Static Routing...?

Forums › LAN (ethernet/Wifi/routers/Bluetooth) › Static Routing...?

adamdotclarke

45 posts

Geek

#65933 9-Aug-2010 19:12

Hey Guys,

I have a question and I have been googling and cant find the answer to. Ok here goes, I have a Linksys AG300 with IP 192.168.10.1 and subnet of 255.255.255.252.

I also have an ISA server box IP 192.168.10.2 and same subnet. Now currently I have NAT enabled on the AG300 but also ISA performs NAT so effectively I am double-natting. Now I believe the best alternative is Static Routing, am I correct?

If not, what do I need to do to disable NAT on my AG300 and just have it forwarding packets? If so, what options do I set for static routing, I have tried all combos I can think that are logical to me and none work.

It needs Dest IP, Subnet and Gateway IP.

Any ideas?

Thanks

Adam

Regs

4066 posts

Uber Geek

Trusted

Snowflake

#365610 9-Aug-2010 20:27

what you really want is "ip extension" or "half bridge" modes on your linksys. it will avoid the double-nat, presenting the external IP address directly to ISA via DHCP

try this link for some help: http://www.ben.geek.nz/2006/11/adsl-routing-solution-in-detail

i'm pretty sure the ag300 does half bridge too

Sales Engineer
Snowflake
www.snowflake.com

about.me/nzregs
Twitter: @nzregs

adamdotclarke

45 posts

Geek

#365619 9-Aug-2010 20:39

I have just scoured my router config and looked on google and cannot find how to put this modem into bridge mode. I have a telecom single pc thomson st536v6 but couldnt figure out on that how to, seems maybe telecom locked it? I dont mind which box I use but would like to remove double nat?

Any ideas?

adamdotclarke

45 posts

Geek

#365625 9-Aug-2010 20:46

Scratch that, st536 is buggered. Telstraclear are sending me a free modem, anyone know mdoem number that will be? Half bridge?

nbroad

320 posts

Ultimate Geek

#365785 10-Aug-2010 10:26

the /30 subnet (255.255.255.252) gives you only two usable addresses, 192.168.10.1 and 192.168.10.2.

I presume the ISA server has two network cards and you have hosts using the ISA server? If so, what is IP address and subnet mask of the inside or trusted interface?

Maybe the option is to have the ISA server route between its inside and outside NIC's instead of performing NAT?

adamdotclarke

45 posts

Geek

#365801 10-Aug-2010 11:05

Correct, inside interface IP is 172.20.10.1. Ah i see so then the AG300 does the NAT leaving the ISA just routing, hadnt thought of it that way..

nbroad

320 posts

Ultimate Geek

#365802 10-Aug-2010 11:19

adamdotclarke: Correct, inside interface IP is 172.20.10.1. Ah i see so then the AG300 does the NAT leaving the ISA just routing, hadnt thought of it that way..

yep, should work. Only one way to find out I suppose!

raytaylor

4014 posts

Uber Geek

Trusted

#365962 10-Aug-2010 18:33

Another suggestion may be to set your modem to 10.1.1.1 and your ISA Wan to 10.1.1.2 - then have it as the DMZ in the modem.

Then set your ISA server to issue 192.168.0.x on its LAN interface

Or get a modem that does half bridge / ip extension, or use an internal PCI ADSL modem like I do.

Ray Taylor

There is no place like localhost

Spreadsheet for Comparing Electricity Plans Here

Equinox IT

Cloud spending continues to surge globally, but most organisations haven’t made the changes necessary to maximise the value and cost-efficiency benefits of their cloud investments. Download the whitepaper From Overspend to Advantage now.

Regs

4066 posts

Uber Geek

Trusted

Snowflake

#366032 10-Aug-2010 21:35

raytaylor:
or use an internal PCI ADSL modem like I do.

that *should* be the easiest option, and potentially the most reliable, - but they're harder to find these days. got any links to models for sale?

Sales Engineer
Snowflake
www.snowflake.com

about.me/nzregs
Twitter: @nzregs

adamdotclarke

45 posts

Geek

#366044 10-Aug-2010 21:52

Yea that is how I had it configured but swap the IP ranges.
But still isnt that not fixing the double nat issue?
Yea if you could recommend any good models as I have heard they can be unreliable if the wrong model...?

raytaylor

4014 posts

Uber Geek

Trusted

#366052 10-Aug-2010 22:09

I have a couple which i picked up off trademe. I always get them from there and have never had any problems with them - though if your case gets too warm i guess they could have problems.

Usually I just get one for $30 off trademe as I use them in managed firewalls for clients, and mako use them in their managed firewalls for the new government healthlink system that most pharmacy's are getting installed.

See here http://www.trademe.co.nz/Browse/SearchResults.aspx?searchType=all&searchString=pci+adsl&type=Search&generalSearch_keypresses=14&generalSearch_suggested=0

The ones i have in a load balancing firewall at home that i put together are both GlobespanVirata or something like that off trademe.

Ray Taylor

There is no place like localhost

Spreadsheet for Comparing Electricity Plans Here

webwat

2036 posts

Uber Geek

Trusted

#366188 11-Aug-2010 12:35

What are your trying to achieve, ie which LAN do your want to firewall behind the NAT? Best security would have the NAT router in front of the server, so it sounds like you are protecting a second device behind the ISA server. I would have thought the second LAN would be a separate subnet on the first router instead of double NAT.

Time to find a new industry!

nbroad

320 posts

Ultimate Geek

#366197 11-Aug-2010 12:49

webwat: What are your trying to achieve, ie which LAN do your want to firewall behind the NAT? Best security would have the NAT router in front of the server, so it sounds like you are protecting a second device behind the ISA server. I would have thought the second LAN would be a separate subnet on the first router instead of double NAT.

performing NAT on consumer grade ADSL modem/routers usually cannot be avoided unless using a workaround such as half bridge as suggested or the Draytek option, so the first subnet is going to be natted. It sounds like the OP's goal is to protect hosts behind the ISA server and possibly utilise ISA's firewall policies for outbound control etc etc. I don't understand what you mean when you say 'the second LAN would be a separate subnet on the first router instead of double NAT'
I doubt the first router could take a secondary IP and subnet on the LAN interface and I don't see what that would achieve.
I still think it would be worth trying the ISA in route mode instead of NAT. Seems simple to me. ISA routes between the two private subnets and the modem/router performs NAT to the internet.
The only downside would be if you wanted to allow some inbound connections to hosts behind the ISA server you would have to port forward once on the modem/router and then also create port forwards and policies on the ISA server.

adamdotclarke

45 posts

Geek

#366198 11-Aug-2010 12:52

@nbroad you are correct, that is what I am aiming to do, I will give the route on ISA, NAT on adsl device option a try when I have the chance

Thanks heaps for all the suggestions guys, ill let you know how I get on...