What are my options and what's the most straight-forward way?
add dst-address=192.168.210.0/24 gateway=192.168.200.5
add dst-address=192.168.220.0/24 gateway=192.168.200.4
add dst-address=192.168.230.0/24 gateway=192.168.200.3
add dst-address=192.168.240.0/24 gateway=192.168.200.2
I have many users with Skype phones that are behind 3 nat firewalls and still they claim to have perfect communications. Better at times than the national pstn provider and certainly better than the cell phones!kaptain1 wrote:VoIP may not work well.
OK, interesting info. Although I'll do it for 5 years and haven't noticed any problems as of yet (maybe I just don't recognize the problem if they are there...?) in my network. But that doesn't make your statement invalid.changeip wrote:double nat is bad, it fills up conntrack tables and locks up cheap resi routers. if you are properly using established / related / invalid rules, the first incoming router closes the connection and then the ones behind it never get the close and therefore sit there filling up conntrack tables until they lock up. Seen it many times ... design your network properly and you will be in a better position down the road.
OK, that all makes sense to me. Maybe indeed some issues reported to us are of the nature you prescribe. I always looked into my own network to see if things could be improved/solved and I must say I already limit the amount of connections a user can make in my main gateway.changeip wrote:The cheapie routers like dlink, netgear, linksys, etc only have 2-4mb of ram in them, of which only a few kb is used for the connection tracking table. In mikrotik you can see the conntrack table can handle a few thousand or tens of thousands of connections, yet in these off the shelf routers they can handle maybe 200-400 connections in their table before they fill up. If the tcp connections don't get closed properly, they stay open and take up slots in the conntrack table, so when I say lock up, I mean you cant get new connections to open. This is why when people run p2p on their cheapie router they notice problems with other connections - the router can't track all the connections. And then they 'power cycle' their router to get it back online again (clearing the table). The asus routers now market using 'high p2p connections' because they have more ram in them and have a larger conntrack table.
Will elaborate more on the established / related piece in a bit, got a few more installs to do today and gotta get out of here : )
Or is there a way we can directy pass the public IP to the clients domestic router? This way avoiding the nat in my main gateway?
OK. Let me think out loud: Now my ISP routes that /24 range to my main router, where they are indeed all to be found on the WAN interface and than that main router takes care of NAT and receives/routes traffic from/to client by the info in its routing tables. Because I have some 20 AP's all with their own dhcp server in their own network (/24 to /28 ranges) I have nearly the same amount of routing tables (less because I can combine some which are split up later in the network. My network is at places 6 levels deep and each node is a router.fewi wrote:Or is there a way we can directy pass the public IP to the clients domestic router? This way avoiding the nat in my main gateway?
Of course. Instead of using the /24 on your WAN border interface directly have it routed to you via a separate /30. Then you can do with the /24 of public IPs whatever the hell you please. Your provider just routes those IPs to you, and you route them within your network.
Users browsing this forum: Bing [Bot] and 14 guests