Disable outbound NAT for specific VLAN/subnet

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2023-08-15 16:27:59 - last edited 2023-08-17 07:35:21
Tags: #WAN Setup #Outbound nat
Model: ER605 (TL-R605)  
Hardware Version: V2
Firmware Version: 2.1.4 Build 20230727 Rel.40308

Good day!

 

I'm having an issue that causes outbound connections from a subnet with public IPs to be NATed as the 'main' connection. I was wondering how to disable this behaviour.

 

Situation:


I have an ER605v2 with software release 2.1.4 Build 20230727 Rel.40308 in standalone mode.

 

- The connection to my ISP is via PPPoE and my ISP has allocated me a public /32 and a public /29 subnet.

- The /32 is on the default vlan (LAN) and has NAT enabled, as it should be.

- For the /29 I have set up a separate VLAN and have set up the firewall rules accordingly

- I can ping hosts inside the /29 from the public internet and can connect to them without issues

- HOWEVER, all connections initiated from the /29 subnet hosts appear as coming from the /32 main IP. Of course, this should not be happening.

 

So how can I disable outbound NAT for this subnet? What did I miss and how can I fix this?

 

Thanks in advance!

 

 

Sjon

#1
Re:Disable outbound NAT for specific VLAN/subnet
2023-08-15 20:32:39

After some digging in the GPL sources, I found that in /etc/config/nat, section 'rule_napt' the IP was set to 0.0.0.0. This means that *ALL* traffic is going to be NATed, regardless.

 

So, I managed to gain root access to my ER605 and changed 0.0.0.0 to 192.168.0.0/16 and re-applied the config; lo and behold my normal LAN is still NATed and my public IPs are just routed. Happy days!

 

So, if somebody from TP-Link reads this, would you kindly change the ranges to be NATed by default to only include the ranges specified in rfc1918 or make it configurable?

 

Thanks!

 

 

Sjon

#2
Re:Disable outbound NAT for specific VLAN/subnet
2023-08-15 21:58:39
I believe you could also have done this with the standard 1:1 NAT feature, but excellent hack though!
<< Paying it forward, one juicy problem at a time... >>
#3
Re:Disable outbound NAT for specific VLAN/subnet
2023-08-16 05:45:21

Hi @Sjon_Gerrits 

1. There is no way that you can disable the NAT.

2. We don't offer any root access. Nor provide any docs to do so.

3. Do you access these IPs even though you don't own them?

Sjon_Gerrits wrote

- I can ping hosts inside the /29 from the public internet and can connect to them without issues

 4. How do you determine that by saying "appear"? How do you monitor it? Can you illustrate your test methodology?

Sjon_Gerrits wrote

- HOWEVER, all connections initiated from the /29 subnet hosts appear as coming from the /32 main IP. Of course, this should not be happening.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
#4
Re:Disable outbound NAT for specific VLAN/subnet
2023-08-16 07:41:30 - last edited 2023-08-16 07:42:06

  @Clive_A Thank you for your reply!

Clive_A wrote

Hi @Sjon_Gerrits 

1. There is no way that you can disable the NAT.

2. We don't offer any root access. Nor provide any docs to do so.

3. Do you access these IPs even though you don't own them?

Sjon_Gerrits wrote

- I can ping hosts inside the /29 from the public internet and can connect to them without issues

 4. How do you determine that by saying "appear"? How do you monitor it? Can you illustrate your test methodology?

Sjon_Gerrits wrote

- HOWEVER, all connections initiated from the /29 subnet hosts appear as coming from the /32 main IP. Of course, this should not be happening.

 

 

1. I just found out this is a bug/issue in the ER605's firmware concerning only PPPoE connections, I will make a separate post further down.

2. The internet does ;) You too will probably know what the 'debug' command does in the 'remote assistance'-console and how those passwords are generated

3. I do not 'own' them, they were allocated/leased to me by my ISP. So it's nothing illegal or shady. It is fully supported by them (just not by that many routers these days).

4. I test it by initiating connections from those IPs. Sites like test-ipv6[.]com also work. They will show the /32, not their actual IP.

 

For example, an SSH connection:

 

Without changing the NAT rules:

Last login: Wed Aug 16 07:24:40 2023 from xx.xx.5.201 (my /32)

 

After changing 'postrouting_rule_multinat' from -s 0.0.0.0 (again, this appears to be a bug) to -s 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 (as it should be!)

Last login: Wed Aug 16 07:24:45 2023 from xx.xx.171.134 (from my /29 network)

 

And both LANs still have connectivity.

#5
Re:Disable outbound NAT for specific VLAN/subnet
2023-08-16 07:47:24

  @d0ugmac1 

 

Thank you for your suggestion, it is a PPPoE connection, and the web interface doesn't allow me to add the subnet as 'virtual' or 'alias' IPs; this only works with setting the connection type to Dynamic/Static IP.

 

On the other hand, in my opinion, public addresses should just be routed/firewalled, not NATed.

#6
Re:Disable outbound NAT for specific VLAN/subnet
2023-08-16 11:46:37

@Clive_A 

 

From what I can tell, at least in the case of a PPPoE-connection, the script /lib/nat/nat_napt.sh builds the masquerading rules using information from /etc/config/nat.

 

Options 'ipaddr' and 'mask' under 'rule_napt' are of interest. Since they were 0.0.0.0 and 0, this meant that all IPv4 traffic from the (v)lans was going to be masqueraded; resulting in the issue I had where incoming connections worked fine, but outgoing traffic was always masqueraded.

 

Luckily, files in /etc/config are saved across reboots, so I changed ipaddr and mask to 192.168.0.0 and respectively and restarted the device. Now the masquerading rules are constructed correctly.

 

I still think this is an issue that should be fixed; only non-routable IP space specified in RFC1918 should be masqueraded. This is a business router after all...

 

Again, thanks for the replies and I hope this information is useful. Please let me know if you need more information.

 

 

Sjon

#7
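The mechanism the poster describes in posts #2, #5 and #7 (a masquerade rule keyed on a source selector, where ipaddr 0.0.0.0 / mask 0 resolves to -s 0.0.0.0/0 and so masquerades every egress packet, routed public addresses included) can be modelled without a router. The script below is an added example, not the ER605 firmware's /lib/nat/nat_napt.sh and not code from anyone in the thread; the function names, the interface name pppoe-wan and the sample addresses (203.0.113.0/24 documentation space stands in for the ISP-routed /29) are assumptions. It prints the iptables rules each selector list would produce and reports whether a given source address ends up masqueraded or routed.

```shell
#!/bin/sh
# Added example, not the ER605 firmware's own /lib/nat/nat_napt.sh. It models
# the one thing the thread turns on: the NAPT (masquerade) rule is keyed on a
# source selector, and a selector of 0.0.0.0/0 masquerades every egress packet,
# routed public addresses included. Function names and the interface name
# "pppoe-wan" are assumptions; rules are printed, never applied.

# ip4_to_int DOTTED-QUAD -> unsigned 32-bit integer
ip4_to_int() {
    saved_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$saved_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_prefix IP PREFIX -> exit status 0 when IP lies inside PREFIX (a.b.c.d/len)
in_prefix() {
    net=${2%/*}
    len=${2#*/}
    [ "$len" = "$2" ] && len=32            # a bare address is a /32
    [ "$len" -eq 0 ] && return 0           # /0 matches everything
    ip=$(ip4_to_int "$1")
    base=$(ip4_to_int "$net")
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( base & mask )) ]
}

# napt_action SRC_IP "PREFIX PREFIX ..." -> prints masquerade or route,
# i.e. what a POSTROUTING MASQUERADE chain built from those -s selectors does
napt_action() {
    for p in $2; do
        if in_prefix "$1" "$p"; then
            echo masquerade
            return 0
        fi
    done
    echo route
}

# render_rules WAN_IF "PREFIX PREFIX ..." -> the iptables rules such a selector list yields
render_rules() {
    for p in $2; do
        echo "iptables -t nat -A POSTROUTING -o $1 -s $p -j MASQUERADE"
    done
}

# Selector equivalent to the ipaddr 0.0.0.0 / mask 0 found in /etc/config/nat
ALL_SOURCES="0.0.0.0/0"
# Selector the poster substituted: RFC 1918 space only
RFC1918="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Constructed sample hosts: one on the private LAN, one on a routed public block
# (203.0.113.0/24 is documentation space standing in for the poster's ISP /29)
LAN_HOST=192.168.0.20
PUBLIC_HOST=203.0.113.6

demo() {
    echo "# shipped selector"
    render_rules pppoe-wan "$ALL_SOURCES"
    echo "#   $PUBLIC_HOST -> $(napt_action "$PUBLIC_HOST" "$ALL_SOURCES")"   # masquerade: the reported behaviour
    echo "# RFC 1918 selector"
    render_rules pppoe-wan "$RFC1918"
    echo "#   $PUBLIC_HOST -> $(napt_action "$PUBLIC_HOST" "$RFC1918")"       # route
    echo "#   $LAN_HOST -> $(napt_action "$LAN_HOST" "$RFC1918")"             # masquerade
}

demo
```

Run it with `sh` to see both rule sets side by side. On a real box the equivalent check is to list the live chain with `iptables -t nat -S POSTROUTING` and then, as the poster did, open a connection from a host on the public block to something that reports the source address (an SSH login banner, a what-is-my-IP page): if the reported address is the PPPoE /32 rather than the host's own, the selector still covers public space.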
Re:Disable outbound NAT for specific VLAN/subnet-Solution
2023-08-17 01:30:14 - last edited 2023-08-17 07:24:47

Hi @Sjon_Gerrits 

Thanks for posting in our business forum.

I am afraid that we cannot provide any further help on this.

Let me iterate. We don't offer guidance or support to any need for root or command lines.

We don't offer support to disable the NAT as it's against our design of the product. If this is what you need, please consider seeking other solutions.

Any actions you've taken to modify the system files or flash the router with different, non-official firmware will void the warranty, and we are not obliged to offer any support to you. Conditions that Disqualify Products from the Limited Warranty

Best Regards!
Recommended Solution
#8
Re:Disable outbound NAT for specific VLAN/subnet
2023-08-17 06:42:31 - last edited 2023-08-17 06:43:02

  @Sjon_Gerrits 

Thank you for your suggestion, it is a PPPoE connection, and the web interface doesn't allow me to add the subnet as 'virtual' or 'alias' IPs; this only works with setting the connection type to Dynamic/Static IP.

 

Are you saying that it's not possible to specify the additional public subnet as a Secondary (static) connection on the WAN when the main connection type is PPPoE?

 

 

#9
Re:Disable outbound NAT for specific VLAN/subnet
2023-08-17 07:24:23 - last edited 2023-08-17 07:29:31

  @MisterW 

 

As it currently stands, that is not possible, no. The 'secondary connection' for PPPoE appears to be for something else. 

 

But since the 'WAN IP Alias' seems to be a new feature, it will probably be added in the future.

#10