Two VLANs, One Subnet
torriem at chem.byu.edu
Thu Mar 8 23:32:29 MST 2007
On Thu, 2007-03-08 at 22:06 -0700, Hans Fugal wrote:
> Absolutely not. NAT is out of the question. NAT always causes more
> problems than it solves, even in enterprise. In enterprise, you have
> full-time sysadmins to go around chasing NAT issues and keeping a
> semblance of normalcy. I know, I used to be one. I will set my network
> up and just let it run. I will not be a slave to NAT.
I disagree. Static one-to-one NAT (think of it as a layer 3 bridge) is
clean and effective. You do just set it up once and let it run. No
one's a slave to anything. Once you introduce dynamic NATing, then,
yes, you will likely have problems. I have never had to chase down NAT
problems. It just works. What problems have you observed?
We use it for our DMZ servers. There are *never* any problems, and we
have the added benefit of firewalling traffic in and out of the DMZ. We
block traffic into our private subnet as well as protect the DMZ from
the internet because of our ability to firewall across the translation
As a side note, many people often mistakenly say "NAT" when they really
mean "PAT." Traditional IP masquarading or even Source NATing is really
PAT or Port-address translation. Before I worked with our Cisco PIX I
didn't really make the distinction myself.
> > You can do this by either creating 4 virtual interfaces on the openwrt
> > box, or using some kind of proxyarp solution.
> Proxy ARP is the magic I needed.
I see from my 5 second skim that the setup described here seems to be
similar to yours.
I'm not quite sure I understand your final setup, though. Would you
care to elaborate for us?
> It's working nearly perfectly. But for some reason the real MAC
> addresses are leaking through the openwrt and getting into the cisco's
> arp cache after a few (randomly distributed) minutes. Just how this is
> happening is a mystery to me. Do you know? The only thing I can think of
> is if my vlan is 'leaking'.
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
More information about the PLUG