Router - TG582N - Mixed NAT: Difference between revisions
No edit summary |
(clean up) |
||
(10 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
[[Image:T582-small.png]] |
[[Image:T582-small.png|link=:Category:Router TG582N|Got to Main TG582N Page]] |
||
⚫ | |||
⚫ | |||
subnet does not get NATed. Or, looking at it differently, adding a subnet of (e.g.) |
|||
RFC1918 addresses which will be NATed on a router with an existing routeable IP block setup. |
|||
⚫ | |||
⚫ | |||
⚫ | |||
⚫ | |||
router made out of FireBrick, BSD or Linux that gives proper control of things |
router made out of FireBrick, BSD or Linux that gives proper control of things |
||
on an address level rather than on an interface. |
on an address level rather than on an interface level. |
||
Firstly, you need to put a public address on the |
Firstly, you need to put a public address on the Ethernet interface. |
||
Supposing you have been assigned 192.0.2.0/24 as your public network, |
Supposing you have been assigned 192.0.2.0/24 as your public network, |
||
Line 26: | Line 28: | ||
to NAT things on its "Internet" interface. There is no way to undo |
to NAT things on its "Internet" interface. There is no way to undo |
||
this as such, and preserve the ability to NAT the non-routeable |
this as such, and preserve the ability to NAT the non-routeable |
||
addresses. The workaround is to add some strange NAT |
addresses. The workaround is to add some strange ''transparent'' NAT |
||
rules: |
|||
actually do nothing: |
|||
{Administrator}=>:nat mapadd intf=Internet type=nat outside_addr=192.0.2.2 inside_addr=192.0.2.2 |
{Administrator}=>:nat mapadd intf=Internet type=nat outside_addr=192.0.2.2 inside_addr=192.0.2.2 |
||
Now the host at 192.0.2.2 won't have its address translated. Or rather |
Now the host at 192.0.2.2 won't have its address translated. Or rather |
||
it will, but it will get translated to the same |
it will, but it will get translated to exactly the same address. A rule like |
||
this needs to be added for each of the public addresses that have been |
this needs to be added for each of the public addresses that have been |
||
assigned. Thankfully these days only small blocks are obtainable. |
assigned. Thankfully these days only small blocks are obtainable. |
||
''[Actually according to an application note it is possible to specify address ranges, e.g.'' |
|||
:nat mapadd intf=Internet type=nat outside_addr=192.0.2.[2-6] inside_addr=192.0.2.[2-6] |
|||
''but your author doesn't have enough routeable addresses to check that this works.]'' |
|||
== Firewalling == |
|||
⚫ | |||
⚫ | |||
⚫ | |||
⚫ | |||
firewall. Again there appears to be no way to selectively disable the |
firewall. Again there appears to be no way to selectively disable the |
||
keeping of state, so it must be turned off globally: |
keeping of state, so it must be turned off globally: |
||
Line 55: | Line 62: | ||
of any help for security. |
of any help for security. |
||
== Changing the outside address used by NAT == |
|||
⚫ | |||
[[Category:Router]] |
|||
By default NAT will use the PPP assigned IPv4 address as the outside |
|||
address. It might be preferred to use one of the public IP addresses |
|||
as the outside address instead, this can be achieved by entering |
|||
:nat mapadd intf=Internet type=napt outside_addr=192.0.2.42 |
|||
If you want to get clever, it's possible to add an ''access_list'' |
|||
parameter to restrict the mapping to specified inside addresses, |
|||
so you could NAT some inside address blocks to one outside address, and |
|||
others to a different outside address. And even add a ''foreign_addr'' |
|||
parameter to only use this mapping for a range of destination addresses. |
|||
Note that when PPP IPCP comes up it automatically adds an entry like |
|||
:nat mapadd intf=Internet type=napt outside_addr=<my_ppp_addr> weight=50 |
|||
to the end of the NAT map - see |
|||
:nat maplist expand=enabled |
|||
but any entries made by the user will take priority. |
|||
Note also that specifying the outside address means that the outside address |
|||
used will not be that of any PPP link in use by the router. So, for example, if you have |
|||
a fallback to a 3G USB modem setup and the fallback takes place then you will |
|||
perhaps be sending packets with a source address of one of your AAISP addresses |
|||
rather than an auto-assigned address from your 3G provider. If your 3G is |
|||
AAISP's Broadband Backup product you'll be OK though. |
|||
==Other pages regarding this router== |
|||
<ncl style=bullet maxdepth=5 headings=bullet headstart=2 showcats=1 showarts=1 showfirst=1>Category:Router TG582N</ncl> |
|||
⚫ |
Latest revision as of 00:03, 18 August 2018
This is how to configure a Technicolor gateway with two subnets on its local network such that one subnet gets its addresses translated by NAT and the other subnet does not get NATed. Or, looking at it differently, adding a subnet of (e.g.) RFC1918 addresses which will be NATed on a router with an existing routeable IP block setup.
Mixed NAT is not recommended, far better to use a real router made out of FireBrick, BSD or Linux that gives proper control of things on an address level rather than on an interface level.
Firstly, you need to put a public address on the Ethernet interface. Supposing you have been assigned 192.0.2.0/24 as your public network,
{Administrator}=>:ip ipadd intf=LocalNetwork addr=192.0.2.1/24 {Administrator}=>:ip iplist Flags legend: [P]referred primar[Y] [R]oute [H]ost route d[E]precated [I]nvalid [T]entative d[U]plicated [A]nycast auto[C]onf [D]ynamic [O]perational Prefix Interface Type Flags Remote IP ------ --------- ---- ----- --------- 192.0.2.1/24 LocalNetwork Ethernet ..RH.......O 192.168.1.1/24 LocalNetwork Ethernet ..RH.......O 81.x.x.x/32 Internet Serial ..RH......DO 81.y.y.y 127.0.0.1/32 loop Internal ...H......DO
Now this is enough to have hosts in the public network reachable internally. But there is a problem. The router thinks that it ought to NAT things on its "Internet" interface. There is no way to undo this as such, and preserve the ability to NAT the non-routeable addresses. The workaround is to add some strange transparent NAT rules:
{Administrator}=>:nat mapadd intf=Internet type=nat outside_addr=192.0.2.2 inside_addr=192.0.2.2
Now the host at 192.0.2.2 won't have its address translated. Or rather it will, but it will get translated to exactly the same address. A rule like this needs to be added for each of the public addresses that have been assigned. Thankfully these days only small blocks are obtainable. [Actually according to an application note it is possible to specify address ranges, e.g.
:nat mapadd intf=Internet type=nat outside_addr=192.0.2.[2-6] inside_addr=192.0.2.[2-6]
but your author doesn't have enough routeable addresses to check that this works.]
Firewalling
There is a problem, however, if you want to allow unfettered access inbound to the routeable address(es) -- it will get caught by the stateful firewall. Again there appears to be no way to selectively disable the keeping of state, so it must be turned off globally:
{Administrator}=>:firewall state=disable
This actually turns off *all* packet filtering so caveat emptor. Enough state is nevertheless kept that NAT for the hosts on non-routeable addresses to still be able to reach the Internet. So both classes of host now work, those completely exposed on a public address, and those on private addresses that work as before, though without a firewall in front of them.
Very important to make sure that any hosts on the network are all properly patched, run their own local packet filters, and so forth because in this configuration the router cannot be relied upon to be of any help for security.
Changing the outside address used by NAT
By default NAT will use the PPP assigned IPv4 address as the outside address. It might be preferred to use one of the public IP addresses as the outside address instead, this can be achieved by entering
:nat mapadd intf=Internet type=napt outside_addr=192.0.2.42
If you want to get clever, it's possible to add an access_list parameter to restrict the mapping to specified inside addresses, so you could NAT some inside address blocks to one outside address, and others to a different outside address. And even add a foreign_addr parameter to only use this mapping for a range of destination addresses.
Note that when PPP IPCP comes up it automatically adds an entry like
:nat mapadd intf=Internet type=napt outside_addr=<my_ppp_addr> weight=50
to the end of the NAT map - see
:nat maplist expand=enabled
but any entries made by the user will take priority.
Note also that specifying the outside address means that the outside address used will not be that of any PPP link in use by the router. So, for example, if you have a fallback to a 3G USB modem setup and the fallback takes place then you will perhaps be sending packets with a source address of one of your AAISP addresses rather than an auto-assigned address from your 3G provider. If your 3G is AAISP's Broadband Backup product you'll be OK though.
Other pages regarding this router
<ncl style=bullet maxdepth=5 headings=bullet headstart=2 showcats=1 showarts=1 showfirst=1>Category:Router TG582N</ncl>