
List:       ipcop-user
Subject:    Re: [IPCop-user] Public subnet in orange & SNAT to green
From:       "Kerry Erb" <kerry () kerryerb ! com>
Date:       2007-08-27 3:38:05
Message-ID: 36216.172.16.0.1.1188185885.squirrel () 172 ! 16 ! 0 ! 1

I just realized I made a mistake on the router/pix/whatever device.  It
should most likely have a x.y.135.110 address or something in the same
subnet for the inside address.  The internet side would be the
x.y.155.162/30 address.

My apologies.

Kerry

> AFAIK the Orange DMZ on IPCOP requires private LAN addresses.
>
> More information on the type of services you are providing would be nice,
> but here is a possible solution.
>
> I would first try this without any IPCOP addons:
>
> Internet
> +
> [router/pix/whatever]
> +
> (Eth0 x.y.155.162/30)
> |
> |
> (RED x.y.135.97/28, aliases x.y.135.98-x.y.135.110)
> +
> [IPCOP]+----------------------(ORANGE 192.168.3.x/24)
> +
> (GREEN 192.168.1.1/24)
> |
> |
> LAN (192.168.1.x/24)
>
> You would be changing your DMZ server configurations to be private LAN
> (192.168.3.x), provided this will not break the services running on those
> servers.  This requires port forwarding from the alias addresses of the
> RED Card to the addresses in the ORANGE DMZ servers.
>
> You mentioned traffic shaping.  I have been using the basic built-in
> shaping on IPCOP and have never had a problem with the services requiring
> high priority.  I simply set the VOIP ports to high and everything else to
> medium or low in IPCOP.  I have never had an issue with dropouts for me or
> my customers.  Perhaps you have a more sophisticated system that requires
> the addon, but it never hurts to try natively first.  Besides, you need a
> baseline to see if your traffic shaping is really working.
>
> I probably expounded on this too much without getting more information
> about your setup.  Hopefully this may give some insight.
>
> Kerry
>
>
>
>> I've been digging through the forums and archives for days, but I just
>> can't figure this one out (maybe it's not possible).
>>
>> We're starting to need some traffic shaping, and after doing some
>> research I decided that IPCop with the QoS_NG add-on was the best
>> solution.
>>
>> We have a small public subnet which is currently handled by two PIX
>> firewalls.  The outside PIX has the subnet gateway IP on the outside
>> (exposed Internet) and the first subnet IP on the inside (the DMZ).  The
>> inside PIX has the last subnet IP on the outside (the DMZ) and the first
>> internal IP on the inside (the local network).  Some of the public IPs
>> are in use by servers in the DMZ (between the two PIX) and some are
>> static-NAT mapped to local IPs on the internal network (via the inside
>> PIX).
>>
>> Here is a diagram:
>>
>>
>> Internet
>> |
>> [Outside x.y.155.162 255.255.255.252]
>> Outside PIX
>> [Inside x.y.135.97 255.255.255.240]
>> |
>> DMZ (x.y.135.97-x.y.135.109 255.255.255.240)
>> |
>> [Outside x.y.135.110 255.255.255.240]
>> Inside PIX
>> [Inside 192.168.1.1 255.255.255.0]
>> |
>> Local Network (192.168.1.2 ...)
>>
>>
>> So I want to convert this setup to IPCop.  To the best of my
>> understanding, this would work by putting the subnet gateway IP on red
>> (x.y.155.162), the first public IP on orange (x.y.135.97), and the first
>> internal IP on green (192.168.1.1).  But when I try to do this I run
>> into a couple of problems.
>>
>> 1) How do I open ports for the public IPs (either in orange or mapped to
>> green)?
>> The only things I can find are for either forwarding ports from a red IP
>> or opening pinholes from orange to green, neither of which is what I'm
>> trying to do.
>>
>> 2) How do I create a static NAT from a public IP to a green IP?
>> I've got the SNAT add-on installed, but it only works with aliases on
>> red.  I've also read a bunch of manual SNAT configurations, but again
>> they all seem to assume that the public IP in question is in use by red,
>> which isn't the case here.
>>
>> Can anyone help me out?
>>
>> Thanks!
>>
>>
>> --
>>
>> Chris Stanley
>>
>> Director of Technical Services         cstanley@cctv.org
>>                                         Office 802-862-1645, x11
>> Center for Media & Democracy           Mobile 802-324-8415
>>                                         Fax    802-860-2370
>> 294 North Winooski Ave                 IM     ChrisStanleyCCTV
>> Burlington, VT 05401                   http://www.cctv.org/
>>
>>
>> -------------------------------------------------------------------------
>> This SF.net email is sponsored by: Splunk Inc.
>> Still grepping through log files to find problems?  Stop.
>> Now Search log events and configuration files using AJAX and a browser.
>> Download your FREE copy of Splunk now >>  http://get.splunk.com/
>> _______________________________________________
>> IPCop-user mailing list
>> IPCop-user@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/ipcop-user
>>
>



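As an added example that is not part of the thread (and not IPCop's own port-forwarding or SNAT add-on code), the script below emits the iptables rules that would implement Kerry's proposal on a RED/ORANGE/GREEN box once the DMZ is renumbered to 192.168.3.0/24: port forwards from RED alias addresses to ORANGE servers, and a 1:1 static NAT between a RED alias and a GREEN host (Chris's question 2). Interface names, the 203.0.113.x stand-in for x.y.135.x (RFC 5737 documentation space) and the host addresses are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: emit the iptables rules that would
# implement the two things asked for above on a RED/ORANGE/GREEN box once the
# DMZ has been renumbered to 192.168.3.0/24 as Kerry proposes:
#   (a) "port forwarding from the alias addresses of the RED card" to ORANGE
#   (b) a 1:1 static NAT between a RED alias and a GREEN host
# Interface names, the 203.0.113.x stand-in for x.y.135.x (RFC 5737 space),
# and the host addresses are constructed assumptions.
RED_IF=eth1; ORANGE_IF=eth2; GREEN_IF=eth0
PUB=203.0.113

# dnat_forward PUBLIC_ALIAS PRIVATE_HOST OUT_IF PROTO PORT
# Inbound half: rewrite the destination, then allow only that port through
# FORWARD. conntrack un-NATs the replies, so no return rule is needed.
dnat_forward() {
  printf 'iptables -t nat -A PREROUTING -i %s -d %s -p %s --dport %s -j DNAT --to-destination %s\n' \
    "$RED_IF" "$1" "$4" "$5" "$2"
  printf 'iptables -A FORWARD -i %s -o %s -d %s -p %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
    "$RED_IF" "$3" "$2" "$4" "$5"
}

# snat_1to1 PRIVATE_HOST PUBLIC_ALIAS
# Outbound half of a static NAT: connections the private host opens itself
# leave with its own alias instead of RED's primary address. Inserted at the
# top of POSTROUTING so the generic MASQUERADE rule does not win first.
snat_1to1() {
  printf 'iptables -t nat -I POSTROUTING 1 -o %s -s %s -j SNAT --to-source %s\n' \
    "$RED_IF" "$1" "$2"
}

# A constructed mapping: .98 -> DMZ web server on ORANGE (two ports only),
# .99 -> mail host on GREEN, reachable on SMTP and sending out as .99.
rules_for_mapping() {
  dnat_forward "$PUB.98" 192.168.3.10 "$ORANGE_IF" tcp 80
  dnat_forward "$PUB.98" 192.168.3.10 "$ORANGE_IF" tcp 443
  dnat_forward "$PUB.99" 192.168.1.20 "$GREEN_IF"  tcp 25
  snat_1to1 192.168.1.20 "$PUB.99"
}

# Number of rules generated (7 for the mapping above); a sanity check before
# piping the output into sh on the firewall.
count_rules() { rules_for_mapping | wc -l | tr -d ' '; }
```

The alias addresses must already be configured on RED and the primary RED address plus its MASQUERADE rule in place before these rules are loaded; without the SNAT rule the GREEN host's own outbound connections would still appear to come from x.y.135.97.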