I’m trying to set up my RB450G to work with Comcast’s business service with a static IP. I moved from DHCP service, which I have no problems connecting to with the RB450G, but when I try to configure everything to work off of the static IP, I can’t seem to get it working.
The IP I’m setting up is 173.163.253.113. Other info they gave is:
CPE IP: 173.163.253.112/29
Static IP block: 173.163.253.113-117 (5 IP addresses)
Broadcast IP: 173.163.253.119
Gateway IP: 173.163.253.118
They are forcing me to use an SMC 8014 as the gateway (ugh). The internal firewall has been shut off, and when I plug a laptop into the SMC I’m able to configure one of the static IPs and can verify it functions.
I’m sure something’s not set up correctly under the Address, because when I turn on the DHCP client in the RB450G it works fine.
CPE IP: 173.163.253.112/29
Static IP block: 173.163.253.113-117 (5 IP addresses)
Broadcast IP: 173.163.253.119
Gateway IP: 173.163.253.118
.112 is the network IP address, so you can’t assign that to a host. You can use .113 - .117 on your router. Below is the configuration to apply .113 and .114 to an interface called ‘ether1’, and set a default route out via the interface.
I’m guessing that as far as the srcnat rule is concerned that should go before the masquerade rule, and replace the current src rule that was setup when I was running with DHCP, correct?
Also, if I wanted to do a configuration where I have the majority of my hosts behind .113, then the steps you gave should work. What if I wanted to assign .114 to a server plugged into a specific port on the RB450G and not have it run through NAT? In essence, would I just need to put a straight route from ether1 to, let’s say, ether2 where the server is connected? How would I do so without going through the firewall?
Yes on your NAT ordering. The masquerade rule can go - masquerade is for dynamic IPs, src-nat is for static IPs.
Your server - if you really don’t want NAT/firewall for the server use a switch directly connected to your CPE, and connect both the RB450G and the server to that switch. That way your server is outside of the router completely.
I wouldn’t do that, though. I would put the server behind the router and use 1:1 NAT and get it the protection of the firewall inside the RB450G. Most services pass through NAT just fine. This is very simple to do, assuming .114 for the public and 192.168.1.10 as the private inside:
Ah, yes, ok. I was thinking of going the switch route for at least one of the servers. I have an Asterisk PBX that I’ve been having issues running behind NAT, so I think I may put it on the CPE gateway to be rid of the headaches once and for all.
But on the other servers (like a web server I have), I think that the 1:1 NAT example you gave would work perfectly.
+1 Karma for all the help. Really saved me a good amount of time as well as gave me a good lesson on how to do some of these items.
That was a good lesson! Especially the 1:1 NAT example. By faith, it is working for me already because I need it like yesterday. I have been using a switch to separate them, which may have compromised some things in the future!
Glad it helped. Here’s a quick example firewall, which is the last thing you’re missing - it simulates most simple firewall rule sets that permit all traffic from inside to outside (LAN users are trusted to open connections to the Internet), but need explicit exceptions for outside to inside traffic. It also protects the router itself from all administrative access that doesn’t come from the LAN.
The below configures that, and also permits HTTP (tcp/80) to a web server on the LAN at 192.168.1.10. The ‘input’ chain is for traffic that is destined directly to the router (the router, after all NAT, is the end point the packet is for). The ‘forward’ chain is for traffic through the router.
/ip firewall address-list
add list=inside-networks address=192.168.1.0/24
/ip firewall filter
add chain=input connection-state=established action=accept comment="allow packets in established connections"
add chain=input connection-state=related action=accept comment="allow packets in connections related to established connections"
add chain=input connection-state=invalid action=drop comment="drop packets in invalid connections"
add chain=input src-address=192.168.1.0/24 in-interface=ether2 action=accept comment="allow new connections from the LAN to the router"
add chain=input action=drop comment="drop everything else"
add chain=forward connection-state=established action=accept comment="allow packets in established connections"
add chain=forward connection-state=related action=accept comment="allow packets in connections related to established connections"
add chain=forward connection-state=invalid action=drop comment="drop packets in invalid connections"
add chain=forward src-address=192.168.1.0/24 in-interface=ether2 action=accept comment="allow new connections from the LAN to the Internet"
add chain=forward dst-address=192.168.1.10 protocol=tcp dst-port=80 action=accept comment="allow tcp/80 to the web server (inside address after dst-nat)"
add chain=forward action=drop comment="drop everything else"
Ok, so far so good on all the items you’ve indicated. I can now access the web server I set up from the internet with one of the static IPs I have using the 1:1 NAT you indicated.
Now, one thing I noticed is when on a system that I am running behind my .113 address, when I try to access the website on the .114 server, I can’t get to it. To make sure the server was working correctly, I went ahead and used a public proxy and was able to pull up the website without issue, so I know both Apache and the server seem to be correctly configured.
Which leaves me to believe I need some sort of route so that systems from behind the NAT on static IP .113 can access the webserver on .114.
Yes - order matters with NAT rules, so more specific rules should come before general rules so the more specific traffic doesn’t match the general rule first - NAT processing stops on first hit.
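As an added example (not from this thread or from MikroTik), here is a small Python model of RouterOS first-match NAT processing using the thread’s addresses. It covers the 1:1 NAT for .114 from the earlier post and the LAN-to-.114 (hairpin) case from the last post, and shows what happens when the general .113 rule is placed before the specific .114 rule. Assumptions: ether1 is the WAN port, ether2 is the LAN port, 192.168.1.1 is the router’s LAN address, and the hairpin rule is the extra rule the last post calls for.

```python
import ipaddress

LAN = "192.168.1.0/24"
PUB_LAN, PUB_SRV = "173.163.253.113", "173.163.253.114"   # addresses from the thread
SRV, ROUTER_LAN = "192.168.1.10", "192.168.1.1"            # ROUTER_LAN is assumed

# (chain, match criteria, field to rewrite, new value, comment); first hit wins,
# exactly as RouterOS stops NAT processing on the first matching rule.
NAT_RULES = [
    ("dstnat", {"dst": PUB_SRV}, "dst", SRV, "1:1 inbound: .114 -> web server"),
    ("srcnat", {"src": SRV, "out_if": "ether1"}, "src", PUB_SRV, "1:1 outbound: web server -> .114"),
    ("srcnat", {"src": LAN, "out_if": "ether2"}, "src", None, "placeholder replaced below"),
    ("srcnat", {"src": LAN, "out_if": "ether1"}, "src", PUB_LAN, "everything else out as .113"),
]
# Hairpin rule (assumed): LAN clients hitting .114 get dst-natted to the server by the
# first rule; their source must then be rewritten so the reply returns via the router.
NAT_RULES[2] = ("srcnat", {"src": LAN, "dst": LAN, "out_if": "ether2"}, "src", ROUTER_LAN,
                "hairpin: LAN -> .114 -> web server")

def matches(criteria, pkt):
    """Interface criteria compare by name; address criteria by network containment."""
    for key, want in criteria.items():
        if key.endswith("_if"):
            if pkt.get(key) != want:
                return False
        elif ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(want):
            return False
    return True

def run_chain(rules, chain, pkt):
    """Return the rewritten packet and the comment of the first rule that hit."""
    for rchain, crit, field, value, comment in rules:
        if rchain == chain and matches(crit, pkt):
            return dict(pkt, **{field: value}), comment
    return pkt, None

def nat(pkt, rules=NAT_RULES):
    """dstnat runs before routing, srcnat after it, as in RouterOS."""
    pkt = dict(pkt)
    pkt, _ = run_chain(rules, "dstnat", pkt)
    inside = ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(LAN)
    pkt["out_if"] = "ether2" if inside else "ether1"   # routing decision after dst-nat
    pkt, _ = run_chain(rules, "srcnat", pkt)
    return pkt

# Swapping the specific .114 rule behind the general .113 rule reproduces the ordering
# mistake the last post warns about: the server then leaves as .113 instead of .114.
WRONG_ORDER = [NAT_RULES[0], NAT_RULES[3], NAT_RULES[1], NAT_RULES[2]]
```

Removing the hairpin rule (index 2) leaves a LAN client’s source address untouched when it reaches the server via .114, which is the symptom described in the last question.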