DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
Packet TTL size spoofing to allow NAT
- davidthornton
- Topic Author
- Offline
- Junior Member
Less
More
- Posts: 30
- Thank you received: 0
06 Nov 2010 16:36 #64726
by davidthornton
Packet TTL size spoofing to allow NAT was created by davidthornton
I travel with a Draytek 2820 so I can create a private LAN in my hotel room, use its built in IPsec cabailities to connect to remote LAN VPN's and to ensure that my laptop is not tethered by an Ethernet cable to a desk port.
I've come across a hotel room, this weekend, which is blocking NAT. Usually I setup the router first, connect my laptop to it and authenticate against the hotel Internet web site using the information I am supplied with at reception or where ever. In this hotel, I can get to the authentication page and enter the login information provided by reception to authenticate, through the router as usual. However as soon as I authenticate, everything goes dead (pings, web, the lot) and nothing will route. If I remove the router from the equation and connect my laptop directly to the hotel Internet, everything works fine. The hotel is not allowing me to use NAT.
I have tried spoofing the router WAN port MAC address and making it the same as my laptop wired MAC address. That does not work here!
I've disabled NAT and DHCP on the Draytek, and plugged the Internet cable into a LAN port, and my laptop into another LAN port. This is effectively using the Draytek as a switch. This works but I cannot plug additional devices into the other switch ports to get Internet on those because the hotel will only allocate me one IP address per payment. Of course this is why I want to use NAT.
I believe the problem relates to practices described at both of these URLs:
http://www.sflow.org/detectNAT/
http://www.sevenrains.ro/?p=ispnat
There is also forum discussion here:http://forums.macrumors.com/showthread.php?t=833193
I am wondering if it is possible to do some post routing on the 2820 to make all outbound packets the same size. That way the hotel could not detect NATed packets and block them as it currently appears to be doing.
I have never come across a hotel with such restrictions before. I assume they do not want one person setting up a wireless router, and sharing one paid for connection amongst several rooms via wifi. What this does prevent is someone wanting to use a laptop and other wireless devices with their own router for legitimate purposes in their own room. I cannot use any wireless only device on the Internet because I cannot set up a wireless router in my room.
There is no wifi in this hotel and the room only has one Ethernet cable so it would be great to be able to use a router with NAT and not have to pay to authenticate every individual device against their system which is what I have to do if I use the 2820 in switch only mode. Even if the hotel did have wifi, some of me of my IP enabled wireless devices cannot connect to hotspots because they have no web browser capability to allow me to authenticate, hence me wanting to use my own router.
The macrumours thread, linked above, mentions acquiring an old Cisco PIX 501 or using a router running DD-WRT to do this. Obviously I'd prefer to be able to do it on my Draytek 2820 to save carrying another piece of equipment for this eventuality!
I've come across a hotel room, this weekend, which is blocking NAT. Usually I setup the router first, connect my laptop to it and authenticate against the hotel Internet web site using the information I am supplied with at reception or where ever. In this hotel, I can get to the authentication page and enter the login information provided by reception to authenticate, through the router as usual. However as soon as I authenticate, everything goes dead (pings, web, the lot) and nothing will route. If I remove the router from the equation and connect my laptop directly to the hotel Internet, everything works fine. The hotel is not allowing me to use NAT.
I have tried spoofing the router WAN port MAC address and making it the same as my laptop wired MAC address. That does not work here!
I've disabled NAT and DHCP on the Draytek, and plugged the Internet cable into a LAN port, and my laptop into another LAN port. This is effectively using the Draytek as a switch. This works but I cannot plug additional devices into the other switch ports to get Internet on those because the hotel will only allocate me one IP address per payment. Of course this is why I want to use NAT.
I believe the problem relates to practices described at both of these URLs:
There is also forum discussion here:
I am wondering if it is possible to do some post routing on the 2820 to make all outbound packets the same size. That way the hotel could not detect NATed packets and block them as it currently appears to be doing.
I have never come across a hotel with such restrictions before. I assume they do not want one person setting up a wireless router, and sharing one paid for connection amongst several rooms via wifi. What this does prevent is someone wanting to use a laptop and other wireless devices with their own router for legitimate purposes in their own room. I cannot use any wireless only device on the Internet because I cannot set up a wireless router in my room.
There is no wifi in this hotel and the room only has one Ethernet cable so it would be great to be able to use a router with NAT and not have to pay to authenticate every individual device against their system which is what I have to do if I use the 2820 in switch only mode. Even if the hotel did have wifi, some of me of my IP enabled wireless devices cannot connect to hotspots because they have no web browser capability to allow me to authenticate, hence me wanting to use my own router.
The macrumours thread, linked above, mentions acquiring an old Cisco PIX 501 or using a router running DD-WRT to do this. Obviously I'd prefer to be able to do it on my Draytek 2820 to save carrying another piece of equipment for this eventuality!
Please Log in or Create an account to join the conversation.
- ignatius
- Offline
- Junior Member
Less
More
- Posts: 19
- Thank you received: 0
07 Nov 2010 12:41 #64735
by ignatius
Replied by ignatius on topic Packet TTL size spoofing to allow NAT
I don't have a solution, but your post interests me as it's something that I'd like to try.
I've a Netgear which is connected to ADSL and configured to be DHCP server (10.10.10.0/8 ). A Draytek 2820n is connected to the Netgear (straight cable into WAN2 port) and WAN2 is enabled as DHCP client. The Draytek is configured to be DHCP server for it's four LAN ports (172.19.0.0/16). I connect a PC to one of the Draytek LAN ports and all the relevant ethernet LAN LEDs (Netgear, Draytek WAN2 and Draytek LAN) are green.
The Draytek WAN2 port has picked up 10.10.10.2 from the Netgear and the PC has picked up 172.19.0.2 from the Draytek. I can't ping from the PC to the outside world when connected to the Draytek but I can if I connect the PC directly to the Netgear so I know that the ADSL line is working.
I guess it's something to do with the routing within the Draytek. Can you give me any tips? I had hoped to send you a PM rather than discuss this side issue in this thread, but that's not possible.
I've a Netgear which is connected to ADSL and configured to be DHCP server (10.10.10.0/8 ). A Draytek 2820n is connected to the Netgear (straight cable into WAN2 port) and WAN2 is enabled as DHCP client. The Draytek is configured to be DHCP server for it's four LAN ports (172.19.0.0/16). I connect a PC to one of the Draytek LAN ports and all the relevant ethernet LAN LEDs (Netgear, Draytek WAN2 and Draytek LAN) are green.
The Draytek WAN2 port has picked up 10.10.10.2 from the Netgear and the PC has picked up 172.19.0.2 from the Draytek. I can't ping from the PC to the outside world when connected to the Draytek but I can if I connect the PC directly to the Netgear so I know that the ADSL line is working.
I guess it's something to do with the routing within the Draytek. Can you give me any tips? I had hoped to send you a PM rather than discuss this side issue in this thread, but that's not possible.
Please Log in or Create an account to join the conversation.
- ignatius
- Offline
- Junior Member
Less
More
- Posts: 19
- Thank you received: 0
07 Nov 2010 13:14 #64736
by ignatius
Replied by ignatius on topic Packet TTL size spoofing to allow NAT
It's infuriating ... play around for a few minutes with a clear head (unlike my confused head yesterday evening), and everything falls into place!!!
I was correct and needed to set a static route:
Destination IP: 10.10.0.0
Subnet Mask: 255.255.0.0
Gateway IP Address: 172.19.0.1
Network Interface: WAN2
I put my solution in here just in case anyone else has a similar problem!
I hope that someone provides a solution to the OP's situation.
I was correct and needed to set a static route:
Destination IP: 10.10.0.0
Subnet Mask: 255.255.0.0
Gateway IP Address: 172.19.0.1
Network Interface: WAN2
I put my solution in here just in case anyone else has a similar problem!
I hope that someone provides a solution to the OP's situation.
Please Log in or Create an account to join the conversation.
- davidthornton
- Topic Author
- Offline
- Junior Member
Less
More
- Posts: 30
- Thank you received: 0
08 Nov 2010 01:23 #64746
by davidthornton
Replied by davidthornton on topic Packet TTL size spoofing to allow NAT
Yes, static route required as you have established. How would PC (a) know how to get to PC (b) when both are behind different routers? It wouldn't unless routers are given static routes.
Absolutely nothing to do with my thread though and I think you've possibly realised that starting your own thread might have been a better idea. If it wasn't, we'd all be posting within one huge one.
Absolutely nothing to do with my thread though and I think you've possibly realised that starting your own thread might have been a better idea. If it wasn't, we'd all be posting within one huge one.
Please Log in or Create an account to join the conversation.
- ignatius
- Offline
- Junior Member
Less
More
- Posts: 19
- Thank you received: 0
08 Nov 2010 11:23 #64750
by ignatius
Replied by ignatius on topic Packet TTL size spoofing to allow NAT
I realise that I diverted away somewhat from your original problem and I apologise. Ideally, I would have sent a PM but, as I mentioned, that wasn't possible. I hope that you manage to find a solution as it's something that will interest me too. I'll watch your new thread for suggestions.
Please Log in or Create an account to join the conversation.
Moderators: Chris, Sami
Copyright © 2024 DrayTek