Ing. Luis Felipe Domínguez Vega
2016-12-21 18:05:57 UTC
Thanks, I will go to another place and change the IPs.
---------
| Another |
| Place |-----R1-- (......) (a VPN Provider) --R2 ----- GW (Shorewall PC) ------ My Net
---------
Inside "Another Place" the IPs are 10.11.0.0/24, and it connects through R1 to my R2
router (10.11.1.1), but my net has 10.11.0.0/24 addresses too, so when the GW
PC gets a packet from "Another Place" that has, for example, the IP 10.11.0.2,
the dmesg command reports it as a martian packet. I think that is because R2
has the 10.11.1.1 address and does not do NAT.
Here you have hit a basic problem with using RFC1918 addresses - they
aren't unique and you get broken network configurations.
The simple answer is that within the group of systems you wish to route
traffic between, all IP addresses and subnets must be unique and
non-overlapping. If you have a subnet 10.11.0.0/24 in two places then that
is broken and the answer is to renumber one of them so you have no duplicates.
It may well be that your best solution is to renumber both "Another Place"
and "My Net" to use different address ranges - they must be different
(non-overlapping) between the two sites, and also different
(non-overlapping) with all the subnets used by your VPN and/or internet
providers. It's a real pain to do (I've had to do it a couple of times in
the past for work), but really it's the correct answer.
A workaround is to apply SNAT at Another Place and masq all traffic to a
different source address that doesn't clash with My Net - but that is
really putting a sticking plaster over a gaping wound. For a network like
that, there is no need for NAT (and everything it breaks) at all - subject
to your VPN provider being capable of adding a couple of static routes into
R1 and R2 to direct traffic to Another Place and My Net.
This is really basic IP addressing stuff.
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
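As an added example (not code from the thread or from Shorewall), a small Python model of two things the reply relies on: the overlap check that every subnet in the routed group has to pass, and a simplified strict reverse-path check of the kind that makes a Linux gateway log a "martian source" when the source address of an incoming packet routes back out a different interface. The interface names, the 10.11.1.0/24 link subnet and the renumbered 10.12.0.0/24 range are assumptions.

```python
# Added example, not from the thread: overlap check plus a simplified model of
# the Linux strict reverse-path filter (rp_filter=1), which is one common cause
# of the "martian source" line in dmesg when two sites share 10.11.0.0/24.
import ipaddress

def find_overlaps(subnets):
    """Return sorted (name_a, name_b) pairs whose subnets overlap.
    Every subnet in the routed group must be unique and non-overlapping."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]

def best_route(routes, addr):
    """Longest-prefix match; routes is a list of (cidr, interface) tuples."""
    addr = ipaddress.ip_address(addr)
    matches = [(ipaddress.ip_network(c), iface) for c, iface in routes
               if addr in ipaddress.ip_network(c)]
    return max(matches, key=lambda m: m[0].prefixlen, default=(None, None))[1]

def is_martian(routes, src, ingress):
    """Strict reverse-path check: the packet is dropped (and, with
    log_martians on, logged) when the route back to its source address
    does not leave through the interface it arrived on."""
    return best_route(routes, src) != ingress

# Constructed routing table for the GW in the thread: "My Net" on eth1,
# the link toward R2 (10.11.1.1) on eth0. Interface names are assumptions.
BROKEN_ROUTES = [
    ("10.11.0.0/24", "eth1"),   # My Net, directly connected
    ("10.11.1.0/24", "eth0"),   # link subnet toward R2 (assumed)
    ("0.0.0.0/0", "eth0"),      # default route
]
# After renumbering Another Place to 10.12.0.0/24 (assumed value) and adding
# the static route toward R2 that the reply recommends instead of NAT.
FIXED_ROUTES = BROKEN_ROUTES + [("10.12.0.0/24", "eth0")]

if __name__ == "__main__":
    print(find_overlaps({"Another Place": "10.11.0.0/24",
                         "My Net": "10.11.0.0/24"}))
    print(is_martian(BROKEN_ROUTES, "10.11.0.2", "eth0"))  # True: martian
    print(is_martian(FIXED_ROUTES, "10.12.0.2", "eth0"))   # False: accepted
```

With the duplicate subnet, a packet from 10.11.0.2 arriving from R2 routes back to My Net on eth1, so the gateway refuses it; once the remote site uses a distinct range with its own route, the same check passes.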