Router - TG582N - Mixed NAT: Difference between revisions

From AAISP Support Site
No edit summary
(Document how to change the outside address used by NAT)
Line 1: Line 1:
[[Image:T582-small.png|link=:Category:Router_TG582N|Got to Main TG582N Page]]
[[Image:T582-small.png|link=:Category:Router_TG582N|Got to Main TG582N Page]]


This is how to configure a technicolor gateway with two subnets on its
This is how to configure a Technicolor gateway with two subnets on its
local network such that one gets translated and the other does
local network such that one gets translated and the other does
not. This configuration is not recommended, far better to use a real
not. This configuration is not recommended, far better to use a real
Line 7: Line 7:
on an address level rather than on an interface.
on an address level rather than on an interface.


Firstly, you need to put a public address on the ethernet interface.
Firstly, you need to put a public address on the Ethernet interface.
Supposing you have been assigned 192.0.2.0/24 as your public network,
Supposing you have been assigned 192.0.2.0/24 as your public network,


Line 25: Line 25:
to NAT things on its "Internet" interface. There is no way to undo
to NAT things on its "Internet" interface. There is no way to undo
this as such, and preserve the ability to NAT the non-routeable
this as such, and preserve the ability to NAT the non-routeable
addresses. The workaround is to add some strange NAT rules that
addresses. The workaround is to add some strange ''transparent'' NAT
rules:
actually do nothing:


{Administrator}=>:nat mapadd intf=Internet type=nat outside_addr=192.0.2.2 inside_addr=192.0.2.2
{Administrator}=>:nat mapadd intf=Internet type=nat outside_addr=192.0.2.2 inside_addr=192.0.2.2


Now the host at 192.0.2.2 won't have its address translated. Or rather
Now the host at 192.0.2.2 won't have its address translated. Or rather
it will, but it will get translated to the same thing. A rule like
it will, but it will get translated to exactly the same address. A rule like
this needs to be added for each of the public addresses that have been
this needs to be added for each of the public addresses that have been
assigned. Thankfully these days only small blocks are obtainable.
assigned. Thankfully these days only small blocks are obtainable.
Line 54: Line 54:
of any help for security.
of any help for security.


== Changing the outside address used by NAT ==

By default NAT will use the PPP assigned IPv4 address as the outside
address. It might be preferred to use one of the public IP addresses
as the outside address instead, this can be achieved by entering

:nat mapadd intf=Internet type=napt outside_addr=192.0.2.42

If you want to get clever, it's possible to add an ''access_list''
parameter to restrict the mapping to specified inside addresses,
so you could NAT some inside address blocks to one outside address, and
others to a different outside address.


==Other pages regarding this router:==
==Other pages regarding this router:==

Revision as of 15:58, 18 January 2015

Got to Main TG582N Page

This is how to configure a Technicolor gateway with two subnets on its local network such that one gets translated and the other does not. This configuration is not recommended, far better to use a real router made out of FireBrick, BSD or Linux that gives proper control of things on an address level rather than on an interface.

Firstly, you need to put a public address on the Ethernet interface. Supposing you have been assigned 192.0.2.0/24 as your public network,

   {Administrator}=>:ip ipadd intf=LocalNetwork addr=192.0.2.1/24 
   {Administrator}=>:ip iplist
   Flags legend: [P]referred  primar[Y]     [R]oute    [H]ost route  d[E]precated  [I]nvalid
                 [T]entative  d[U]plicated  [A]nycast  auto[C]onf    [D]ynamic     [O]perational
               Prefix Interface        Type           Flags              Remote IP
               ------ ---------        ----           -----              ---------
         192.0.2.1/24 LocalNetwork     Ethernet       ..RH.......O                
       192.168.1.1/24 LocalNetwork     Ethernet       ..RH.......O                
          81.x.x.x/32 Internet         Serial         ..RH......DO       81.y.y.y
         127.0.0.1/32 loop             Internal       ...H......DO                

Now this is enough to have hosts in the public network reachable internally. But there is a problem. The router thinks that it ought to NAT things on its "Internet" interface. There is no way to undo this as such, and preserve the ability to NAT the non-routeable addresses. The workaround is to add some strange transparent NAT rules:

   {Administrator}=>:nat mapadd intf=Internet type=nat outside_addr=192.0.2.2 inside_addr=192.0.2.2

Now the host at 192.0.2.2 won't have its address translated. Or rather it will, but it will get translated to exactly the same address. A rule like this needs to be added for each of the public addresses that have been assigned. Thankfully these days only small blocks are obtainable.

There is still a problem, however, if you want to allow unfettered access inbound to that address -- it will get caught by the stateful firewall. Again there appears to be no way to selectively disable the keeping of state, so it must be turned off globally:

   {Administrator}=>:firewall state=disable

This actually turns off *all* packet filtering so caveat emptor. Enough state is nevertheless kept that NAT for the hosts on non-routeable addresses to still be able to reach the Internet. So both classes of host now work, those completely exposed on a public address, and those on private addresses that work as before, though without a firewall in front of them.

Very important to make sure that any hosts on the network are all properly patched, run their own local packet filters, and so forth because in this configuration the router cannot be relied upon to be of any help for security.

Changing the outside address used by NAT

By default NAT will use the PPP assigned IPv4 address as the outside address. It might be preferred to use one of the public IP addresses as the outside address instead, this can be achieved by entering

:nat mapadd intf=Internet type=napt outside_addr=192.0.2.42

If you want to get clever, it's possible to add an access_list parameter to restrict the mapping to specified inside addresses, so you could NAT some inside address blocks to one outside address, and others to a different outside address.

Other pages regarding this router:

<ncl style=bullet maxdepth=5 headings=bullet headstart=2 showcats=1 showarts=1 showfirst=1>Category:Router TG582N</ncl>