Using 8-block IP with no-NAT router


Hi,

I have a block of 8 IPs. x.y.z.129 is the router address, and x.y.z.130 and so on are useable public IPs.

Our internal network is behind a PC-based firewall so the only PC connected to the router (Netgear DG814) is the firewall PC's external NIC. I have put the 130, 131 etc. addresses on the external NIC.

On the Netgear DG814 router I have disabled NAT, and have the "DMZ" pointing to the 130 address, which is the firewall. If I get a friend (externally) to ping the 130 address all is well, however the other 131, 132 etc. addresses are not responding.

Question: has anyone done anything like this, and if so, how do you get the router to accept multiple addresses?

Thanks

Richard
6 REPLIES
mssystems

Using 8-block IP with no-NAT router

Hi amarsys

With respect, you appear to be misunderstanding how routing and routers work.

The routing function simply moves traffic from one subnet to another. The router looks at the packet's destination address. If it is on the same subnet as the router's internal interface it accepts the packet and forwards it UNALTERED. That is, the destination address embedded in the packet is not changed. Hence your firewall on .130 replies to a ping as its outside interface address matches the destination address in the packet.

The DMZ function of the router allows a host on the inside subnet to masquerade as the router's outside interface. The router ALTERS the destination address of packets addressed to the outside interface (or subnet). That is, it changes the destination address to the configured DMZ address and forwards the packet onto the inside interface. Hence again your firewall may reply to a ping because its outside interface address matches that in the packet.

Note that some routers will disable DMZ and port forwarding when NAT is turned off.

Your problem would appear to be how to get the firewall to ALTER the destination address of inbound packets to match those of hosts on the LAN. Port forwarding or static NAT could achieve it but it depends what your firewall supports.

I am unsure as to what you mean when you say you have added the other public IPs to the firewall. Where did you add the other IPs?

It would help a great deal if you could tell us what the firewall is and what exactly you are trying to achieve.

Regards
Matt
www.mssystems.co.uk

Using 8-block IP with no-NAT router

A few maybe obvious but important Qs for me to understand what you are trying to set up.

- Where did you get the 8 IP block from? Was this assigned by PlusNet or someone else?
- What was the intention of using 8 IP addresses? Why did you think you needed 8 in the first place?
- Are you trying to make all 8 IP addresses route through to your firewall? If so, for what reason?
- Are you connecting to PlusNet ADSL or is this a general enquiry about a local network and how to set it up?
- Does the PC firewall have 2 network cards fitted: one connects to the DG814 and the other connects to your local network to which all the other PCs are connected?
- Are you trying to set up or host a number of domains with each having a separate IP address but resolving to your network?

Cheers

Peter Cool

Using 8-block IP with no-NAT router

Thanks for the comments (correct, I don't understand routers!). Here is some more info in answer to the points you have all made:

The 8 block is allocated by Plus.net. Since we need at least 2 public addresses this is the only way to do it. (The 4 block only has 1 useable external public address).

Our ADSL line is connected to Plus.net.

The firewall PC is running Microsoft ISA Server.

The firewall PC has 2 network cards: the external card connects to the DG814; the internal card connects to our main network hub. All PCs on our LAN use the main hub, and therefore the only connection out is via the firewall.

The x.y.z.130, 131, 132 addresses etc. are bound to the external network card of the firewall PC.

We are a small software house, and we have 2 internal servers which are used for development and testing by our sub-contractors and customers. Each server holds a number of websites and this is why we definitely need TWO internal servers.

What we want to do is to have the x.y.z.130 address and 131 address accessible as public IPs. I should say that traffic on the 130 address *already* gets passed correctly to the firewall and on to the correct internal websites. The problem is that the DG814 does not seem to know about the 131, 132 etc addresses. (Remember that the DG814's own address is .129).

Incidentally, I have seen exactly the same setup on a leased line installation (using ISA Server etc.) so I know this is basically the right way to do it. However that used a Cisco router, whereas we have our nice little DG814!

Regards

Richard

Using 8-block IP with no-NAT router

The Netgear doesn't support multiple WAN IPs, from what I remember, not sure if the situation is different now, but I think you might need a more sophisticated router like the Cisco.
Alec.

Using 8-block IP with no-NAT router

This sounds like a PlusNet routing problem. The fact that the router is .129 and packets for .130 pass through it and the firewall to the server suggests the DG814 can support multiple IP address routing, i.e. pass packets for them through without checking. This means it is routing packets for more than one IP address as it should do.

Can you just confirm the following:

under WAN port and tell me if the Plusnet assigned IP address is x.y.z.129?

What IP address do you have under the LAN port section?

It is possible that PlusNet's routing is not set up correctly and it is only routing packets for .129 and .130 to you.

You need to find out if packets for x.y.z.131 are actually reaching your DG814 router like the .130 packets are, so ask your friend to try the following (tracert is a DOS tool so create a DOS/CMD window):

What does tracert x.y.z.129 give you? It should stop at your DG814

What does tracert x.y.z.130 give you?

What does tracert x.y.z.131 give you?


Try the same for .132 .133 etc

The results for 130 & 131 should be almost identical up to the .129 address - it depends if your PC firewall responds to tracert commands and pings.

If they are not, you need to raise a contact us ticket to get PlusNet to check their routing tables to make sure packets for .131, .132 etc. are routed to you. Include all the tracert output as evidence which will help them solve the problem.

If I knew the IP addresses, I could have proved this for you.

Cheers

Peter Cool

Using 8-block IP with no-NAT router

Surprise surprise. I found that the router was still picking up the old 4-block. In the process of getting all the info you suggested, I updated the router config and all now seems well.

So, for anyone else with a Netgear DG814, it *will* handle multiple WAN IPs when you put it in no-NAT mode.

Thanks for all the suggestions.

Richard
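
An added illustration of the resolution above (not part of any post in this thread): with the router still on a 4-block (/30) instead of the 8-block (/29), .130 is a valid host but .131 becomes the broadcast address and .132 onward fall outside the subnet. It assumes the old 4-block started at the same base address as the new block, and uses the documentation address 203.0.113.129 as a constructed stand-in for x.y.z.129.

```python
import ipaddress

# Constructed stand-in for the thread's elided x.y.z.129 router address
# (203.0.113.0/24 is a documentation range). Assumption: the old 4-block
# began at the same base address as the new 8-block.
ROUTER_IP = "203.0.113.129"


def classify(router_if: str, dest: str) -> str:
    """How a router whose LAN interface is `router_if` (addr/prefix) sees `dest`."""
    iface = ipaddress.ip_interface(router_if)
    net, addr = iface.network, ipaddress.ip_address(dest)
    if addr not in net:
        return "off-subnet"   # not on the LAN side, so not forwarded to the firewall
    if addr == iface.ip:
        return "router"
    if addr == net.network_address:
        return "network"
    if addr == net.broadcast_address:
        return "broadcast"    # reserved, not a deliverable host address
    return "host"             # forwarded unaltered to the LAN side


def usable_hosts(router_if: str) -> list[str]:
    """Addresses in the block left over for hosts once the router has its own."""
    iface = ipaddress.ip_interface(router_if)
    return [str(h) for h in iface.network.hosts() if h != iface.ip]


def compare(router_ip: str, old_prefix: int, new_prefix: int) -> dict[str, tuple[str, str]]:
    """Classify every address of the larger block under both prefix lengths."""
    big = ipaddress.ip_interface(f"{router_ip}/{new_prefix}").network
    return {
        str(a): (classify(f"{router_ip}/{old_prefix}", str(a)),
                 classify(f"{router_ip}/{new_prefix}", str(a)))
        for a in big
    }


if __name__ == "__main__":
    print("usable with /30:", usable_hosts(f"{ROUTER_IP}/30"))
    print("usable with /29:", usable_hosts(f"{ROUTER_IP}/29"))
    for dest, (old, new) in compare(ROUTER_IP, 30, 29).items():
        print(f"{dest:16} stale /30: {old:10} correct /29: {new}")
```

Checking the subnet mask the router actually has loaded against the allocated block is a quick first step before comparing tracert output.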