aryoba (MVM, join:2002-08-22) to wxmanmichael:
Re: [Config] Configuration 867VAE-K9 PPPoA CenturyLink

From your description, it sounds like you have an edge machine configured as an SNAT/DNAT box, which sits between the 867 router and your local machines (i.e. PCs, servers, printers). You may post your network diagram to clarify.

In regards to NAT, I assume you want to keep the edge machine as the SNAT/DNAT box while the 867 router will just route (no NAT/PAT on the router). Am I correct so far?

wxmanmichael (Premium Member, join:2014-05-15, Minneapolis, MN):
Yes, aryoba, that's about the gist of it.

I have one xDSL line using POTS carrying ATM that plugs into the POTS port on the ATU-R side of the Cisco 867. That is part of the 5 block of the 208.42.x.x public address leased from the ISP and CenturyLink. That is assigned using PPPoA. The LAN side of the router, then, has two subnetworks: one of them is the private 192.168.0.0 network for the cluster computer and several servers. That is used for numerical weather forecasting, among other things. That private subnetwork is on the back of the edge machine running iptables, dnsmasq, and SNAT/DNAT.

The public network IP addresses remaining should go (at least I hope they can go...) through a different ethernet port on the 867 and then supply a WiFi router, several laptops, cell phones, and other "stuff."

So, in view of that, I'm attempting to configure two networks. The router is essential since I need it as a gateway device between those two subnetworks. Hopefully I'm being clear enough to provide you with essential information. There are undoubtedly different ways to configure the networks, and I'm open to suggestions. Hopefully the work required for the iptables, SNAT/DNAT, dnsmasq will be useful. That's why I wanted to avoid the use of NAT/PAT on the 867.

I'll keep reading. Your suggestion re: TCP MSS was a good one. I'll address that tomorrow and I'll keep reading. One final, simple question: the POTS RJ-11 interface must be the one Cisco knows as "ATM0." Am I right or have I misunderstood something?

Thanks again.
aryoba (MVM, join:2002-08-22):
The 192.168.0.0 private network: will it need access to the Internet, or will it need to communicate with IP-based machines over the Internet? If yes, then this private network has to use the 208.42.x.x Public address once the traffic leaves your network out to the Internet via NAT/PAT.
aryoba (MVM) to wxmanmichael:
The Public network and the Private network: are they currently communicating with each other? Do you wish to have these two networks not communicate with or see each other? If yes, then setting up the Public network as a DMZ, totally separate from the Private network, is needed.
aryoba (MVM) to wxmanmichael:
You mentioned that an edge device currently does SNAT/DNAT. Does it mean the device translates the 192.168.0.0 private network into 208.42.x.x or a different address? You may need to clarify your network assignment.

wxmanmichael (Premium Member, join:2014-05-15, Minneapolis, MN) to aryoba:
Wow! So much help. Thanks, aryoba. The 192.168.0.0 private network, because it includes the cluster machines communicating with each other while the numerical models are running, needs to communicate with IP-based machines over the Internet. The caveat with these is their need to download (lots of) raw data during the processing cycle (for each of the models). The raw data comes from servers on the East Coast (primarily in Maryland) and sometimes in Europe. After download the data is parsed and then run in the model.

Your point, then, is that NAT/PAT is essential for the packets to leave/enter (or enter/leave) using the 208.42.x.x. public network. iptables was a pain to configure but at least it's similar to NAT/PAT. I guess I'll learn another scripting language!

I'll keep following. Thanks again.
wxmanmichael (Premium Member) to aryoba:
Yeah, I was guessing that was the case. Looking at a graphic copy of the network as it stands now strongly suggests the DMZ layout. The edge machine should be the DMZ, etc. That's reasonable, even for an IP network neophyte like me. And it's the only protection for the entire network since the DMZ acts as its own router.

At least, the DMZ as its own router seems reasonable. If I've got it wrong, let me know.
wxmanmichael (Premium Member) to aryoba:
If I could only have you here in Minneapolis! BTW, I read some of your comments on various fora (or is that now "forums"?). It's very impressive.

That's correct. That is, the edge device doing SNAT/DNAT translates the 192.168.0.0 onto the 208.42.x.x network. Essentially it does three functions: it acts as a router between the two subnetworks; it provides local DNS using dnsmasq; and iptables acts as a firewall.

And by "clarifying my network assignment" you mean for you, the reader, or for myself, the neophyte? Or, of course, for both of us, particularly me!
aryoba (MVM, join:2002-08-22) to wxmanmichael:
The cluster machines within 192.168.0.0 Private network; how are they communicating with IP-based machines over the Internet? Do they need some GRE tunnel, IPSec tunnel, or a simple clear text (no tunnel and no encryption)?

If some tunnel is needed, then I'm sure the other end (the IP-based machines the clusters communicate with) needs to verify that the 208.42.x.x network represents your network over the Internet, in addition to some specific encryption or tunnel setup.
aryoba (MVM) to wxmanmichael:
said by wxmanmichael:

Yeah, I was guessing that was the case. Looking at a graphic copy of the network as it stands now strongly suggests the DMZ layout. The edge machine should be the DMZ, etc. That's reasonable, even for an IP network neophyte like me. And it's the only protection for the entire network since the DMZ acts as its own router.

At least, the DMZ as its own router seems reasonable. If I've got it wrong, let me know.

DMZ design is highly suggested since you don't want to mix up Private and Public networks. However, it is a bit of a challenging setup when you have the DMZ on the 867 router while the edge machine already does SNAT/DNAT to the same 208.42.x.x network.

Should you keep the edge machine doing the SNAT/DNAT, both the DMZ and the Private network then sit behind the machine. You will then need an additional firewall or router to separate the DMZ and the Private network, which also sits behind the edge machine.

Note that you may not need such a firewall if the edge machine has a firewall feature that can set up a DMZ. When this is the case, the Public network can sit in the DMZ while the Private network stays as it is.

If you consider having the 867 router do the NAT/PAT, then you can terminate the DMZ on the router with a complicated setup. The edge machine will stop doing SNAT/DNAT but can keep doing other things as the existing setup allows. The Private network can also stay behind the edge machine as it is now.
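As an added illustration, not code from the thread or from either poster, here is a dry-run iptables rule builder for the edge machine doing the three jobs wxmanmichael lists (routing between the two segments, translating 192.168.0.0 to a public address, firewalling with iptables) together with the DMZ separation aryoba describes in the option where the edge machine's own firewall carries the DMZ. Everything not stated in the thread is an assumption: the interface names, the /24 mask on 192.168.0.0, and the public address (203.0.113.10 is an RFC 5737 documentation address standing in for one of the 208.42.x.x addresses, which the thread never spells out).

```shell
#!/bin/sh
# Added example (not from the thread): builds the forwarding, NAT and MSS
# rules an edge box would carry when it routes between a public DMZ
# segment and a private 192.168.0.0 LAN, SNATs the private side, and keeps
# the two segments apart. ASSUMED names/values:
#   WAN_IF  link toward the 867 (the public 208.42.x.x block lives there)
#   DMZ_IF  link carrying the public segment (WiFi router, laptops, ...)
#   LAN_IF  the private cluster network
#   PUB_IP  placeholder public address the private LAN is translated to
WAN_IF="${WAN_IF:-eth0}"
DMZ_IF="${DMZ_IF:-eth1}"
LAN_IF="${LAN_IF:-eth2}"
PUB_IP="${PUB_IP:-203.0.113.10}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"

# Dry run by default: print the commands. APPLY=1 runs iptables (needs root).
IPT="echo iptables"
if [ "${APPLY:-0}" = "1" ]; then
    IPT="iptables"
fi

build_rules() {
    # Deny-by-default forwarding, and start from empty chains.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    $IPT -t nat -F POSTROUTING
    $IPT -t mangle -F FORWARD

    # Replies for connections the box already tracks (covers the cluster's
    # downloads coming back in).
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Private LAN -> Internet: the cluster pulling raw model data.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT

    # DMZ (public segment) -> Internet: allowed, it uses its own public
    # addresses, so no translation is involved.
    $IPT -A FORWARD -i "$DMZ_IF" -o "$WAN_IF" -j ACCEPT

    # DMZ <-> private LAN: logged and dropped in both directions. This is the
    # "totally separate" DMZ; anything appearing under these log prefixes is
    # a host on one segment probing the other.
    $IPT -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -j LOG --log-prefix "dmz-to-lan-drop:"
    $IPT -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -j DROP
    $IPT -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -j LOG --log-prefix "lan-to-dmz-drop:"
    $IPT -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -j DROP

    # SNAT: the private LAN leaves toward the 867 wearing one public address.
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j SNAT --to-source "$PUB_IP"

    # MSS clamp for the PPPoA link (the TCP MSS point raised in the thread):
    # rewrites the MSS option on forwarded SYNs so end hosts pick a segment
    # size that fits the PPP-encapsulated path MTU instead of relying on
    # ICMP fragmentation-needed messages getting through.
    $IPT -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
}

build_rules
```

Run it as-is to review the rule set, then `APPLY=1 ./edge-rules.sh` as root to load it. The ESTABLISHED,RELATED rule comes first on purpose: it lets replies to cluster downloads through without any per-direction allow rule, so the later DMZ/LAN drops only ever see new connection attempts crossing the boundary.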
aryoba (MVM) to wxmanmichael:
said by wxmanmichael:

If I could only have you here in Minneapolis!

I'm nowhere near Minneapolis, however some folks here I'm sure live close by
aryoba (MVM) to wxmanmichael:
said by wxmanmichael:

One final, simple question: the POTS RJ-11 interface must be the one Cisco knows as "ATM0." Am I right or have I misunderstood something?

The RJ-11 interface is the ATM0 in your case, since your router will connect at some point to CenturyLink's ATM switch.