October 13, 2008 at 3:16 pm #41228
I have been using ZS for quite some time with great success – I am very impressed. I have come up against a couple of simple queries – and I was wondering if anyone has a simple answer or suggestion.
I have a ZS in a data centre location. This has access to a high speed Internet connection. I have routed a block of real IP addresses to the ZS box. I have two remote ZS boxes each with 4 DSL lines. On each box they open 4 VPN connections to the main ZS box and use bonding to combine these. It works brilliantly.
I use the central ZS to route a /29 network of real IP addresses down each link for use at the remote ZS boxes. The intention is that they use this as their public IP addresses for the Internet.
If I publish the IP addresses to the local LAN subnet it all works fine and I can use the IP addresses bonded. However until now I have run a NAT/VPN box behind this to provide NAT access for the site LAN and also to provide the VPN to the other site.
I have had the idea to remove the NAT box and do everything on the ZS box. This has led to several queries:
1. Can I provide NAT using Masquerade for the local LAN while also using port mapping of the real IP addresses either into a DMZ or DNAT’d onto the local LAN.
2. Can I enable routing such that MASQ is applied only for traffic leaving to the Internet and not to the other site. Ideally I would arrange all egress traffic to travel to the head-end via the bond tunnel. Traffic to the other site would not NAT and traffic for the Internet would NAT. A route in the head-end ZS would then route traffic for the other site down the bonded tunnel and Internet traffic to transit.
Using vanilla Linux I can do this quite easily. I simply make the MASQ rule more selective and make sure that I do not jump traffic to the MASQ chain when it is from the local LAN interface destined to the IP range in the remote site. However I cannot see any easy way to do this from the GUI on ZS.
BTW I have successfully managed the inter-site and internet firewalling on separate chains. I simply added an inter-site chain and jump forward traffic into this chain based upon source interface and destination IP address. Being able to do something similar for NAT would be ideal.
Any comments or suggestions anyone can make would be most welcome. Thanks in advance for your time and attention.
Tucker
October 14, 2008 at 10:53 am #47010
You can place custom iptables rules into startup script via menu “Setup” -> “Startup/Cron” -> “NAT and Virtual Servers”
For example I did this for passive mode FTP server behind ZS:
/usr/local/sbin/iptables -t nat -A PREROUTING -p tcp -d -j DNAT --destination-port 65400:65500 --to-destination=
October 15, 2008 at 8:23 am #47011
Thanks for the reply.
That could be an option. I need to add a rule to look at the destination IP address and make sure the traffic does not NAT if it is for a remote network via VPN. I will give this a go and report back.
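The selective NAT described in this thread (masquerade only what leaves for the Internet through the bonded tunnel, leave traffic for the other site un-NATed, and port-map one of the routed public addresses onto a LAN host), written as a startup-script fragment of the kind Tucker's reply points to. This is an added example, not code from the thread or from Zeroshell; the interface names and addresses are hypothetical placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): selective masquerade for a Zeroshell
# "NAT and Virtual Servers" startup script. LAN traffic for the other site
# (reached over the bonded VPN) is left un-NATed; everything else leaving
# through the tunnel is masqueraded; one public address is port-mapped to a host.
# Interface names and addresses below are hypothetical placeholders.
IPT=/usr/local/sbin/iptables   # iptables path quoted in Tucker's reply
LAN_NET=192.168.10.0/24        # hypothetical local site LAN
REMOTE_NET=192.168.20.0/24     # hypothetical other-site LAN
TUN_IF=BOND00                  # hypothetical bonded VPN interface
PUBLIC_IP=203.0.113.9          # placeholder for one address of the routed /29
DMZ_HOST=192.168.10.50         # hypothetical LAN host receiving the port map

# run: execute the command, or only print it when DRY_RUN is set,
# so the rule set can be reviewed before loading it on the box.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

apply_nat_rules() {
    # A dedicated nat chain keeps the site-to-site exception next to the
    # masquerade, mirroring the separate inter-site filter chain in the thread.
    # Re-running the script needs the chain flushed first (or -N fails).
    run "$IPT" -t nat -N SITE_NAT
    run "$IPT" -t nat -A POSTROUTING -s "$LAN_NET" -o "$TUN_IF" -j SITE_NAT
    # Packets for the other site leave the chain before the MASQUERADE rule,
    # so the remote LAN sees the real source addresses.
    run "$IPT" -t nat -A SITE_NAT -d "$REMOTE_NET" -j RETURN
    # Everything else from the LAN heading into the tunnel is masqueraded.
    # MASQUERADE uses the address of $TUN_IF; if the tunnel interface does not
    # carry one of the routed public addresses, use SNAT --to-source instead.
    run "$IPT" -t nat -A SITE_NAT -j MASQUERADE
    # Port-map one routed public address onto a LAN host (same shape as the
    # passive-FTP DNAT rule in the reply above, with a single port).
    run "$IPT" -t nat -A PREROUTING -d "$PUBLIC_IP" -p tcp --dport 443 \
        -j DNAT --to-destination "$DMZ_HOST"
}

# Print the rules by default; pass "apply" to load them for real (needs root).
[ "${1:-}" = apply ] || DRY_RUN=1
apply_nat_rules
```

Running it without arguments prints the five rules for review; only `apply` executes them, and the RETURN rule must stay ahead of the MASQUERADE rule for the site-to-site exception to work.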