Novell Archives: Archived content from Novell openSUSE support forums

Hi,

My SuSE 10.0 machine is equipped with two NICs and is supposed to route between the two networks. Checking "IP Forward" in "YaST2 lan" is not enough, I also have to enable "Masquerading" in "YaST2 firewall". I suppose this is NAT, but I only want routing, no NAT. How do I configure this?

Christian

Christian Barmala wrote:
> Hi,
>
> My SuSE 10.0 machine is equipped with two NICs and is supposed to route
> between the two networks. Checking "IP Forward" in "YaST2 lan" is not
> enough, I also have to enable "Masquerading" in "YaST2 firewall". I
> suppose this is NAT, but I only want routing, no NAT. How do I configure
> this?

First, you have to give both nic's a fixed IP-address with the proper netmasks. The IP-address of the nic to the internal network is the default gateway for the other systems in that network.

Second, you have to give a number of route commands to set up the routing. The default gateway is the IP-address of the router in the external network. You have to set up the route to the internal network and to the IP-addresses in the network connected to the Internet.

In general you have to ask yourself questions about the information needed for routing IP-packets coming in that system to go to the proper nic. Remember that you have to deal with 4 types of IP-addresses, the 127.0.0.0/8, the addresses in the internal network, the addresses in the network connected to the other nic and all other addresses.

--
Freek

> Hi,
>
> My SuSE 10.0 machine is equipped with two NICs and is supposed to route
> between the two networks. Checking "IP Forward" in "YaST2 lan" is not
> enough, I also have to enable "Masquerading" in "YaST2 firewall". I suppose
> this is NAT, but I only want routing, no NAT. How do I configure this?
>
> Christian

Try editing the (I think I am right) /etc/sysconfig/SuSEFir... file so you allow or do not allow NAT or IP Forwarding.

Hi,

Freek wrote:
>> My SuSE 10.0 machine is equipped with two NICs and is supposed to route
>> between the two networks. Checking "IP Forward" in "YaST2 lan" is not
>> enough, I also have to enable "Masquerading" in "YaST2 firewall". I
>> suppose this is NAT, but I only want routing, no NAT. How do I configure
>> this?

BTW: If I enable Masquerading, everything works. I can connect from the Intranet via the SuSE machine to the DMZ and to the Internet, but I would prefer non NATed routing.

> First, you have to give both nic's a fixed IP-address with the proper netmasks.

SuSE machine:
  DMZ NIC = 192.168.DMZ.A/24
  Intranet NIC = 192.168.Intranet.B/24
  Default Route = External Router

External Router
  DMZ IP = 192.168.DMZ.C/24
  Static Route = 192.168.Intranet.0/24 -> 192.168.DMZ.A

> The IP-address of the nic to the internal network is the default gateway
> for the other systems in that network.

Intranet machines get their configuration via DHCP from pool 192.168.Intranet.D ... E/24, Default Route = 192.168.Intranet.B

> Second, you have to give a number of route commands to setup the routing.

I doubt that I have to modify anything:

netstat -rn
Kernel IP Routentabelle
Ziel            Router          Genmask         Flags irtt Iface
192.168.DMZ.0   0.0.0.0         255.255.255.0   U     0    eth1
192.168.INTR.0  0.0.0.0         255.255.255.0   U     0    eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0    eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0    lo
0.0.0.0         192.168.178.1   0.0.0.0         UG    0    eth1

The SuSE machine always connects correctly, but if I disable Masquerading, the Intranet machines can't reach the Internet any more.

Christian

Hi,

ppppapad@yahoo.com wrote:
>> I only want routing, no NAT. How do I configure this?
> Try editing the (I think I am right) /etc/sysconfig/SuSEfirewall2 file so you allow or do not allow NAT or IP Forwarding.

You *are* right! :-) In YaST firewall you can either switch on FW_ROUTE="yes" *and* FW_MASQUERADE="yes" or switch both off, but if you edit this sysconfig file (either vi or YaST sysconfig), you can switch them independently. After

  YaST2 sysconfig set variable=FW_MASQUERADE value=off

I can still connect from the Intranet to the Internet.

Christian

Christian Barmala wrote:
> The SuSE machine always connects correctly, but if I disable
> Masquerading, the Intranet machines can't reach the Internet any more.

Did you try a ping and a traceroute from an Intranet machine to 192.168.178.1? I assume 178=DMZ. You could catch all traffic on your SuSE machine using tcpdump and do the above mentioned ping and traceroute to see what is missing. I also assume you did not have your firewall running on your SuSE machine.

--
Freek

Christian Barmala wrote:
> You *are* right! :-)
>
> YaST2 sysconfig set variable=FW_MASQUERADE value=off

.... oops no, after reboot it didn't work any more. Even setting the value to on again didn't help, only after I invoked "yast firewall", clicked the masquerading checkbox and rebooted I could access the Internet from the Intranet. Obviously there are more dependencies between different components.

Any idea how to switch NAT off, but keep routing on?

Christian

Christian Barmala wrote:
> The SuSE machine always connects correctly, but if I disable
> Masquerading, the Intranet machines can't reach the Internet any more.

See also http://www.novell.com/coolsolutions/feature/16579.html
"HOW-TO: Set Up a SUSE 10 Machine As a Router"

--
Freek

Freek wrote:
> Christian Barmala wrote:
>> The SuSE machine always connects correctly, but if I disable
>> Masquerading, the Intranet machines can't reach the Internet any more.
> See also http://www.novell.com/coolsolutions/feature/16579.html
> "HOW-TO: Set Up a SUSE 10 Machine As a Router"

This document almost perfectly describes my setup. One of the screen shots shows that the "Masquerading" checkbox is checked. AFAIK this means "NAT" and that's what I don't want. I just want plain routing. I got this working on SuSE 9.3 when I used fwbuilder.org instead of SuSEfirewall, but I would prefer to get this working with SuSEfirewall.

Christian
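
Added example, not part of any post in this thread: a shell check that reads FW_ROUTE and FW_MASQUERADE, the two variables discussed above, from a SuSEfirewall2-style sysconfig file and reports which forwarding mode the file asks for. It also reads FW_FORWARD, a variable from the SuSEfirewall2 sysconfig template that the thread does not mention; its role as the forwarding allow-list when masquerading is off is an assumption to check against the comments in your own file. The function names, mode labels and sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report the forwarding mode that a
# SuSEfirewall2-style sysconfig file requests.

# Print the effective value of variable $2 in file $1: the last
# uncommented assignment wins, trailing comments and quotes are stripped.
sysconfig_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
        sed -e 's/[[:space:]]*#.*$//' \
            -e 's/^"\(.*\)"$/\1/' \
            -e "s/^'\(.*\)'\$/\1/"
}

# Classify the combination of FW_ROUTE / FW_MASQUERADE / FW_FORWARD.
# Any value other than "yes" is treated as off.
fw_mode() {
    route=$(sysconfig_get "$1" FW_ROUTE)
    masq=$(sysconfig_get "$1" FW_MASQUERADE)
    fwd=$(sysconfig_get "$1" FW_FORWARD)   # assumption: forwarding allow-list
    case "$route:$masq" in
        yes:yes) echo "nat" ;;              # routing with masquerading
        yes:*)   if [ -n "$fwd" ]; then
                     echo "routed"          # plain routing, rules present
                 else
                     echo "routed-no-forward-rules"
                 fi ;;
        *:yes)   echo "inconsistent" ;;     # NAT requested, routing off
        *)       echo "no-forwarding" ;;
    esac
}

# Constructed sample (not the poster's real file): routing on, NAT off.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# FW_ROUTE="no"
FW_ROUTE="yes"
FW_MASQUERADE="no"   # switched off by hand
FW_FORWARD=""
EOF
echo "sample: $(fw_mode "$sample")"
# On the router itself: fw_mode /etc/sysconfig/SuSEfirewall2
```

The file only states what is requested; `cat /proc/sys/net/ipv4/ip_forward` and `iptables -t nat -L POSTROUTING -n` show what the running kernel is actually doing after the firewall has been restarted.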