19 Apr
2013
19 Apr
'13
5:27 a.m.
C.J. thanks for the examples. I think I know the answer to what I am going
to ask, but..
Could an IPIP tunnel accomplish the same thing that OpenVPN can for the
situation I described (NAT and no modification to a remote firewall)?
Why not?
19 Apr
19 Apr
5:59 a.m.
New subject: private tunnel?
Hi,
IPIP can not traverse NAT because first of all it uses proto 4 (encap) and
not TCP or UDP, so contrack, which manages NAT traversal does not support
it.
In a NAT situation, incoming connections not triggered from the inside don't
get translated, since the NAT doesn't know the originator.
Being a stateless point to multipoint communication, you do not have a
"inside" originated connection for all connections. It is expected that NAT
knows where to forward a data packet by using information from the original
outgoing connection (established and related packets are sent to the
internal originating ip ), which is not the case for IPIP since incoming
data from another host (we have a mesh architecture) has no corresponding
outgoing connection.
On the other hand, in OpenVPN, if the server is located outside, all
connections are stateful and trackable by contrack, being a single IP
endpoint on port 1194 originated inside, so NAT traversal is as simple as
any connection originated locally.
Marius, YO2LOJ
10:33 a.m.
New subject: private tunnel?
Greetings,
On Fri, 19 Apr 2013, Marius Petrescu wrote:
(Please trim inclusions from previous messages)
_______________________________________________
Hi,
IPIP can not traverse NAT because first of all it uses proto 4 (encap) and
not TCP or UDP, so contrack, which manages NAT traversal does not support
it.
Actually, IPIP encap (Proto-4) passes through NAT just fine. But *not*
in the typical sense. If you define your JNOS box (or the IP address on
the Linux box that is running JNOS) as the "DMZ Host", many off-the-shelf
cheapie routers WILL pass *ALL* traffic arriving at the PUBLIC side of
your NAT router directly to the JNOS box, including IPIP Proto-4.
WARNING: DO NOT try to "port forward" any TCP or UDP ports to the DMZ
host address. This breaks DMZ and you *will* have problems!
Be aware that OLDER Dlink and LinkSys boxes work best. But as these
manufacturers added new whiz-bang features to support things like
Plug-n-Play and other features, they ran out of ROM or RAM space, and
dropped support for IPIP to pass through unencumbered through NAT. So
YMMV.
It is still *best* to toss those cheapie Dlink or LinkSys routers in
favor of a more 'professional' router/firewall based on Linux or FreeBSD
such as "PFsense".
Enjoy!
--- Jay Nugent WB8TKL
o Chair, ARRL Michigan Section "Digital Radio Group" (DRG)
[www.MI-DRG.org]
() ascii ribbon campaign in
/\ support of plain text e-mail
Averaging at least 3 days of MTBWTF!?!?!?
The solution for long term Internet growth is IPv6.
+------------------------------------------------------------------------+
| Jay Nugent jjn(a)nuge.com (734)484-5105 (734)649-0850/Cell |
| Nugent Telecommunications [www.nuge.com] |
| Internet Consulting/Linux SysAdmin/Engineering & Design |
| ISP Monitoring [www.ispmonitor.org] ISP & Modem Performance Monitoring |
+------------------------------------------------------------------------+
05:01:01 up 273 days, 14:22, 2 users, load average: 0.10, 0.12, 0.10
10:46 a.m.
New subject: private tunnel?
Jay, you are right about DMZ setup.
But the issue is to be able to establish tunnels _WITHOUT_ having access
to the NAT router. So any port/protocol forwarding, including DMZ (which
is actually a full 1:1 port forwarding) is out the scope.
4032
days inactive
4032
days old
3 comments
4 participants
participants (4)
-
Jay Nugent -
kb9mwr@gmail.com -
Marius Petrescu -
marius@yo2loj.ro