There have been several posts to the debian-firewall list (debian-firewall@lists.debian.org) about a DNAT from a 192 address to another 192 address. This page is intended to kick off a Debian Firewall WiKi. To address this issue from as many points of view as possible, it's my intent to move the outcome of the discussions on the list into this wiki container.

THE SETUP: A router with addresses 192.168.1.1 (LAN side) and x.y.z.p (public side). Several clients on the 192 network (hosts 100 and up). At least one DNATed server with a DNS entry pointing to x.y.z.p and a real IP of 192.168.1.10.

THE PROBLEM: Host 192.168.1.100 resolves the server's name to x.y.z.p and fails to connect. YES, a BUG. This is the bug that the rest of this document will explain, and offer several good solutions for.

THE SOLUTIONS: 1. Use a separate DNS to point 192 clients to the correct 192 address. This is (IMHO) the BEST, but also, thankfully, the HARDEST.

1a. Use a hosts file on all the clients.

1b. Use dnsmasq, along with or as your DHCP server; it works nicely.

1c. Use another DNS server for just your internal clients. One problem you will run into is that clients can't have a backup DNS server unless you set up more than one internal DNS server. To combat this and other problems* I always run a DNS server/cache on every host. dnsmasq is small, so it won't hurt your clients much, and is easy to set up.

2. Use an SNAT from 192.168.1.0/24 to 192.168.1.1 on the DNATed connections, so the server's replies go back through the router.

3. Place all servers and clients on different subnets.

3a. Change the server IP to a different subnet and add a virtual IP on the router for its gateway address. This sends ALL traffic through the router, so it isn't practical if the server has a large amount of local traffic from other services.

3b. Add a 2nd virtual IP to the server on a different subnet and a matching virtual IP on the router, and use iproute2 rules on the server to pass traffic for the virtual address back to the router. Change the DNAT to the virtual address.

3c. Use different NICs for clients and servers. This is good for HA/mission-critical servers, as they don't have to compete with clients for the router's incoming (cannot be shaped) bandwidth.

4. Route the server (192.168.1.10) to 192.168.1.1/32 instead of 192.168.1.0/24. This is more difficult than 2 and doesn't really gain a whole lot.

5. Add a proxy on the router. It's a huge CPU and disk drain, however.

THE FAQ: 1. Q: Why doesn't it just work without all of this?

A: The DNAT allows the SYN to go through, but the router never sees the SYN+ACK. That packet gets sent directly from 192.168.1.10 to the client without passing through 192.168.1.1. Since, according to the router, the connection was never accepted, the rest of the data from the client is dropped at the router (192.168.1.1).
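As an added example (not from the original page or the list), here is the rule set for solution 2 on the router, with the FAQ's failure in mind: the DNAT alone lets the SYN through, and the extra SNAT forces the server's SYN+ACK back via 192.168.1.1. The public address x.y.z.p and the service port are not given on the page, so they are passed in as arguments, with a TEST-NET-3 placeholder in the sample call.

```shell
#!/bin/sh
# Added example, not from the original wiki page: emit the iptables rules
# for solution 2 (hairpin DNAT + SNAT) on the router 192.168.1.1.
# Addresses follow the page's setup; the public address x.y.z.p and the
# service port are passed in as arguments, because the page does not give them.

LAN_NET=192.168.1.0/24
ROUTER_LAN=192.168.1.1

# hairpin_rules WAN_IP SERVER PORT
# Prints the rules rather than applying them, so they can be reviewed
# first and then piped into sh on the router.
hairpin_rules() {
    wan_ip=$1; server=$2; port=$3

    # 1. DNAT: any packet for the public address, whether it arrives from
    #    the Internet or from a LAN client that resolved the public name,
    #    is redirected to the real server.
    echo "iptables -t nat -A PREROUTING -d $wan_ip -p tcp --dport $port" \
         "-j DNAT --to-destination $server"

    # 2. The fix: when the DNATed connection came from the LAN, also rewrite
    #    its source to the router.  The server now answers 192.168.1.1, so the
    #    SYN+ACK passes back through the router instead of going straight to
    #    the client (the failure described in the FAQ).  Internet clients are
    #    not matched, so the server still sees their real addresses.
    echo "iptables -t nat -A POSTROUTING -s $LAN_NET -d $server -p tcp --dport $port" \
         "-j SNAT --to-source $ROUTER_LAN"

    # 3. Let the DNATed flow and its replies through the FORWARD chain.
    echo "iptables -A FORWARD -d $server -p tcp --dport $port" \
         "-m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
    echo "iptables -A FORWARD -s $server -p tcp --sport $port" \
         "-m conntrack --ctstate ESTABLISHED -j ACCEPT"
}

# Sample call with a placeholder public address (TEST-NET-3) standing in for x.y.z.p.
hairpin_rules 203.0.113.5 192.168.1.10 80
```

The price is the one solution 1 avoids: with this SNAT in place the server logs every LAN client as 192.168.1.1.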

Hopefully the rest of this will get filled in later. It will involve me (or you) reading back through the list and finding the missing data.