
Double NAT and SAMBA


jvande

This, I’m sure, is not a unique problem, but I’ve tried a couple of different things that don’t seem to work properly. I’ve drawn a quick diagram to illustrate my current setup:


networkdiagram.jpg


Here is the problem. I’d like to access, via Samba (Windows share), Router B’s hard drive from Computer A. Computer A can read Router A, and Computer B can read Router A and Router B’s hard drive, but Computer A can’t reach Router B’s hard drive due to a double NAT situation (from what I can understand - this may be wrong though, hence the question asking for advice). Router B used to be the main gateway to the internet but my new ISP requires their modem to be the gateway now. I had DDNS and a VPN set up on Router B. The only way (so far) that I can get those two working now is to enable a DMZ to router B, which makes Computer A unable to connect via Windows Share.

Some options?:
  • turning off firewall on Router B to allow traffic (exposes network to internet - no thanks)
  • moving hard drive B to Router A (possible, but then network drives need to be completely remapped and VPN and DDNS on Router B still won’t work)
  • turn off DMZ and assign 192.168.2.1 address to router 2 (other features such as DDNS and VPN no longer work)
  • Swap Router A with Router B (ISP won’t allow this – no TV otherwise)
  • “Transparent Bridging” (Computer A no longer receives an IP address as all of the LAN ports are now bridged – in reality the internet disappears on all machines - PPPoE - no password provided by ISP)
  • static routing (how do you do this and where/what do you put into router?)
Perhaps I merely need instructions on how to complete the transparent bridge. I have two options for transparent bridging on the ISP's router: a Port 4 Bridge (enable/disable) and an All LAN Ports Bridge (enable/disable). If I enable the Port 4 Bridge, I would assume that an external IP is given to Router B (plugged into Port 4 of Router A) and then all would be well, but the whole network seems to crash on both routers. What is the “best way” to accomplish what I’m looking for?

I apologize if this is a repeat question, but I’ve been scouring the net for a solution and I’ve crashed my network multiple times now (my roommate is getting pissed because he’s on the same subnet as computer A).

Thanks to all of the experts. :)
 
Turn your router into an Access Point in the same subnet as the ISP router... Or, static routes from your router to pick up .2 subnet. You may also need a static route to pick everything else - like the internet.. The main rule in home networks is: one router one network.. KISS..
 
I can't turn my router into an AP as then I would lose my ability to VPN (which my ISPs modem/router doesn't allow) and my DDNS wouldn't work. What router would you put the static routes on? Router A I'm assuming. How do you do this?

Thanks.

Router A's Static Route Page - I can't enter the external IP of Router B here, so I would have to turn off DMZ first, or use 192.168.1.1?

staticroute.jpg
 
I'm confused on where DMZ is enabled and to what IP.

How is Router B's WAN port connected? You should the WAN IP as XXX.XXX.XXX.XXX
 
Add the routes on the blue router.. If the router really supports static routes try Destination IP: 0.0.0.0 Subnet mask: 0.0.0.0 Gateway IP: 192.168.2.1. That statement says: For Any ip any subnet go to 192.168.2.1
 
thiggins: The DMZ is turned on Router A through a feature called "Advanced DMZ" in the router's settings. You set the MAC address of Router B and then Router B gets an external IP instead of an internal IP of 192.168.2.xx. Then Router B is basically connected as if there wasn't a router A at all. Except for the fact that Computer A can no longer read the media server on Router B because it is outside of the "loop". Router B has the external WAN IP and is coming in on the WAN port leaving the 4 LAN ports available. Hope that makes sense.

netwrks: I'll try to enter the static routes when I get home. Computers hooked to Router B can connect to both Router A & B no problem. It's just going from Computer A backwards to Router B that doesn't work. Would this expose my internal network to the Internet? Confused - sorry :)

Thanks!
 
Ok.. RE: DMZ addressing. In your current configuration, it sounds like you are already exposed to the Internet, by using the DMZ feature with an external IP address.
 
The "Advanced DMZ" sounds like transparent bridging, if Router B is getting a routable WAN IP address. So both routers have public IP addresses?

Why is anything connected to Router A anyway? How is Router A acting as a "gateway" if Router B is connected directly to the internet?
 
That SAMBA server - is it running on the Router B or is it running on the MediaCenter HD attached to Router B - USB or Ethernet?
 
sfx2000: The SAMBA server is running on Router B attached via USB. It is a 1TB USB3.0 drive attached to an ASUS RT N66U router with a share name of \\SERVER

thiggins: There is an option for an "Enhanced Bridge Mode" as well, but I've only enabled the "Advanced DMZ". Both Router A and Router B seem to have the same external WAN IP address. I can't remove Router A as it is required for the FibreOp line coming in on VLAN35 (or something like that). It is a Bell FibreOp 3.0 install and Router A is an ActionTec R3000 which is an AC router.
 
So if you want Computer A to have access to Files hosted on Router B - just open the ports on Router B.

Samba uses TCP 135, 139, 445, and possibly - but not necessarily - 135-139 UDP

Don't get all crazy with the routing and what not... keep it simple.

One thing you might check on the Samba server is run testparm, and see if there is a scope restriction...

See below, if you see something in hosts allow that limits scope in the global section...

cipher:~$ testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[share]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

[global]
workgroup = WORKGROUP
map to guest = Bad Password
idmap config * : backend = tdb
hosts allow = 192.168.1.0/24

[share]
comment = HomeServer
path = /sharepoint
force user = fileserver901
force group = fileserver901
read only = No
guest ok = Yes
 
So if you see something like this:

hosts allow = 192.168.1.0/24

That means that only clients on that subnet can access the Samba host...
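
The scope check described in the post above, as an added example that is not part of the original thread: it reads the `hosts allow` line from a testparm-style dump and reports whether a given client address falls inside it. The client addresses and helper names are constructed for illustration, and only address, CIDR/netmask and trailing-dot prefix entries are handled (no `hosts deny`, hostnames or `EXCEPT`).

```python
import ipaddress

# Constructed sample, modelled on the testparm dump quoted in the thread.
SAMPLE_DUMP = """\
[global]
workgroup = WORKGROUP
map to guest = Bad Password
hosts allow = 192.168.1.0/24

[share]
path = /sharepoint
guest ok = Yes
"""

def parse_sections(dump):
    """Return {section: {param: value}} from testparm-style output."""
    sections, current = {}, None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def entry_to_network(entry):
    """Convert one hosts allow entry to a network, or None if unsupported."""
    if entry.endswith("."):  # prefix form such as "192.168.1."
        octets = entry.rstrip(".").split(".")
        entry = "%s/%d" % (".".join(octets + ["0"] * (4 - len(octets))),
                           8 * len(octets))
    try:
        return ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return None  # hostname or other form this sketch does not evaluate

def client_allowed(dump, client_ip):
    """True if client_ip passes the [global] hosts allow list."""
    allow = parse_sections(dump).get("global", {}).get("hosts allow")
    if allow is None:
        return True  # no allow list means no scope restriction
    entries = allow.replace(",", " ").split()
    if "EXCEPT" in entries:
        raise ValueError("EXCEPT lists are not handled by this example")
    addr = ipaddress.ip_address(client_ip)
    nets = [entry_to_network(e) for e in entries]
    return addr.is_loopback or any(n is not None and addr in n for n in nets)
```

With the sample dump, a client on 192.168.2.x is rejected by Samba itself, regardless of what the router firewall forwards.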
 
I'm not sure this can be done based on the DMZ issue.

Normally, I'd say use static routes on both routers. Each router would have its own internal IP set (like they do now) and then you'd connect another port (say port 5 to port 5 with a common subnet, such as 10.10.10.1 and 10.10.10.2) then add a static route on router1 to 192.168.1.0/24 to gateway 10.10.10.2

And vice versa
Router2 192.168.2.0/24 to gateway 10.10.10.1

However with DMZ, this completely segregated the port that is connecting router 1 and router 2 together.

If the ports were individually addressable, then I'd say you'd have to use another port and do what I mentioned above.

However you mentioned if you turned off the firewall of router 2 you were able to access it correct? Which destination IP did you use?


 
 
