-192.168.50.254 AND 192.168.51.1-192.168.51.254.
Again, I'm not at all familiar with networking, but to me that would make sense. If it doesn't work then chalk it up to me not knowing what I'm talking about. ;)
If it doesn't work, that's cool.

Anyways, I didn't consider that as the documentation didn't seem to give an option as such. The iptables documentation does talk about creating ranges, but doing so with a ":". However, you never know. I'm going to give that a try anyways.

Thanx,
BDKR

Posted: Sat Nov 02, 2002 11:51 am
by BDKR
After looking at the documentation, I noticed that it talks about creating ranges of ports using ":" and ranges of IPs using "-". So, I tried this...

iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 192.168.50.1-192.168.75.254
Now the machine booted and this seems to be working fine. There are static routes that need to be added to the cluster managers, but so what. If this is doing what I think, then the solution space provided above is 25x254.

Cheers,
BDKR

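Added example, not code from the thread: a small Python helper that parses a `--to` argument in the form used above (addresses joined by "-", an optional port range after ":", as iptables' `--to-source` accepts) and reports how many source addresses the range provides and which /24 networks it spans, i.e. the networks the cluster managers need static routes for. The range strings below are taken from the thread; the port range is a constructed sample.

```python
import ipaddress


def parse_snat_to(arg):
    """Split an iptables SNAT --to value into (first address, last address, port range).

    Syntax assumed: ipaddr[-ipaddr][:port[-port]]  ("-" joins addresses, ":" introduces ports).
    """
    addr_part, _, port_part = arg.partition(":")
    lo_s, _, hi_s = addr_part.partition("-")
    lo = ipaddress.IPv4Address(lo_s)
    hi = ipaddress.IPv4Address(hi_s) if hi_s else lo
    if hi < lo:
        raise ValueError("range end precedes range start: %s" % arg)
    ports = None
    if port_part:
        p_lo, _, p_hi = port_part.partition("-")
        ports = (int(p_lo), int(p_hi) if p_hi else int(p_lo))
    return lo, hi, ports


def snat_range_size(arg):
    """Number of source addresses the firewall can hand out from this --to range.

    A dash range is contiguous, so spanning several /24s also includes the .0 and
    .255 addresses in between; they count towards the total.
    """
    lo, hi, _ = parse_snat_to(arg)
    return int(hi) - int(lo) + 1


def covered_subnets(arg, prefixlen=24):
    """/prefixlen networks the range touches; each needs a static route back to the owning firewall."""
    lo, hi, _ = parse_snat_to(arg)
    net = ipaddress.ip_network((int(lo), prefixlen), strict=False)
    nets = []
    while net.network_address <= hi:
        nets.append(net)
        nxt = int(net.network_address) + net.num_addresses
        if nxt >= 2 ** 32:  # ran off the end of IPv4 space
            break
        net = ipaddress.ip_network((nxt, prefixlen))
    return nets


if __name__ == "__main__":
    for rng in ("192.168.50.1-192.168.50.254", "192.168.50.1-192.168.75.254"):
        print(rng, "->", snat_range_size(rng), "addresses,", len(covered_subnets(rng)), "x /24 routes")
```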
Posted: Sat Nov 02, 2002 5:09 pm
by mydimension
So I'm guessing my "solution" will work. Just dumb luck on my part, I guess. Or I understand networking better than I thought. Glad I could be of service.

Posted: Sun Nov 03, 2002 6:29 pm
by BDKR
Yeah MyDimension, you were right on with that one!

Cheers,
BDKR

Posted: Sun Nov 03, 2002 8:44 pm
by mydimension
Dumb luck, like I said. Sometimes it takes those with a simpler view on your matter to show you the solution. Glad I could be your "simple" mind ;)

Posted: Sun Nov 03, 2002 11:22 pm
by BDKR
Don't put yourself down. Sometimes the solution is the obvious one. Perhaps I need to stop looking for the esoteric hidden bits and take a simple view from time to time. Besides, you were the one that got me to go back and take a look at the range stuff based on what you said.

Cheers,
BDKR