rivimey

join:2012-05-24

Setup P661H-D1 for public/8 net with 2 interior NATs

Hi,

I have been assigned by my ISP a /8 public network, of which I have been using 1 IP, with the P661H** router in SUA mode. The router port is connected to a linux box running shorewall.

I would like to modify the config so that the whole /8 network passes through the router and is visible on its ethernet ports, and particularly so that the gateway can NAT two of the IPs independently:

The netblock is: ...192 to ...199

I'd like to assign, as an example:
..193 as the router itself (web and telnet) config
..194 as the external interface of the linux/shorewall box
..195 as a NAT-able external IP, translating to 192.168.32.0/24
..196 as a NAT-able external IP, translating to 192.168.0.0/24

I'm happy for the NAT-ing to be done by shorewall on the linux gateway, so for example:

My idea is that external IPs sent to ..195 and ..196 are sent to 194 as a next-hop, which can then use the difference to NAT and route these internally as appropriate. Or I can add a new physical interface for shorewall, though I don't think it helps.

Anyway. I can't for the life of me work out how to actually achieve this. Can anyone help?

Ruth

P661H: features: 1 Lan IP + 2 IP aliases. Multiple static routing table entries. Bridged & routed mode. NAT in SUA or Full mode. 4 Lan ports, 1 DSL WAN port (no console).


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:11
Reviews:
·TekSavvy DSL
·Bell Fibe

1 edit
I don't exactly understand what you're trying to do, but you can try two things.

1) Switch the P661H from SUA mode to FULL FEATURED mode and try to configure it to your liking.

or

2) Change the P661H to transparent bridge (basically you'll downgrade it to modem only) and terminate your PPPoE on your Shorewall and do all the configurations to your liking there.

rivimey

join:2012-05-24
reply to rivimey
Thanks for the reply. To answer the "what I'm trying to do": it is complicated, because it comes in 2 parts. Right now, I am working on replacing the existing gateway's OS, moving from Fedora 13 to Ubuntu Server 12. Because there's a lot to get right, I wanted to make the new system as a VM, test it out using other VMs in a virtual net, and once happy then make it non-virtual. I am also switching the local IPs from 192.168.0.0 to 192.168.32.0 to avoid various conflicts I've seen with other networks. However, this process needs internet (but not local net) access, and because the whole local net is NATed, VM internet DNS doesn't work (there can only be one server and it's not the VM). "Use the non-VM DNS," I hear you say: well I would, but that doesn't work, because it doesn't know about the .0 to .32 change and returns incorrect IPs.

I was hoping that I could set up the router using its own NAT, so as to effectively have two independent networks connected only at the DSL router. I said it was complicated...

The longer term reason is that I would like to be able to make better use of my IP block, for example to host a webserver, and so I am not at all unhappy about making this work, even if the current reason is only for a short time.

My research had pulled up the options you suggested, but I hadn't been able to fill in the detail as to how to do either; the Zyxel docs on Full Feature NAT are unhelpful to me, and when I tried something, I locked myself out of the router.

I did come across the Bridging option but I'd prefer to keep the router doing its dialup thing if I can, though I don't mind moving the NAT elsewhere. Again, I've no experience with PPPoE setups...

Regards, Ruth


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:11
Reviews:
·TekSavvy DSL
·Bell Fibe
I really doubt that ISP gave you /8 net block, it's more likely you've got /29 (which is 255.255.255.248)
Your subnet ID is x.x.x.192
Your broadcast is x.x.x.199
And you have 6 usable IPs from .193 - .198

Back to topic, you have to switch to full featured NAT and create multiple 1-M (one to many) or 1-1 (one to one) rules. Keep in mind rules are evaluated from top to bottom (same applies for firewall rules). As a last rule you need to have the Server rule.
Check the manual or built-in help for details.

JPedroT

join:2005-02-18
kudos:1
reply to rivimey
I would go with the bridge solution, since it's just plain old easier.
Bridge the ZyXEL, set up your shorewall to do PPPoE (it's just a username and password anyway) and do the NAT stuff on the shorewall.
--
"Perl is executable line noise, Python is executable pseudo-code."


leibold
Premium,MVM
join:2002-07-09
Sunnyvale, CA
kudos:10
Reviews:
·SONIC.NET
reply to Brano
said by Brano:

I really doubt that ISP gave you /8 net block, it's more likely you've got /29 (which is 255.255.255.248)
Your subnet ID is x.x.x.192
Your broadcast is x.x.x.199
And you have 6 usable IPs from .193 - .198

You are certainly correct that it is a /29 block that was assigned but that block may either be routed or bridged.

Some ISPs route the IP block, which means that you only have 5 truly usable addresses since you need one of them for the router/gateway address.
However, other ISPs bridge a small block of IP addresses out of a larger block to a customer. In those cases all 8 IP addresses are usable and the netmask is not a /29 but something larger (typically a /24). The router/gateway address and broadcast address are outside of the customer-assigned block in those cases.
I have had static IP blocks of both kinds before, my current assignment is bridged static (8 usable addresses in a /24 block). The OP did not provide enough details to know for sure what he has.

Back on topic:
I'm not sure how much of what you want to do can be done with the P661 router. I'm especially uncertain on being able to use the dsl router for two separate NAT tables and two separate LAN dhcp servers. I would bridge the DSL connection to the linux box where there is almost no limit to what you can do with the network connections.
--
Got some spare cpu cycles ? Join Team Helix or Team Starfire!
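As an added example (not code from the thread or from any poster), the following Python script works through the subnet arithmetic in Brano's and leibold's replies: the ..192 to ..199 block is a /29, giving 6 assignable addresses (5 behind the customer's router) when routed, or all 8 when bridged out of a larger ISP subnet. The 203.0.113.0/24 prefix is a constructed stand-in for the real ISP prefix, and the /24 parent for the bridged case is an assumption taken from leibold's "typically a /24".

```python
import ipaddress

# Constructed sample: the OP's ".192 to .199" block placed under the
# documentation prefix 203.0.113.0/24, standing in for the unknown ISP prefix.
FIRST = ipaddress.IPv4Address("203.0.113.192")
LAST = ipaddress.IPv4Address("203.0.113.199")
# The OP's intended assignments, keyed by address (roles are free text).
OP_PLAN = {
    "203.0.113.193": "router (P661H web/telnet)",
    "203.0.113.194": "shorewall external interface",
    "203.0.113.195": "SNAT address for 192.168.32.0/24",
    "203.0.113.196": "SNAT address for 192.168.0.0/24",
}

def prefix_for_range(first, last):
    """Smallest CIDR prefix length that exactly covers first..last."""
    size = int(last) - int(first) + 1
    if size & (size - 1) or int(first) % size:
        raise ValueError("not an aligned power-of-two block")
    return 33 - size.bit_length()

def describe_block(first, last, mode, parent_prefix=24):
    """Work out which addresses the customer may assign.

    routed:  the block is its own subnet; its network and broadcast addresses
             are lost and one of the rest goes to the customer's own router.
    bridged: the block is a slice of a larger ISP subnet (assumed /24); gateway
             and broadcast lie outside the block, so all of it is assignable.
    """
    prefix = prefix_for_range(first, last)
    if mode == "routed":
        net = ipaddress.ip_network(f"{first}/{prefix}")
        assignable = [str(h) for h in net.hosts()]
        behind_router = len(assignable) - 1  # the router itself takes one
    elif mode == "bridged":
        net = ipaddress.ip_network(f"{first}/{parent_prefix}", strict=False)
        assignable = [str(ipaddress.IPv4Address(a))
                      for a in range(int(first), int(last) + 1)]
        behind_router = len(assignable)  # bridged modem consumes no address
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return {"network": str(net), "netmask": str(net.netmask),
            "assignable": assignable, "behind_router": behind_router}

def check_plan(plan, first, last, mode):
    """Return the planned addresses that are not assignable in this mode."""
    assignable = describe_block(first, last, mode)["assignable"]
    return sorted(a for a in plan if a not in assignable)
```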