DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

2862 Wan IP alias/Multi-NAT

26 Jun 2018 22:14 #1 by x64
2862 Wan IP alias/Multi-NAT was created by x64
One of the issues I'm experiencing revolves around Port redirection on extra IP addresses.

On my VDSL interface, in addition to the primary IP address, I added two more IP addresses from my range and ticked the enable box against each.

Later when attempting to work around an issue, I was reviewing knowledge base articles that mentioned a "Join NAT pool" setting against each alias. I thought "I don't remember adjusting that" and went back to the IP alias dialog to review it (I don't want the additional addresses included in general outbound NAT). The settings are not there in the current firmware (and the manual confirms the setting is not in the GUI).

I thought - OK, use CLI to check it..., and I managed to find a command "IP AUX" in the manual to set/review IP aliases, and that command has a parameter for NAT pool membership. When I logged into the router, however, there was no "AUX" sub-command under "IP".

So... How do I set the IP addresses included in the NAT pool and used for outbound NAT?

I've seen mention of using PBR to accomplish the same effect - that seems like a sledgehammer to crack a nut, and for me would be a minefield as I also need to present my WAN range non-nat to another device on a physical port/tagged VLAN.

27 Jun 2018 09:30 #2 by admin3
Replied by admin3 on topic Re: 2862 Wan IP alias/Multi-NAT
That particular CLI command was removed because the Join NAT IP Pool functionality isn't particularly useful - what that does is effectively randomise which of your WAN IPs is used for outbound connectivity.

To control which IP address is used for outbound traffic, use the Route Policy rules to specify which local Source IPs and remote Destination IPs / services use which IP address:
https://www.draytek.co.uk/support/guides/kb-policy-routing-guide-v2



Forum Administrator

27 Jun 2018 11:31 #3 by x64
Replied by x64 on topic Re: 2862 Wan IP alias/Multi-NAT
Thanks, I’ll read the article when I get home tonight.

So, to get this straight......

I have a primary IP address set on the WAN connection.
I then manually add two aliases and tick their enable boxes.

Are we saying that in the revised arrangement, and if I do nothing else (no PBR rule), Only the Primary IP address will be used for outbound NAT sessions? That’s the way I’d want it.

Or do I still need to take steps to force the issue? i.e. are you saying that NAT IP pool is deprecated as a default technology? Or just the settings to configure it?

The Draytek documentation is so dire, I shudder at the thought!!! The article you linked might help there. I’ve about 35 years' network implementation and support experience so I understand stuff, but manufacturer-specific implementations do need to be documented in a detailed and unambiguous way to be usable. Some Draytek support articles bridge those gaps, others do not.

27 Jun 2018 17:04 #4 by admin3
Replied by admin3 on topic Re: 2862 Wan IP alias/Multi-NAT

x64 wrote: Are we saying that in the revised arrangement, and if I do nothing else (no PBR rule), Only the Primary IP address will be used for outbound NAT sessions? That’s the way I’d want it.



Yes, that's the current behaviour. It would only behave differently if you had "Join NAT IP Pool" option ticked for the WAN IP Alias addresses, in which case it would use any address in the pool (load balancing WAN IPs?)

x64 wrote: Or do I still need to take steps to force the issue? i.e. are you saying that NAT IP pool is deprecated as a default technology? Or just the settings to configure it?



The Join NAT IP Pool option was removed with 3.8.7 firmware apparently. The behaviour of switching between WAN IPs for outbound access is now controlled solely by Route Policy rules where there's more than one IP on the WAN interface.

x64 wrote: The Draytek documentation is so dire, I shudder at the thought!!! The article you linked might help there. I’ve about 35 years' network implementation and support experience so I understand stuff, but manufacturer-specific implementations do need to be documented in a detailed and unambiguous way to be usable. Some Draytek support articles bridge those gaps, others do not.



Oh dear, what kind of information was unclear? Your original post suggests that the confusion arose partly from information in older knowledgebase articles?



Forum Administrator

27 Jun 2018 20:35 #5 by x64
Replied by x64 on topic Re: 2862 Wan IP alias/Multi-NAT
Firstly, thanks for clarifying the behaviour of the outbound NAT IP addresses. That article does provide more useful information, but if only the primary external IP is used for outbound NAT by default, then I do not need to concern myself with strong-arming the router to do what I want (in that respect).

Apologies for the typos in my post earlier today, using the forum by poking at an iPhone is not too easy.

Before I engage "Victor Meldrew" mode over documentation, let me clear up your query that the NAT pool might be used for "Load Balancing". I've never seen it used for that, it's more usually seen where NAT routers can run out of ports in their external IP addresses. Without a spare port to act as a source port for a new NAT session, there can be no extra sessions. Granted that would be for very large networks or busy systems. Obviously a 2862 is never going to be THAT busy, so I can see why they might deprecate the IP Pool functionality.

As it's off topic, I'll double post, to talk about the documentation issues.
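
The three outbound behaviours discussed in this thread (primary IP only, aliases joined to the NAT pool, and a route-policy rule pinning a source to one alias) can be compared with a small model. This is an added example, not part of any post and not DrayTek's implementation; the `Napt` class, the round-robin pool selection, the one-port-per-session simplification and the 203.0.113.x / 192.168.1.x addresses are all assumptions made for illustration.

```python
import ipaddress
from itertools import cycle

class Napt:
    """Toy NAPT (hypothetical): each session consumes one port on one external IP."""

    def __init__(self, primary, aliases=(), join_pool=False,
                 policies=(), ports=range(1024, 65536)):
        # "Join NAT IP Pool" style: aliases take part in general outbound NAT.
        self.pool = [primary, *aliases] if join_pool else [primary]
        self.rr = cycle(self.pool)  # round robin stands in for "randomised"
        # Route-policy style rules: (source network, external IP to use).
        self.policies = [(ipaddress.ip_network(n), ip) for n, ip in policies]
        self.free = {ip: list(ports) for ip in [primary, *aliases]}
        self.sessions = {}

    def _candidates(self, src_ip):
        addr = ipaddress.ip_address(src_ip)
        for net, ext in self.policies:  # an explicit policy always wins
            if addr in net:
                return [ext]
        # Otherwise rotate through the pool, falling back to the other members.
        i = self.pool.index(next(self.rr))
        return self.pool[i:] + self.pool[:i]

    def open(self, src_ip, src_port):
        """Return (external_ip, external_port), or None when ports have run out."""
        for ext in self._candidates(src_ip):
            if self.free[ext]:
                mapping = (ext, self.free[ext].pop(0))
                self.sessions[(src_ip, src_port)] = mapping
                return mapping
        return None

def capacity(nat, src_ip="192.168.1.10"):
    """Count the sessions one inside host can open before allocation fails."""
    n = 0
    while nat.open(src_ip, 10000 + n) is not None:
        n += 1
    return n

if __name__ == "__main__":
    P, A1, A2 = "203.0.113.1", "203.0.113.2", "203.0.113.3"  # constructed addresses
    tiny = range(5000, 5004)  # 4 ports per IP so exhaustion is visible
    print("primary only:", capacity(Napt(P, (A1, A2), ports=tiny)))
    print("joined pool :", capacity(Napt(P, (A1, A2), join_pool=True, ports=tiny)))
```

With the pool joined, capacity scales with the number of addresses, but the external address seen by remote services changes from session to session, which matters for any remote allowlist keyed on source IP.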

27 Jun 2018 20:35 #6 by x64
Replied by x64 on topic Re: 2862 Wan IP alias/Multi-NAT
The off topic bit of my reply to Admin3

So what's wrong with the documentation? Simply, in many places, it writes words that describe a setting without really adding anything to the text label for the setting. In other cases it totally fails to mention some Draytek proprietary way of doing something (where that information is important). Also in many cases an understanding of architecture would help understanding configuration, or again, there are unexpected attributes of that technology. In other cases it is just "sloppy". Some web articles help, but others are just as bad.

A few examples: (no need to answer these - they are only examples)

In the 2862 manual, the Telnet command list is 25% of the manual, but has no index of commands (the main index only lists the section title). That list is inaccurate as it still lists the deprecated "IP Aux" command.

How does "IP Routed Subnet" actually expose the set configuration? I can't find anywhere in the manual to say it actually is an extra subnet alongside the LAN1 configuration (It is mentioned as such in a few words in an old web article).

There is no formal description of what the router considers "Inside" or "Outside" networks - in the case of "IP routed subnet" or a public IP LAN segment, this can be confusing.., and the actual implementation (arguably) makes firewall rules confusing.

In what exact circumstances is the inter LAN routing tick needed? There are cases surrounding non-nat segments where clarification would be very useful.

The fact that "LAN DNS" silently rewrites queries to EXTERNAL servers is very important to know. It's useful, but could be very confusing if you are not expecting that behaviour. Personally I'd have expected that if I referenced the proxy by assigning the router IP as DNS server for internal clients. As such, if I'm debugging a DNS issue on a client's domain by targeting DiG at specific external servers, I'm no longer seeing WHAT that server is replying, I'm seeing what the V2862 wants to tell me. Doing that silently is wrong (and not documenting it is crazy).

The interfaces/manual use the term "LAN/DMZ/RT/VPN" - that's almost self-explanatory apart from having to guess what the exact definition of "RT" is... "Internally Routed?".

In firewall rule sets - "Branch to other filter set" does not mention that it continues to evaluate the CURRENT filter set before going to the specified set.

Many cases of these ambiguities, lack of important detail/architectural information etc, make the documentation far from ideal.
