Chapter 8 – Frequently Asked Questions (FAQs)
Multi-Tech Systems, Inc. RouteFinderVPN RF760/660/600VPN User Guide (PN S000323D)
134
Q11. Is it possible to define a static NAT from the outside to the inside, (e.g., Map external IP a.b.c.d to internal IP
w.x.y.z) in both directions?
A11.
Yes, it is possible to do static NAT, but with limitations:
You can map:
IP/Port => IP/Port
IP/Port-Range => IP/Port
IP-Range/Port => IP/Port
IP-Range/Port-Range => IP/Port
You cannot map:
IP => IP
IP-Range => IP
IP => IP-Range (load balancing)
The way back is done automatically.
NAT is done before the packets pass the packet filter, so you also have to make a rule allowing these IP-Packets to
pass. There are 4 dropdown boxes in
Network Setup > SNAT
. The first two define which IP-Packets will be
translated. The second two define into which IP/Port address they are translated.
Example:
Net1: 212.5.63.4/255.255.255.255 (Box1)
Srv1: 0:65535 TCP 80 (Box2)
Net2: 192.168.100.2/255.255.255.255 (Box3)
Srv2: 0:65535 TCP 81 (Box4)
Explanation
:
If an IP-Packet from a.b.c.d port 34232 is sent to 212.5.63.4 port 80 (www) [a.b.c.d:34232 -> 212.5.63.4:80]
and it reaches the RouteFinder, the destination information will be translated into [a.b.c.d:34232 ->
192.168.100.2:81]. If NAT is done before reaching the packet filter, you have to set the packet filter rules
correctly.
Q12. Is it possible to have multiple IPs assigned to the external interface, and then have multiple internal Web-
servers?
A12.
Yes that is possible. You have to be sure that the request reaches the RouteFinder, and then you can use DNAT to
redirect them to the Web servers. You don't need to bind those IP addresses to the external interface, as long as they
are routed to the RouteFinder. The problem is that the IP packets have to reach the interface. There are 2 ways to
accomplish this:
1. Bind an alias IP to the external interface, so that it answers ARP requests for this IP and the IP packets are sent
to the ARP Address of this NIC card.
(If you're ready to do some hand typing on the console you can make an IP alias on your NIC and make a script
in /etc/rc.d/rc2.d to have it run at each boot (put it at S99 to be sure). Just don't use
ifconfig
to do that, as it is
deprecated in 2.4 kernels.
The command to add the IP 10.0.0.3 on your
eth0
NIC card is:
IP addr add 10.0.0.3/24 broadcast 10.0.0.255 label eth0:0 dev eth0
Note that the label part is not mandatory; it's just there so that ifconfig can list your alias. Moreover, the label
name is free (you can have 'myalias' instead of eth0:0) though you should avoid characters like '-' or '_' : ifconfig
seems to get lost if you use these.)
2. Tell the RouteFinder to send those IP packets directly to the external interface by adding a static routing entry.
You have to do subnetworking; for example, enter the following interface definitions and routes:
OLD:
RouteFinder:
Router Ethernet Interface:
IP: 196.126.228.65
Netmask: 255.255.255.224
Routes: none
Firewall:
RouteFinder Ethernet Interface:
IP: 196.126.228.66
Netmask: 255.255.255.224
Def GW: 196.126.228.65
NEW:
RouteFinder:
Router Ethernet Interface:
IP: 196.126.228.65
Netmask: 255.255.255.252
Routes:
196.126.228.67/255.255.255.252 -> 196.126.228.66
196.126.228.72/255.255.255.248 -> 196.126.228.66
196.126.228.80/255.255.255.240 -> 196.126.228.66
RouteFinder Ethernet Interface:
IP: 196.126.228.66
Netmask: 255.255.255.252
Def GW: 196.126.228.65