[LARTC] Re[2]: local address routeable?
Julian Anastasov
ja@ssi.bg
Thu, 17 Jul 2003 23:53:02 +0300 (EEST)
Hello,
On Thu, 17 Jul 2003, Christian Stuellenberg wrote:
> If traffic from zone MASQ is addressed to one of the external internet
> addresses of one of the zones GOOD or DMZ, then it will currently get
> routed directly at HOST. It is intended that this direct routing is
> not done, but instead ALL traffic from zone MASQ becomes masqueraded
> out over the dynamic PPP connection to the internet, comes back over
> the CISCO line to HOST, then gets routed to the external destination IP
> (in zone GOOD or DMZ), and when the reply from there comes back again
> to HOST, it should get routed over the CISCO internet connection and
> then back over the dynamic PPP connection, demasqueraded, and at last
> delivered to the original source in zone MASQ.
>
> This works up to the point where the reply comes back to HOST. Now
> I'm not able to tell HOST that this reply should again be routed out
> to the internet over the CISCO line and only be demasqueraded if it comes
> in over the PPP connection (btw. the demasquerading also does not
> occur if the reply is not routed; I assume this is because the
> masquerading tables are waiting for a packet that comes in over the PPP
> connection and not on IF0 or IF1).
I think I understand the setup. I'm still wondering what
the end goal is. I can only speculate:
Assumption 1. Hosts from GOOD want to see the client from DynIP, not from
a.b.c.62. The solution: use SNAT with saddr=DynIP when talking to
GOOD, because the default masquerade action is to use a.b.c.62,
which is recommended by the routing. I assume GOOD and DMZ
do not care how the packet with saddr=DynIP appeared, as long as
it looks as expected?
Assumption 2. For some reason (even by introducing security problems) you
want packets with saddr=DynIP to walk the external path and
to reach GOOD. Is it needed? Is there a problem with the above
solution in #1?
> Regards,
> Christian
Regards
--
Julian Anastasov <ja@ssi.bg>
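The rule set below is an added illustration of the SNAT-instead-of-MASQUERADE approach Julian describes under assumption 1; it is not part of the original thread and not Christian's configuration. Every address, network name and interface in it (MASQ_NET, GOOD_EXT, DMZ_EXT, DYNIP, PPP_IF) is a constructed placeholder standing in for the zones and addresses mentioned in the mail. With DRY_RUN=1 (the default) the functions only print the iptables commands they would run, so the script can be inspected offline.

```shell
#!/bin/sh
# Added example, not from the original mail. All values below are constructed
# placeholders for the thread's zones: MASQ (the masqueraded LAN), GOOD and
# DMZ (external addresses of hosts in those zones) and DynIP (the current
# address of the dynamic PPP link, which plain MASQUERADE would not use for
# traffic that the routing sends out through a.b.c.62).
MASQ_NET="${MASQ_NET:-192.168.1.0/24}"   # constructed: zone MASQ
GOOD_EXT="${GOOD_EXT:-198.51.100.10}"    # constructed: external address in GOOD
DMZ_EXT="${DMZ_EXT:-198.51.100.20}"      # constructed: external address in DMZ
DYNIP="${DYNIP:-203.0.113.5}"            # constructed: current PPP address
PPP_IF="${PPP_IF:-ppp0}"                 # constructed: the dynamic PPP interface
IPT="${IPT:-iptables}"
DRY_RUN="${DRY_RUN:-1}"                  # 1 = print the commands, 0 = execute them

# Print or execute one iptables invocation, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# Assumption 1 from the mail: packets from MASQ to the external addresses of
# GOOD and DMZ get an explicit source of DynIP. These rules must be installed
# before the generic MASQUERADE rule, because POSTROUTING matches in order.
snat_rules() {
    for dst in "$GOOD_EXT" "$DMZ_EXT"; do
        run -t nat -A POSTROUTING -s "$MASQ_NET" -d "$dst" \
            -j SNAT --to-source "$DYNIP"
    done
}

# Everything else from MASQ that actually leaves through the PPP link keeps
# the normal masquerade behaviour (source address chosen per outgoing link).
masq_rules() {
    run -t nat -A POSTROUTING -s "$MASQ_NET" -o "$PPP_IF" -j MASQUERADE
}

# Install in the required order: specific SNAT first, catch-all MASQUERADE last.
install_nat() {
    snat_rules
    masq_rules
}

install_nat
```

One operational point worth keeping in mind: MASQUERADE is meant for links whose address changes, while SNAT to a fixed address is not, so a rule set like this has to be re-applied (for example from the PPP link's ip-up hook) whenever DynIP changes, or the SNAT rules will keep rewriting to a stale address.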