src-nat local to public, IP on WAN interface?

If local client IPs are src-natted to a public IP on the WAN interface, does that WAN interface have to have that public IP mentioned?

Example (I have full /24 address range):
Client has 192.168.1.5
src-nat 192.168.1.5 to 84.232.54.90

On the public WAN interface where traffic leaves to the internet:
set IP = 84.232.54.0/24
or set IP = 84.232.54.90/24
or set IP = 84.232.54.90/31

Which of the 3 options to use?
Is the /24 or /31 notation making any difference?

What if a client needs access from outside (to its server, for instance)?
Then his public IP should be mentioned, I presume. And a dst-nat rule to translate 84.232.54.90 into 192.168.1.5.
Would it now make any difference if I use /24 or /31 for the public IP on the WAN interface?

If I would have 4 consecutive /24 networks, so 4x254=1016 addresses, and just as many clients, does this mean all these 1016 have to be mentioned with /30 or /24 on the WAN interface?
What if I have 50,000 clients? Looks a bit odd to me?

1/1 NAT is not an option since clients come in with all kinds of IPs from tens of different networks.

Or should my solution be that indeed I have to use 1/1 NAT and make sure all clients are getting IPs from the same /24 range so 1/1 is going to work?


I am building a new system, so any help/advice is appreciated.

Okay, you have three options.

  1. 1-to-1 NAT: Assign ALL public addresses being used to the WAN interface. Then use NAT to control which privates use those publics.

OR

  2. Directly assign the public addresses: Assign one public to the WAN interface and subnet out the rest of your /24 to your devices. (If you have more than just a /24 and you have spare publics for your WAN, you could use the entire /24 on the LAN.)

OR

  3. PPPoE: Assign the public IPs via the PPPoE server.


All three options have an upside and a downside. Your info says you're a WISP. Based on that, if these are for customers I would probably PPPoE them all out.

OK, thanks for the answers.
Indeed we are now building our PPPoE server. And with VLANs I make sure all AP networks are in the same /24 domain. (In the concentrator where all VLANs to the APs start, I will bridge these together and set the PPPoE server on this bridge? The other end of the VLAN is on the WLAN of the AP connecting the clients.)

Now I have two options?:

  1. Since all clients now get the same /24 network(s), I can do 1/1 src-natting?
  2. Assign all clients the public addresses.

I’m only not sure how option 2 relates to security (public IPs on my LAN!) and how to set up the internet gateway router. Do I have to make it a bridged gateway router? And set up all firewall rules on the bridge?
This is a whole new game for me. And I don’t seem to find a lot of info on the internet…

Probably the safest option is to use option 1. But is it the best solution?
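An added example configuration (written for this page, not the poster's own setup) of the PPPoE route discussed above: the per-AP VLANs bridged together, a PPPoE server on that bridge, and a pool of public addresses handed straight to the customers. Assumed, not from the thread: VLAN IDs 101 to 103 arriving on ether2, the interface names ether1-wan and br-pppoe, the service name wisp, the pool range 84.232.54.32 to .254 and the router-side address 84.232.54.2 carved out of the /24 from the first post.

```routeros
# Added example, not from the thread. Assumed names and numbers: ether2 carries
# VLANs 101-103 from the APs, ether1-wan faces the provider, the public block is
# the thread's 84.232.54.0/24 with .2 reserved for the router side of the sessions.

# 1. Terminate the per-AP VLANs in one bridge. PPPoE is Layer 2, so the bridge
#    needs no IP address of its own; the "/24 domain" question does not arise.
/interface vlan
add name=vlan101-ap1 vlan-id=101 interface=ether2
add name=vlan102-ap2 vlan-id=102 interface=ether2
add name=vlan103-ap3 vlan-id=103 interface=ether2
/interface bridge
add name=br-pppoe comment="PPPoE access bridge, carries no IP"
/interface bridge port
add bridge=br-pppoe interface=vlan101-ap1
add bridge=br-pppoe interface=vlan102-ap2
add bridge=br-pppoe interface=vlan103-ap3

# 2. Public addresses go straight to the customers, one /32 per session.
/ip pool
add name=pool-public ranges=84.232.54.32-84.232.54.254
/ppp profile
add name=customer-public local-address=84.232.54.2 remote-address=pool-public \
    only-one=yes
/ppp secret
add name=cust001 password=CHANGE-ME service=pppoe profile=customer-public

# 3. The PPPoE server itself, bound to the bridge.
/interface pppoe-server server
add service-name=wisp interface=br-pppoe default-profile=customer-public \
    one-session-per-host=yes disabled=no

# 4. Customers already carry public addresses: exempt them from source NAT
#    before the masquerade rule that serves the private office/lab networks.
#    Rule order matters; the accept rule must come first.
/ip firewall nat
add chain=srcnat src-address=84.232.54.0/24 action=accept \
    comment="public customers leave untranslated"
add chain=srcnat src-address=192.168.0.0/16 out-interface=ether1-wan \
    action=masquerade comment="private networks only"
```

Each customer ends up on its own ppp interface, so the router routes between customers and the forward chain can isolate them if wanted. `/ppp active print` shows which pool address each session received, and `/ip firewall nat print stats` confirms that the masquerade counters do not move for customer traffic while the accept rule's counters do.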

Short answer : no.

Longer answer: you can NAT to any IP address, and to multiple addresses on the same router. The only case where the public IP has to be explicitly assigned to the “outside” interface is if you use the action “masquerade”, but there’s no law that says you have to do that. You can use the “src-nat” action and specify the public address. I’m not 100% sure if the public address has to be assigned to an interface on the router – I’ve always done that since it doesn’t make sense to me not to do so. But it does not have to be the WAN interface: for example, you can create an “empty” bridge interface and assign the address(es) to that.

Now, even longer answer: I wonder if you are thinking of address translation rather than NAT per se. That is, you have “internal” network addresses that are unroutable, private, assigned to your customers. The customers run their own NAT (pretty good idea IMHO). Then at your router you would use address mapping rather than NAT. This is done with two rules (one in the srcnat chain, the other in the dstnat chain) and the netmap action. Let me know if you need more help on this particular option.
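The two things this answer describes, as an added RouterOS example (written for this page, not the answerer's own configuration): a src-nat rule with an explicit public address that lives on an empty bridge rather than on the WAN interface, and the two-rule netmap pair for one-to-one mapping of a whole block. Assumed, not from the thread: the interface names ether1-wan and lo-public, and the private block 10.10.0.0/25 mapped onto 84.232.54.128/25; the client 192.168.1.5 and the public 84.232.54.90 are the first post's own numbers.

```routeros
# Added example, not from the thread. Assumed names: ether1-wan, lo-public.
# Addresses: client 192.168.1.5 and public 84.232.54.90 from the first post;
# 10.10.0.0/25 <-> 84.232.54.128/25 is an assumed one-to-one block.

# 1. Hold the public address on a bridge with no ports (the "empty" bridge
#    suggested above). action=src-nat does not care which interface owns it.
/interface bridge
add name=lo-public comment="carries public addresses referenced by NAT rules"
/ip address
add address=84.232.54.90/32 interface=lo-public

# 2. Explicit src-nat: this client leaves with 84.232.54.90. Unlike masquerade,
#    the address is stated in the rule, not taken from the outgoing interface.
/ip firewall nat
add chain=srcnat src-address=192.168.1.5 out-interface=ether1-wan \
    action=src-nat to-addresses=84.232.54.90 comment="client -> fixed public"

# 3. Only needed when the client must be reachable from outside on that public.
add chain=dstnat in-interface=ether1-wan dst-address=84.232.54.90 \
    action=dst-nat to-addresses=192.168.1.5 comment="public -> client"

# 4. One-to-one mapping of a whole block: two rules with action=netmap and
#    prefixes of the same size. Host .5 inside becomes .133 outside, and so on.
add chain=srcnat src-address=10.10.0.0/25 out-interface=ether1-wan \
    action=netmap to-addresses=84.232.54.128/25 comment="1:1 block out"
add chain=dstnat in-interface=ether1-wan dst-address=84.232.54.128/25 \
    action=netmap to-addresses=10.10.0.0/25 comment="1:1 block in"
```

Whether replies come back depends on the upstream, not on which interface holds the address. If the provider routes the whole 84.232.54.0/24 to this router over a separate link, nothing in that block has to be configured on any interface for src-nat to work. If instead the provider's gateway shares an Ethernet segment with the /24 and ARPs for each address, the router only answers ARP for addresses configured on that segment's interface (or with `arp=proxy-arp` enabled on it), and then an address parked on lo-public is not answered for on the WAN side without proxy-arp. `/ip firewall connection print detail` shows the translated addresses of live connections and is the quickest way to confirm which rule a client matched.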

I think you are confusing some readers here:

  1. masquerade is src-nat to the router’s address on the interface the traffic is leaving. If that interface has only one IP, it works. If you put more than 1 on that “output” interface you never know which “public” IP the masquerade rule is going to use. It becomes variable and the router picks an available IP at random. So for each incoming LAN customer the public IP becomes undetermined and variable. Who wants that?
     What you probably meant to say is that when there is one “masquerade” NAT rule for some kind of LAN client(s), then if you want others to get a different public IP you have to set a src-nat rule for these, mentioning that public IP on the interface. But this would conflict with what you just wrote before. If the public IP is needed on the public interface, the answer is yes. If not, then mentioning the outgoing (=public) IP for that specific client in the src-nat rule is enough.

You can use the “src-nat” action and specify the public address. I’m not 100% sure if the public address has to be assigned to an interface on the router – I’ve always done that since it doesn’t make sense to me not to do so. But it does not have to be the WAN interface: for example, you can create an “empty” bridge interface and assign the address(es) to that.

Why would you put these public IPs on an “empty” bridge? That makes no sense to me. If you are going to mention them, you might as well put them on the valid public interface.

If I think a bit further: if traffic from a client leaves the NAT router to the internet with a public IP assigned by the src-nat, and the reply traffic from the remote server gets sent back, how does this traffic find its way back to the gateway? By not mentioning that originating public IP on the internet interface, routers sending back reply traffic from servers can’t find that address. It’s just not there. Hence my thinking was also that public IPs always have to be mentioned on the public interface. Unless the 2/24 IP would cover them all? (That question is still not answered.)

Now, even longer answer: I wonder if you are thinking of address translation rather than NAT per se. That is, you have “internal” network addresses that are unroutable, private, assigned to your customers. The customers run their own NAT (pretty good idea IMHO). Then at your router you would use address mapping rather than NAT. This is done with two rules (one in the srcnat chain, the other in the dstnat chain) and the netmap action.

“NAT” means “Network Address Translation”. So what you call “address translation” is just the same. It can be done in two directions: src-nat (or masquerade) and dst-nat. But both are “NAT”.
dst-nat is basically only needed when you want LAN servers (services) to be available on their assigned public IP. Incoming traffic to this IP will then be forwarded towards the LAN IP of the client.
But for normal internet browsing or VoIP it’s not needed.

Since the rest was answered, I will try to answer this question.

Firewall filter (I would have these at the top of the firewall):
Drop src public IP list on LAN to private IP on LAN
Allow all other input to publics

Firewall NAT:
Omit the public IPs on the LAN from NAT, specifically the masquerade rule.

So the public IP addresses on the LAN can’t go to other local addresses, and they are not NATed, nor does the firewall affect them. Now they should be ready for customers to use.

Let me see if I understand you well:

  • PPPoE/DHCP (or whatever solution) assigns public IP addresses to clients
  • The internet gateway router prevents clients from speaking to each other inside your (my) network by your firewall filter rule in the ‘forward’ chain. They can still talk to each other via the provider’s gateway (the .1 address every client gets as default gateway?)
  • By “not NATed” you mean that they will have a src-nat action=“accept” rule? Put this on top to bypass any other src-nat/masquerade.

Hmm, I think this sounds OK to me.

OK, just to confirm: option 2 needs to have the bridge function on both the WAN and the LAN interface, yes?
And then the .1 IP resides on the provider’s router, the .2 on my WAN interface (or the bridge interface) and the rest is given to clients.

I tried to do it without a bridge (and src-nat=accept rules) but that doesn’t seem to work…

Can you please confirm?

The router eats up two publics: one on WAN and another on LAN. Then the remainder go to the clients with the LAN-side IP as gateway. MAKE SURE masquerade is OFF for these.

Now, the loss of two addresses on the router and the forced subnet division is the downside of this method. In some cases it is not an issue because of the way the provider gives you your IPs. In others the subnetting has a loss of IPs.

Example A
60.x.x.1/24 Provider GW
60.x.x.240/28 Your Publics
This is an issue because to use this method you will need to break your /28 into smaller segments to have one on WAN and another on LAN.

Now example B
60.x.x.1/24 Provider GW
60.x.x.240/28 Your Publics
60.x.x.2/32 Additional Public
Now here we just put 60.x.x.2/32 on the WAN, then assign 60.x.x.240/28 to the LAN.
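A complete added example (written for this page, not from either answerer) of the routed variant that the firewall answer earlier in the thread and this subnetting answer describe together: the provider's gateway at .1, one /32 on the WAN side, a /28 on the LAN side handed to customers, the filter rules at the top of the chain, and the NAT exemption. The thread's placeholders 60.x.x.* are replaced with the first post's 84.232.54.0/24 so the snippet parses; the interface names ether1-wan, ether2-lan and ether3-office, the private office network 192.168.1.0/24 and the router's LAN address .241 are assumptions.

```routeros
# Added example, not from the thread. 84.232.54.0/24 stands in for the thread's
# 60.x.x.0/24; ether1-wan, ether2-lan, ether3-office, 192.168.1.0/24 and .241
# are assumed.

# 1. Addressing. The router uses two publics: .2 on WAN, .241 on LAN. WAN and
#    LAN are NOT bridged; the router routes between them. With a /32 on the WAN
#    the provider's gateway is not a connected address, so it is declared on-link.
/ip address
add address=84.232.54.2/32 interface=ether1-wan
add address=84.232.54.241/28 interface=ether2-lan \
    comment="customers use .242-.254 with .241 as gateway"
add address=192.168.1.1/24 interface=ether3-office comment="private network"
/ip route
add dst-address=84.232.54.1/32 gateway=ether1-wan comment="provider GW on-link"
add dst-address=0.0.0.0/0 gateway=84.232.54.1

# 2. Filter, at the top of the forward chain: customers' publics may not reach
#    the private network, and traffic from the internet to the publics is let
#    through (read here as forward traffic, since it is not destined to the router).
/ip firewall address-list
add list=lan-public address=84.232.54.240/28
add list=lan-private address=192.168.1.0/24
/ip firewall filter
add chain=forward src-address-list=lan-public dst-address-list=lan-private \
    action=drop comment="public LAN -> private LAN: drop"
add chain=forward in-interface=ether1-wan dst-address-list=lan-public \
    action=accept comment="internet -> customers' publics, no NAT involved"

# 3. NAT: exempt the publics BEFORE the masquerade rule that serves the private
#    network, otherwise they would leave with the WAN address.
/ip firewall nat
add chain=srcnat src-address-list=lan-public action=accept \
    comment="publics leave untranslated"
add chain=srcnat src-address-list=lan-private out-interface=ether1-wan \
    action=masquerade comment="private network only"

# 4. Reaching .242-.254 from the provider side. Either the provider routes
#    84.232.54.240/28 to 84.232.54.2, or, when its gateway ARPs for every
#    address on a shared WAN segment, this router must answer for them:
/interface ethernet
set ether1-wan arp=proxy-arp
```

Two customers in the same /28 on the same switch reach each other at Layer 2 and never pass the forward chain, so the drop rule protects the private network but does not isolate customers from one another; that needs per-customer VLANs or PPPoE. `/ip firewall nat print stats` should show the accept rule's counters rising for customer traffic while the masquerade counters stay flat; if a customer's traffic still appears from .2 on the outside, the accept rule is below the masquerade rule.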

One question is still not clear to me: do I bridge the WAN with the LAN port with a real interface bridge?

If not, then I was thinking of doing this (following your IP example):
60.x.x.1/24 resides on the provider’s gateway.
60.x.x.2–60.x.x.15 (14 addresses covered by /28). These addresses I put each on the WAN and I use them for specific src-nat from my office and lab network to public.
60.x.x.16–60.x.x.31 (15 addresses covered by /28). These I share with basic users. They are grouped together and roughly 20-40 clients per group share one of these public addresses. All these addresses are to be mentioned on the WAN and then src-nat for the ‘basic’ LAN groups to these.
60.x.x.32–60.x.x.63 (31 addresses covered by /27). These I use to assign public IPs to clients that need access from outside or for my hotspot services to go out.
60.x.x.64–60.x.x.127 (63 addresses covered by /26). These are not mentioned on the WAN (?). I set up 1/1 NAT for an internal similar /26 group of LAN IPs. These are handed out by a pool from a DHCP/PPPoE server on my gateway.
60.x.x.128–60.x.x.254 (128 addresses covered by /25). These are also not mentioned on the WAN (?). I set up 1/1 NAT for an internal similar /25 group of LAN IPs. These are handed out from a pool by the same DHCP/PPPoE server on my gateway.

Basically I should now only lose the network and broadcast addresses of the two groups I do 1/1 NAT for?


Instead of handing out local IPs and then src-nat or 1/1 NAT them, can I also use the public IPs in the DHCP/PPPoE pool to hand out directly to clients?
What kind of NAT do I use now? action=accept for these public IPs residing on the clients? I still have to break the /24 into smaller groups because, after all, .1 and .2 are already on the WAN side?


I already ordered a 2nd group of class ‘C’ (/24) addresses.
Actually I am thinking of also asking for a small group of /29 addresses. These can be used for their and my gateway (on the WAN), and the 2 class ‘C’s I would then have free for my clients can be handed straight out to them. Either with 2 x 1/1 netmap rules or locate them all on the clients.

How am I doing so far?

Your question, should I bridge the interfaces: NO.

In the case of subnetting, you do lose those additional broadcast and network addresses.