DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
for NAT usage, for ROUTING usage
22 Jun 2013 04:18 #76762
by iswizzle
for NAT usage, for ROUTING usage was created by iswizzle
Hi,
Can anybody give me a clear example of switching from NAT to ROUTING usage on a 2850 or any other DrayTek?
I can't seem to get it to work. Once I switch to routing usage, I can't access the internet. I don't want to use NAT as I'm not directly connected to the internet but connected to another secure network.
22 Jun 2013 17:54 #76766
by voodle
Replied by voodle on topic Re: for NAT usage, for ROUTING usage
A NAT VPN is like connecting the router to a dial-in user VPN. It is able to access internet / network resources on the VPN server network, but this is only one way; the router connecting to the VPN doesn't give access to the devices / network behind it because of NAT.
A Routed VPN is full routing between the subnets on the two networks; the resources on each side are available to each other depending on the subnets being used (or if more subnets are defined using the More button).
23 Jun 2013 07:56 #76769
by iswizzle
Replied by iswizzle on topic Re: for NAT usage, for ROUTING usage
Hi Voodle,
Thanks for the reply. I have posted before about this, as this is an MPLS network that the router is connected to, although it shouldn't be a problem.
I can connect a Cisco up to it without a problem, but the Cisco is using BGP, which DrayTek doesn't support.
I can actually connect the DrayTek up to it also, but when I look at the BGP routing table (via another Cisco), the DrayTek is advertising a /32 subnet for the LAN despite me entering a /24.
Now, I'm sure this is down to the router running NAT, and when I run NAT, I'm actually connected to the network and can browse the internet etc. via our DNS & gateway.
Now, the problem with NAT is that we can't initiate a connection from outside to the LAN, which we need to do. We don't want to port forward, open ports etc., as we need full unrestricted access to the LAN.
I would have thought that routing only would have done this, but when I enable it, I get nowhere and lose all connectivity.
MPLS NETWORK >>>> PE Router 81.x.x.x >>>> CE Router WAN IP 172.31.255.0/32 LAN 10.1.100.0/24 (router address is 10.1.100.1)
So, the 2 issues are:
1. To use routing only, what would I set and where?
2. And (if anybody knows about MPLS & BGP), why is the BGP routing table only showing 10.1.100.1/32 (the LAN IP of the router) instead of 10.1.100.0/24 (the LAN subnet of the router)?
23 Jun 2013 20:30 #76778
by admin
Forum Administrator
Replied by admin on topic Re: for NAT usage, for ROUTING usage
I might have misunderstood here, but I think Voodle introduced VPN in error and you were just asking about regular Internet access... You MUST use NAT unless your WAN/Internet connection provides multiple IP addresses (a subnet). NAT provides a one-to-many translation to a locally created subnet otherwise.
24 Jun 2013 02:52 #76782
by iswizzle
Replied by iswizzle on topic Re: for NAT usage, for ROUTING usage
Yes, we definitely do not require a VPN of any sort, as this is done at a higher level due to the MPLS network. It is, in effect, its own private cloud due to the MPLS wrapper etc.
So, what we really need is regular access to another network, which some would probably class as "double NAT", which we don't want to do.
Basically, imagine you have a router at home (we will call this the PE Router) and then into the LAN side of that, you have another router with another LAN behind it (this is the CE Router).
SITE A's LAN subnet (CE Router LAN) should be able to communicate with SITE B's LAN subnet (another CE Router LAN far, far away), e.g. PC to PC, and each site should be able to initiate the connection rather than just respond to a connection.
Now, on a Cisco it's fairly easy... each router has 2 interfaces, e.g. one for WAN, one for LAN, and the routers communicate with each other via the WANs and each LAN can talk to each other without the use of NAT.
It's bog standard routing and as long as each router has a next hop, it's easily achievable.
Surely the DrayTeks can do this? I realise that NAT can't be turned off on them, so I would have thought that you could put a dummy subnet (one that you will never use) into the first subnet (which is forced to use NAT).
Then enter a second subnet for ROUTING usage and use this.
At the moment, the DrayTeks are communicating with the MPLS network but they are only showing 1 address, e.g. 10.1.100.1/32 (which is the internal address of the CE router), and I suspect this is down to using NAT, i.e. only showing 1 address with many behind it. It really should show 10.1.10.0/24 rather than 10.1.100.1/32. Admittedly, the Ciscos do advertise their subnets into the VRF via BGP, which the DrayTeks do not support.
Ultimately, the question I'm asking is:
Can the DrayTeks be used on an MPLS network as a CE Router?
Breaking that down into simpler terms is:
Can the DrayTeks use a private range, e.g. 172.31.255.0/30, on the WAN interface and another private range on the LAN interface, e.g. 192.168.1.0/24, and the LAN interface communicate with another similar LAN interface without the need for open ports, port forwarding etc.?
In effect:
SITE A LAN 10.1.100.0/24 >>>> SITE A WAN 172.31.255.1/30 >>>> PE ROUTER LAN 172.31.255.2/30 >>>> MPLS CORE NETWORK >>>> PE ROUTER LAN 172.31.255.7/30 >>>> SITE B WAN 172.31.255.6/30 >>>> SITE B LAN 10.1.101.0/24
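An added illustration, not part of the original thread: a longest-prefix-match lookup showing why a far-side router that only learns 10.1.100.1/32 can reach the CE router's LAN address but not the PCs behind it, while a 10.1.100.0/24 route covers both. The next-hop labels and the host 10.1.100.50 are constructed for the example.

```python
import ipaddress

def lookup(routes, dst):
    """Longest-prefix match: return (prefix, next_hop) for dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return (str(best[0]), best[1]) if best else None

# Constructed route tables as seen from the Site B side.
# "site-a-ce" and "local-lan" are hypothetical next-hop labels.
OBSERVED = [  # what the thread reports: only the router's LAN IP is visible
    ("10.1.100.1/32", "site-a-ce"),
    ("10.1.101.0/24", "local-lan"),
]
INTENDED = [  # what the poster wants: the whole Site A LAN subnet
    ("10.1.100.0/24", "site-a-ce"),
    ("10.1.101.0/24", "local-lan"),
]

def reachability(routes, hosts):
    """Map each destination host to the route that would carry it (or None)."""
    return {host: lookup(routes, host) for host in hosts}

if __name__ == "__main__":
    hosts = ["10.1.100.1", "10.1.100.50"]  # router LAN IP, constructed PC
    for name, table in (("observed", OBSERVED), ("intended", INTENDED)):
        for host, route in reachability(table, hosts).items():
            print(f"{name:9} {host:12} -> {route}")
```

With no default route in the table, a destination that matches no prefix is simply unroutable, which is the situation for Site A's PCs when only the /32 is known.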