Public IPs behind NAT

09/11/2006, 16h57   #1
Nathan Funk

Hello everyone,

Is there any way a person can associate some computers behind a NAT
with a public address so they behave as if they were normal public
machines?

I'm familiar with the options of port-forwarding and DMZ, but would
really like to have the entire set of ports and specific IPs associated
with individual machines.

We are currently routing traffic through a NAT router into a wireless
trunk with many remote computers spread over a wide area. We would like
to make some of those remote machines more accessible from the
Internet. If we could have some public IPs associated with those
machines, that would be great.

Is there any special equipment required for this? Are there any
specific routers you could recommend?

I hope I was clear enough... Any help would be appreciated.

Thanks,

Nathan

09/11/2006, 18h06   #2
Walter Roberson

In article <1163091421.032024.293760@e3g2000cwe.googlegroups.com>,
Nathan Funk <nathan.funk@gmail.com> wrote:

>Is there any way a person can associate some computers behind a NAT
>with a public address so they behave as if they were normal public
>machines?


>I'm familiar with the options of port-forwarding and DMZ, but would
>really like to have the entire set of ports and specific IPs associated
>with individual machines.


Could you clarify the difference that you see between using static
port forwarding and having "the entire set of ports and specific IPs
associated with an individual machine" ?

Do you mean something like, you do not want to assign permanent
IPs to the internal machines, and inside you want the internal machines to
be somehow recognized by the infrastructure, and the public IP and
appropriate ports automatically associated with whatever internal IP
number that machine has?


>We are currently routing traffic through a NAT router into a wireless
>trunk with many remote computers spread over a wide area. We would like
>to make some of those remote machines more accessible from the
>Internet. If we could have some public IPs associated with those
>machines, that would be great.


At the moment, I do not see why you do not just use standard NAT
and access controls and standard static IP addressing for those
machines that you want to be accessible? Is the difficulty related
to the wireless aspect, something like that the machines move around
and get assigned different IPs depending on which access point they
move into the range of??

09/11/2006, 23h24   #3
David Schwartz


Nathan Funk wrote:

> Is there any way a person can associate some computers behind a NAT
> with a public address so they behave as if they were normal public
> machines?


> I'm familiar with the options of port-forwarding and DMZ, but would
> really like to have the entire set of ports and specific IPs associated
> with individual machines.


It sounds like you are using terms in non-standard ways or have
particular meanings in mind for generic terms. Do you want to configure
the computer with a public IP address? Or do you only want the NAT box
to know that that computer has a public IP address? If the latter, what
could you want other than port forwarding?

If you mean you want to configure the computer internally with a
private address and have it appear to have a public address externally,
then in general the answer is that it is very hard to get that to work
exactly right.

The problem is that when the machine asks its stack what its own IP
address is, it will get the internal address. It is hard to make every
decision the machine could make on that basis come out right.

> We are currently routing traffic through a NAT router into a wireless
> trunk with many remote computers spread over a wide area. We would like
> to make some of those remote machines more accessible from the
> Internet. If we could have some public IPs associated with those
> machines, that would be great.


UPnP may be what you want. If you want to assign those machines public
addresses directly, your router probably has that capability.

> Is there any special equipment required for this? Are there any
> specific routers you could recommend?


What we did was turn off NAT in the router we got from our provider and
use a separate Linux box to do our NAT (router on a stick). This allows
machines on our network to be either configured with public IP
addresses or, if they use DHCP, to get a NATed internal IP from the
Linux box.

DS

10/11/2006, 00h15   #4
Nathan Funk

Thanks for your reply.

> Could you clarify the difference that you see between using static
> port forwarding and having "the entire set of ports and specific IPs
> associated with an individual machine" ?


With the cheap NAT router (<$100) we're working with, it obtains a
single public IP via DHCP. I was using port-forwarding under the narrow
definition of say, forwarding port 80 from that single public IP to a
computer on the LAN. The difference between that and what I want to do
is that I would like to map *multiple* public IPs to machines in our
network. I am not sure whether I can directly assign public IPs to the
machines, or have to assign local addresses and then use a
mapping/forwarding method at the router.

So in the final system I could have three public IPs for example:

- 12.34.56.1 (public IP for all NATed computers)
- 12.34.56.2 (public IP for a special computer in our network)
- 12.34.56.3 (public IP for a second special computer)

The advantage over port-forwarding through the *single* IP is of course
that anybody can access all ports on the second and third machine. With
this setup, a person could have web servers on port 80 running on
12.34.56.2 and 12.34.56.3 without them interfering with each other.

> Do you mean something like, you do not want to assign permanent
> IPs to the internal machines, and inside you want the internal machines to
> be somehow recognized by the infrastructure, and the public IP and
> appropriate ports automatically associated with whatever internal IP
> number that machine has?


Not necessarily. Most machines will be NATed with local IPs assigned
via DHCP. Just for a few, we would like to have specific public
addresses for specific machines.

> At the moment, I do not see why you do not just use standard NAT
> and access controls and standard static IP addressing for those
> machines that you want to be accessible? Is the difficulty related
> to the wireless aspect, something like that the machines move around
> and get assigned different IPs depending on which access point they
> move into the range of??


It might not be a problem at all - with the proper equipment and
configuration. We are just not sure exactly what that equipment and
configuration is at this point.

One thing that adds complexity is that we do not have static public
IPs. Instead we are getting dynamic public IPs from our ISP. So we need
to get around the NAT router's DHCP server to instead get IPs from the
ISP's DHCP server.

Nathan

10/11/2006, 01h08   #5
Barry Margolin

In article <1163117717.278571.99420@e3g2000cwe.googlegroups.com>,
"Nathan Funk" <nathan.funk@gmail.com> wrote:

> So in the final system I could have three public IPs for example:
>
> - 12.34.56.1 (public IP for all NATed computers)
> - 12.34.56.2 (public IP for a special computer in our network)
> - 12.34.56.3 (public IP for a second special computer)
>
> The advantage over port-forwarding through the *single* IP is of course
> that anybody can access all ports on the second and third machine. With
> this setup, a person could have web servers on port 80 running on
> 12.34.56.2 and 12.34.56.3 without them interfering with each other.


This type of thing can easily be done with enterprise routers and
firewalls, but not with most consumer "broadband routers". You'll
probably have to spend at least $500 for the type of device that does
this.

--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***

10/11/2006, 02h29   #6
David Schwartz


Barry Margolin wrote:

> In article <1163117717.278571.99420@e3g2000cwe.googlegroups.com>,
> "Nathan Funk" <nathan.funk@gmail.com> wrote:


> > So in the final system I could have three public IPs for example:
> >
> > - 12.34.56.1 (public IP for all NATed computers)
> > - 12.34.56.2 (public IP for a special computer in our network)
> > - 12.34.56.3 (public IP for a second special computer)
> >
> > The advantage over port-forwarding through the *single* IP is of course
> > that anybody can access all ports on the second and third machine. With
> > this setup, a person could have web servers on port 80 running on
> > 12.34.56.2 and 12.34.56.3 without them interfering with each other.


> This type of thing can easily be done with enterprise routers and
> firewalls, but not with most consumer "broadband routers". You'll
> probably have to spend at least $500 for the type of device that does
> this.


Right, most consumer devices can only do NAT or direct routing onto a
segment and cannot easily be made to do both. You have several obvious
choices:

1) Upgrade the router to a device that can do both.

2) Replace the firmware in the router you have with something like
OpenWRT that can do both.

3) Use the router strictly to route and add a PC as a NAT box.

4) Add a second cheap router to do the NAT, set the current one just to
do passthrough.

We faced the same problem. We had 5 public IPs and many machines that
were fine with NAT. We set the router our provider gave us to do simple
routing and added a Linux box to do NAT. That Linux box was also our
web and mail server, so it was going to get an outside IP address
anyway.

DS

10/11/2006, 03h16   #7
Nathan Funk

> It sounds like you are using terms in non-standard ways or have
> particular meanings in mind for generic terms. Do you want to configure
> the computer with a public IP address? Or do you only want the NAT box
> to know that that computer has a public IP address? If the latter, what
> could you want other than port forwarding?


We're planning to have multiple computers with public IPs and a
majority of computers with private IPs dynamically assigned. So it's
different than only wanting to forward ports on a single public IP to a
single computer on our network.

> What we did was turn off NAT in the router we got from our provider and
> use a separate Linux box to do our NAT (router on a stick). This allows
> machines on our network to be either configured with public IP
> addresses or, if they use DHCP, to get a NATed internal IP from the
> Linux box.


This sounds similar to what we want to accomplish. Are the public IP
addresses you use static? What do you do if the public IPs are dynamic
(our case)?

We are looking into whether a managed switch might be the solution to our
problem. I don't understand too much about them, but in vague terms we
would put the NAT'd traffic on VLAN 1 and the machines with public IPs
on a VLAN 2. Does this make any sense?

Nathan

10/11/2006, 06h04   #8
David Schwartz


Nathan Funk wrote:

> > What we did was turn off NAT in the router we got from our provider and
> > use a separate Linux box to do our NAT (router on a stick). This allows
> > machines on our network to be either configured with public IP
> > addresses or, if they use DHCP, to get a NATed internal IP from the
> > Linux box.


They are static in our case.

> This sounds similar to what we want to accomplish. Are the public IP
> addresses you use static? What do you do if the public IPs are dynamic
> (our case)?


How can you have multiple dynamic public IPs? How do you know which IPs
are yours? Do you use DHCP to get each address? In that case, configure
your cheap router as a bridge. Let the NAT router use DHCP to get its
address just like the others.

> We are looking into whether a managed switch might be the solution to our
> problem. I don't understand too much about them, but in vague terms we
> would put the NAT'd traffic on VLAN 1 and the machines with public IPs
> on a VLAN 2. Does this make any sense?


Yes, but that doesn't solve the basic problem. That assumes the problem
is already solved.

If you use DHCP for all the public addresses, then it should be this
simple:

1) Change your router to a bridge. Connect that router to VLAN2.
Connect all machines with public IPs to VLAN2. Leave them set to use
DHCP.

2) Connect a cheap router or Linux box as a NAT. Connect its outside
port to VLAN2 and its inside port to VLAN1. Set the router/box to use
DHCP on the outside port to get its public address and to offer DHCP on
its inside port so those machines autoconfigure.

That should do it. I have a friend who has satellite access that works
this way, and this is the setup he uses.

You will need to use VLANs if you want DHCP to work on both segments.
(Well, not strictly need, but if you don't segment your LAN, you have
to configure the DHCP servers carefully.)

DS
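
The Linux-box variant of step 2 in the post above, as an added example that is not code from any poster in the thread: a generator for an iptables-restore ruleset that masquerades the inside segment behind the box's DHCP-assigned outside address and forwards only replies back in. The interface names `eth0.2` (outside, VLAN2) and `eth0.1` (inside, VLAN1) and the subnet `192.168.1.0/24` are assumptions.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset for the NAT box of step 2.
# Interface names and the inside subnet are assumptions, not from the thread.

valid_if() {   # plain names only (eth0, eth0.2); no leading dash, no metacharacters
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
}

valid_cidr() { # a.b.c.d/len with octets <= 255 and len <= 32
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' || return 1
    [ "${1#*/}" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- ${1%/*}; IFS=$old_ifs
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

# gen_nat_rules OUTSIDE_IF INSIDE_IF INSIDE_CIDR -> ruleset on stdout, 1 on bad input
gen_nat_rules() {
    valid_if "$1" && valid_if "$2" && valid_cidr "$3" || return 1
    [ "$1" != "$2" ] || return 1
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
# Outside address is a DHCP lease, so MASQUERADE rather than SNAT to a fixed IP.
-A POSTROUTING -s $3 -o $1 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
# The box itself: on the outside port accept only replies and the DHCP lease.
-A INPUT -i $1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $1 -p udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -i $1 -j DROP
# Inside hosts may open connections outward; only replies are forwarded back.
-A FORWARD -i $2 -o $1 -s $3 -j ACCEPT
-A FORWARD -i $1 -o $2 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Print the ruleset for the assumed layout (outside on VLAN2, inside on VLAN1).
# To apply as root: pipe into iptables-restore (this replaces the current nat and
# filter tables) and enable routing with: sysctl -w net.ipv4.ip_forward=1
gen_nat_rules eth0.2 eth0.1 192.168.1.0/24
```

This ruleset protects only the NAT box and the machines behind it. The machines attached to VLAN2 with public addresses are reachable from the Internet on every port and need their own host firewalls.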
