Two routers masquerading?

In a network where you have a router behind another
can both masquerade or only the first?
If not then can you just forward and not masquerade with
iptables rules? This would have the most outward firewall
doing the masquerade for both subnets and the inward
only forwarding.
Most firewall scripts I've seen do not seem to differentiate
between forward and masquerade. ex yast firewall in SuSE
has turn on forwarding and masquerade as one button.
I'm concerned there is a concern with masquerade twice?
Any help?

-Walt

(E-Mail Removed) wrote:

> In a network where you have a router behind another
> can both masquerade or only the first?
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^
You can have both masquerade, if it makes sense..
> If not then can you just forward and not masquerade with
> iptables rules?
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Why not route with routing rules, if natting is not necessary?
> This would have the most outward firewall
> doing the masquerade for both subnets and the inward
> only forwarding.
> Most firewall scripts I've seen do not seem to differentiate
> between forward and masquerade.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^
Routing and masquerading are different things. Routing is put a packet on an
interface. Masquerading is replacing the senders address with the one of
the gateway.
> ex yast firewall in SuSE
> has turn on forwarding and masquerade as one button.
That means: no forwarding->no masquerading is necessary
> I'm concerned there is a concern with masquerade twice?
> Any help?
>
> -Walt
Regards, Alex

(E-Mail Removed) wrote:
> In a network where you have a router behind another
> can both masquerade or only the first?

You can masquerade as often as You want.


> If not then can you just forward and not masquerade with
> iptables rules? This would have the most outward firewall
> doing the masquerade for both subnets and the inward
> only forwarding.
> Most firewall scripts I've seen do not seem to differentiate
> between forward and masquerade. ex yast firewall in SuSE
> has turn on forwarding and masquerade as one button.
> I'm concerned there is a concern with masquerade twice?
> Any help?

As some other poster already said, forwarding and masquerading is not
the same, but masquerading is some special form of forwarding where
the source IP field of the packet is being changed to the one of the
forwarding device. So forwarding and masqueraded forwarding are closely
related to each other.


Cheers, Jack.

--
----------------------------------------------------------------------
My personal reading of the string "MicroSoft" expands to "NanoWeak"...

(E-Mail Removed) wrote:

> In a network where you have a router behind another
> can both masquerade or only the first?

Both can use NAT, as neither knows about the other.

--

(This space intentionally left blank)

Yes I understand the difference between the two.
I was questioning whether the forward router could do
all the masquerading and now that I hear myself say it
I see the need to masquerade in each place. Both subnets
have PCs that need the ability.

-Walt

Alex Harsch <(E-Mail Removed)> wrote:
> (E-Mail Removed) wrote:

>> In a network where you have a router behind another
>> can both masquerade or only the first?
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^
> You can have both masquerade, if it makes sense..
>> If not then can you just forward and not masquerade with
>> iptables rules?
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> Why not route with routing rules, if natting is not necessary?
>> This would have the most outward firewall
>> doing the masquerade for both subnets and the inward
>> only forwarding.
>> Most firewall scripts I've seen do not seem to differentiate
>> between forward and masquerade.
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^
> Routing and masquerading are different things. Routing is put a packet on an
> interface. Masquerading is replacing the senders address with the one of
> the gateway.
>> ex yast firewall in SuSE
>> has turn on forwarding and masquerade as one button.
> That means: no forwarding->no masquerading is necessary
>> I'm concerned there is a concern with masquerade twice?
>> Any help?
>>
>> -Walt
> Regards, Alex

--
Reply to innkeepATncDOTrrDOTcom to email questions.

(E-Mail Removed) wrote:
> Yes I understand the difference between the two.
> I was questioning whether the forward router could do
> all the masquerading and now that I hear myself say it
> I see the need to masquerade in each place. Both subnets
> have PCs that need the ability.
>
> -Walt
>

I don't believe that you need masq. on both routers. I would probably
only masq. the traffic going through the outside router as this router
is the final one that routes to the internet. I am assuming all internel
ips are not routable to the internet and that all traffic destined for
the internet goes though the outside router via a single connection.

As in:

internet <----> outside router <-----> lan
|-------------------------> router <----> lan