Other NAT of not directly connected networks

Hi everyone. Does anybody know how to do NAT for a subnet not directly connected to the NAT router? For example:

192.168.10.0/24 <----- router1 ------> 192.168.5.0/24 <----- NAT router2 -----> Inet

I have tried to do this with PF:
nat on $inet_if from 192.168.5.0/24 to any -> ($inet_if)
and with ipnat:
map fxp0 172.27.8.0/24 -> 0/32
with no result.

The question is: how to make NAT work for 192.168.10.0/24 on router2? Which firewall is used does not matter.
 
Why?

I believe you're trying to solve a problem the wrong way. What exactly are you trying to accomplish?
I was sure I described my situation quite clearly. May I answer your question right after you tell me what exactly you consider to be wrong?
 
I was sure I described my situation quite clearly.
No, you described what you believe to be a solution to a problem. You never told us what the actual problem is you're trying to solve. Prevent an XY Problem.
May I answer your question right after you tell me what exactly you consider to be wrong?
Just the fact you're asking how to do something that shouldn't be done.
 
Just the fact you're asking how to do something that shouldn't be done.
Why do you think so?

No, you described what you believe to be a solution to a problem. You never told us what the actual problem is you're trying to solve. Prevent an XY Problem.
My actual problem is exactly what I described. I just wanted to know whether anybody has tried to do this before, and how exactly it was solved.

Ok, I can try to explain more widely. I have router1 and router2 in my example being internet gateways, connected to different ISPs, with users connecting via VPN. I am trying to do a failover configuration so that if one ISP is disconnected I can route traffic to the other router. Then I need to make NAT work as described before.
 
Ok, I can try to explain more widely. I have router1 and router2 in my example being internet gateways, connected to different ISPs, with users connecting via VPN. I am trying to do a failover configuration so that if one ISP is disconnected I can route traffic to the other router. Then I need to make NAT work as described before.
Use carp(4) and lagg(4) for this.
 
Why do you think so?


My actual problem is exactly what I described. I just wanted to know whether anybody has tried to do this before, and how exactly it was solved.

Ok, I can try to explain more widely. I have router1 and router2 in my example being internet gateways, connected to different ISPs, with users connecting via VPN. I am trying to do a failover configuration so that if one ISP is disconnected I can route traffic to the other router. Then I need to make NAT work as described before.
Just to expand on SirDice's suggestion here. What you need is a failover and using two NATs will not solve your problem. Instead of this, you need an aggregation of multiple external connections and this can be done with carp and lagg described by SirDice.
A case in which you might want two nested NAT gateways would be if you have multiple LANs attached to an external Internet connection and you need to isolate them from one another.
 
Use carp(4) and lagg(4) for this.
I can use it in the case of one server. In my case I have both servers working simultaneously. Users connect to and use both servers.
You did not answer my question, why do you think:
Just the fact you're asking how to do something that shouldn't be done.
I prefer to look for another solution once I am absolutely sure there is no way to do what I was asking about.
 
Just to expand on SirDice's suggestion here. What you need is a failover and using two NATs will not solve your problem. Instead of this, you need an aggregation of multiple external connections and this can be done with carp and lagg described by SirDice.
A case in which you might want two nested NAT gateways would be if you have multiple LANs attached to an external Internet connection and you need to isolate them from one another.
I will consider using it in future of course.
In fact 2 NATs solve my problem. But now, when one link on one of the servers fails, I have to use double NAT, once on one router and once more on the other. So I decided to ask if anybody has something similar.
First of all I would like to know whether this is possible in general.
 
You have not explained exactly what you are trying to accomplish. Initially I thought you wanted an Internet connection failover, i.e. using one Internet connection as main and another as fallback. As you wrote about NAT, I assumed you wanted connection redundancy.
Now you're writing about 2 servers that need to be redundant. This is something completely different, so you can scrap my advice above.
If you want server redundancy (and I suppose you are trying to implement it with a DNAT, i.e. port forwarding), again I don't think that nesting two NATs is what would solve your problem.

See what SirDice has suggested - what you need is exactly CARP: https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/carp.html
The Common Address Redundancy Protocol (CARP) allows multiple hosts to share the same IP address and Virtual Host ID (VHID) in order to provide high availability for one or more services.

Follow the instructions there and you don't need a nested NAT for this.
Combine this with lagg to use both Internet connections on the servers.
 
You have not explained exactly what you are trying to accomplish. Initially I thought you wanted an Internet connection failover, i.e. using one Internet connection as main and another as fallback. As you wrote about NAT, I assumed you wanted connection redundancy.
Now you're writing about 2 servers that need to be redundant. This is something completely different, so you can scrap my advice above.
If you want server redundancy (and I suppose you are trying to implement it with a DNAT, i.e. port forwarding), again I don't think that nesting two NATs is what would solve your problem.

See what SirDice has suggested - what you need is exactly CARP: https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/carp.html

Follow the instructions there and you don't need a nested NAT for this.
Combine this with lagg to use both Internet connections on the servers.

Please, read my first post carefully, pay more attention, I explained exactly what I am trying to accomplish. This is not DNAT related. If you want me to clarify any details I will be glad to do it.

Redundancy may have different configurations and may be achieved in many different ways, and yes, carp and lagg are created for redundancy in the case of 1 server or switch. I have a working solution which solves my problem, but I have double NAT and I am here asking for any help to find out how to avoid this double NAT, because if I use the simple configuration of pf and ipnat from my first post for a subnet behind another router, it doesn't work.

I wish I could have described everything as clearly as possible from the beginning. I was sure I did.
I can try to ask the same question in different ways. Maybe while doing this I will find the right formulation to be clear for everybody.
My question is: how to avoid double NAT when I need to NAT a subnet behind another router, a subnet not directly connected to the NAT router? Is this possible? I described an example of configuration directives in my first post.

Don't get me wrong, but please, stop proposing carp and lagg, it is definitely not the solution in my case in current configuration and topology, and is not what I want to know about. Yes, I know about them, and yes it could be an option, but I am asking not about them.

Thanks everyone in advance.
 
While it is not clear to me what is actually supposed to be achieved, the initially mentioned task should be no problem at all. One can route any flow from any place to any place through any NAT at any place, as long as the routing allows it.

The way is to have a precise topology, a description of the intended flows, and a logical verification that the whole thing is feasible and can work as intended. Then, finally, a configuration can be generated that does the intended things.
This is not a firewall issue; the firewall rules are only generated as required at the end of the process after the configuration has been properly designed.
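To make the "as long as the routing allows it" point concrete, here is an added toy model of router2's forwarding path (my own example, not pf and not code from anyone in this thread). It assumes router2 has external interface em0 with the constructed address 203.0.113.2, internal interface em1 on 192.168.5.0/24, and that router1 is reachable at 192.168.5.1; it checks two things for a packet from the far subnet: whether a pf-style "nat on" rule matches its source, and whether router2 has a route back to that source other than the default route.

```python
import ipaddress
from dataclasses import dataclass, field

N = ipaddress.ip_network

@dataclass
class NatRule:
    iface: str      # interface the "nat on" rule applies to
    src: object     # the "from" network
    to_addr: str    # address written into the source field (-> ...)

@dataclass
class Router:
    routes: dict    # destination network -> (outgoing interface, next hop)
    nat_rules: list = field(default_factory=list)
    ext_iface: str = "em0"

    def lookup(self, dst):
        """Longest-prefix match, as the kernel routing table does."""
        hits = [(n, h) for n, h in self.routes.items() if dst in n]
        return max(hits, key=lambda x: x[0].prefixlen, default=None)

    def forward(self, src, dst):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        out = self.lookup(dst)
        if out is None:
            return {"translated": False, "reply_routable": False}
        iface = out[1][0]
        new_src = next((r.to_addr for r in self.nat_rules
                        if r.iface == iface and src in r.src), str(src))
        # The reply arrives for new_src; router2 must know a path back to the
        # original host that is not the external link itself.
        back = self.lookup(src)
        return {"translated": new_src != str(src),
                "reply_routable": back is not None and back[1][0] != self.ext_iface}

# Constructed topology: default route via the ISP, 192.168.5.0/24 connected on em1.
BASE_ROUTES = {N("0.0.0.0/0"): ("em0", "203.0.113.1"),
               N("192.168.5.0/24"): ("em1", None)}

def poster_router2():
    """The rule from the first post: only the directly connected subnet is NATed."""
    return Router(dict(BASE_ROUTES), [NatRule("em0", N("192.168.5.0/24"), "203.0.113.2")])

def fixed_router2():
    """Static route back to 192.168.10.0/24 via router1 plus a nat rule that matches it."""
    routes = {**BASE_ROUTES, N("192.168.10.0/24"): ("em1", "192.168.5.1")}
    return Router(routes, [NatRule("em0", N("192.168.5.0/24"), "203.0.113.2"),
                           NatRule("em0", N("192.168.10.0/24"), "203.0.113.2")])
```

With the first post's rule a packet from 192.168.10.7 leaves em0 untranslated and router2 would send the reply back out the default route; adding the nat rule for 192.168.10.0/24 together with the static route via 192.168.5.1 fixes both.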
 
Please, read my first post carefully, pay more attention, I explained exactly what I am trying to accomplish. This is not DNAT related. If you want me to clarify any details I will be glad to do it.

Redundancy may have different configurations and may be achieved in many different ways, and yes, carp and lagg are created for redundancy in the case of 1 server or switch. I have a working solution which solves my problem, but I have double NAT and I am here asking for any help to find out how to avoid this double NAT, because if I use the simple configuration of pf and ipnat from my first post for a subnet behind another router, it doesn't work.

I wish I could have described everything as clearly as possible from the beginning. I was sure I did.
I can try to ask the same question in different ways. Maybe while doing this I will find the right formulation to be clear for everybody.
My question is: how to avoid double NAT when I need to NAT a subnet behind another router, a subnet not directly connected to the NAT router? Is this possible? I described an example of configuration directives in my first post.

Don't get me wrong, but please, stop proposing carp and lagg, it is definitely not the solution in my case in current configuration and topology, and is not what I want to know about. Yes, I know about them, and yes it could be an option, but I am asking not about them.

Thanks everyone in advance.

Option 1: If you want to avoid double NAT, simply don't do NAT. You have to set the proper routes in both subnets - every host needs to have a routing entry for the subnet it's not in. This can be centralized in your local DHCP server. On your internal gateway, enable IP forwarding and disable the firewall. No double NAT.
Option 2: Set the second router in "bridge mode". This will make both your routers part of the same subnet and you don't need to do NAT or routing.

However, I am not completely sure that's what you want? I really cannot understand.
 
how to make NAT of a subnet not directly connected to NAT router

More often than not the subnet of addresses is
1. Directly connected to the router, e.g. private to public (SNAT)
2. Directly connected to the router, e.g. public to private (DNAT)

If you need another solution, my question would be why do you need double/cascading NAT? Is this some kind of stub management network that's using RFC 1918 addresses or something similar, where you would have to use NAT to get in and out of it?

Maybe you could use a VPN connection to tunnel into the network. That way the VPN would alleviate the need for NAT workarounds on the routers/firewalls.
 