Joined: 09 Oct 2002
Location: Lausanne, Switzerland
Posted: Fri Jun 13, 03 10:58 Post subject: LAN has NAT active but all incoming traffic looks wrong
Normally you would not activate NAT on the LAN, leaving it active on the WAN is all that you need to do for Internet sharing.
By default, an interface that has NAT activated will masquerade all traffic that passes through it, making it seem that the interface generated the packet. For instance, a packet arriving from the Internet and passing through a LAN interface that has NAT activated will look like it came from the LAN interface, possibly causing problems for administrators trying to track external users by their IP address.
The 2 big reasons that you would use NAT on the LAN are:
- LAN users can type the same domain name (www.mybusiness.com) that an Internet visitor would use and be redirected correctly
- useful as an external gateway: because data seems to come from this interface on the same subnet as the other users, responses will be sent back to this IP address (LAN interface) instead of being sent to a default gateway.
Officially we ask users needing to know the original IP address to either disable NAT on the LAN or wait for version 3.5, which will have a DNS server integrated, BUT we have come up with a temporary solution to use with 3.4.1. Simply add 2 NAT rules to the NAT > INTERFACE > LAN > Output table:
- ANY protocol, Source=LAN subnet, MAP=masquerade
- ANY protocol, ANY source, ANY destination, MAP=nomap
This says to only use the NAT redirection on the LAN for the traffic originating from the LAN, and not to use NAT for all other traffic (and so not change the source IP address of the packet).
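The following is an added simulation of how that two-rule Output table behaves, not code from the post or from the firewall product it concerns. It assumes first-match rule evaluation and, as the post states, that an interface with NAT active masquerades anything no rule covers; the LAN subnet, interface address and packet addresses are constructed.

```python
"""Simulate first-match evaluation of the two LAN Output NAT rules from the post."""
import ipaddress
from dataclasses import dataclass
from typing import Union

ANY = "ANY"
Net = Union[str, ipaddress.IPv4Network]

# Constructed values: the post gives no addresses.
LAN_SUBNET = ipaddress.ip_network("192.168.1.0/24")
LAN_IF_ADDR = "192.168.1.1"


@dataclass
class NatRule:
    protocol: str     # "ANY" or a protocol name such as "TCP"
    source: Net       # "ANY" or a subnet the packet's source must lie in
    destination: Net  # "ANY" or a subnet the packet's destination must lie in
    action: str       # "masquerade" or "nomap"


def _in_scope(scope: Net, addr: str) -> bool:
    return scope == ANY or ipaddress.ip_address(addr) in scope


def apply_lan_output_nat(rules, protocol: str, src: str, dst: str) -> str:
    """Return the source address a packet carries after leaving the LAN interface.

    First matching rule wins (assumption).  With no matching rule the interface
    falls back to the default the post describes: NAT is active, so it masquerades.
    """
    for rule in rules:
        if (rule.protocol in (ANY, protocol)
                and _in_scope(rule.source, src)
                and _in_scope(rule.destination, dst)):
            return LAN_IF_ADDR if rule.action == "masquerade" else src
    return LAN_IF_ADDR


# The two rules from the post, in the order they must appear in the Output table.
LAN_OUTPUT_RULES = [
    NatRule(ANY, LAN_SUBNET, ANY, "masquerade"),  # LAN-originated: keep the redirect working
    NatRule(ANY, ANY, ANY, "nomap"),              # everything else: leave the source address alone
]

if __name__ == "__main__":
    # LAN user reaching a LAN server via the redirect: source becomes the LAN interface.
    print(apply_lan_output_nat(LAN_OUTPUT_RULES, "TCP", "192.168.1.50", "192.168.1.20"))
    # Internet visitor reaching a LAN server: original source address survives.
    print(apply_lan_output_nat(LAN_OUTPUT_RULES, "TCP", "198.51.100.7", "192.168.1.20"))
```

Reversing the two rules makes the catch-all nomap match first, which silently breaks the LAN-side redirect, so the order matters as much as the rules themselves.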