#1  
December 18th, 2011, 11:38 AM
w4nnw
NAT not working with subnets

I have the following setup (all wired connections, wireless radios are turned off):

Subnet 1 --> Router --> Subnet 2 --> WNDR4000 --> Cable modem --> Internet

IP addresses are:
Subnet 1: 10.0.0.0/24
Router: 10.0.0.1/10.1.0.1
Subnet 2: 10.1.0.0/24
WNDR4000: 10.1.0.2/public IP assigned by ISP

Any system connected to Subnet 2 can access the Internet just fine. Systems in Subnet 1, however, cannot access the Internet.

I took an Ethernet trace between the WNDR4000 and the cable modem and noticed that the NAT function seems to be broken. In any case, the WNDR4000 forwards packets with source addresses of 10.0.0.x to the Internet. Obviously, this doesn't work as the recipient wouldn't know where to return the answer to.

My question is:
What do I need to configure so that the WNDR4000 nats source addresses from private subnets behind another router?

Any pointers would be greatly appreciated.

Regards,
Walt
  #2  
December 18th, 2011, 06:56 PM
jmizoguchi
Re: NAT not working with subnets

You're just doing simple double NAT, so you should be able to hit the internet.
  #3  
December 18th, 2011, 09:57 PM
w4nnw
Re: NAT not working with subnets

Except, of course, that all Netgear router documentation warns against using double NAT and strongly suggests switching the cable router to modem mode.

Now, what's the difference if I NAT before the WNDR4000 instead of after it?

Apart from that, yes, it does work. I obviously had to use this configuration or I'd be without an Internet connection. :-( However, this is against all NAT conventions. Why should a NAT device get the idea to forward RFC1918 addresses?

Walt
  #4  
December 19th, 2011, 04:32 AM
fordem (Moderator)
Re: NAT not working with subnets

If I understand what you're saying correctly, it would seem to me that the problem(s) lie in - one, an incorrect expectation of what should happen; two, an incorrect configuration; and three, a poorly chosen network design.

First - as I understand it - you have two routers, with the first one (the "non-WNDR4000" router, labeled 'router' in your diagram) in "classic router" mode and not in "NAT router" mode. You don't state this specifically, but it is the only way that you would (should) be seeing 10.0.0.0/24 traffic at the WNDR4000.

Assuming that to be correct, you, for some reason, expect the WNDR4000 to NAT the 10.0.0.0/24 traffic along with the 10.1.0.0/24 traffic - that is an incorrect expectation - in choosing a 10.1.0.0/24 network range, you explicitly tell the WNDR4000 what traffic you want NATed, and since there is also a default gateway rule telling it to forward all traffic to the default gateway, it forwards the 10.0.0.0/24 traffic - this is normal for consumer grade routers.

You can configure the "non WNDR4000" router to perform NAT and it will translate the 10.0.0.0/24 traffic so that it all appears to come from 10.1.0.1, in which case the WNDR4000 will NAT the traffic, and both subnets will have internet access - the only danger in this is that forwarding unsolicited incoming traffic to the 10.0.0.0/24 network becomes very challenging (not impossible, just very challenging).

Another approach is to completely "flip" your network addressing so that it actually reflects what you're attempting to do - have a network with a subnet - consider this ...

Code:
Subnet 1 --> Router --> Subnet 2 --> WNDR4000 --> Cable modem --> Internet

IP addresses are:
Subnet 1: 10.0.1.0/24
Router: 10.0.1.1/10.0.0.2
Subnet 2: 10.0.0.0/16
WNDR4000: 10.0.0.1/public IP assigned by ISP
I have chosen to use a 10.0.0.0/16 class-b network on the outside, and to subnet that down to a 10.0.1.0/24 class-c network for the inside "network" - in this way, all 10.0.1.0/24 traffic reaching the WNDR4000, should, by virtue of the fact that it is included within the 10.0.0.0/16 network, be NATed by the WNDR4000.

Please note - I haven't actually tested this with a WNDR4000 - however, assuming the WNDR4000 supports a /16 network, it should work. If the WNDR4000 cannot support a /16 network, then you'll need to use a /24 and subnet that as appropriate.
  #5  
December 19th, 2011, 05:42 AM
jmizoguchi
Re: NAT not working with subnets

I don't think these home-end routers will do class B. I remember hearing that they will not take settings other than a class C subnet.
  #6  
December 19th, 2011, 12:13 PM
w4nnw
Re: NAT not working with subnets

Out of curiosity, I reconfigured the Netgear router to a class b subnet. Contrary to June's suspicion, it does work. I didn't test routing but at least the router's web management interface can be accessed.

Router IP was: 10.95.28.1
Client IP was: 10.95.152.81

So, Fordem's suggested solution could possibly work. Except :-)

Let's assume I configure the WNDR4000 to a class b subnet address, say 10.0.0.1/16. It receives, from the ISP, a response to a previously outgoing, nat'ed request, which it "nat's back" and finds that it should be forwarded to, say, 10.0.7.48.

Unfortunately, at that point, it will try to directly send the response to the recipient instead of sending it to the internal router at 10.0.0.2. Class b indicates that both addresses are in the same subnet and don't need to be routed.

The subnetting you describe does work and is used - albeit "on the other side of the incoming" router. :-) It is used to reduce the number of routes that need to be maintained (manually or through a routing protocol). On the inside, which is the lan side of the WNDR4000, smaller subnet masks are in place to ensure correct routing.

In any case, you are absolutely right - I expected something different should happen. Namely, that all packets received on the lan side and addressed to the wan side should be subject to nat'ing, no matter their effective address.

Incidentally, that's what my stone age (15 years old) router does (which I finally have to replace for performance reasons). And I'm pretty sure the same holds true for Linux' iptables.

In my interpretation, it's also what RFC 1631 requires. Quote:
"NAT's basic operation is as follows. The addresses inside a stub domain can be reused by any other stub domain. For instance, a single Class A address could be used by many stub domains."

As the RFC suggests, NAT is performed on the stub border router, translating all outgoing addresses.

Oh well, seems that today's consumer grade routers are actively crippled not to fully comply with the RFC.

If you happen to know one which does and is fast enough for a 100Mbps downlink, I'd appreciate any hints and I'll send back the WNDR4000. In the meantime, I'll probably have to live with double NAT.

Walt
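The three behaviours argued over in posts #4 and #6 (a consumer router that NATs only its own LAN subnet and forwards everything else untranslated, the /16 supernet idea and why the return packet then gets ARPed for instead of routed via the inner router, and the iptables-style "translate everything that came in on the LAN side" policy, plus the two-hop port forward that double NAT forces) can be reproduced in a small model. This is an added example written for this thread, not WNDR4000 firmware or any poster's code; the NAT policies, the static-route capability and the addresses (203.0.113.7 as the ISP address, 10.0.1.20 and 10.0.0.5 as inside hosts) are constructed assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network

# Constructed addresses: public side of the border router and an inside host.
PUBLIC = IPv4Address("203.0.113.7")


@dataclass
class Router:
    lan_net: IPv4Network          # address/mask configured on the LAN side
    wan_addr: IPv4Address         # address packets are translated to
    nat_policy: str               # "lan-subnet-only" or "all-lan-ingress" (assumed labels)
    static_routes: dict = field(default_factory=dict)   # IPv4Network -> next hop
    port_forwards: dict = field(default_factory=dict)   # ext port -> (inside addr, port)
    nat_table: dict = field(default_factory=dict)       # ext port -> (inside addr, port)

    def forward_outbound(self, src, sport):
        """LAN-side packet heading for the Internet: translate or pass through."""
        src = IPv4Address(src)
        if self.nat_policy == "lan-subnet-only":
            do_nat = src in self.lan_net           # consumer behaviour from post #4
        elif self.nat_policy == "all-lan-ingress":
            do_nat = True                          # MASQUERADE-style: source address irrelevant
        else:
            raise ValueError(self.nat_policy)
        if not do_nat:
            # RFC1918 source leaks to the Internet; the reply has nowhere to go.
            return ("forwarded-untranslated", str(src), sport)
        ext_port = 40000 + len(self.nat_table)
        self.nat_table[ext_port] = (src, sport)
        return ("translated", str(self.wan_addr), ext_port)

    def next_hop(self, dst):
        """Longest-prefix match over static routes, else on-link if inside lan_net."""
        dst = IPv4Address(dst)
        best = None
        for net, gw in self.static_routes.items():
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw)
        if best is not None:
            return str(best[1])
        if dst in self.lan_net:
            return str(dst)      # on-link: the router ARPs for the host itself
        return None

    def deliver_inbound(self, ext_port):
        """Packet from the Internet: un-NAT a reply or apply a port forward."""
        if ext_port in self.nat_table:
            inner, _ = self.nat_table[ext_port]
            return ("delivered", str(inner), self.next_hop(inner))
        if ext_port in self.port_forwards:
            inner, iport = self.port_forwards[ext_port]
            return ("dnat", f"{inner}:{iport}", self.next_hop(inner))
        return ("dropped", None, None)


def consumer_slash24():
    """Post #1 setup: WNDR4000 on 10.1.0.0/24 sees a 10.0.0.x source."""
    r = Router(IPv4Network("10.1.0.0/24"), PUBLIC, "lan-subnet-only")
    return r.forward_outbound("10.0.0.5", 51000)


def supernet_slash16(with_route):
    """Post #4 proposal: /16 on the LAN side; post #6 objection about the return path."""
    routes = {IPv4Network("10.0.1.0/24"): IPv4Address("10.0.0.2")} if with_route else {}
    r = Router(IPv4Network("10.0.0.0/16"), PUBLIC, "lan-subnet-only", routes)
    out = r.forward_outbound("10.0.1.20", 51000)
    back = r.deliver_inbound(out[2])
    return out[0], back


def masquerade_all():
    """iptables-style policy with a static route back to the inner subnet."""
    r = Router(IPv4Network("10.1.0.0/24"), PUBLIC, "all-lan-ingress",
               {IPv4Network("10.0.0.0/24"): IPv4Address("10.1.0.1")})
    out = r.forward_outbound("10.0.0.5", 51000)
    back = r.deliver_inbound(out[2])
    return out, back


def double_nat_inbound():
    """Unsolicited inbound through double NAT needs a forward on each router."""
    outer = Router(IPv4Network("10.1.0.0/24"), PUBLIC, "lan-subnet-only",
                   port_forwards={2222: (IPv4Address("10.1.0.1"), 2222)})
    inner = Router(IPv4Network("10.0.0.0/24"), IPv4Address("10.1.0.1"), "lan-subnet-only",
                   port_forwards={2222: (IPv4Address("10.0.0.5"), 22)})
    return outer.deliver_inbound(2222), inner.deliver_inbound(2222)


if __name__ == "__main__":
    print(consumer_slash24())
    print(supernet_slash16(False), supernet_slash16(True))
    print(masquerade_all())
    print(double_nat_inbound())
```

In the /16 scenario the outbound packet is translated, but without a static route the un-NATed reply's next hop is the destination host itself, so the WNDR4000 would ARP for 10.0.1.20 on its LAN segment rather than hand the packet to 10.0.0.2, which is exactly the objection in post #6; the model only works once a 10.0.1.0/24 route via 10.0.0.2 exists, and whether the WNDR4000 accepts such a route is not settled in this thread. The "all-lan-ingress" policy is what a Linux box gets from `iptables -t nat -A POSTROUTING -o <wan-if> -j MASQUERADE` together with an `ip route add 10.0.0.0/24 via 10.1.0.1`.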
  #7  
December 19th, 2011, 12:44 PM
jmizoguchi
Re: NAT not working with subnets

Go to the smallbuildernetwork website; they have a WAN-LAN throughput spec.

Although I think the 4000 should handle over 300 Mbps on WAN, so you should be just fine.
  #8  
December 19th, 2011, 01:40 PM
w4nnw
Re: NAT not working with subnets

I came from there. :-)

Performance-wise, the WNDR4000 certainly fits the bill. Unfortunately, smallnetbuilder.com doesn't test for NAT completeness.

Walt