
MrMazda86

join:2013-01-29
Kitchener, ON

Disable NAT on Vonage V-Portal

I was wondering if someone here could give me a little assistance with accomplishing my mission. Currently, my ISP (TekSavvy) has issued me 7 IP Addresses. One is for the PPPoE link to establish the internet connection, and the other 6 are for use on the internet as my assigned static IP addresses.

The problem here is that in order to use these IP addresses in a manner that is accessible from the public facing internet, you must disable NAT. I have the SSH login information to be able to do this, however what I don't have and cannot seem to find is the command or commands that are needed in order to accomplish this.

The service works fine as it is now, however it would be a lot more helpful to me to be able to not have to reserve one of those 6 IP addresses for my Vonage adapter, just to have to hook the last computer on the network into the LAN port. It would be easier to hook the Vonage V-Portal directly to the modem so that it can piggyback off of the separate IP address from the PPPoE link, thus connecting directly to the internet, while at the same time, allowing the throughput of my network to be broadcast in a manner that is public-facing.

Any help that anyone could give me on how to do this would be greatly appreciated.

Thanks!



NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage

3 edits

On the assumption that your "modem" is actually a DSL router, what you describe should work with no problems if you just set up your Vonage ATA to use DHCP and allow your "modem" to assign it a private IP address. Under those conditions, the Vonage ATA will get a NAT connection through the "modem", and the rest of your network will be free to use the static IP addresses that are earmarked for your use. I have done that with AT&T DSL service, and with Comcast cable service with no problems.

However, the number of IP addresses you describe is not typical for a routed IP address block, so perhaps TekSavvy is doing something non-standard (such as allowing multiple PPPoE sessions, each with a different IP address). A typical way for an ISP to assign a block of static IP addresses is to use a CIDR block. For example: 12.34.56.0/29 which would provide for a network address (12.34.56.0), 5 user addresses (12.34.56.1 - 12.34.56.5), an address for the "modem" (12.34.56.6), and a broadcast address (12.34.56.7). There would also be a totally separate WAN IP address for the "modem", that is often dynamic (instead of static), and can be supplied via DHCP or PPPoE. If that is actually what you have, then allowing the modem to assign your Vonage ATA a private IP address using DHCP should work, and the Vonage ATA should get a NAT connection that uses the "modem's" (probably dynamic) PPPoE WAN IP address (worst case...the Vonage ATA would get a NAT connection that shared the "modem's" static IP address depending on how the "modem" handled providing private DHCP IP addresses to its LAN).

If you want specific instructions that are reasonably guaranteed to work (instead of a generic guess), you will need to supply some specific information about what equipment is being used, how TekSavvy is actually assigning your static IP addresses, and how your modem/router is configured.
--
A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed.

When governments fear people, there is liberty. When the people fear the government, there is tyranny.
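
The /29 layout from the post above and the address shortage this thread is about, worked through as an added example that is not part of any post. The device names, the private range 192.168.1.0/24 and the `gateway_last` switch are assumptions made for illustration.

```python
import ipaddress


def block_layout(cidr, gateway_last=True):
    """Split a routed block into network, gateway, assignable hosts, broadcast.

    gateway_last=True matches the 12.34.56.0/29 example in the post (router on
    the last host address); False puts the router on the first host address.
    """
    net = ipaddress.ip_network(cidr)
    hosts = list(net.hosts())
    gateway = hosts[-1] if gateway_last else hosts[0]
    return {
        "network": str(net.network_address),
        "gateway": str(gateway),
        "assignable": [str(h) for h in hosts if h != gateway],
        "broadcast": str(net.broadcast_address),
    }


def plan(cidr, devices, private_cidr="192.168.1.0/24", gateway_last=True):
    """Hand out addresses in order; return (assigned, unplaced).

    devices is a list of (name, wants_public). Devices that do not need a
    public address get one from private_cidr, i.e. they sit behind NAT on the
    router. This assumes the router can serve NAT/DHCP alongside the routed
    block, which is device dependent.
    """
    layout = block_layout(cidr, gateway_last)
    public = iter(layout["assignable"])
    private = iter(ipaddress.ip_network(private_cidr).hosts())
    next(private)  # assumption: first private host is the router's LAN side
    assigned, unplaced = {}, []
    for name, wants_public in devices:
        if not wants_public:
            assigned[name] = str(next(private))
            continue
        addr = next(public, None)
        if addr is None:
            unplaced.append(name)  # block exhausted
        else:
            assigned[name] = addr
    return assigned, unplaced


# Constructed device lists modelled on the thread: five PCs plus the ATA.
ATA_ON_PUBLIC = [("pc1", True), ("pc2", True), ("pc3", True), ("pc4", True),
                 ("v-portal", True), ("pc5", True)]
ATA_BEHIND_NAT = [("pc1", True), ("pc2", True), ("pc3", True), ("pc4", True),
                  ("v-portal", False), ("pc5", True)]

if __name__ == "__main__":
    print(block_layout("12.34.56.0/29"))
    for label, devices in (("ATA on a public address", ATA_ON_PUBLIC),
                           ("ATA behind NAT", ATA_BEHIND_NAT)):
        assigned, unplaced = plan("12.34.56.0/29", devices)
        print(label, assigned, "unplaced:", unplaced)
```
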


MrMazda86


Therein lies the problem. The modem itself does allow for this, however if you read my original post, what you would see is that I want to bridge the modem to have it serve only as means of allowing the PPPoE passthrough because of the way the house is set up. There are 5 usable IP Addresses and 5 computers. The problem is that I have the Vonage adapter on ONE of these IP addresses, but would rather have it establish the PPPoE connection so that I can link all 5 of the computers together on the LAN. This is currently not possible with the NAT enabled on the Vonage V-Portal.

This is why I want to disable NAT on the Vonage V-Portal so that the V-Portal would still have its direct connection to the internet using the IP Address for the PPPoE link, while leaving the 5 other IP Addresses accessible to the internet.

As I said, what I need to do is DISABLE THE NAT on the Vonage V-Portal in order to accomplish this. I have the SSH login to do this, but have not been able to stumble on the actual command to disable NAT. Without doing so, I would only be able to expose the IP address for the PPPoE link, effectively rendering the other IP addresses as useless.

As for assigning the IP Address through DHCP using the modem, this again will NOT work because it would leave me in the same boat that I'm in currently where I have one of the 5 usable IP addresses, reserved for the Vonage V-Portal, thereby not allowing me to directly connect all 5 computers. I think what you're doing is trying to guess at what I want to do, rather than actually fully reading my post. I thought I was very clear to specify that the ONLY way in which to accomplish the task of setting up the Vonage V-Portal to establish the PPPoE connection and allow the 5 IP addresses with the ability to be directly exposed to the internet is to disable the NAT.... THAT is what I'm trying to do.

The only difference between your suggestion and what I'm doing currently is that I would use DHCP to assign the same bloody IP address to the Vonage V-Portal that it already currently has assigned to it as a static IP. Besides, the flaw to DHCP is that when you have *STATIC* IP addresses to assign to your devices, using DHCP would only make those *DYNAMIC* across the network, which defeats the whole purpose of a STATIC IP address.



NetFixer

I don't know of any way to have the Vonage box behave as a simple bridge device. If your ISP is assigning all five of your public static IP addresses via a different PPPoE session instead of using a CIDR block, then what you want to do is not possible (unless you can purchase another static IP address from your ISP). Perhaps that is not what you are describing, but that is what I interpret from your last post. It would help to know exactly what kind of "modem" you are using and how it is configured, but lacking that information, all I can do is try to interpret your somewhat conflicting description of your connection.

The closest you can come to achieving your goal (assuming that you really do have to have a separate PPPoE session for each device), would be to have the Vonage box be a PPPoE client, and put the PC behind it into the Vonage box's DMZ. That should allow bidirectional interaction to/from the Internet from the PC behind the Vonage box (it will still be NAT, but the effects should be minimized).


MrMazda86


The problem is the Siemens SpeedTouch 516 is the only device that establishes a PPPoE connection, as it will only allow for one connection. It then has the NAT disabled and is assigned the first IP address in the block. The modem's one and only LAN port is then plugged directly into a switch with 4 of the 5 computers attached to it. The Vonage V-Portal also has its WAN port connected to the switch, with the 5th computer plugged into the V-Portal's LAN port. The more "juicy" details of the configuration can be found in this forum thread.

If I had the command to use in the SSH terminal to disable the V-Portal's NAT, I could then switch the modem over to bridge mode and wire it directly to the V-Portal's WAN port. From there, the V-Portal would establish the PPPoE session, thus allowing me to use the 76.10.xxx.xxx IP address and assign the 173.xxx.xxx.225 address to the V-Portal's LAN connection, thereby allowing me to plug the V-Portal's LAN port and the computer that once plugged into it into the switch and assign the 173.xxx.xxx.230 IP address to the 5th computer. In this configuration, all devices would be able to be acknowledged as being directly connected, without the need for an additional IP address.

I'm hoping there is a way to do this and that it's just a matter of digging deep enough to do it, but it seems Vonage doesn't seem to have much support for anything to do with the SSH sessions with the V-Portal, which seems a little unusual.



NetFixer

OK, that clarifies things a bit. It seems that your ISP is indeed using a traditional CIDR IP address assignment instead of using individual PPPoE sessions (as you previously seemed to be saying).

Is the switch behind the SpeedTouch 516 only a 5 port switch? If that is the case, you may want to just get an 8 port switch, or cascade another 5 port switch. I have set up many CIDR block static IP circuits, and unless your SpeedTouch 516 is really brain dead, you should be able to do public static IP assignments for the PCs that you want to be publicly exposed, and just allow the SpeedTouch 516 to do a NAT DHCP assignment to the Vonage box. I have done this on multiple occasions, and it has always worked for me (but I have never tried it with a SpeedTouch 516, so certainly, YMMV).

One thing I am pretty sure of is that Vonage is not going to give you the root authentication for your Vonage box to allow you SSH access (and that is not unusual at all; they have never officially allowed customer SSH access to their ATA boxes). And even if they did, and you could disable NAT inside the Vonage box, I am pretty sure that the Vonage box would then require that its VoIP controller would need one IP address, and any connected devices would have to have a separate IP address. I have worked with ATAs that could be set up as bridge devices, and also with IP phones that were bridge devices, and that was always how they worked.


garys_2k
Premium
join:2004-05-07
Farmington, MI
Reviews:
·Callcentric
·callwithus
reply to MrMazda86

Someone once posted a direct phone number for Vonage's tier 2 support people, hosted in NJ instead of overseas. Searching ought to bring that up. Possibly these more technically inclined can help you by remotely setting up your box as a pass through device. I agree that the odds of your getting root access to it from Vonage are about zero.


MrMazda86


Strangely enough, it was pretty easy to get it from them. From what I've been able to find though, they allege that turning off DHCP will disable NAT as well, however this is not the case.

As for the SpeedTouch 516, once NAT is disabled, you cannot use only one device with NAT, while the others are directly exposed unfortunately. This modem just does NOT permit for this kind of thing unfortunately.

This kind of frustrates me actually because it seems that I cannot set up my Vonage device in the only configuration that will work to save me from having to either get additional IP addresses, or otherwise make changes that I don't want to have to make. What I also don't understand is why Vonage doesn't provide an easy way of doing this.

As for the switch, it's a 16-port switch. Prior to switching to TekSavvy, I was with Bell without a static IP, which allowed me to establish an individual PPPoE session for each system, but I can't do that in this configuration. This is reeeeeally beginning to frustrate me because it seems there's no way to do a lot of things with Vonage equipment.

(EDIT: I just spoke with Vonage and it seems that either their staff don't know what the hell they're talking about, or it's impossible to disable the NAT on a Vonage adapter, therefore making it 100% useless for what I need, thereby requiring an additional expense on my part to make my service work with all 5 computers on the same network. I'm seriously not happy about this. It seems to me that it's nothing more than Vonage's way of trying to be cheap and save money.)


MrMazda86

reply to garys_2k

said by garys_2k:

Someone once posted a direct phone number for Vonage's tier 2 support people, hosted in NJ instead of overseas. Searching ought to bring that up. Possibly these more technically inclined can help you by remotely setting up your box as a pass through device. I agree that the odds of your getting root access to it from Vonage are about zero.

You mean this one? --> 732-528-2600

garys_2k
reply to MrMazda86

Probably 90%+ of their customers have a single public IP and use DHCP-served NAT for anything but one connection. Your use is definitely outside of their operating bounds.

Would you consider using a provider that won't force you to use proprietary hardware? What you want to do would be entirely straightforward for just about any standard SIP provider, using either an ATA with analog phones, SIP phones or a PBX.

I think that phone number is the right one for advanced support, yes.


MrMazda86


There's nothing "proprietary" about my provider. Every DSL provider within Canada uses the same method of subnetting an IP address block for direct exposure to the internet through one modem the same way. You can use *any* DSL modem and *any* router (including the ones built into the modem, depending on the modem and your intended configuration).

The problem is that I have 5 different computers, a /29 subnet (which only comes with 6 IPs, 1 of which must be assigned to the routing device on the LAN side). Currently, only 4 of the computers are hooked to the switch that the modem feeds into. The 5th one had to be hooked into the V-Portal's LAN port, thus assigning the 6th IP address to the V-Portal, not the computer.

If Vonage supported a way of being able to disable the NAT function like just about any other ordinary router (except most D-Link models), I could plug the V-Portal's WAN port into the modem, then plug its LAN port (and all 5 computers) into the switch. With the modem in bridge mode, I could bypass it completely by establishing the PPPoE link with the V-Portal, then assigning the 173.xxx.xxx.225 address to the V-Portal on the LAN side, which would mean the V-Portal is connected directly with the PPPoE link, and effectively, the other 5 IP addresses would act as though directly exposed to the internet, without the need for port forwarding.

(EDIT: I forgot to mention.... In the UNITED STATES, all DSL connections establish their link to the internet over PPPoA, which is handled by the modem. If anything, PPPoA is the "proprietary" system, because it creates even bigger headaches when doing any kind of networking, which only imposes FORCED firewalls and blockades, which can only inhibit traffic, unless specifically configured. With PPPoE, the link is established directly to the device, which allows you to bridge the modem, then either use a separate device such as a computer or router to establish the link to the internet. This also allows for connection on demand, which has its perks also.)



NetFixer

said by MrMazda86:

(EDIT: I forgot to mention.... In the UNITED STATES, all DSL connections establish their link to the internet over PPPoA, which is handled by the modem...

That is not a factual statement. The two DSL providers that I have used (and done work for) in the past 10 years (AT&T and Covad) supported (and recommended) using PPPoE. Both did also support PPPoA, but it was not the preferred method (and it was not the default method used by the DSL routers that they supplied). AT&T has in fact stopped allowing the use of PPPoA in many of their locations that still use ATM based DSLAMs. AT&T has also replaced both PPPoA and PPPoE for their U-verse branded DSL with certificate based DHCP.

garys_2k
reply to MrMazda86

said by MrMazda86:

If Vonage supported a way of being able to disable the NAT function like just about any other ordinary router (except most D-Link models), I could plug the V-Portal's WAN port into the modem, then plug its LAN port (and all 5 computers) into the switch. With the modem in bridge mode, I could bypass it completely by establishing the PPPoE link with the V-Portal, then assigning the 173.xxx.xxx.225 address to the V-Portal on the LAN side, which would mean the V-Portal is connected directly with the PPPoE link, and effectively, the other 5 IP addresses would act as though directly exposed to the internet, without the need for port forwarding.

The "proprietary" part I meant was the Vonage box, not your IP service. If you used a different VSP then you could use off the shelf, open, routing/ATA hardware. Vonage locks its boxes, as you've seen. Most other providers do not.

MrMazda86


Ah... From a technological point of view, locking your devices solely to your network is definitely a means of trying to force your own crap down the throats of the users, generally for making sure that Ali Babba Shaqua Shouvez in Bangladesh can follow everything through because it's a "standard". The great thing about "standards" is that there's so many to choose from.

The only gripe I have with such a proprietary network locking (which is no different than network locking a cell phone really) is that they do it in such a way that it creates issues such as this where such a standard impedes on the ability to support such standard things. It's kind of aggravating really.



NetFixer
reply to MrMazda86

I just made some network infrastructure changes on my network by putting each of my two servers behind a Vonage box so that I would have a "hardware" firewall in front of them. One of my Vonage boxes is a VDV23 which is similar to your VPortal device, but the other is an older Cisco/Linksys RTP300. The RTP300 does have the ability to turn off the NAT/Firewall.

Shown below is a screen shot showing where I can turn off the NAT/Firewall in the RTP300 and a diagram of my current network.







In case it is not clear in the above network diagram, each of the server boxes has two NICs; one connects to my LAN, and the other (the VLAN2 and VLAN3 interfaces) connects through a Vonage "firewall" box to the Internet. With this configuration, both of my servers have bidirectional connectivity with the Internet, and each shares the public IP address used by their respective Vonage "firewall" box. Yes, they both use NAT, but they work nonetheless (even inbound VPN works), and externally they use the public IP address that is assigned to their respective Vonage "firewall" box.

If I disable the NAT/Firewall in the RTP300, the RTP300 does not act as a transparent bridge; instead it becomes a standalone ATA with no LAN/WAN pass through in either direction. The server behind it is offline if the NAT/Firewall is disabled in the RTP300. I was pretty sure that this was how it worked even before I tried it this time, but I wanted to be sure before publicly posting a vague memory from previous testing as a fact. I suspect that even if you can find a Vonage tech willing to disable NAT in your Vonage VPortal box, it would also simply act as a standalone ATA instead of a transparent bridge.

MrMazda86


That all depends on how your provider forwards things to make the different IP addresses work. With NAT disabled, the PPPoE link gets established from the Vonage ATA, which then allows it direct connectivity while effectively using it as a hopping point to be able to directly expose the LAN IP as an internet IP. This is pretty common with a subnet.



NetFixer

said by MrMazda86:

That all depends on how your provider forwards things to make the different IP addresses work. With NAT disabled, the PPPoE link gets established from the Vonage ATA, which then allows it direct connectivity while effectively using it as a hopping point to be able to directly expose the LAN IP as an internet IP. This is pretty common with a subnet.

It has nothing to do with subnetting or anything else that the internet service provider controls. It has to do with what a Vonage ATA/router does when you disable NAT on its WAN interface. I have tried this now with two different Vonage ATA/routers (a Cisco/Linksys RTP300 and a Motorola VT2442) and neither one of them bridged the public IP address to their LAN interface. Instead, they simply became standalone ATA devices with no bridge or router passthrough for IP traffic.

The only way either of those devices would allow LAN/WAN communication was with NAT/Router functions enabled. In that mode, if you enable DMZ for a single device on their LAN, that device is directly visible to the Internet (currently both my Linux and Windows servers operate behind their respective Vonage ATA/router boxes with no problems whatsoever). Yes, that uses NAT, but I don't think you are going to be able to get around that if you continue to use Vonage and try to share a single public IP address with both the Vonage ATA/router and a PC connected behind it. Vonage is a "do it our way" company; if you want a "do it your way" company you are going to have to look somewhere else for your VoIP service.

As for the Vonage box establishing the PPPoE connection, I thought that you said that your DSL router had to do that, and then the devices behind it would directly use the public IP addresses that your ISP provided to you and that you set up in that router's config. And FWIW, I have done PPPoE from Vonage boxes in the past, and the public IP address in that mode is assigned to the Vonage box's WAN; it is not passed through to its LAN (or to devices connected to its LAN).

However, if we are back to you being able to do multiple PPPoE sessions for multiple devices, then you may be able to get away with using the PPPoE PassThrough mode in the Vonage box. My VDV23 supports PPPoE PassThrough, and I am pretty sure that the Vonage Vportal box does it too. That is something that I have never tried with a Vonage box because the older Vonage ATA/routers I have used did not support it, and my current ISP uses DHCP instead of PPPoE.

said by VDV23 :

PPPoE PassThrough

Allows PCs connected to your LAN to use the PPPoE client software provided by your ISP to connect to a PPPoE server on the Internet. By enabling PPPoE PassThrough you allow multiple users, each with their own PPP user name and password, to share your DSL connection.




MrMazda86


I think that's where you're not understanding the setup... The modem currently establishes the PPPoE link with NAT disabled so that I can create my LAN using the static subnet that I have been issued. Effectively, the IP address (public IP) that gets assigned to the PPPoE link remains "invisible", while the IP addresses on the LAN are what show up as the IP address from which I am connecting.

If I were to use the V-Portal to establish the PPPoE link, I would then bridge the modem because with the way it is set up, you are limited to only ONE PPPoE link because there is only ONE IP address for which it will be assigned.

As for not allowing the pass through of IP traffic, that is not entirely the case. When NAT is disabled, there is nothing to translate the IP address, as to make the public IP visible to the outside, while making the switch back and forth between the LAN and WAN IP. When NAT is disabled, no such translation is made, so if your established LAN IP addresses are not routed by your provider to your static public IP, the result that you will end up with will appear to be a useless device connection. If the proper routing is in place by your provider however, your LAN IP addresses will be the ones to appear as though they are connecting to the internet directly, which bypasses the need for any such port forwarding.

This is the whole reason why most routers enforce NAT because it's the only way to allow a change in the IP address. Without it as I mentioned, there is no translation of the IP address, which leaves you with a situation where the traffic cannot be processed through the device because the IP address that is showing as the origin is not a routable IP address. In such a case where NAT is disabled, the IP address for the PPPoE connection becomes a "hop" point for which relays the traffic, without the need to translate the address.

This is actually a common and pretty standard method of networking actually.

Also, while I'm on that note, I can tell you from experience that establishing multiple PPPoE links through the same modem is a GREAT way to lead to network instability and reliability issues, especially when more than one user is doing anything that requires any amount of traffic because it allows for the line to much more easily (and quickly) get congested. Aside from that, there's also an issue that will rear its ugly head under higher traffic loads where latency will become RIDICULOUS as compared to only establishing a single PPPoE link, which in a lot of cases will also result in random (and frustrating I assure you) packet loss. I can confirm this for fact from having done this for a number of years before switching to the setup that I'm currently on.

As well, if you don't have a subnet established with the routing in place, normally, disabling NAT on any routing device (be it a Vonage Adapter or otherwise) will produce the illusion of not being able to route any connectivity through the device. This is also a pretty standard thing with every single routing device of any kind that I have ever worked with. The routing tables and such must be in place to allow the LAN subnet to be directly exposed. In most cases, NAT is needed because most users don't have a subnet in which is already established to be able to do this and have it work. That's where the problem will lay.



NetFixer

I understand how routed subnets work; the problem is that you seem to keep changing your story about how your network is configured. The subject of doing the PPPoE on the Vonage box was brought up by you, not by me. I only offered you a possible solution if you indeed could get multiple PPPoE sessions from your ISP (which some ISPs do allow...AT&T for example allows this for business class accounts).

What I have tried to explain to you is that what you want to do with your Vonage Vportal box is not going to work because my testing shows me that the Vonage firmware will not allow it to work. You can choose to believe that or not.