Disable outbound NAT for specific VLAN/subnet
Good day!
I'm having an issue that causes outbound connections from a subnet with public IPs to be NATed as the 'main' connection. I was wondering how to disable this behaviour.
Situation:
I have an ER605v2 with software release 2.1.4 Build 20230727 Rel.40308 in standalone mode.
- The connection to my ISP is via PPPoE and my ISP has allocated me a public /32 and and public /29 subnet.
- The /32 is on the default vlan (LAN) and has NAT enabled, as it should be.
- For the /29 I have set up a separate VLAN and have set up the firewall rules accordingly
- I can ping hosts inside the /29 from the public internet and can connect to them without issues
- HOWEVER, all connections initiated from the /29 subnet hosts appear as coming from the /32 main IP. Of course, this should not be happening.
So how can I disable outbound NAT for this subnet? What did I miss and how can I fix this?
Thanks in advance!
Sjon
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Thanks for posting in our business forum.
I am afraid that we cannot provide any further help on this.
Let me iterate. We don't offer guidance or support to any need for root or command lines.
We don't offer support to disable the NAT as it's against our design of the product. If this is what you need, please consider seeking other solutions.
Any actions you've done on modifying the system files or flash the router with a different non-official firmware will void the warranty and we are not obliged to offer any support to you. Conditions that Disqualify Products from the Limited Warranty
- Copy Link
- Report Inappropriate Content
After some digging in the GPL sources, I found that in /etc/config/nat, section 'rule_napt' the IP was set to 0.0.0.0. This means that *ALL* traffic is going to be NATed, regardless.
So, I managed to gain root access to my ER605 and changed 0.0.0.0 to 192.168.0.0/16 and re-applied the config; lo and behold my normal LAN is still NATed and my public IPs are just routed. Happy days!
So, if somebody from TP-Link reads this, would you kindly change the ranges to be NATed by default to only include the ranges specified in rfc1918 or make it configurable?
Thanks!
Sjon
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
1. There is no way that you can disable the NAT.
2. We don't offer any root access. Nor provide any docs to do so.
3. Do you access these IPs even you don't own them??
Sjon_Gerrits wrote
- I can ping hosts inside the /29 from the public internet and can connect to them without issues
4. How do you determine that by saying "appear"? How do you monitor it? Can you illustrate your test methodology?
Sjon_Gerrits wrote
- HOWEVER, all connections initiated from the /29 subnet hosts appear as coming from the /32 main IP. Of course, this should not be happening.
- Copy Link
- Report Inappropriate Content
@Clive_A Thank you for your reply!
Clive_A wrote
1. There is no way that you can disable the NAT.
2. We don't offer any root access. Nor provide any docs to do so.
3. Do you access these IPs even you don't own them??
Sjon_Gerrits wrote
- I can ping hosts inside the /29 from the public internet and can connect to them without issues
4. How do you determine that by saying "appear"? How do you monitor it? Can you illustrate your test methodology?
Sjon_Gerrits wrote
- HOWEVER, all connections initiated from the /29 subnet hosts appear as coming from the /32 main IP. Of course, this should not be happening.
1. I just found out his is a bug/issue in the ER605's firmware concerning only PPPoE-connections, I will make a separate post further down.
2. The internet does ;) You too will probably know what the 'debug' command does in the 'remote assistance'-console and how those passwords are generated
3. I do not 'own' them, they were allocated/leased to me by my ISP. So it's nothing illegal or shady. It is fully supported by them (just not by that many routers these days).
4. I test it by initiating connections from from those IPs. Sites like test-ipv6[.]com also work. They will show the /32 not their actual IP
For example, an SSH connection:
Without changing the NAT rules:
Last login: Wed Aug 16 07:24:40 2023 from xx.xx.5.201 (my /32)
After changing 'postrouting_rule_multinat' from -s 0.0.0.0 (again, this appears to be a bug) to -s 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 (as it should be!)
Last login: Wed Aug 16 07:24:45 2023 from xx.xx.171.134 (from my /29 network)
And both LANs still have connectivity.
- Copy Link
- Report Inappropriate Content
Thank you for your suggestion, it is a PPPoE connection, and the web interface doesn't allow me to add the subnet as 'virtual' or 'alias' IPs; this only works with setting the connection type to Dynamic/Static IP.
On the other hand, in my opinion, public addresses should just be routed/firewalled, not NATed.
- Copy Link
- Report Inappropriate Content
From what I can tell, at least in the case of a PPPoE-connection, the script /lib/nat/nat_napt.sh builds the masquerading rules using information from /etc/config/nat.
Option 'ipaddr' and 'mask' under 'rule_napt' are of interest. Since they where 0.0.0.0 and 0, this meant that all IPv4-traffc from the (v)lans was going to be masqueraded; resulting in the issue I had where incoming connections worked fine, but outgoing traffic was always masqueraded.
Luckily, files in /etc/config are saved across reboots, so I changed ipaddr and mask to 192.168.0.0 and respectively and restarted the device. Now the masquerading rules are constructed correctly.
I still think this is an issue that should be fixed; only non-routable IP-space specified in RFC1918 should be masqueraded. This is a business router afterall...
Again, thanks for the replies and I hope this information is useful Please let me know if you need more information.
Sjon
- Copy Link
- Report Inappropriate Content
Thanks for posting in our business forum.
I am afraid that we cannot provide any further help on this.
Let me iterate. We don't offer guidance or support to any need for root or command lines.
We don't offer support to disable the NAT as it's against our design of the product. If this is what you need, please consider seeking other solutions.
Any actions you've done on modifying the system files or flash the router with a different non-official firmware will void the warranty and we are not obliged to offer any support to you. Conditions that Disqualify Products from the Limited Warranty
- Copy Link
- Report Inappropriate Content
Thank you for your suggestion, it is a PPPoE connection, and the web interface doesn't allow me to add the subnet as 'virtual' or 'alias' IPs; this only works with setting the connection type to Dynamic/Static IP.
Are you saying that its not possible to specify the additional public subnet as a Secondary (static) connection on the WAN when the main connection type is PPPoE ?
- Copy Link
- Report Inappropriate Content
As it currently stands, that is not possible, no. The 'secondary connection' for PPPoE appears to be for something else.
But since the 'WAN IP Alias' seems to be a new feature, it will probably be added in the future.
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 1273
Replies: 9
Voters 0
No one has voted for it yet.