About disabling NAT: can still it work as a router ?

develox

Hi,

My Asus RT-AC68U is currently the first point of connection for several of my machines. It has some services of its own running as well (OpenVPN client and server, Samba server, media server, etc.). As part of experimentation, it's usually behind some pure firewall (Watchguard, ZyWALL, etc.) which in turn goes directly to my modem/router. Everything works fine as long as I keep the Asus' NAT on, with the drawback that from the firewall's point of view anything behind the Asus is of course seen with a single IP (the Asus' WAN), which doesn't allow much control.

Trying to expose the Asus' clients directly to the firewall, I've gone through what the implications would be in changing the operation mode from Wireless router to AP, and I'm not sure I want to give up the services that disappear along with the WAN interface.

After fiddling a bit with the network I found that I can connect the Asus' switch directly to the firewall and, by disabling the Asus' LAN DHCP server, have the clients directly in the same LAN subnet as the firewall. I can also keep the Asus' WAN connected to the firewall with its services working, but on a separate subnet. I could make the two talk to each other, but at this point I've already lost Asus AI Protection (which I'm getting used to when browsing), and can't benefit from the Asus' VPN client for my work connections (since traffic from the LAN clients is bypassing the WAN interface where the VPN transits).

So I think that the perfect setup would be to keep the Asus working like a router, with just the WAN interface connected to the firewall, and all the traffic between the outside and its clients going through it, but with NAT disabled. At my current level of networking understanding, that should conceptually work. The Asus would route inbound/outbound packets as usual, just not translating them from/to a single (WAN) IP address.

But ... I can't make it work so far. Does anyone have any hint? Or, to put it another way, am I trying something impossible?

Thanks in advance
Peppe
 
What you want from the router is its secondary services but no routing. Did you try configuring the WAN and the LAN IP in the same subnet? In any case, since you have another device in front of the ASUS doing its own routing/firewalling etc., the ASUS should normally be used in AP mode; anything else complicates the setup by a lot. Is it not possible to have the ASUS router in front of the firewall?
 

Thanks for your points charlie2alpha.

Putting the device in AP mode makes many of the secondary services you mention disappear, as they are bound to the presence of the WAN interface.
Why do you suggest I don't need routing? If I want all the Asus' clients' traffic to pass through the WAN interface (inbound/outbound), making it act as the default gateway for them as it does with NAT enabled, isn't that a normal routing operation mode?
Putting the firewall behind the Asus might be a good idea and serve some purpose, but only for wired clients (which are the minority). Wireless ones would bypass the firewall.
 
Hi develox,

You said in the other thread:
The problem in doing so is not that the annexed services don't work; they actually do. I can even reach my work server via the VPN from a PC wired to the Asus' switch. The WAN side of the Asus is perfectly connected to the public internet (I can run test pings to the outside from an SSH terminal into the router).
The problem is rather the opposite: it's the Asus' internal switch traffic (LAN) that doesn't make it through the WAN interface, and is thus isolated. From the point of view of a LAN client on the Asus' switch, no NAT means no internet.
I'd hazard a guess that this is because your gateway device doesn't know how to route the incoming (WAN) traffic back to the LAN clients behind the ASUS. It just assumes they are on its switch port whereas they need to be routed through the ASUS.

But that's just a guess, as my knowledge of routing protocols starts getting hazy at this level of detail. (I thought RIP took care of this stuff - does the ASUS do RIP?)

I suppose that in a "normal" scenario you would have the ASUS on a separate subnet. So your main router would be 192.168.1.1/24 and the ASUS would be 192.168.2.1/24 (*). Both devices would have their own DHCP servers, etc., but the ASUS's firewall and NAT would be turned off. There would be static routes between both devices. Broadcast traffic between the subnets would be a problem of course.

(*) Perhaps use 192.168.1.1/24 and 192.168.1.128/25 ??? Not quite sure how that works - like I said I'm hazy on the specifics. Hopefully a routing expert can help us out.
 
That was it, Colin !

As simple as it appears now, there was no route back for the traffic sources behind the Asus. It was enough to add a static route on the Watchguard to make it work, with everything on (firewall, VPN, Transmission, etc.).

Thanks a lot for your attention and help!
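As an added illustration of Colin's guess and develox's fix (example code written for this page, not posted by anyone in the thread), here is a toy longest-prefix-match lookup over a constructed routing table for the upstream firewall. Addresses are assumed, following Colin's example: firewall LAN 192.168.1.0/24, Asus WAN 192.168.1.2, Asus LAN 192.168.2.0/24, an ISP gateway in the documentation range, plus the overlapping 192.168.1.0/24 and 192.168.1.128/25 split from the footnote to show how a more specific route wins.

```python
import ipaddress

# Constructed addresses (assumptions, not from the thread's real network).
FIREWALL_LAN = ipaddress.ip_network("192.168.1.0/24")
ASUS_LAN = ipaddress.ip_network("192.168.2.0/24")
ASUS_WAN_IP = ipaddress.ip_address("192.168.1.2")
ISP_GATEWAY = ipaddress.ip_address("203.0.113.1")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def lookup(table, dst):
    """Longest-prefix match over (prefix, next_hop, interface) entries."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, iface in table:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop, iface)
    return best


def firewall_table(with_static_route):
    """The firewall's routes; next_hop None means directly connected."""
    table = [(DEFAULT, ISP_GATEWAY, "wan"), (FIREWALL_LAN, None, "lan")]
    if with_static_route:
        # develox's fix: reach the Asus LAN via the Asus' WAN address.
        table.append((ASUS_LAN, ASUS_WAN_IP, "lan"))
    return table


def return_path(dst_client, with_static_route):
    """Where the firewall forwards a reply addressed to an Asus LAN client.

    With NAT off the client's real address is the destination, so without
    the static route the only match is the default route and the reply is
    sent toward the ISP instead of back through the Asus.
    """
    _prefix, next_hop, iface = lookup(firewall_table(with_static_route), dst_client)
    return iface, (str(next_hop) if next_hop is not None else "direct")


def split_lan_table():
    """Colin's footnote: a /25 carved out of the /24 and routed via the Asus."""
    return [(FIREWALL_LAN, None, "lan"),
            (ipaddress.ip_network("192.168.1.128/25"), ASUS_WAN_IP, "lan")]


if __name__ == "__main__":
    print(return_path("192.168.2.50", False))  # ('wan', '203.0.113.1')
    print(return_path("192.168.2.50", True))   # ('lan', '192.168.1.2')
    print(lookup(split_lan_table(), "192.168.1.200")[0])  # 192.168.1.128/25
```

The side effect develox wanted also follows: once the reply goes back via the static route, the firewall sees each Asus client's own address and can apply per-host policy instead of one rule for the Asus' WAN IP.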
 
That's good to hear.

Out of interest, would you describe which Watchguard device you have and how it is connected to the ASUS. I had assumed that the Watchguard had (or was connected to) its own switch with multiple devices hanging off of it. One of those devices being the ASUS.

But it sounds like the Watchguard is just a single port device plugged straight into the ASUS. Correct?
 
The Watchguard (XTM 2 series) has its own internal switch similarly to the Asus, though it allows considerably higher configurability. Each port is configurable as LAN/WAN, as belonging to a security zone, as part of an aggregated bridge of ports, etc ...

The Asus is connected to one of these ports.
 
Hi,
I have a similar problem.
I have an ISP router, a Sagemcom F@st 3184, that provides the LAN and wireless network to part of the house.
In the other part I have an Asus RT-AC66U router.
I can't access my router from outside the network, and apps like AiCloud do not work due to a "Multiple NAT" problem.
I am really a novice in networks, so I was hoping you could give some explanation of how you overcame that problem.
Thanks
 
