Network routing -- IP masquerade twice?

 
 
Mark Grimes
      02-23-2004, 10:59 PM
I'm looking for some guidance in setting up a network. I have a simple
network setup now and I need to hang another network off of one of the
boxes. It seems like I would need to provide NAT service twice (is
that even possible?). Here is a rough outline of the network:

              Internet
                  |
              DSL Modem
                  |
VPN (Providing NAT addresses: 192.168.0.*)
             192.168.0.1
                  |
     +------------+-----------------+
     |            |                 |
192.168.0.2  192.168.0.3            |
     A            B                 |
                               192.168.0.5
                                  -----
                                  | C |
                                  -----
                               192.168.2.1
                                    |
                            +-------+-------+
                            |       |       |
                       192.168.2.2 .2.3    .2.4
                            D       E       F

Currently, I have all the 192.168.0.* ip's working flawlessly. I have
added another network card to box C and configured that as
192.168.2.1. It is providing DHCP services to D, E and F. They (D,E,F)
can see C (192.168.2.1) without a problem but cannot reach the
internet.

Since the VPN is only providing NAT to 192.168.0.1-255 do I need to IP
masq all the 192.168.2.* addresses to 192.168.0.5? Can you run NAT
twice like that?

Is there a simpler way to set this up? Could D, E and F somehow be on
192.168.0.*? They do need to connect through C physically, though.

Any help would be most appreciated!

Thanks,
Mark
 
jack
      02-23-2004, 11:23 PM
Mark Grimes wrote:
> I'm looking for some guidance in setting up a network. I have a simple
> network setup now and I need to hang another network off of one of the
> boxes. It seems like I would need to provide NAT service twice (is
> that even possible?). Here is a rough outline of the network:


Jess... - There's a thread named "double masquerading", and that's about
double masquerading... - But anyways:


>               Internet
>                   |
>               DSL Modem
>                   |
> VPN (Providing NAT addresses: 192.168.0.*)
>              192.168.0.1
>                   |
>      +------------+-----------------+
>      |            |                 |
> 192.168.0.2  192.168.0.3            |
>      A            B                 |
>                                192.168.0.5
>                                   -----
>                                   | C |
>                                   -----
>                                192.168.2.1
>                                     |
>                             +-------+-------+
>                             |       |       |
>                        192.168.2.2 .2.3    .2.4
>                             D       E       F
>
> Currently, I have all the 192.168.0.* ip's working flawlessly. I have
> added another network card to box C and configured that as
> 192.168.2.1. It is providing DHCP services to D, E and F. They (D,E,F)
> can see C (192.168.2.1) without a problem but cannot reach the
> internet.


How come? - If C is a NAT router, all {D,E,F} must be able to. See C's
config, or, rather, review.


> Since the VPN is only providing NAT to 192.168.0.1-255 do I need to IP
> masq all the 192.168.2.* addresses to 192.168.0.5? Can you run NAT
> twice like that?
>
> Is there a simpler way to set this up? Could D, E and F somehow be on
> 192.168.0.*? They do need to connect through C physically, though.


OK, I don't know about Your VPN, but the answer is Yes.

Specifically: You sure need to masq all ..2. clients. No choice.
If Your VPN will accept that depends on the design You're using.

If D,E,F must connect through C anyways, it's wiser to keep them
on the ..2. subnet. - You could easily integrate them into Your
...0. net, but since the bottleneck will be C in either case, to me it's
"cleaner" to have the subnet behind C in its own address range.
No matter what You do (i.e. how You name them), this will not
affect performance (I'm afraid).

Technical details upon request.


Cheers, Jack.

--
----------------------------------------------------------------------
My personal reading of the string "MicroSoft" expands to "NanoWeak"...
 
 
James Knott
      02-24-2004, 01:06 AM
Mark Grimes wrote:

> It seems like I would need to provide NAT service twice (is
> that even possible?)


Yes. In fact, I'm doing it here.

--

Fundamentalism is fundamentally wrong.

To reply to this message, replace everything to the left of "@" with
james.knott.
 
 
Cameron Kerr
      02-24-2004, 06:56 AM
Mark Grimes <(E-Mail Removed)> wrote:
> I'm looking for some guidance in setting up a network. I have a simple
> network setup now and I need to hang another network off of one of the
> boxes. It seems like I would need to provide NAT service twice (is
> that even possible?). Here is a rough outline of the network:


Although you can certainly do NAT many times, in this scenario, I would
have to ask why you would want to? Just have C act as a normal router.

You could either run routed on both/all the routers, or you could
configure C and VPN with static routes:

C: route add default gw VPN (probably done already)
VPN: route add -net 192.168.2.0 netmask 255.255.255.0 gw C

Not having another NAT would make it easier to manage also, wrt port
forwarding, and performance.

--
Cameron Kerr
(E-Mail Removed) : http://nzgeeks.org/cameron/
Empowered by Perl!
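
The two setups discussed in this thread (a second masquerade on C, or C as a plain router with a static route on the VPN box), written out as an added shell example that is not part of any poster's message. The interface names eth0 and eth1 are assumptions; the addresses are the ones in the diagram. With DRY_RUN=1 the commands are printed instead of executed.

```shell
#!/bin/sh
# Added example: forwarding on C (192.168.0.5 / 192.168.2.1) for D, E, F.
# Assumed names, not from the thread: eth0 = C's 192.168.0.x NIC,
# eth1 = C's 192.168.2.x NIC.
OUT_IF=${OUT_IF:-eth0}
IN_IF=${IN_IF:-eth1}
INNER_NET=192.168.2.0/24
C_OUTER=192.168.0.5

# With DRY_RUN=1 each command is printed instead of executed.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Needed on C in both variants: enable forwarding, but only for traffic
# from the inner subnet and for replies to connections it opened.
c_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -i "$IN_IF" -o "$OUT_IF" -s "$INNER_NET" -j ACCEPT
    run iptables -A FORWARD -i "$OUT_IF" -o "$IN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Variant 1 (on C): second NAT, so 192.168.2.* leaves C as 192.168.0.5
# and the VPN box needs no change.
c_masquerade() {
    c_forwarding
    run iptables -t nat -A POSTROUTING -s "$INNER_NET" -o "$OUT_IF" -j MASQUERADE
}

# Variant 2 (on the VPN box): C routes without NAT, so the VPN box needs
# a return route. Its own NAT must then also cover 192.168.2.*, which the
# original post says it currently does not.
vpn_static_route() {
    run ip route add "$INNER_NET" via "$C_OUTER"
}

case "${1:-}" in
    masq)   c_masquerade ;;      # run on C
    routed) c_forwarding ;;      # run on C
    vpn)    vpn_static_route ;;  # run on the VPN box
esac
```

The FORWARD rules let D, E and F open connections outward but block new connections from 192.168.0.* into 192.168.2.*; in the routed variant, add an explicit ACCEPT rule if A or B must reach them.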
 