
Re: SNAT out same interface packets come in

On Tue, 2003-05-27 at 17:18, Charles Kidson wrote:
> Surely you want your firewall between your customers and the router
> (i.e. between your customers and the net.)
> Internet
>    |
> Router
>    |          - eth0
> Firewall
>    |          - eth1
> Internal Lan
> (presuming that the firewall is multihomed)
Unfortunately, I don't have that much say over the network structure.
Certainly that setup would be easier for me to conceptualise.  However,
the server is an off-site managed rack-mount machine and it is not
possible to add another network card to it, nor is it possible to
reconfigure where the internet connection is.

Up until now, we have been getting the router to do the NATing, but now
we need to come up with a solution for monitoring the bandwidth usage of
our connected clients.  Apparently, logging every IP header and then
totalling the packet lengths every hour for some 200 connected clients
would be prohibitive for the router.  This is when I decided to look
into the possibility of getting the router to send all packets up to the
Firewall where we can do better firewalling anyway and can write a
daemon to interface with the ULOG target to total packet lengths per IP.

Please see my next thread on monitoring bandwidth usage if you want to
discuss this aspect further.


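The setup the message describes (router hands every client packet to a single-NIC firewall, which SNATs it back out the same interface and feeds the ULOG target so a daemon can total bytes per client) as an added example. This is not code from the original thread or from any poster; it assumes the firewall's only interface is eth0 with address 192.0.2.1, the clients sit in 10.0.0.0/8 behind the router, and ulogd is writing the kernel-LOG-style "SRC=... DST=... LEN=..." lines (the sample lines below are constructed, not captured). Two details a practitioner wants here: the accounting rules sit in FORWARD, which sees the clients' real addresses in both directions (SNAT is applied afterwards in POSTROUTING, and return traffic is de-NATted in PREROUTING before it reaches FORWARD), and sending packets back out the interface they arrived on makes the kernel emit ICMP redirects to the router unless send_redirects is switched off.

```shell
#!/bin/sh
# Added example, not from the original message. All addresses, interface
# names and the log path are assumptions for illustration.

WAN_IF=${WAN_IF:-eth0}          # the firewall's only NIC
FW_IP=${FW_IP:-192.0.2.1}       # address clients are SNATted to
CLIENTS=${CLIENTS:-10.0.0.0/8}  # client range the router forwards to us

# Print the sysctl and iptables commands for SNAT out the same interface
# the packets came in on, with ULOG accounting of both directions.
emit_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
# packets leave via the interface they arrived on: stop ICMP redirects to the router
sysctl -w net.ipv4.conf.$WAN_IF.send_redirects=0
# account first, while FORWARD still sees the clients' real addresses
iptables -A FORWARD -i $WAN_IF -s $CLIENTS -j ULOG --ulog-nlgroup 1 --ulog-prefix "acct-out "
iptables -A FORWARD -o $WAN_IF -d $CLIENTS -j ULOG --ulog-nlgroup 1 --ulog-prefix "acct-in "
# then the actual firewalling: clients may go out, only replies come back
iptables -A FORWARD -i $WAN_IF -s $CLIENTS -j ACCEPT
iptables -A FORWARD -o $WAN_IF -d $CLIENTS -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -P FORWARD DROP
# rewrite the source to the firewall's address on the way out
iptables -t nat -A POSTROUTING -o $WAN_IF -s $CLIENTS -j SNAT --to-source $FW_IP
EOF
}

# Total the LEN= field per client address from ulogd syslog-emulation lines
# read on stdin. "acct-out" lines are charged to SRC, "acct-in" lines to DST,
# so each client's figure covers both directions. Prints "ip bytes", sorted.
account_bytes() {
    awk '
    {
        dir = ""; src = ""; dst = ""; len = -1
        for (i = 1; i <= NF; i++) {
            if ($i == "acct-out") dir = "out"
            else if ($i == "acct-in") dir = "in"
            else if (substr($i, 1, 4) == "SRC=" && src == "") src = substr($i, 5)
            else if (substr($i, 1, 4) == "DST=" && dst == "") dst = substr($i, 5)
            # first LEN= only: ICMP errors carry a second, quoted header
            else if (substr($i, 1, 4) == "LEN=" && len < 0) len = substr($i, 5) + 0
        }
        if (len < 0) next
        if (dir == "out") total[src] += len
        else if (dir == "in") total[dst] += len
    }
    END { for (ip in total) print ip, total[ip] }' | sort
}

# Constructed sample of what ulogd would log for the rules above.
SAMPLE='May 27 17:18:01 fw acct-out IN=eth0 OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=33000 DPT=80
May 27 17:18:01 fw acct-in IN=eth0 OUT=eth0 SRC=198.51.100.7 DST=10.0.0.5 LEN=1500 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=80 DPT=33000
May 27 17:18:02 fw acct-out IN=eth0 OUT=eth0 SRC=10.0.0.9 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=3 DF PROTO=TCP SPT=33001 DPT=443'

# Usage: ./acct.sh rules   (print the rules; pipe to sh as root to apply)
#        ./acct.sh acct < /var/log/ulogd.syslogemu   (per-client byte totals)
#        ./acct.sh demo    (run the accounting over the constructed sample)
case "${1:-}" in
    rules) emit_rules ;;
    acct)  account_bytes ;;
    demo)  printf '%s\n' "$SAMPLE" | account_bytes ;;
esac
```

Run `account_bytes` from cron once an hour over the log file ulogd rotated in that hour and you have the hourly per-client totals the message asks for; the counts are of IP packet lengths, so they include headers, which is usually what bandwidth billing wants. On the router side, every client packet in both directions has to be routed via the firewall for this to work, since traffic the router forwards directly is never seen by FORWARD.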