
NAT Masquerading before routing to other interfaces?


               ISP
             4.4.4.1
                |
               WAN
            4.4.4.2/24
                |
    ------------------------
    |                       |
    |                       |
 NAT MASQ                   |
  TO WAN                    |
    |                       |
--------------- <><> > ----------
VLAN 223 on eth2        VLAN 5 on eth2
172.45.223.1/24         4.5.5.9/29
    |                       |
    |                       |
172.45.223.X/24         4.5.5.10/29
LAN Clients           Additional Firewall Router


ISP routes: 4.5.5.8/29 to 4.4.4.2


Everything works fine except when a LAN Client attempts to access
the web server at _http://4.5.5.10/_

The "Additional Firewall Router" is configured to deny inbound
packets from RFC1918 addresses.  It appears that the Astaro is
routing packets from 172.45.223.X to 4.5.5.10 before the NAT
masquerading process - along the "<><> >" path in the diagram -
as the "Additional Firewall Router" is logging discards from
172.45.223.X.

Is there any way to make the NAT Masquerading process be done
earlier, forcing NAT to be performed before the packet enters the
rest of the routing process?

I looked for documentation about what process is done where in the
stack, but came up empty.

Naturally, I don't want it to egress back to the ISP only to be
routed back to me, but handled in the Astaro.
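The ordering the question is really about is the netfilter traversal order that Astaro's GUI sits on top of: PREROUTING (DNAT) runs first, then the routing decision picks the egress interface, then FORWARD, and only then POSTROUTING, where masquerading and SNAT rewrite the source address. A masquerading rule bound to the WAN interface therefore never sees a packet that routing has already sent to VLAN 5, and the practical fix is a separate SNAT rule (Astaro's "SNAT" rule type rather than "Masquerading") matching LAN sources bound for 4.5.5.8/29 and rewriting them to the VLAN 5 interface address. The model below is an added illustration, not code from the original post or from Astaro; the interface names (eth0, eth2.223, eth2.5), the routing table and the firewall's deny list are constructed from the diagram. Note that the deny list is modelled as the LAN prefix from the diagram, because 172.45.0.0/16 is not actually inside RFC1918's 172.16.0.0/12 (the post presumably anonymised a real private range).

```python
"""Model of netfilter traversal for a forwarded packet (added illustration).

Assumes iptables semantics: PREROUTING -> routing decision -> FORWARD ->
POSTROUTING.  Source NAT (MASQUERADE/SNAT) lives in POSTROUTING, so the
egress interface is already fixed by the time it runs.  Interface names,
routes and the deny list are constructed from the diagram in the post.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    in_if: str
    out_if: str = ""  # filled in by the routing decision


# Constructed routing table: prefix -> egress interface, longest prefix wins.
ROUTES = {
    "0.0.0.0/0": "eth0",            # default route to the ISP (4.4.4.1)
    "172.45.223.0/24": "eth2.223",  # LAN clients, VLAN 223
    "4.5.5.8/29": "eth2.5",         # /29 handed to the additional firewall
}

LAN_NET = ipaddress.ip_network("172.45.223.0/24")


def route(dst: str) -> str:
    """Longest-prefix match over ROUTES."""
    addr = ipaddress.ip_address(dst)
    candidates = [ipaddress.ip_network(p) for p in ROUTES
                  if addr in ipaddress.ip_network(p)]
    best = max(candidates, key=lambda n: n.prefixlen)
    return ROUTES[str(best)]


# POSTROUTING rules: each returns the new source address or None (no match).
def masquerade_to_wan(pkt: Packet):
    """The poster's existing rule: masquerade only what leaves via WAN."""
    return "4.4.4.2" if pkt.out_if == "eth0" else None


def snat_lan_to_vlan5(pkt: Packet):
    """Assumed extra rule: LAN -> 4.5.5.8/29 rewritten to the VLAN 5 address."""
    if pkt.out_if == "eth2.5" and ipaddress.ip_address(pkt.src) in LAN_NET:
        return "4.5.5.9"
    return None


def forward(pkt: Packet, postrouting_rules) -> Packet:
    """Walk the hooks in the order netfilter applies them."""
    # PREROUTING: no DNAT in this scenario.
    pkt.out_if = route(pkt.dst)          # routing decision happens HERE ...
    # FORWARD (filter) would run here.
    for rule in postrouting_rules:       # ... and source NAT only afterwards,
        new_src = rule(pkt)              # with out_if already decided.
        if new_src:
            pkt.src = new_src
            break
    return pkt


def additional_firewall_accepts(pkt: Packet) -> bool:
    """The downstream router drops anything sourced from the LAN prefix."""
    return ipaddress.ip_address(pkt.src) not in LAN_NET


def lan_to_webserver(with_snat_rule: bool):
    """LAN client 172.45.223.42 -> web server 4.5.5.10."""
    rules = [masquerade_to_wan] + ([snat_lan_to_vlan5] if with_snat_rule else [])
    pkt = forward(Packet("172.45.223.42", "4.5.5.10", "eth2.223"), rules)
    return pkt.out_if, pkt.src, additional_firewall_accepts(pkt)


def lan_to_internet():
    """Sanity check: WAN-bound traffic is still masqueraded either way."""
    pkt = forward(Packet("172.45.223.42", "203.0.113.7", "eth2.223"),
                  [masquerade_to_wan, snat_lan_to_vlan5])
    return pkt.out_if, pkt.src


if __name__ == "__main__":
    print("masquerade only:", lan_to_webserver(False))
    print("with VLAN 5 SNAT:", lan_to_webserver(True))
    print("internet:", lan_to_internet())
```

Running it shows the two outcomes side by side: with only the WAN masquerading rule the packet leaves eth2.5 still sourced from 172.45.223.42 and the additional firewall discards it, exactly the log entries the post describes; with the extra SNAT rule the same packet arrives from 4.5.5.9 and is accepted, while Internet-bound traffic is still masqueraded to 4.4.4.2. Nothing is made to go out to the ISP and back; the rewrite happens in POSTROUTING on the VLAN 5 egress, inside the Astaro.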

