Anonymizing With Nat - D-Link NetDefend DFL-210 User Manual

7.1. NAT
Chapter 7. Address Translation
ISP using PPTP. The traffic is directed to the anonymizing service provider where a D-Link
Firewall is installed to act as the PPTP server for the client, terminating the PPTP tunnel. This
arrangement is illustrated in the diagram below.
Figure 7.2. Anonymizing with NAT
NetDefendOS is set up with NAT rules in the IP rule set so it takes communication traffic coming
from the client and NATs it back out onto the Internet. Communication with the client is with the
PPTP protocol but the PPTP tunnel from the client terminates at the firewall. When this traffic is
relayed between the firewall and the Internet, it is no longer encapsulated by PPTP.
When an application, such as a web server, now receives requests from the client it appears as
though they are coming from the anonymizing service provider's external IP address and not the
client's IP. The application therefore sends its responses back to the firewall which relays the traffic
back to the client through the PPTP tunnel. The original IP address of the client is not revealed in
traffic as it is relayed beyond the termination of the PPTP tunnel at the NetDefendOS.
Typically, all traffic passes through the same physical interface and that interface has a single public
IP address. Multiple interfaces could be used if multiple public IP addresses are available. There is
clearly a small processing overhead involved with anonymizing traffic but this need not be an issue
if sufficient hardware resources are employed to perform the anonymizing.
This same technique can also be used with L2TP instead of PPTP connections. Both protocols are
discussed further in Section 9.5.4, "PPTP/L2TP Clients".
287