Business Community > Gateways > ER7206 v2 One-to-One NAT interface missing in SDN mode (PPPoE WAN)
< Gateways

ER7206 v2 One-to-One NAT interface missing in SDN mode (PPPoE WAN)

ER7206 v2 One-to-One NAT interface missing in SDN mode (PPPoE WAN)

ER7206 v2 One-to-One NAT interface missing in SDN mode (PPPoE WAN)
ER7206 v2 One-to-One NAT interface missing in SDN mode (PPPoE WAN)
Yesterday
Tags: #VPN #NAT #VLAN & Multi-Networks
Model: ER7206 (TL-ER7206)  
Hardware Version: V2
Firmware Version: 2.2.3

I’m currently migrating a site from standalone to a full Omada SDN stack and I’ve hit a bit of a wall with the NAT configuration on an ER7206 v2.0 (Firmware 2.2.3) managed by an  OC200 Controller: v1.0 (Firmware 5.14.2)

The site has a Zen Internet FTTP connection using PPPoE on WAN2. I have a stable IKEv2 IPsec tunnel up and running to a third-party Palo Alto gateway. The tunnel is established using a "Custom IP" local subnet of 172.23.24.0/24 as a transit range, which matches the remote encryption domain perfectly.

The issue is that I need to map my local production VLAN (172.16.0.0/24) to that 172.23.24.0/24 transit range before it enters the tunnel. When I go to Settings > Transmission > NAT > One-to-One NAT to create the rule, the "Interface" dropdown is completely empty. It doesn't show the active WAN2 port, nor does it show the IPsec tunnel as a selectable interface.

I’ve checked for "Multi-Net NAT" as a workaround, but that menu seems to be missing entirely from this firmware version.

This was working fine in standalone mode before the adoption, but the SDN controller seems to be filtering out the PPPoE WAN interface from the NAT menus. Has anyone else seen this where the interface dropdown is blank? Is there a specific toggle I’m missing to expose the WAN or the VPN tunnel to the NAT engine so I can get this mapping in place?

Any help would be appreciated as I'm remote now and need to get this routing finalised.

  0      
 
  0      
 
#1
Options
3 Reply
Re:ER7206 v2 One-to-One NAT interface missing in SDN mode (PPPoE WAN)
21 hours ago

  @IMC10 

 

One-to-One NAT is only possible on WAN interfaces with a static IP, since your ISP is PPPoE i assume its DHCP on the WAN ?

  0  
  0  
#2
Options
Re:ER7206 v2 One-to-One NAT interface missing in SDN mode (PPPoE WAN)
20 hours ago

  @GRL  That makes a lot of sense. I hadn't realised the SDN controller would filter the One-to-One NAT menu based on the WAN type, but as this is a PPPoE connection, that explains why the interface dropdown is empty.

I might be misremembering how I had it set up in standalone mode as I was testing a few different configurations behind another router at the time.

Since the equipment isn't on-site yet, I think the best move is to just configure the 172.23.24.0/24 range natively on the local VLAN. It removes the need for NAT entirely and should be a much cleaner setup for the VPN tunnel anyway.

Thanks for clarifying the menu issue, it's saved me a lot of head-scratching!

  0  
  0  
#3
Options
Re:ER7206 v2 One-to-One NAT interface missing in SDN mode (PPPoE WAN)
an hour ago

  @GRL 

Just to clarify, the public IP is static, but Zen deliver it via PPPoE. So the WAN is PPPoE with DHCP. The tunnel to the Palo Alto is up and established without issue.

The challenge is that I need to perform a subnet translation before traffic enters the IPsec tunnel. The remote side expects 172.23.24.0/24 as the local encryption domain, but the machinery on-site is fixed at 172.16.0.0/24 and the client on the other end is being very resistant to changing their configuration.

 

Ideally I would simply readdress the local VLAN to 172.23.24.0/24 and remove NAT entirely, but politically that is not currently an option.

Because the WAN is PPPoE, the SDN controller hides the One-to-One NAT menu. I have looked at:

- Virtual WAN as a possible static alias workaround

- Policy routing to steer traffic into the tunnel

- Using Custom IP versus Network in the VPN policy

- Creating a transit VLAN locally and trying to bridge with NAT

 

Unfortunately without access to One-to-One or Multi-Net NAT in controller mode, I cannot build the required SNAT rule.

Is there any supported way to perform policy-based NAT for IPsec when the WAN interface is PPPoE in SDN mode? Even via CLI or advanced configuration?

I am at the point of considering replacing the gateway with a FortiGate purely to get proper policy NAT control, so any suggestions before I go down the rip and replace route would be very welcome.

  0  
  0  
#4
Options

Information

Helpful: 0

Views: 56

Replies: 3

Tags

VPN NAT VLAN & Multi-Networks
About Us
Press
Copyright © TP-Link Systems Inc. All rights reserved.