DrayTek UK Users' Community Forum


Hairpin NAT / NAT Loopback / NAT Reflection

11 Feb 2019 14:25 #7 by x64

cwager990 wrote:

x64 wrote: From my experience with a 2862, I've had significant issues, some of which involve NAT loopback.

Consider the following possibilities.
Default firewall rule set to BLOCK might affect reverse NAT, including NAT loopback. I found that it's impossible to write a rule to 're-allow' the traffic. (This WAS an issue for me in 2.8.9.2_BT - not sure if it was fixed in 3.8.9.3_BT.) In the 2862 this does seem better in 3.9.0_BT. I worked around this by leaving the rule to allow and writing explicit f/w rules to block other traffic (in addition, of course, to rules to allow the traffic I wanted to pass).

Interaction of use of multiple external IP addresses, IP aliases to support them, and IP routed subnet (to a separate network LAN definition), alongside 'normal' NAT. The underlying issue remains even in 3.9.0_BT on the 2862. With the IP routed subnet configuration, NAT loopback from a device behind NAT on the default IP could not access a device published behind reverse NAT on an alias.



Okay, well that made some difference. As you said, I changed the default rule to pass, and then WAN > LAN block if no further matches, with all my allow rules below.

LOOPBACK now works for the main WAN IP address but, as you say, not for any of the VIPs, regardless of whether they are in the NAT pool or not. Is this the point at which I raise a support request with DrayTek? This was an expensive router that cannot do something most basic models can do; it really makes me mad.



Do you use a mix of public IP routed subnet and NAT/reverse NAT configurations? If so, I might have a workaround to provide limited functionality.....

16 Feb 2019 18:20 #8 by cwager990

x64, yes, I do use a mix of IP routed subnet and NAT/reverse NAT.

Thanks Chris

16 Feb 2019 19:59 #9 by x64
OK,

DrayTek support passed me a partial workaround. Obviously everyone's situation is different, so this might or might not be of use to you, as it does limit both how many addresses can be allocated to the NAT/reverse NAT system and to the routed IPs. Additionally, my router is a 2862ac. Additionally, you may also need to juggle the external IPs that you allocate to your services. Your public allocation might be larger than mine, which would (if this is any use to you at all) give you more flexibility.

My goal was to allocate my public range to one of the router's LAN subnets (LAN8), and to use a VLAN (VLAN7) to present that on a physical LAN port.

You might want to get a pencil and paper to map out the idea below - it will make more sense then, and you will be able to figure out how to apply it to your situation.

The IP range allocated by my ISP is a /29, and the seventh IP address (the one just below the broadcast address) is the IP address of the outside of the WAN1 configuration. If we call the individual IPs in my range IP0 to IP7, then that makes my default external IP IP6. My range is therefore written as IP0/29.

In an ideal world we allocate my entire range IP0/29 to LAN8 and everything would work... Of course it does not - that's why we're here.

Instead we think of my public IP range as half of that range - as a /30. The IPs NOT in that range work correctly for reverse NAT. Those in that range will fail[*]. For the /30, the gateway needs to match the ISP's default IP, so that defined which half of my range I had to overlay with the sawn-off public subnet. For me it was the upper half of my assignment, so the public range was entered as IP4/30 in the LAN8 configuration. As it is not a 'real' subnet, you can use IP4 as well as IP5 for the systems not behind NAT. (IP4 would usually be the 'subnet address' and not configurable for devices - in this case that does not matter - you can use it.)

That leaves IP6 as the default NAT IP, and IP1, IP2 and IP3 available for aliases (for NAT/reverse NAT).

As this workaround dictates which half of your range has to be public IPs and which can have NAT aliases, you may need to juggle your allocations.

[edited for spelling and to add the following qualification]
[*] - I've not tried it, but reverse NAT to the gateway IP might work even though that IP is in the sawn-off public subnet range. My tests were against reverse NAT on alias IPs.

17 Feb 2019 19:58 #10 by cwager990

Don't suppose you have a drawing you could show me? I am not sure I am understanding it right.

17 Feb 2019 20:51 #11 by cwager990
Oh, I have got it working now x64, you are an absolute star, I can confirm this works for the 2860 :D

18 Feb 2019 03:28 #12 by cwager990
There is one addition I would make to those instructions. If you are using more than one WAN, with some devices going out on WAN1 and some on WAN2, the devices that are on WAN2 will only be able to reach the default WAN1 address using reverse NAT. The way to correct this is to add a static route as follows:

Destination IP Address: IP Alias you are trying to reach using reverse NAT

Subnet Mask: 255.255.255.255 / 32

Gateway IP Address: Address assigned to WAN1

Network Interface: WAN2

However counter-intuitive this may sound, it resolves the issue. Do you have a better suggestion than this, x64?
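The /29 split from x64's post #9 and the per-alias WAN2 host routes from post #12, as an added worked example that is not code from the thread or from DrayTek. The range 203.0.113.0/29 and the gateway 203.0.113.6 are constructed sample values; the function also handles the gateway sitting in the lower /30, which x64 did not test (only the upper-half case is described in the thread).

```python
from ipaddress import IPv4Address, IPv4Network


def plan_split(public_cidr: str, wan_gateway: str) -> dict:
    """Apply the workaround: the /30 half holding the ISP gateway becomes the
    'sawn-off' routed subnet (LAN8 in the thread); the other half supplies the
    addresses usable as NAT/reverse-NAT aliases."""
    net = IPv4Network(public_cidr, strict=True)
    gw = IPv4Address(wan_gateway)
    if net.prefixlen != 29:
        raise ValueError("the workaround was described for a /29 allocation")
    if gw not in net:
        raise ValueError("gateway must lie inside the allocated range")
    lower, upper = net.subnets(new_prefix=30)
    routed_half = upper if gw in upper else lower
    alias_half = lower if routed_half == upper else upper
    # Because the /30 is not a 'real' subnet, its own network address (IP4 in
    # the thread) is usable for a routed host; the /29 broadcast is not.
    routed_hosts = [str(a) for a in routed_half
                    if a not in (gw, net.broadcast_address)]
    # Aliases come from the other half, minus the /29 network address (IP0)
    # and broadcast; with the gateway in the upper half this yields IP1..IP3.
    nat_aliases = [str(a) for a in alias_half
                   if a not in (net.network_address, net.broadcast_address)]
    return {
        "routed_subnet": str(routed_half),
        "routed_gateway": str(gw),
        "routed_hosts": routed_hosts,
        "default_nat_ip": str(gw),   # IP6 in the thread: WAN1 address
        "nat_aliases": nat_aliases,
    }


def wan2_static_routes(plan: dict, wan2_interface: str = "WAN2") -> list:
    """Post #12: one /32 host route per alias, via the WAN1 address, on WAN2,
    so hosts routed out via WAN2 can still reach reverse-NAT services."""
    return [
        {"destination": f"{alias}/32",
         "gateway": plan["default_nat_ip"],
         "interface": wan2_interface}
        for alias in plan["nat_aliases"]
    ]


if __name__ == "__main__":
    # Constructed sample: documentation range, gateway on the seventh address.
    plan = plan_split("203.0.113.0/29", "203.0.113.6")
    print(plan)
    for route in wan2_static_routes(plan):
        print(route)
```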
