Local Address proxy and managed NAT

Source: Internet
Author: User

The questions about local address proxies and NAT hosting in this article are somewhat suspicious, and some are incomprehensible. One simple, basic principle clears up the confusion: the address on the Internet port of your egress router is not assigned to you; only the addresses behind that router's intranet port are assigned to you. Anyone familiar with Linux NAT and MASQUERADE may find this puzzling. The reason is obvious: the NAT that MASQUERADE performs is not real NAT, it is just an address proxy. That sounds incredible, and the incredible part is that everyone uses this kind of NAT, because it is convenient.

As shown in the figure (not reproduced here): who do you think addr1 is? Is it an address the carrier assigns to the enterprise router, or the carrier's own address? If the router is deployed at the Internet edge, the answer is the former; if the router is deployed inside the enterprise, the answer may be the latter. Consider the first case. If the carrier allocates an address block addrX/maskX to the enterprise, addrX/maskX should be configured as a secondary IP/mask on the interface that holds addr2 in the figure; addr1 then exists only to satisfy addressing. If the router is a Linux router with a MASQUERADE rule, the source address of every packet it sends out is rewritten to addr1, yet from the point of view of management and every other real control, addr1 is not a source address that should appear at all. To say it again: addr1 exists only for addressing and does not represent access by any customer. For the convenience of carrier management, the carrier usually allocates addr1 purely for addressing, and the block actually allocated to the enterprise is configured on the interface that carries addr2.

So in many cases the intranet port of the enterprise egress router carries two addresses: one is the intranet address, and the second is an address out of the block the carrier allocated to the enterprise. When an intranet packet goes out, its source address is translated to an address chosen from the pool formed by that carrier-allocated block. The average enterprise intranet administrator or R&D engineer does not see it this way. They believe the block the carrier allocated sits on the port holding addr1; in effect they think of the router only as a proxy that acts on behalf of all intranet users and picks its own Internet address, addr1, as the source. That is a misunderstanding. The address on the addr1 side is needed only for addressing, which is convenient for the carrier: to reach a customer's network it only needs to configure a next hop, and that next hop is the Internet-port address of each enterprise's egress router. That is how real Internet routing works. I don't know when someone stretched NAT into a proxy, and MASQUERADE on Linux followed. Although I put it that way, this is not a lament; MASQUERADE is a specific application with its own uses.

NAT requires a pool. The address of the router performing the NAT need not be in that pool. The router's intranet port is configured with two addresses: the intranet address, and one address from the carrier-allocated CIDR block that is kept out of the pool. Note that the carrier-allocated CIDR block is not configured on the router's Internet port. If you have used Cisco devices, `ip nat inside` and `ip nat outside` explain all of this. If you never have and have only indulged in Linux, better late than never.
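As an added example, not code from the original post, here is how the two styles of translation the post contrasts look on a Linux egress router, with the Cisco equivalent of the pool variant in comments. Every interface name and address below is an assumption standing in for the figure's addr1, addr2 and addrX/maskX, taken from the RFC 5737 documentation ranges; the script emits the commands instead of running them so the rule set can be reviewed (or piped to sh on the router).

```shell
#!/bin/sh
# Added example (not from the original post). Assumed topology, in the
# figure's terms:
WAN_IF="eth0"                    # Internet port
ADDR1="198.51.100.2/30"          # addr1: carrier link address, exists only as the next hop
LAN_IF="eth1"                    # intranet port
ADDR2="192.168.10.1/24"          # addr2: private intranet address
INTRANET="192.168.10.0/24"
BLOCK="203.0.113.0/28"           # addrX/maskX: block the carrier routes to ADDR1
BLOCK_IF_ADDR="203.0.113.1/28"   # one block address, secondary on LAN_IF, kept out of the pool
POOL="203.0.113.2-203.0.113.14"  # the remaining block addresses form the NAT pool

# Print the commands for one of the two NAT styles: "masquerade" or "pool".
nat_rules() {
    mode="$1"
    echo "ip addr add $ADDR1 dev $WAN_IF"
    echo "ip addr add $ADDR2 dev $LAN_IF"
    echo "sysctl -w net.ipv4.ip_forward=1"
    case "$mode" in
    masquerade)
        # Every intranet flow leaves as ADDR1, the address the carrier lent the
        # router for addressing. The router stands in for its clients like a
        # proxy, remote logs show ADDR1, and MASQUERADE forgets all of its
        # connections whenever WAN_IF goes down.
        echo "iptables -t nat -A POSTROUTING -s $INTRANET -o $WAN_IF -j MASQUERADE"
        ;;
    pool)
        # The carrier's block is configured on the intranet side, never on WAN_IF.
        echo "ip addr add $BLOCK_IF_ADDR dev $LAN_IF"
        # Flows are translated to pool addresses the router does not own;
        # replies still arrive because the carrier routes BLOCK with ADDR1 as
        # next hop. --persistent keeps one client on one pool address.
        echo "iptables -t nat -A POSTROUTING -s $INTRANET -o $WAN_IF -j SNAT --to-source $POOL --persistent"
        # Cisco IOS equivalent of this branch (assumed interface names):
        #   interface GigabitEthernet0/0
        #    ip address 198.51.100.2 255.255.255.252
        #    ip nat outside
        #   interface GigabitEthernet0/1
        #    ip address 192.168.10.1 255.255.255.0
        #    ip address 203.0.113.1 255.255.255.240 secondary
        #    ip nat inside
        #   ip nat pool ENT 203.0.113.2 203.0.113.14 netmask 255.255.255.240
        #   access-list 10 permit 192.168.10.0 0.0.0.255
        #   ip nat inside source list 10 pool ENT
        ;;
    *)
        echo "usage: nat_rules masquerade|pool" >&2
        return 1
        ;;
    esac
}

# Audit a rule listing for the misunderstanding described above: the carrier's
# block configured on the Internet port. Returns 0 when the block stays off WAN_IF.
block_not_on_wan() {
    ! printf '%s\n' "$1" | grep -q "^ip addr add ${BLOCK%.*}\..* dev ${WAN_IF}\$"
}

echo "# address-proxy style"
nat_rules masquerade
echo "# pool NAT style"
nat_rules pool
block_not_on_wan "$(nat_rules pool)" && echo "# ok: carrier block is not on $WAN_IF"
```

On the live router, `iptables -t nat -L POSTROUTING -v -n` shows which rule is in force and `conntrack -L` shows the translated source of each flow; if the pool variant's replies never come back, the missing piece is almost always the carrier's static route for the block pointing at addr1, not anything on the router.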
