Two VLANs, One Subnet

Michael Torrie torriem at
Sat Mar 10 19:29:32 MST 2007

On Sat, 2007-03-10 at 17:21 -0700, Andy Bradford wrote:
> Hogwash. There  is nothing inherently  more secure, easier to  secure or
> simpler about NAT (or  PAT if you will) than using real  IPs with a real
> firewall. Sure there are differences, but  that doesn't mean that NAT is
> king in this area. I would much rather prefer a firewall with a deny all
> policy using real IPs than worry  about NAT. Both methods block anything
> not explicitly allowed, but using real IPs offers a lot more flexibility
> in my opinion.

I'm not sure you really read what I said.  I did not say that private IP
addresses are more secure.

Also, let me make this very clear.  I AM NOT TALKING ABOUT PAT.  I'm
talking about one-to-one IP address translation.  Why do you insist on
bringing up PAT?  I'm sorry to sound a bit short, but it seems like many
people on the list are not reading what I have said and are just
knee-jerk reacting to it because I use the term "NAT."  Which term most
people associate with way their routers put traffic from a private
subnet out onto the internet.  While what your linksys does can be
called "NAT," it is not the primary purpose of NAT and in fact is NAPT
or PAT.

I'm not saying Hans should forward a port.  I'm saying that there should
be a mapping done of one public ip address to *one* private address.
This is not masquerading.  Translation is something that is very common
in the enterprise.  It is used in a situation where you have a
confluence of public and private IP addresses and you wish to make a
One important original purpose of NAT is to allow hosts to appear to be
on two different subnets simultaneously, in a clean fashion.  In fact,
NAT in the past, before the proliferation of home networks, typically
involved no private IPs at all.  

Having said that, you are right about using real IP addresses.  In fact,
NATting a subnet in the way I have suggested is almost exactly the same
as using real IP addresses.  The only difference here is that the DMZ
hosts wish to appear on two different subnets at one time.  That adds
routing complexities and a greater chance of allowing a host to do
something it shouldn't do.  In effect you have to have twice as many
firewall rules.

Hans, for one, understood what I was suggesting, and stated his reasons
for not doing it.  He has had problems in the past where the IP address
(the public ip) was encoded in the packet, causing issues when the IP
address is translated.


> Andy

More information about the PLUG mailing list