NAT Masquerade Exception
As per https://community.tp-link.com/en/business/forum/topic/571608, I need to make an exception in the default masquerade rule for another local subnet outside of the local network beyond the ER605. Is this possible yet or is it likely to be?
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Hi @L2K
Thanks for posting in our business forum.
You can try out the label and search for the keywords. I think you are talking about the same thing as this accepted request.
- Copy Link
- Report Inappropriate Content
I'm using a software controller and the latest version is currently 5.14.26.1 so looks like I'll have to wait, but I do notice that it seems that thread is saying you can turn NAT on or off entirely, but I am wanting to add an exception for a single subnet, not turn NAT off entirely so not sure if that is *exactly* the same thing as I am requesting?
- Copy Link
- Report Inappropriate Content
Hi @L2K
Thanks for posting in our business forum.
L2K wrote
I'm using a software controller and the latest version is currently 5.14.26.1 so looks like I'll have to wait, but I do notice that it seems that thread is saying you can turn NAT on or off entirely, but I am wanting to add an exception for a single subnet, not turn NAT off entirely so not sure if that is *exactly* the same thing as I am requesting?
Not entirely, partially disable the NAT?
We are not an open-source system where you can use the CLI to partially disable the NAT. I understand that might be possible on OpenWRT with the iptables or anything similar. W
It has iptables built-in, I think. But I don't think we ever opened the system to users for willingly changing them.
Curious, how do you achieve this on the third-party router? This can be split?
- Copy Link
- Report Inappropriate Content
Clive_A wrote
Hi @L2K
Thanks for posting in our business forum.
Curious, how do you achieve this on the third-party router? This can be split?
Using Mikrotik currently so I could just add a !192.168.0.0.16 to the masquerade rule for instance to masquerade everything except for the designated subnet.
- Copy Link
- Report Inappropriate Content
Hi @L2K
Thanks for posting in our business forum.
L2K wrote
Clive_A wrote
Hi @L2K
Thanks for posting in our business forum.
Curious, how do you achieve this on the third-party router? This can be split?
Using Mikrotik currently so I could just add a !192.168.0.0.16 to the masquerade rule for instance to masquerade everything except for the designated subnet.
What would be the name of this feature?
Like the title? Or a different name. I will take a look at it.
- Copy Link
- Report Inappropriate Content
I think the title is pretty close, as a layman. Not sure what the exact term wouold be in the world of network engineering, coming from the Mikrotik world there are so many options for every rule I'm not sure every single option has a specific name.
Not sure if my exact setup is unique but I have a double NAT setup where the Omada router WAN is a client of the DMZ network (where all the DNS and web servers are) but all the traffic for these devices just shows up as coming from the Omada router WAN IP so the logs on the web/DNS servers are useless. I just want to not masquerade/NAT the traffic to this DMZ subnet but everything else can be NATted.
It wouldn't be a major issue if I just turned NAT off entirely here as I am obviously already on a NATted network but the NAT on the Omada router just keeps the traffic out of the DMZ that isn't destined for the DMZ. The setup we have here is becoming more common in the way we set up networks on smaller client sites where we have this DMZ for some local devices doing analytics/security. Here the network setup is the same but rather than DNS/web servers we have client devices like cameras that need to have their source IP revealed to the analytics servers. Again we could just turn NAT off entirely but I am just trying to keep some seperaton where possible.
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 190
Replies: 6
Voters 0
No one has voted for it yet.