Originally Posted by Logik!
Address translation will allow you to share one or more
IPs for all of your systems to connect to the Internet
(or another network). This can be done with hardware or
software, as appropriate.
According to RFC 1918, the following addresses are
available for private networks:
172.16.x.x - 172.31.x.x
For all of the scenarios in this document (including the
linked PDF file below), we'll work with the 192.168.99.0
The basic diagram of a network using Network Address
Translation (NAT) is as follows:
In the above scenario, the addresses can be statically
mapped, or assigned by DHCP (my preference), with the
gateway of the internal systems set to 192.168.99.1.
The Gateway machine (GATE1), which contains two network
interfaces, should NOT have a Default Gateway configured
on the 192.168.99.x interface. There should only be a
single Default Gateway, and it should be configured on
the external network interface (provided by the ISP).
This is true whether the ISP-provided IP address is
statically, or DHCP-assigned.
NOTE: The Gateway machine (or device) listed above, can
be a server or desktop running NAT/Proxy/Firewall
software, or it can be a Broadband Router, or it
can be a Firewall/VPN applicance. In any event,
it will need to have at least two distinct network
interfaces, for proper security and operation.
In the event that a Windows-based machine is being used
to provide Internet gateway services, NetBIOS should be
unbound from the public NIC (see the SECURITY section
for more details) and a firewall should be installed on
the gateway system (preferably with robust packet
filtering or stateful packet inspection, if possible).
TCP Ports 135-139 should be not be permitted to traverse
your router/firewall/gateway, unless you have some sort
of bizarre deathwish.
If you're running DNS on the gateway system, all of the
internal clients should point to it using the INTERNAL
address of the gateway system. The gateway system can
configure its DNS server as a forwarder to the ISP's
DNS servers, or any other legitimate DNS servers that
you have access to.
The systems in the diagram can be connected with a Hub
or a Switch, as you desire, but these days, the price
of a low-end, unmanaged Switch is far too low to pass
up, especially considering the performance advantage
you will gain over a Hub (reduced collisions). Also,
many broadband routers come with switch ports, thus
eliminating the need for a separate switch.
NOTE: NAT is only the first level of security. It should
not be the *only* level of security deployed on