On Mon, Nov 22, 2004 at 09:14:08PM +0300, Peter Volkov Alexandrovich wrote:
> I have router with eth0 looking to provider/internet and eth1 into my LAN. As
> most of my users do not need direct or real IP address in internet I use
> 172.16.0.0/16 addresses in LAN and masquerade them.
>
> <internet>-----------------eth0<router>eth1-------------<LAN>
>           xxx.xxx.xxx.96/28                172.16.0.0/16
>
> Now. Some of them need real IP and they also want to be in the same subnet as
> others. What can I do? I can bind second address on my router (e.g. ip add
> add xxx.xxx.xxx.98/28 brd + dev eth0). Then the packets sent to real IP
> address xxx.xxx.xxx.98/28 to be DNAT'ed on user's LAN IP and when user send
> packets to internet they are SNAT'ed to his real IP (xxx.xxx.xxx.98/28).

Oh, in that case I would bind the real IP address to the end machine on the
LAN and enable proxy arp on the router. Then the router answers ARPs for
that IP and forwards the packets. You don't even need NAT in that situation
(if I'm understanding you correctly).

Obviously you'll still need basic NAT to handle outgoing connections from
172.16/16.

--
Martijn van Oosterhout <kleptog@xxxxxxxxx> http://svana.org/kleptog/
> Patent. n. Genius is 5% inspiration and 95% perspiration. A patent is a
> tool for doing 5% of the work and then sitting around waiting for someone
> else to do the other 95% so you can sue them.
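The proxy ARP setup suggested in the reply above, written out as router-side commands. This is an added example, not part of the original message: 203.0.113.98 is a documentation address standing in for the masked xxx.xxx.xxx.98, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: router-side proxy ARP for one public address that lives on a
# LAN host. All addresses are constructed placeholders.
# Prints the commands by default; set APPLY=1 and run as root to execute them.

run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

valid_ipv4() {
    # Accept only dotted quads with each octet in 0..255.
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

proxy_arp_plan() {
    pub_ip=$1; wan_if=$2; lan_if=$3; lan_net=$4
    valid_ipv4 "$pub_ip" || { echo "bad address: $pub_ip" >&2; return 1; }

    # The router must forward packets, and answer ARP on the WAN side for
    # addresses it routes out of another interface.
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w "net.ipv4.conf.$wan_if.proxy_arp=1"

    # Host route: the public address is reachable on the LAN segment.
    # This route is what makes the router answer ARP for it on $wan_if.
    run ip route add "$pub_ip/32" dev "$lan_if"

    # Masquerade only the private range, so the host with the public
    # address keeps its own source address on outgoing packets.
    run iptables -t nat -A POSTROUTING -s "$lan_net" -o "$wan_if" -j MASQUERADE
}

# Example: sh proxy-arp.sh 203.0.113.98 eth0 eth1 172.16.0.0/16
if [ "$#" -gt 0 ]; then proxy_arp_plan "$@"; fi
```

The LAN host binds the public address itself and uses the router as its gateway. It is then reachable from the internet without address translation, so any filtering for it belongs in the router's FORWARD chain.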