ER605 hierarchical under ER605 & NAT challenge
ER605 hierarchical under ER605 & NAT challenge
Hello,
how can I configure ER605, which was hierarchically under an other ER605?
My configuration:
1. Internet -> Fritz!Box -> ER605-1 -> ER605-2 -> Dedicated mini-computer with IP 10.11.1.11
2. I use OC200 for all the admin of all my tp-link devices.
3. Fritz!Box used IP-Range 192.168.0.1 - 192.168.0.255 => here are my main devices
4. First ER605 (ER605-1) is used to share Internet access in a new IP-Range 192.168.10.1 - 192.168.10.255 => here are may special control devices
5. Second ER605 (ER605-2) is only to share Internet access for a dedicated mini-computer with IP 10.11.1.11. (I use IP-Range 10.11.1.10 - 10.11.1.20).
6. The IP of ER605-2 is 10.11.10 -> Okay
7. I see the dedicated mini-computer with IP 10.11.1.11 at the ER605-2 -> Okay
What works:
- All devices can access internet - inclusive my dedicated mini-computer.
- I can access devices in the IP-Range 192.168.10.1 - 192.168.10.255 from IP-Range 192.168.0.x, because I use NAT and One-To-One-NAT entries.
What doesn't work:
I cann't access my dedicated mini-computer from an address 192.168.10.x (or 192.168.10.x), because I cann't use NAT and One-To-One-NAT at the ER605-2. The interface listbox was empty!
How can I configure a one-to-one NAT or similar for my dedicated mini-computer?
Best Regards
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Hi @Sheep_Dog
Thanks for posting in our business forum.
I think you may misunderstand how it works, kindly see this configuration guide:
How to configure One-to-One NAT on the Omada Gateway
- Copy Link
- Report Inappropriate Content
Hello @Clive_A,
thank you for the quick response to my question.
I know the basic concept for a one-to-one NAT, but I have a special requirement: In an existing network with a Fritz!Box, an ER605 and an OC200, I have to integrate a special device that only has a fixed IP address. So I want to use the NAT functionality to translate this address (10.x.x.x).
The unpleasant alternative would be to give all other devices (over 100) a new IP address in the 10.x.x.x range. This is very time-consuming and error-prone.
What's wrong with setting up a LAN2 with a different IP range "under" a LAN1?
It doesn't work with my infrastructure to assign port-by-port IP ranges to the first ER605, because there are other devices on the string with the special device via a switch.
Yes, if I could redesign it, I would do it differently today...
Best regards
- Copy Link
- Report Inappropriate Content
Isn't the main point of NAT to reduce IP exhaustion and hide the details of the LAN?
And yet you use mappings to give each LAN client an IP on the WAN side?
As is, that's 3 layers of NAT within your network for some of your devices!
So you have different networks and they need to communicate.
Why don't you setup a few VLAN on your top router?
I suspect you might be able to create a network per LAN port but I haven't tried that. That's if you don't have VLAN capable switches.
By default, VLANs will all be able to talk to one another using their actual IP addresses. You can constrain inter-VLAN traffic.
If your existing router can't do this, maybe you put it in bridge mode and move all your devices behind the ER605.
If you insist on keeping your existing top level LAN, you'll have to manage mappings only once at that first layer.
- Copy Link
- Report Inappropriate Content
Hello @EricPerl,
thank you for your information and questions
My main purpose of NAT is not to reduce IP exhaustion. Yes, the IP ranges should be separated.
No, not every device can communicate with every device. Only a few devices have comprehensive access.
Yes, there are 3 IP ranges, with two ranges having special features:
- The first IP range is specified by the Fritz!box, which will probably be discontinued after some time.
- The third IP range is only for one (!) device, as it cannot be changed in terms of IP.
(The second IP range is my main area)
Yes, I have three different network ranges and they must communicate. I have moved away from the VLAN approach on the top router because I cannot assign the ranges to individual ports on the ER605 or 1:1 VLANs. Unfortunately, the in-house cabling does not allow this. I can't move all my devices behind the ER605-1 either, because the cabling doesn't allow it, and I can't use WiFi for some devices.
Yes, I would like to keep the existing top-level LAN, which would then have three LAN levels:
LAN1 (top), LAN2 (middle), LAN3 (bottom).
I have successfully stored NATs in the ER605-1 for LAN1 and LAN2, but not for access from LAN1 to LAN3.
My levels are:
- Fritz!Box -> ER605-1 -> ER605-2 -> Dedicated mini-computer
- WAN____-> LAN1____-> LAN2___-> LAN3
Perhaps I'm making a mistake in my thinking.
- Copy Link
- Report Inappropriate Content
IP v4 exhaustion is definitely a concern at the global level and NAT is a critical part of addressing it.
From the WAN side, the details of the LAN are unknown. Range, number of clients... All traffic appears to be coming from the GW's WAN address.
Exposing 1:1 mappings defeats the purpose. It's not a concern globally because you're doing it within the confines of your LAN...
And it explains why you can't access LAN3 from LAN1. With the method that you use, you'd need to do another mapping from LAN1 to the LAN2 mapping of the LAN3 machine you want to access. I guess that technically it means that instead of doing NAT with port mappings (GW-WAN-IP:X to Machine-LAN-IP:Y) you end up with IP mappings (Machine-WAN-IP:Y to Machine-LAN-IP:Y). You can't jump directly from 1 to 3 because you have to traverse each layer one by one.
This will end up being unmanageable really quickly. It's also quite unnatural and inefficient.
I'm also in a situation where my house wiring is constraining my internal physical network.
I made a post about it a few months ago.
But as long as you can physically get to all the devices, the beauty of VLANs is that you can build a logical/virtual network on top of that physical network to fulfil your needs.
By doing assignment of physical switch ports to VLAN profiles, you indicate which wired client(s) belongs to which VLAN.
By creating a SSID per VLAN, you bind wireless clients to the VLAN based on the SSID they connect to.
This is actually quite easy with Omada (and Omada compatible switches and APs). There's a guide for that.
All clients can communicate using their native IPs out of the box.
For your fixed IP machine, you create a VLAN with a compatible IP range.
And again, you can curtail inter-VLAN traffic.
HTH
- Copy Link
- Report Inappropriate Content
You absolutely can assign an entire VLAN, all by itself to each ER605 port, in both standalone and controller mode.
I dont understand why you dont just have as many vlans as you need, with their own IP ranges, and assign individually to each router port, then use ACLs to control inter vlan communication, all from one router. Adding a basic omada switch will allow you better control of the VLANs splitting off the ER605 from each port, and allow more granular switch ACLs.
Granted, this is actually a bit easier to achieve in standalone, but absolutely doable in controller.
And Switch VLAN distribution:
And Switch based inter-vlan control ACLs
- Copy Link
- Report Inappropriate Content
Hello @EricPerl,
I am aware of the poor solution, but my in-house network imposes some limitations.
Yes, I am also aware that I need two translations when accessing LAN1 to LAN3, which is very unsightly, awkward, unnatural and inefficient.
I would be happy to use a different solution, such as VLANs. However, with the existing cabling, one strand must allow LAN2 and LAN3 communication. From what I understand so far, this does not work, as one strand (with TP-Link) is always a port on the Er605 for a VLAN. Maybe I am wrong.
I would like to have as few wireless connections as possible, as any cable connection is better than a wireless network.
Best Regards,
Uwe
PS: Where can I find your article?
- Copy Link
- Report Inappropriate Content
Hello @GRL,
thank you for the detailed feedback.
In my in-house environment, I have to assign two VLAN's to ONE ER605 port. I have to access LAN2 and LAN3 because both IP ranges are required on the line in the house cabling. As far as I know, this doesn't work.
Furthermore, my ER605 only has 5 connections and this limitation is also an additional factor.
Best Regards,
Uwe
- Copy Link
- Report Inappropriate Content
You can have multiple vlans on one port. For end device, you can either use a managed switch at the other end of the run (or at each device) to do the VLAN tagging for you, or if you device supports it, you can assign a 802.11Q vlan tag on its port.
I currently have 10 vlans running around my business network, mostly on individual links to different rooms then its split off at each device using tags of if not possible, managed switches.
All these VLANs are on one port on my gateway:
Please dont take offense, but i think you need to do some reading on how vlans, port tagging etc work as you are jumping to far more problematic solutions (multi NAT, etc) than you actually need to be using.
- Copy Link
- Report Inappropriate Content
I agree with GRL, your understanding of VLANs is incomplete to say the least.
The entire point of VLANs is to reuse a single physical network and overlay logical networks (VLANs) on top.
Of course, you wouldn't need to do this if you could segregate the networks physically in the first place. I understand you can't, I'm in the same boat.
My entire house is wired with Ethernet coming down to a central point from each room. If I had a single device per room, or no room where I have devices that I'd rather not have on the same network, and less than 5 networks, then maybe I'd get away with physical segregation. But none of these conditions are true. And I'd need a few more switches...
And BTW, I only use 2 ports of my ER605, WAN & LAN. The LAN port goes to a switch and carries ALL the VLANs (only my network devices live in the default LAN, all clients are in VLANs). None of the intra-VLAN traffic touches my ER605. My inter-VLAN traffic is minimal. And since my client VLANs all have a wireless component, physical segregation would also require more APs. VLANs allow me to use my physical infrastructure more efficiently...
In VLAN jargon, ports that handle more than 1 VLAN are called trunk ports (pretty typically for switch-switch and switch-router connectivity). Traffic on these ports is tagged (with the VLAN ID). Ports connected to clients are often assigned to the VLAN ID you want for that client (the main exception are VLAN aware clients, e.g a host with VMs in separate VLANs).
You don't need 3 routers. You need one. You need enough switches to establish physical connectivity based on existing wiring.
Omada switches would make it easier (IMO) but I've done it with TL-SG108Es as well.
HTH
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 574
Replies: 12
Voters 0
No one has voted for it yet.