IX. NAT Related Features
ExpiredIP Routing - Configuring non-NAT operation (public subnet)
Click here to return to your search results
If you have multiple public IP addresses (i.e. a subnet allocated by your ISP as opposed to just a single IP address), it is possible to configure the DrayTek units that support multiple IPs in a flexible way using NAT, Multi-NAT/WAN IP Alias and IP Routing. The preferred method is often to use WAN IP Alias to minimise the direct exposure from unsolicitied incoming traffic via NAT but a non-NAT configure can also be setup.
Using IP Routing, IP Addresses can be routed directly through to the LAN side directly without applying NAT to that traffic, which can be useful for placing servers or other devices behind the router; This configuration would mean that the device uses a public IP Address directly.
IP Routing can be used in addition to the WAN IP Alias feature, but IP addresses allocated as IP Aliases are removed from the pool of addresses usable by the IP routed subnet.
This example will use the following IP address details:
Network Address | 198.51.100.152 |
Broadcast Address (Not Used) | 198.51.100.159 |
Subnet Mask | 255.255.255.248 |
First Usable IP | 198.51.100.153 |
Last Usable IP | 198.51.100.158 |
The router will use 198.51.100.153 as the address for IP routing and clients would use an IP address available in that range, with 198.51.100.153 as their gateway.
Client Setup
For instance this server is configured to use one of the IPs available in the range: 198.51.100.154, with the router's IP routing address as the Gateway:
There are two methods to set this up on a DrayTek router:
Dedicated LAN Interface - This uses a separate LAN interface in Routing mode to route the public IP addresses through, this requires either a dedicated LAN port on the router or the use of VLAN tags (on a separate switch)
NAT & Routed Shared LAN Interface - This would add the routed subnet to the router's LAN1 interface, which is a NATted subnet.
Dedicated LAN Interface
Dedicated LAN Interface for Public Subnet
To set up a dedicated LAN interface for routing purposes, the router will first of all need to have VLANs enabled, go to the LAN > VLAN page to configure that. This guide will use LAN2 as the routed subnet, with two ports dedicated to this interface.
A recommended configuration is shown below, with just ports 5 and 6 set as members of VLAN1, which is set to link to LAN2. Please note that VLAN Tag does not need to be enabled for this configuration to operate and on wireless models, each SSID must be a member of a VLAN to apply the changes to the VLAN settings.
Clicking OK on this page will prompt the router to restart, allow it to restart to apply the VLAN changes - please note that ports 5 and 6 are not connected to an enabled network at the moment so will not be usable until this configuration is completed.
Go to LAN > General Setup, on that page, the settings for the additional LANs on the routerwill no longer be greyed-out so click on the LAN2 Details Page button to configure the routing settings for that network.
On that page, set the Network Configuration to Enable and select the For Routing Usage radio button.
The IP routed address in this case is set to 198.51.100.153 and the Subnet Mask is set to 255.255.255.248.
The DHCP Server Configuration can be enabled if required - if that will be used, set the Start IP, IP Pool Count and Gateway IP address to the correct values for the public subnet.
Click OK on that page, at which point the router will prompt to restart, click OK to restart the router and apply the changes:
Once the router has restarted, the IP Routed subnet will be available as part of the LAN2 network and any devices connected to the ports linked to LAN2 will be able to the available addresses in the public subnet, These devices would need to use the router's gateway address of 198.51.100.153 and the subnet mask of 255.255.255.248 to operate.
If DHCP is enabled those will be given out automatically.
To add additional LAN ports to the LAN2 routed subnet network, go to the LAN > VLAN page and set those ports to be members of VLAN1/LAN2 instead of the default of VLAN0/LAN1.
- First Published: 06/01/2015
- Last Updated: 17/12/2021
Comments
07/01/2017
Just configured this on my 2860 with 3.8.4.2 - all working well with web server, mail server and secondary VPN/firewall router behind the 2860, running alongside natted PCs on a private DHCP range.