New Contributor
•
6 Messages
unable to disable outbound nat on SMCD3G-CCR?
Hi, I am trying to disable all the firewalling and network address translation features on the smc router, as I will be using my entire static ip pool for physical devices, and I do not want any sort of firewalling or security of any sort enabled.
I seem to have successfully done so, as hosts external from my network are able to communicate to hosts on my network and reach their respective services, but what is not working properly are outbound initiated sessions from hosts on my network sitting behind the SMC. When any ip traffic is sourced from a host behind the SMC, it nats it to its public ip address.
How do I disable this?
I have 'disable gateway smart packet detection' selected, I've also tried 'disable firewall for true static ip subnet only.' Also, 'disable all port forwarding rules' is selected.
thanks
Accepted Solution
CC_John
Retired Employee
•
1.9K Messages
12 years ago
Welcome Switchninga. Outbound traffic initiated from a device that has a true public static IP assigned will display that IP as the source address. If your device is set to obtain an address automatically, ie. DHCP, then the IP address of the public facing network device will display as the source. In any event all of your outbound traffic will display either the IP of the SMC gateway, or of your router / firewall or the assigned public static IP of the device the initiated the session depending upon your actual setup. As you stated that you are assigning IP addresses from your static pool no additional address translation takes place. Let us know if you need further assistance.
Thank You.
0
0
switchninja
New Contributor
•
6 Messages
12 years ago
Yes, that is exactly what I expect to have happening, however, that is not what is actually occuring.
As I said, outbound initiated sessions -are- being natted.
Here is a sample tcp session being originated from my internal network (public ip host of 173.14.252.237)
host01--> ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:19:99:cf:37:7d
inet addr:173.14.252.237
Yet when I query a public host on the internet for my public ip, I get:
host01--> wget -q -O - checkip.dyndns.org|sed -e 's/.*Current IP Address: //' -e 's/<.*$//'
173.14.252.238
When I originate an SSH session to a host I control on the internet, you clearly see packets coming from 173.14.252.238, which is the LAN ip on the SMC. This host resides on the internet at 207.188.18.50:
nms01:~# tcpdump -i eth1 -n host 207.188.18.50 and net 173.14.252.224/28
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
17:15:27.580676 IP 173.14.252.238.46896 > 207.188.18.50.22: S 1645471568:1645471568(0) win 14600
17:15:27.580718 IP 207.188.18.50.22 > 173.14.252.238.46896: S 84519607:84519607(0) ack 1645471569 win 5792
17:15:27.593361 IP 173.14.252.238.46896 > 207.188.18.50.22: . ack 1 win 457
17:15:27.600826 IP 207.188.18.50.22 > 173.14.252.238.46896: P 1:33(32) ack 1 win 46
I would expect to see traffic from 173.14.252.237, but instead, it's coming from the LAN ip of the SMC.
The SMC is clearly nat'ing. I would really like this 'feature' to be disabled.
0
0
switchninja
New Contributor
•
6 Messages
12 years ago
Update: Comcast_John provided me the clue to solve this.
The WAN interface is being bridged to the LAN interface. Set the internal LAN ip to a private rfc1918 address, i.e. 10/8, 172.16/12, 192.168/16, and use that private subnet as a transit subnet (if you've got a router that needs a next-hop), or simply set your gateway to be the public ip, and the router will bridge the two interfaces automagically.
If you need to route your static ips to a device behind the SMC, use more specific static routes on the SMC to point to the transit next-hop on the internal network.
thanks comcast_john!
0
0