C.J., thanks for the examples. I think I know the answer to what I am going to ask, but..
Could an IPIP tunnel accomplish the same thing that OpenVPN can for the situation I described (NAT and no modification to a remote firewall)?
Why not?
Hi,
IPIP cannot traverse NAT because first of all it uses proto 4 (encap) and not TCP or UDP, so conntrack, which manages NAT traversal, does not support it. In a NAT situation, incoming connections not triggered from the inside don't get translated, since the NAT doesn't know the originator. Being a stateless point-to-multipoint communication, you do not have an "inside"-originated connection for all connections. It is expected that NAT knows where to forward a data packet by using information from the original outgoing connection (established and related packets are sent to the internal originating IP), which is not the case for IPIP, since incoming data from another host (we have a mesh architecture) has no corresponding outgoing connection.
On the other hand, in OpenVPN, if the server is located outside, all connections are stateful and trackable by conntrack, being a single IP endpoint on port 1194 originated inside, so NAT traversal is as simple as for any connection originated locally.
Marius, YO2LOJ
Greetings,
On Fri, 19 Apr 2013, Marius Petrescu wrote:
> Hi,
> IPIP cannot traverse NAT because first of all it uses proto 4 (encap) and not TCP or UDP, so conntrack, which manages NAT traversal, does not support it.
Actually, IPIP encap (Proto-4) passes through NAT just fine. But *not* in the typical sense. If you define your JNOS box (or the IP address on the Linux box that is running JNOS) as the "DMZ Host", many off-the-shelf cheapie routers WILL pass *ALL* traffic arriving at the PUBLIC side of your NAT router directly to the JNOS box, including IPIP Proto-4.
WARNING: DO NOT try to "port forward" any TCP or UDP ports to the DMZ host address. This breaks DMZ and you *will* have problems!
Be aware that OLDER D-Link and Linksys boxes work best. But as these manufacturers added new whiz-bang features to support things like Plug-n-Play and other features, they ran out of ROM or RAM space, and dropped support for IPIP to pass unencumbered through NAT. So YMMV.
It is still *best* to toss those cheapie D-Link or Linksys routers in favor of a more 'professional' router/firewall based on Linux or FreeBSD such as "pfSense".
Enjoy!
--- Jay Nugent WB8TKL
o Chair, ARRL Michigan Section "Digital Radio Group" (DRG) [www.MI-DRG.org]
Jay, you are right about the DMZ setup. But the issue is to be able to establish tunnels _WITHOUT_ having access to the NAT router. So any port/protocol forwarding, including DMZ (which is actually a full 1:1 port forwarding), is out of scope.
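The two NAT behaviours argued over in this thread, as an added toy model that is not code from any of the posters: Marius's point that a conntrack-style NAT only delivers inbound packets that match a flow originated inside (so an IPIP packet from a different mesh peer has nothing to match, while an OpenVPN reply on UDP/1194 does), and Jay's point that a DMZ host receives everything untracked, protocol 4 included. The addresses, the source port 40000 and the `Nat`/`Packet` names are assumptions.

```python
"""Toy stateful NAT in front of a mesh node (constructed example).
Flows are keyed like a connection tracker keys them: protocol, peer address and,
for TCP/UDP, ports. Addresses are made-up documentation values."""
from dataclasses import dataclass
from typing import Optional

IPIP, UDP = 4, 17   # IANA protocol numbers

@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # None for port-less protocols such as IPIP
    dport: Optional[int] = None

class Nat:
    def __init__(self, public: str, dmz_host: Optional[str] = None):
        self.public, self.dmz_host = public, dmz_host
        self.table = {}   # (proto, peer_ip, peer_port, local_port) -> inside host

    def outbound(self, pkt: Packet) -> Packet:
        """Record the flow, then rewrite the source to the public address."""
        self.table[(pkt.proto, pkt.dst, pkt.dport, pkt.sport)] = pkt.src
        return Packet(pkt.proto, self.public, pkt.dst, pkt.sport, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Deliver replies to tracked flows; anything else only to a DMZ host."""
        host = self.table.get((pkt.proto, pkt.src, pkt.sport, pkt.dport), self.dmz_host)
        if host is None:
            return None   # NAT cannot tell which inside host this packet is for
        return Packet(pkt.proto, pkt.src, host, pkt.sport, pkt.dport)

INSIDE, PUBLIC = "192.168.1.10", "203.0.113.5"
VPN_SERVER, PEER_A, PEER_B = "198.51.100.7", "198.51.100.20", "198.51.100.30"

def openvpn_reply_delivered() -> bool:
    """One UDP/1194 flow originated inside: the reply is tracked and translated."""
    nat = Nat(PUBLIC)
    nat.outbound(Packet(UDP, INSIDE, VPN_SERVER, 40000, 1194))
    reply = nat.inbound(Packet(UDP, VPN_SERVER, PUBLIC, 1194, 40000))
    return reply is not None and reply.dst == INSIDE

def ipip_from_other_peer_delivered(dmz_host: Optional[str] = None) -> bool:
    """Mesh case: we tunnel to peer A, then peer B sends us IPIP unsolicited."""
    nat = Nat(PUBLIC, dmz_host)
    nat.outbound(Packet(IPIP, INSIDE, PEER_A))
    pkt = nat.inbound(Packet(IPIP, PEER_B, PUBLIC))
    return pkt is not None and pkt.dst == INSIDE
```

Without a DMZ host the unsolicited IPIP packet from peer B is dropped; with the inside node configured as DMZ host it is delivered, which is exactly the router-side change the thread says is not available.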