
Re: IPv6 (was: Oh yeah, I'm famous)

On Fri, Aug 11, 2000 at 12:10:57PM -0500, Steven Pritchard wrote:
> Charles Menzes said:
> > how will vlan support help this out? -cjm
> 
> You'll probably want to look at those sites I mentioned for more
> information, but basically you can assign a VLAN tag to all traffic
> (for example) on a given interface, then route based on that tag.
> 
> Of course, sooner or later you're going to have to do some NAT or
> something in order to have traffic from the two networks mix, but
> that's fairly easy...

This is great when you control both networks.  It isn't so great when
you only control your side, and the tech on the other side doesn't
know anything about firewalls or security.

> Seriously, if I were going to deal with that problem (two LANs with
> the same address space), I'd use two boxes and NAT between them.  So
> it would look something like this:
> 
> 192.168.1.0/24 -> NAT 10.0.0.0/24 <-> NAT 10.0.1.0/24 <- 192.168.1.0/24
> 
> If that makes any kind of sense...  :-)

That's what I'm planning to do, should the day come for me.
Actually, it'll look like this:

192.168.1.0/24 -> 192.168.0.1 -> 192.168.0.2 ----> 192.168.1.1 -> 192.168.1.2
 My internal        Internal       External   VPN     Their          Target
   network          firewall       firewall          firewall
                    (IPMasq)        (SOCKS)

(Numbers changed to protect the innocent.)

This makes everything work without taking months to train the remote
tech staff in the finer points of IP routing.  From their perspective,
we look like a normal (but very busy) single node.  I think I can even
get away with not having to renumber hosts that use the two external
addresses inside my firewall.  The telnet software will likely be
proprietary as well, and may not support SOCKS, in which case, we'll
likely need to play even more games with masq, transparent proxying,
port forwarding, and the like.

Even in the best of cases, it's still a kludge of epic proportions in
my view.  Having assigned IPs on both networks would be way easier.
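As an added illustration of the two layouts described in this message (not code from the thread or from either poster), the Python model below carries a request and its reply through the back-to-back 1:1 NAT that Steven sketched, and through the single masquerading firewall of the one-sided setup. Addresses are the ones quoted above; the ports, the example hosts 192.168.1.5 and 192.168.1.6, and the port range starting at 61000 are constructed for the example, and the iptables NETMAP/MASQUERADE rules in the comments are the equivalents of what each step does (ipchains -j MASQ being the 2000-era form). Nothing here touches a real interface.

```python
"""Added example, not code from the thread: a model of the two NAT layouts
discussed above. Addresses are the ones in the quoted sketch; nothing here
touches a real interface, and the iptables rule each step stands for is
given in a comment."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, replace

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network
LAN = Net("192.168.1.0/24")          # the prefix both sites happen to use


@dataclass(frozen=True)
class Packet:
    src: IPv4
    dst: IPv4
    sport: int
    dport: int


def netmap(addr: IPv4, from_net: Net, to_net: Net) -> IPv4:
    """1:1 prefix translation: keep the host bits, swap the network prefix
    (what iptables' NETMAP target does). Addresses outside from_net pass through."""
    if addr not in from_net:
        return addr
    return IPv4(int(to_net.network_address) | (int(addr) & int(from_net.hostmask)))


class OneToOneNat:
    """One of the two boxes in Steven's sketch. `real` is the overlapping LAN
    behind the box, `alias` the unique prefix it is presented as on the link."""
    def __init__(self, real: Net, alias: Net):
        self.real, self.alias = real, alias

    def outbound(self, p: Packet) -> Packet:
        # iptables -t nat -A POSTROUTING -s <real> -j NETMAP --to <alias>
        return replace(p, src=netmap(p.src, self.real, self.alias))

    def inbound(self, p: Packet) -> Packet:
        # iptables -t nat -A PREROUTING -d <alias> -j NETMAP --to <real>
        return replace(p, dst=netmap(p.dst, self.alias, self.real))


class Masquerade:
    """The one-sided variant: every internal host is hidden behind one address,
    so the far side sees a single busy node. Replies can only be undone through
    a connection table keyed on the rewritten source port, which is the state
    ipchains -j MASQ / iptables -j MASQUERADE keep for you."""
    def __init__(self, external: IPv4, first_port: int = 61000):
        self.external, self.next_port = external, first_port
        self.table: dict[int, tuple[IPv4, int]] = {}   # ext port -> (int src, sport)

    def outbound(self, p: Packet) -> Packet:
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[port] = (p.src, p.sport)
        return replace(p, src=self.external, sport=port)

    def inbound(self, p: Packet) -> Packet | None:
        entry = self.table.get(p.dport)
        if entry is None:
            return None          # unsolicited: no mapping, a real masq box drops it
        src, sport = entry
        return replace(p, dst=src, dport=sport)


def direct_address_is_local(lan: Net, dst: IPv4) -> bool:
    """Why the real addresses can't be used end to end: a destination inside the
    sender's own /24 is resolved on the local LAN and never reaches the NAT box."""
    return dst in lan


def round_trip_one_to_one():
    """Host 192.168.1.5 on side A reaches 192.168.1.2 on side B by addressing
    its alias 10.0.1.2; returns what the target sees and what comes back."""
    box_a = OneToOneNat(LAN, Net("10.0.0.0/24"))
    box_b = OneToOneNat(LAN, Net("10.0.1.0/24"))
    req = Packet(IPv4("192.168.1.5"), IPv4("10.0.1.2"), 40000, 23)
    at_target = box_b.inbound(box_a.outbound(req))      # 10.0.0.5 -> 192.168.1.2
    reply = Packet(at_target.dst, at_target.src, at_target.dport, at_target.sport)
    at_host = box_a.inbound(box_b.outbound(reply))      # 10.0.1.2 -> 192.168.1.5
    return at_target, at_host


def round_trip_masquerade():
    """Two internal hosts reach the SOCKS box (192.168.0.2:1080) through the
    masquerading internal firewall (192.168.0.1); the same source port on both
    hosts does not collide, and an unsolicited packet has nowhere to go."""
    fw = Masquerade(IPv4("192.168.0.1"))
    hosts = [IPv4("192.168.1.5"), IPv4("192.168.1.6")]
    seen = [fw.outbound(Packet(h, IPv4("192.168.0.2"), 40000, 1080)) for h in hosts]
    back = [fw.inbound(Packet(p.dst, p.src, p.dport, p.sport)) for p in seen]
    stray = fw.inbound(Packet(IPv4("192.168.0.2"), fw.external, 1080, 65000))
    return seen, back, stray
```

The 1:1 layout needs no per-connection state on either box, which is why it works for any protocol, but it requires both sites to agree on the alias prefixes. The masquerading layout keeps all of the configuration on one side, at the cost of a connection table and of inbound connections having nowhere to land unless something (port forwarding, the SOCKS box) is added in front.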