Yes there is a difference. While your posted SNAT rule only translates the IP address, with Masquerading, IPs and Ports are _dynamically_ chosen at the Gateway to allow several connections from the same source port from different computers at once.
Also, with SNAT, the Gateway has no clue where to send server responses to because the original client IP is not stored in the NAT table.
Thanks, Mario, for the explanation of how Astaro does masquerading. I'm confused about S/DNAT being static; if that's the case, then how can hundreds of public clients connect to an internal webserver via a DNAT from a public IP on an external Astaro interface?
Thanks, Mario, for the explanation of how Astaro does masquerading. I'm confused about S/DNAT being static; if that's the case, then how can hundreds of public clients connect to an internal webserver via a DNAT from a public IP on an external Astaro interface?
Hi Bob,
Imagine clients A, B, and C connect to Web Server W.
W is actually the firewall address.
S is a DNAT'd web server behind the firewall.
DNAT doesn't change the source address for A,B,C; it only changes the destination address. The server S still sees the source addresses for A, B, C, and the original client port #s.
If the server needs to make outgoing connections, then SNAT should work for a single server, or MASQ for a server or network.
Thanks, Mario, for the explanation of how Astaro does masquerading. I'm confused about S/DNAT being static; if that's the case, then how can hundreds of public clients connect to an internal webserver via a DNAT from a public IP on an external Astaro interface?
Hi Bob,
Imagine clients A, B, and C connect to Web Server W.
W is actually the firewall address.
S is a DNAT'd web server behind the firewall.
DNAT doesn't change the source address for A,B,C; it only changes the destination address. The server S still sees the source addresses for A, B, C, and the original client port #s.
If the server needs to make outgoing connections, then SNAT should work for a single server, or MASQ for a server or network.
See, Barry, that's the key question: isn't masqing just SNATting a subnet? I bet that it appears the same from outside, but that doesn't mean that it's implemented the same way in the Astaro as the definition and SNAT in my post #2 above.
Dunno... I was under the impression that people in these forums usually recommended policy routing, at least before the connection balancing changes in 7.4.
- Create your secondary internet-access, e.g. DSL. When this line is established by a router in front of Astaro, create additionally the gateway-IP as a host definition.
Webadmin -> Network -> Routing -> policy based routing, for example HTTP
Source: External Address (that one currently with the default gateway on)
Source Interface: Any
Destination: Any
Service: HTTP
Target: Gateway-IP of your secondary Interface (even if this has none itself, since you can only define one gateway), or PPPOE-Interface-Address
- Additionally you need SNAT-rule to replace the external IP to the new target interface.
Webadmin -> Network -> NAT/Masquerading
Source: external address of the primary line
Destination: any
Service: http
Change source to: external address of the secondary interface
