apara0
join:2005-07-03
La Crescenta, CA
| reply to janderso1
Re: Using two routers for securtity without double
With the NAT disabled in R2, 192.168.8.0 addresses reach R1 and then use R1's NAT to go out to the internet?
So there is still a firewall even with NAT disabled? I always thought that NAT was the firewall in most routers. I guess the SPI firewall is separate from NAT and still does not allow arbitrary traffic INTO the router?
Thanks.
-AP_ |
|
janderso1
Jim
Premium,MVM
join:2000-04-15
Saint Petersburg, FL
| Yes, R1 must do NAT for both subnets (not all routers will doe this, the ones I mentioned will). On the Zyxel routers you can enable/disable NAT and the SPI firewall separately. You may be able to do this with some of the Linksys routers.
--
Jim Anderson |
|
seezar
Premium
join:2001-07-01
Rochester, NY
 ·ViaTalk
edit:
July 8th, @12:43PM
| You could always get a soekris box (net4801) for about $275, »www.soekris.com/ which has a WAN port and 2 LAN ports and then run M0n0wall on it, »m0n0.ch/wall/ . I have my wired LAN on one LAN interface and my wireless on the other. Then configure each interface for 2 different subnets and a firewall rule on the wired LAN to block all traffic from the wireless LAN. That way the wireless network is behind NAT but cant get to my wired LAN but I can access the wireless network via the wired. |
|
dnoyeB
Ferrous Phallus
join:2000-10-09
Southfield, MI | Its not clear to me how this avoids double NAT. Its seems like both routers are on seperate subnets!? |
|
janderso1
Jim
Premium,MVM
join:2000-04-15
Saint Petersburg, FL
| When you disable NAT on R2 (the Zyxel) it acts as a pure router. When a PC on the R2 LAN accesses the Internet its real 192.168.8.x address is passed to R1 by R2. R1 then replaces the 192.168.8.x with its WAN IP address (which is why R1 must be able to do NAT for more than one subnet).
--
Jim Anderson |
|
