Static Routing...?

Forums › LAN (ethernet/Wifi/routers/Bluetooth) › Static Routing...?

adamdotclarke

45 posts

Geek

Topic # 65933 9-Aug-2010 19:12

Hey Guys,

I have a question and I have been googling and cant find the answer to. Ok here goes, I have a Linksys AG300 with IP 192.168.10.1 and subnet of 255.255.255.252.

I also have an ISA server box IP 192.168.10.2 and same subnet. Now currently I have NAT enabled on the AG300 but also ISA performs NAT so effectively I am double-natting. Now I believe the best alternative is Static Routing, am I correct?

If not, what do I need to do to disable NAT on my AG300 and just have it forwarding packets? If so, what options do I set for static routing, I have tried all combos I can think that are logical to me and none work.

It needs Dest IP, Subnet and Gateway IP.

Any ideas?

Thanks

Adam

Regs

Infrastructure Geek
4057 posts

Uber Geek
+1 received by user: 195

Trusted

Microsoft NZ

Subscriber

Reply # 365610 9-Aug-2010 20:27

what you really want is "ip extension" or "half bridge" modes on your linksys. it will avoid the double-nat, presenting the external IP address directly to ISA via DHCP

try this link for some help: http://www.ben.geek.nz/2006/11/adsl-routing-solution-in-detail

i'm pretty sure the ag300 does half bridge too

Technical Evangelist
Microsoft NZ
about.me/nzregs
Twitter: @nzregs

adamdotclarke

45 posts

Geek

Reply # 365619 9-Aug-2010 20:39

I have just scoured my router config and looked on google and cannot find how to put this modem into bridge mode. I have a telecom single pc thomson st536v6 but couldnt figure out on that how to, seems maybe telecom locked it? I dont mind which box I use but would like to remove double nat?

Any ideas?

adamdotclarke

45 posts

Geek

Reply # 365625 9-Aug-2010 20:46

Scratch that, st536 is buggered. Telstraclear are sending me a free modem, anyone know mdoem number that will be? Half bridge?

nbroad

224 posts

Master Geek
+1 received by user: 11

Reply # 365785 10-Aug-2010 10:26

the /30 subnet (255.255.255.252) gives you only two usable addresses, 192.168.10.1 and 192.168.10.2.

I presume the ISA server has two network cards and you have hosts using the ISA server? If so, what is IP address and subnet mask of the inside or trusted interface?

Maybe the option is to have the ISA server route between its inside and outside NIC's instead of performing NAT?

adamdotclarke

45 posts

Geek

Reply # 365801 10-Aug-2010 11:05

Correct, inside interface IP is 172.20.10.1. Ah i see so then the AG300 does the NAT leaving the ISA just routing, hadnt thought of it that way..

nbroad

224 posts

Master Geek
+1 received by user: 11

Reply # 365802 10-Aug-2010 11:19

adamdotclarke: Correct, inside interface IP is 172.20.10.1. Ah i see so then the AG300 does the NAT leaving the ISA just routing, hadnt thought of it that way..

yep, should work. Only one way to find out I suppose!

raytaylor

3280 posts

Uber Geek
+1 received by user: 661

Trusted

Reply # 365962 10-Aug-2010 18:33

Another suggestion may be to set your modem to 10.1.1.1 and your ISA Wan to 10.1.1.2 - then have it as the DMZ in the modem.

Then set your ISA server to issue 192.168.0.x on its LAN interface

Or get a modem that does half bridge / ip extension, or use an internal PCI ADSL modem like I do.

Ray Taylor
Taylor Broadband (rural hawkes bay)
www.ruralkiwi.com

There is no place like localhost
For my general guide to extending your wireless network Click Here

Regs

Infrastructure Geek
4057 posts

Uber Geek
+1 received by user: 195

Trusted

Microsoft NZ

Subscriber

Reply # 366032 10-Aug-2010 21:35

raytaylor:
or use an internal PCI ADSL modem like I do.

that *should* be the easiest option, and potentially the most reliable, - but they're harder to find these days. got any links to models for sale?

Technical Evangelist
Microsoft NZ
about.me/nzregs
Twitter: @nzregs

adamdotclarke

45 posts

Geek

Reply # 366044 10-Aug-2010 21:52

Yea that is how I had it configured but swap the IP ranges.
But still isnt that not fixing the double nat issue?
Yea if you could recommend any good models as I have heard they can be unreliable if the wrong model...?

raytaylor

3280 posts

Uber Geek
+1 received by user: 661

Trusted

Reply # 366052 10-Aug-2010 22:09

I have a couple which i picked up off trademe. I always get them from there and have never had any problems with them - though if your case gets too warm i guess they could have problems.

Usually I just get one for $30 off trademe as I use them in managed firewalls for clients, and mako use them in their managed firewalls for the new government healthlink system that most pharmacy's are getting installed.

See here http://www.trademe.co.nz/Browse/SearchResults.aspx?searchType=all&searchString=pci+adsl&type=Search&generalSearch_keypresses=14&generalSearch_suggested=0

The ones i have in a load balancing firewall at home that i put together are both GlobespanVirata or something like that off trademe.

Ray Taylor
Taylor Broadband (rural hawkes bay)
www.ruralkiwi.com

There is no place like localhost
For my general guide to extending your wireless network Click Here

webwat

1984 posts

Uber Geek
+1 received by user: 133

Trusted

Reply # 366188 11-Aug-2010 12:35

What are your trying to achieve, ie which LAN do your want to firewall behind the NAT? Best security would have the NAT router in front of the server, so it sounds like you are protecting a second device behind the ISA server. I would have thought the second LAN would be a separate subnet on the first router instead of double NAT.

Qualified in business, certified in fibre, stuck in copper, have to keep going ^_^

nbroad

224 posts

Master Geek
+1 received by user: 11

Reply # 366197 11-Aug-2010 12:49

webwat: What are your trying to achieve, ie which LAN do your want to firewall behind the NAT? Best security would have the NAT router in front of the server, so it sounds like you are protecting a second device behind the ISA server. I would have thought the second LAN would be a separate subnet on the first router instead of double NAT.

performing NAT on consumer grade ADSL modem/routers usually cannot be avoided unless using a workaround such as half bridge as suggested or the Draytek option, so the first subnet is going to be natted. It sounds like the OP's goal is to protect hosts behind the ISA server and possibly utilise ISA's firewall policies for outbound control etc etc. I don't understand what you mean when you say 'the second LAN would be a separate subnet on the first router instead of double NAT'
I doubt the first router could take a secondary IP and subnet on the LAN interface and I don't see what that would achieve.
I still think it would be worth trying the ISA in route mode instead of NAT. Seems simple to me. ISA routes between the two private subnets and the modem/router performs NAT to the internet.
The only downside would be if you wanted to allow some inbound connections to hosts behind the ISA server you would have to port forward once on the modem/router and then also create port forwards and policies on the ISA server.

adamdotclarke

45 posts

Geek

Reply # 366198 11-Aug-2010 12:52

@nbroad you are correct, that is what I am aiming to do, I will give the route on ISA, NAT on adsl device option a try when I have the chance

Thanks heaps for all the suggestions guys, ill let you know how I get on...