Jump to content

This is the support site for Andrews & Arnold Ltd, a UK Internet provider. Information on these pages is generally for our customers but may be useful to others, enjoy!

Router - TG582N - Mixed NAT: Difference between revisions

← Older edit
Content deleted Content added
AA-Andrew (talk | contribs)
autoreview, Bureaucrats, editor, Interface administrators, reviewer, Administrators
12,616 edits
No edit summary
Reedy (talk | contribs)
editor
706 edits
clean up
 
(15 intermediate revisions by 2 users not shown)
Line 1: Line 1:
[[Image:T582-small.png|link=:Category:Router TG582N|Got to Main TG582N Page]]
This is how to configure a technicolor gateway with two subnets on its

local network such that one gets translated and the other does
This is how to configure a Technicolor gateway with two subnets on its
not. This configuration is not recommended, far better to use a real
local network such that one subnet gets its addresses translated by NAT and the other
subnet does not get NATed. Or, looking at it differently, adding a subnet of (e.g.)
RFC1918 addresses which will be NATed on a router with an existing routeable IP block setup.

Mixed NAT is not recommended, far better to use a real
router made out of FireBrick, BSD or Linux that gives proper control of things
router made out of FireBrick, BSD or Linux that gives proper control of things
on an address level rather than on an interface.
on an address level rather than on an interface level.


Firstly, you need to put a public address on the ethernet interface.
Firstly, you need to put a public address on the Ethernet interface.
Supposing you have been assigned 192.0.2.0/24 as your public network,
Supposing you have been assigned 192.0.2.0/24 as your public network,


Line 23: Line 28:
to NAT things on its "Internet" interface. There is no way to undo
to NAT things on its "Internet" interface. There is no way to undo
this as such, and preserve the ability to NAT the non-routeable
this as such, and preserve the ability to NAT the non-routeable
addresses. The workaround is to add some strange NAT rules that
addresses. The workaround is to add some strange ''transparent'' NAT
rules:
actually do nothing:


{Administrator}=>:nat mapadd intf=Internet type=nat outside_addr=192.0.2.2 inside_addr=192.0.2.2
{Administrator}=>:nat mapadd intf=Internet type=nat outside_addr=192.0.2.2 inside_addr=192.0.2.2


Now the host at 192.0.2.2 won't have its address translated. Or rather
Now the host at 192.0.2.2 won't have its address translated. Or rather
it will, but it will get translated to the same thing. A rule like
it will, but it will get translated to exactly the same address. A rule like
this needs to be added for each of the public addresses that have been
this needs to be added for each of the public addresses that have been
assigned. Thankfully these days only small blocks are obtainable.
assigned. Thankfully these days only small blocks are obtainable.
''[Actually according to an application note it is possible to specify address ranges, e.g.''
:nat mapadd intf=Internet type=nat outside_addr=192.0.2.[2-6] inside_addr=192.0.2.[2-6]
''but your author doesn't have enough routeable addresses to check that this works.]''


== Firewalling ==
There is still a problem, however, if you want to allow unfettered

access inbound to that address -- it will get caught by the stateful
There is a problem, however, if you want to allow unfettered access inbound
to the routeable address(es) -- it will get caught by the stateful
firewall. Again there appears to be no way to selectively disable the
firewall. Again there appears to be no way to selectively disable the
keeping of state, so it must be turned off globally:
keeping of state, so it must be turned off globally:
Line 51: Line 61:
because in this configuration the router cannot be relied upon to be
because in this configuration the router cannot be relied upon to be
of any help for security.
of any help for security.

== Changing the outside address used by NAT ==

By default NAT will use the PPP assigned IPv4 address as the outside
address. It might be preferred to use one of the public IP addresses
as the outside address instead, this can be achieved by entering

:nat mapadd intf=Internet type=napt outside_addr=192.0.2.42

If you want to get clever, it's possible to add an ''access_list''
parameter to restrict the mapping to specified inside addresses,
so you could NAT some inside address blocks to one outside address, and
others to a different outside address. And even add a ''foreign_addr''
parameter to only use this mapping for a range of destination addresses.

Note that when PPP IPCP comes up it automatically adds an entry like
:nat mapadd intf=Internet type=napt outside_addr=<my_ppp_addr> weight=50
to the end of the NAT map - see
:nat maplist expand=enabled
but any entries made by the user will take priority.

Note also that specifying the outside address means that the outside address
used will not be that of any PPP link in use by the router. So, for example, if you have
a fallback to a 3G USB modem setup and the fallback takes place then you will
perhaps be sending packets with a source address of one of your AAISP addresses
rather than an auto-assigned address from your 3G provider. If your 3G is
AAISP's Broadband Backup product you'll be OK though.

==Other pages regarding this router==
<ncl style=bullet maxdepth=5 headings=bullet headstart=2 showcats=1 showarts=1 showfirst=1>Category:Router TG582N</ncl>


[[Category:Router TG582N|Mixed]]
Retrieved from "http://support.aa.net.uk/Router_-_TG582N_-_Mixed_NAT"