Web lists-archives.com

Re: Only using masquerading on internet facing server




On 2019-03-14 08:26, john doe wrote:
On 3/13/2019 1:39 PM, Stefan Monnier wrote:
Ip range on server a: 172.17.232.0/24
IP range on server b: 192.168.3.0/24

That's very vague.
But I'll assume that your "server b" has an address 172.17.232.NN
on one network interface and 192.168.3.1 on another.

If I enable MASQUERADING on server b everything works as expected but as
soon as I disabled MASQUERADING on server b the hosts behind it don't
have internet access for example.
What do I need to do on server a to properly MASQUERADE server b?

My guess is that on "server a" you have not setup routing so as to send
all the 192.168.3.0/24 packets to "server b".

IOW on "server a" you need to do something like

    route add -net 192.168.3.0/24 gw 172.17.232.NN



Thanks to anyone who has contributed to this question.

By the answers in this thread, I guess I need to explane what I have and
what I'm trying to do.

Server a and server b are identical, server a is the internet facing
server which has one network behind it (eth1 172.17.232.0/24 and eth0 is
the interface connected to the internet), server b is behind server a
and connected using the eth0 interface.
Server b is behind server a and is connected to server a through eth0,
server b has one network behind it (eth1 192.168.3.0/24).

For now both server (a and b) are responsible for MASQUERADING the
networks behind them.
So server a MASQUERADEs 172.17.232.0/24 and server b MASQUERADEs
192.168.3.0/24.

MASQUERADE is only needed on server a.

Does it help understanding what I'm trying to do?

I really appriciate any help/hint.

--
John Doe
put ipfire or pfsense on server a, they've got Guis for sorting out that stuff.

mick

--
Key ID    4BFEBB31