[NTLUG:Discuss] Router Needed? -- multiple NAT devices not good (_avoid_ if possible)

Bryan J. Smith b.j.smith at ieee.org
Wed Jul 7 13:49:16 CDT 2004


Kenneth Loafman wrote:  
> Stepping into the deep end here...
> What I want to do is set up a subnet here that isolates the conference
> room and guest work areas from the rest of the office so that folks
> can come in and use their laptops without being able to see the rest
> of the office and/or servers.  I'm guessing I'll need a router to do
> that isolation.  Is there a different solution short of banning
> laptops, or forcing them to be scanned by our non-existent IT security
> staff?
> If its a router solution, which one would be the easiest to set up?

Kenneth Loafman then wrote:  
> What I want is for them to have access so they can check their
> mail.  I would prefer that they not have any access to our net at
> all.  That said, I suspect that if an investor wanted to print, we'd
> bend over backwards to make sure he could do so.  What would the
> solution be then?

- "Just the easiest answer"

Install IPCop 1.3 ( http://www.ipcop.org ) and make it your firewall.
Turn the 3rd zone, ORANGE (DMZ) into the zone for your conference room.
By default, nothing can get into ORANGE (DMZ) from RED (Internet), and
the ORANGE (DMZ) cannot access GREEN (LAN).

The new IPCop 1.4beta also has a 4th zone, BLUE (WLAN) for segmenting
Wireless.  Same rules as ORANGE (DMZ) by default.  You can use it
instead of ORANGE (DMZ), in case you need a real DMZ.

- Detailed Response

First off, _most_ of the responses I've seen here are a network
technologist's _worst_nightmare_.  You can't simply start throwing
around NAT devices any more than cascading hubs or switches.  On a
network (especially larger), you're going to introduce all sorts
of issues that are _very_hard_ to debug.  It's more than just
simple routing table issues, but more complex inefficiencies like
ARP tables, onto detrimental issues with ARP mappings, as well as
various vendor and 802.1 protocol features that hit their timeout/
TTL thresholds (this is very _commonplace_, but _poorly_ understood).
I'd go into all the details, but it gets really complex (enough to
fill several books).

Which brings me to calling a NAT device a "router."  NAT devices
aren't really routers -- NAT complements routing, and port forwarding
itself isn't really routing on its own.  Again, I'd go into all the
details, but it gets really complex.  You should subnet, and firewall
between those subnets as necessary, but don't NAT.  It's not only
redundant, but it's asking for ARP inefficiency and, in many cases,
flat out network breakage in many configurations.

So, in a nutshell, if you can _avoid_ adding more devices, and doing
unnecessary NAT (especially on multiple devices -- ouch!), you'll
save yourself a _lot_ of headaches.  NAT devices should be limited
to the _entry_/_exit_ of a LAN.  This includes even when you are
NAT'ing inside of a network.  Inside of your network, use "real"
routers and/or packet state (firewalling) devices.

You don't need to NAT to firewall.  In other words, you should not
NAT just to firewall.  NAT'ing is _not_ firewalling. It's something
that has its application, but is far too "canned" into a solution
for SOHO (small office, home office) networks.  On SMB (small to
medium business) systems, you need to think things through.

I'm willing to help anyone on-list/off-list via e-mail for free.
Or I'm more than willing to help in person (but that's not free ;-).

-- Bryan J. Smith, CCDP (not that it means anything ;-)


-- 
     Linux Enthusiasts call me anti-Linux.
   Windows Enthusiasts call me anti-Microsoft.
 They both must be correct because I have over a
decade of experience with both in mission critical
environments, resulting in a bigotry dedicated to
 mitigating risk and focusing on technologies ...
           not products or vendors
--------------------------------------------------
Bryan J. Smith, E.I.         b.j.smith at ieee.org
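The zone policy the post describes (ORANGE/guests may reach RED/Internet but not GREEN/LAN, GREEN may reach everything, NAT only at the RED edge, plus the one printer exception Kenneth asked about) written out as plain iptables rules. This is an added illustration, not IPCop's own rule set or anything from the post; the interface names, the printer address 192.0.2.10 and the printer ports are assumptions, and the script only echoes the commands unless DRY_RUN=0.

```shell
#!/bin/sh
# Constructed example of an IPCop-style three-zone forwarding policy.
# Assumed interfaces: GREEN = office LAN, ORANGE = conference/guest area, RED = Internet.
GREEN_IF=${GREEN_IF:-eth0}
ORANGE_IF=${ORANGE_IF:-eth1}
RED_IF=${RED_IF:-eth2}
# Hypothetical office printer that guests are allowed to reach (IPP and raw JetDirect ports).
PRINTER=${PRINTER:-192.0.2.10}

# Print each rule instead of applying it unless DRY_RUN=0 (applying needs root).
ipt() {
  if [ "${DRY_RUN:-1}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

zone_rules() {
  ipt -P FORWARD DROP                                   # deny between zones by default
  ipt -F FORWARD
  # Stateful firewalling: replies to already-permitted flows may cross any zone boundary.
  ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # GREEN (LAN) may initiate connections anywhere, including into ORANGE.
  ipt -A FORWARD -i "$GREEN_IF" -j ACCEPT
  # ORANGE (guests) may only initiate toward RED (Internet) ...
  ipt -A FORWARD -i "$ORANGE_IF" -o "$RED_IF" -j ACCEPT
  # ... plus the single printer exception, limited to the printing ports.
  ipt -A FORWARD -i "$ORANGE_IF" -o "$GREEN_IF" -d "$PRINTER" -p tcp -m multiport --dports 631,9100 -j ACCEPT
  # RED->ORANGE, RED->GREEN and any other ORANGE->GREEN traffic fall through to the DROP policy.
  # NAT happens once, at the LAN's entry/exit toward RED, never between the internal zones.
  ipt -t nat -A POSTROUTING -o "$RED_IF" -j MASQUERADE
}

zone_rules
```

Run it with DRY_RUN=1 (the default) to review the generated rules before applying them on the firewall host.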
