Not necessarily. But what I am telling you is that whatever goes out NAT gateway A has to come back in through NAT gateway A.
You can build whatever topology you want on either side of that and nothing says B has to be any where near A. Owen > On Jul 5, 2015, at 11:25 , Josh Moore <jmo...@atcnetworks.net> wrote: > > So basically what you are telling me is that the NAT gateway needs to be > centrally aggregated. > > > > > Thanks, > > Joshua Moore > Network Engineer > ATC Broadband > 912.632.3161 > >> On Jul 5, 2015, at 1:29 PM, Owen DeLong <o...@delong.com> wrote: >> >> If you want to keep that, then you’ll need a public backbone network that >> joins all of your NATs and you’ll need to have your NATs use unique exterior >> address pools. >> >> Load balancing a single session across multiple NATs isn’t really possible. >> >> Owne >> >>> On Jul 5, 2015, at 08:11 , Josh Moore <jmo...@atcnetworks.net> wrote: >>> >>> Performing the NAT on the border routers is not a problem. The problem >>> comes into play where the connectivity is not symmetric. Multiple >>> entry/exit points to the Internet and some are load balanced. We'd like to >>> keep that architecture too as it allows for very good protection in an >>> internet link failure scenario and provides BGP best path connectivity. >>> >>> So traffic cones in ISP A might leave ISP B or traffic coming in ISP A may >>> come in ISP B simultaneously. >>> >>> >>> >>> >>> Thanks, >>> >>> Joshua Moore >>> Network Engineer >>> ATC Broadband >>> 912.632.3161 >>> >>>> On Jul 5, 2015, at 10:43 AM, Mel Beckman <m...@beckman.org> wrote: >>>> >>>> WISPs have been good at solving this, as they are often deploying >>>> greenfield networks. They use private IPv4 internally and NAT IPv4 at >>>> multiple exit points. IPv6 is seamlessly redundant, since customers all >>>> receive global /64s; BGP handles failover. If you home multiple upstream >>>> providers on a single NAT gateway hardware stack, redundancy is also >>>> seamless, since your NAT tables are synced across redundant stack members. >>>> If you have separate stacks, or even sites, IPv4 can fail over to an >>>> alternate NAT Border gateway but will lose session contexts, unless you go >>>> to the trouble of syncing the gateways. Most WISPs don't. >>>> >>>> -mel beckman >>>> >>>>> On Jul 5, 2015, at 7:25 AM, Josh Moore <jmo...@atcnetworks.net> wrote: >>>>> >>>>> So the question is: where do you perform the NAT and how can it be >>>>> redundant? >>>>> >>>>> >>>>> >>>>> >>>>> Thanks, >>>>> >>>>> Joshua Moore >>>>> Network Engineer >>>>> ATC Broadband >>>>> 912.632.3161 >>>>> >>>>>> On Jul 5, 2015, at 10:12 AM, Mel Beckman <m...@beckman.org> wrote: >>>>>> >>>>>> Josh, >>>>>> >>>>>> Your job is simple, then. Deliver dual-stack to your customers and if >>>>>> they want IPv6 they need only get an IPv6-enabled firewall. Unless >>>>>> you're also an IT consultant to your customers, your job is done. If you >>>>>> already supply the CPE firewall, then you need only turn on IPv6 for >>>>>> customers who request it. With the right kind of CPE, you can run MPLS >>>>>> or EoIP and deliver public IPv4 /32s to customers willing to pay for >>>>>> them. Otherwise it's private IPv4 and NAT as usual for IPv4 traffic. >>>>>> >>>>>> -mel via cell >>>>>> >>>>>>> On Jul 5, 2015, at 6:57 AM, Josh Moore <jmo...@atcnetworks.net> wrote: >>>>>>> >>>>>>> We are the ISP and I have a /32 :) >>>>>>> >>>>>>> I'm simply looking at the best strategy for migrating my subscribers >>>>>>> off v4 from the perspective of solving the address utilization crisis >>>>>>> while still providing compatibility for those one-off sites and >>>>>>> services that are still on v4. >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> Thanks, >>>>>>> >>>>>>> Joshua Moore >>>>>>> Network Engineer >>>>>>> ATC Broadband >>>>>>> 912.632.3161 >>>>>>> >>>>>>> On Jul 5, 2015, at 9:55 AM, Mel Beckman <m...@beckman.org> wrote: >>>>>>> >>>>>>>>> >>>>>>>>> Josh Moore wrote: >>>>>>>>> >>>>>>>>> Tunnels behind a CPE and 4to6 NAT seem like bandaid fixes as they do >>>>>>>>> not give the benefit of true end to end IPv6 connectivity in the >>>>>>>>> sense of every device has a one to one global address mapping. >>>>>>>> >>>>>>>> No, tunnels do give you one to one global IPv6 address mapping for >>>>>>>> every device. From a testing perspective, a tunnelbroker works just >>>>>>>> as if you had a second IPv6-only ISP. If you're fortunate enough to >>>>>>>> have a dual-stack ISP already, you can forgo tunneling altogether and >>>>>>>> just use an IPv6-capable border firewall. >>>>>>>> >>>>>>>> William Waites wrote: >>>>>>>>> I was helping my >>>>>>>>> friend who likes Apple things connect to the local community >>>>>>>>> network. He wanted to use an Airport as his home gateway rather than >>>>>>>>> the router that we normally use. Turns out these things can *only* do >>>>>>>>> IPv6 with tunnels and cannot do IPv6 on PPPoE. Go figure. So there is >>>>>>>>> not exactly a clear path to native IPv6 for your lab this way. >>>>>>>> >>>>>>>> Nobody is recommending the Apple router as a border firewall. It's >>>>>>>> terrible for that. But it's a ready-to-go tunnelbroker gateway. If >>>>>>>> your ISP can't deliver IPv6, tunneling is the clear path to building a >>>>>>>> lab. If you have a dual-stack ISP already, the clear path is to use an >>>>>>>> IPv6-capable border firewall. >>>>>>>> >>>>>>>> So you are in a maze of non-twisty paths, all alike :) >>