
I have a proprietary web filtering device which also functions as a NAT router. One of its interfaces has a public IP and another interface has a private IP. All local clients connect to the interface with the private IP and they get an IP address via DHCP. I do not know how to do QoS on the web filtering router. So I want to add a Linux box on which I can do QoS. At the same time I want to retain the web filtering device as it is. The only possible way to achieve this is to do double NATing: I will connect one interface of the Linux box to the LAN interface of the web filtering device, and all my local clients will connect to the second interface of the Linux box. So my question is, is double NATing efficient? Or is there another setup to achieve this?

nixnotwin

1 Answer


I think double NATing is not efficient; moreover, you could do the trick. Assume that the local IP of your web filtering device is 192.168.1.1 and that IP is the default gateway on your clients. You could change it to 192.168.1.254 and set 192.168.1.1 on your Linux box.

On the Linux box you just set 192.168.1.254 as the default gateway. So there is no need for NAT on the Linux box at all. And you could apply a QoS policy as you want without needing any changes on the clients.

As is

local_clients(192.168.1.0/24) <-----> (192.168.1.1)web filtering device <-----> ISP

As would be

local_clients(192.168.1.0/24) <-----> (192.168.1.1) linux box(192.168.2.1) <---->(192.168.2.2) web filtering device <-----> ISP

On the Linux box you would need 2 network cards, or you can use VLANs if your network equipment supports 802.1Q.

ALex_hha
  • In this setup the packets that get sent from the local clients would go via the Linux box. But the packets that come from the internet would be directly sent by the web filtering device to the local clients. – nixnotwin Jul 22 '13 at 03:34
  • I have updated the scheme with a little modification – ALex_hha Jul 22 '13 at 05:28
  • I was able to implement your solution. I had to add a static route for 192.168.1.0/24 subnet in the filtering device. Also I had to do SNAT for 192.168.1.0/24 subnet. It works well. – nixnotwin Jul 24 '13 at 15:07
  • Glad to hear it. But why are you using SNAT, as I understand on the linux box? – ALex_hha Jul 24 '13 at 15:27
  • I'm using SNAT on the filtering device and not on the Linux box. Linux box just does routing. I should do SNAT for the 192.168.1.0/24 on the filtering device because the network is not directly available to the filtering device. – nixnotwin Jul 25 '13 at 03:27
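The configuration the answer and the follow-up comments describe, written out as an added example (this is not code from the answer or from the original poster): the Linux box becomes a plain router between the clients and the filtering device, with no nat table rules of its own, and traffic shaping is applied with tc on its egress interfaces. The interface names eth0/eth1, the link rates, and the choice of DNS and SSH as high-priority traffic are assumptions; the addresses follow the answer's second diagram (192.168.1.1 and 192.168.2.1 on the Linux box, 192.168.2.2 on the filtering device). Without an argument the script only prints the commands; run it as root with `--apply` to execute them. The filtering device still needs, as the asker found, a static route for 192.168.1.0/24 via 192.168.2.1 and SNAT for that subnet, since the return path from the Internet must come back through the Linux box for shaping to see both directions.

```shell
#!/bin/sh
# Inline Linux router between the clients and the web filtering device.
# Routing only (no NAT) plus HTB shaping on both egress legs.
# Added example: interface names, rates and port choices are assumptions.

LAN_IF=${LAN_IF:-eth0}              # assumed: leg towards the clients, 192.168.1.1/24
WAN_IF=${WAN_IF:-eth1}              # assumed: leg towards the filtering device, 192.168.2.1/24
LAN_ADDR=192.168.1.1/24
WAN_ADDR=192.168.2.1/24
FILTER_GW=192.168.2.2               # LAN-side address of the filtering device (answer's diagram)
UPLINK_KBIT=${UPLINK_KBIT:-10000}   # assumed ISP upload rate to shape to
DOWNLINK_KBIT=${DOWNLINK_KBIT:-50000}  # assumed ISP download rate to shape to

DRY_RUN=${DRY_RUN:-1}               # print commands unless started with --apply

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Addresses, forwarding and a single default route: the box is a plain router.
# The FORWARD chain only passes traffic between the two legs; there are no
# nat table rules, because SNAT stays on the filtering device.
routing_cmds() {
    run ip addr replace "$LAN_ADDR" dev "$LAN_IF"
    run ip addr replace "$WAN_ADDR" dev "$WAN_IF"
    run ip link set "$LAN_IF" up
    run ip link set "$WAN_IF" up
    run sysctl -w net.ipv4.ip_forward=1
    run ip route replace default via "$FILTER_GW" dev "$WAN_IF"
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# HTB shaper for one egress interface: class 1:10 gets a guaranteed quarter of
# the link with top priority, class 1:20 (the default) the remaining three
# quarters; both may borrow up to the full rate. Applied to WAN_IF this shapes
# upload, applied to LAN_IF it shapes download as delivered to the clients.
shaper_cmds() {
    ifc=$1
    rate=$2
    run tc qdisc del dev "$ifc" root 2>/dev/null || true
    run tc qdisc add dev "$ifc" root handle 1: htb default 20
    run tc class add dev "$ifc" parent 1: classid 1:1 htb rate "${rate}kbit" ceil "${rate}kbit"
    run tc class add dev "$ifc" parent 1:1 classid 1:10 htb \
        rate "$((rate / 4))kbit" ceil "${rate}kbit" prio 0
    run tc class add dev "$ifc" parent 1:1 classid 1:20 htb \
        rate "$((rate * 3 / 4))kbit" ceil "${rate}kbit" prio 1
    # Assumed policy: DNS and SSH are interactive and go to 1:10; the u32
    # "ip dport" match assumes IP headers without options.
    run tc filter add dev "$ifc" parent 1: protocol ip prio 1 u32 \
        match ip dport 53 0xffff flowid 1:10
    run tc filter add dev "$ifc" parent 1: protocol ip prio 1 u32 \
        match ip dport 22 0xffff flowid 1:10
    run tc qdisc add dev "$ifc" parent 1:10 handle 10: fq_codel
    run tc qdisc add dev "$ifc" parent 1:20 handle 20: fq_codel
}

main() {
    if [ "${1:-}" = "--apply" ]; then DRY_RUN=0; fi
    routing_cmds
    shaper_cmds "$WAN_IF" "$UPLINK_KBIT"      # upload: egress towards the filter
    shaper_cmds "$LAN_IF" "$DOWNLINK_KBIT"    # download: egress towards the clients
}

main "$@"
```

Shaping is always done on egress, which is why the download policy is attached to the client-facing interface rather than to an ingress qdisc. The FORWARD policy is deliberately DROP with an explicit allow for each direction so that the Linux box cannot be used to reach the filtering device's LAN leg from anything other than established client sessions.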