
unable to disable outbound nat on SMCD3G-CCR?

SOLVED
switchninja
Occasional Visitor


Hi, I am trying to disable all the firewalling and network address translation features on the SMC router, as I will be using my entire static IP pool for physical devices, and I do not want any sort of firewalling or security of any sort enabled.

I seem to have successfully done so, as hosts external from my network are able to communicate to hosts on my network and reach their respective services, but what is not working properly are outbound initiated sessions from hosts on my network sitting behind the SMC. When any IP traffic is sourced from a host behind the SMC, it NATs it to its public IP address.

How do I disable this?

I have 'disable gateway smart packet detection' selected, and I've also tried 'disable firewall for true static ip subnet only.' Also, 'disable all port forwarding rules' is selected.

Thanks

Community Manager
Community Manager

Re: unable to disable outbound nat on SMCD3G-CCR?

Welcome Switchninja. Outbound traffic initiated from a device that has a true public static IP assigned will display that IP as the source address. If your device is set to obtain an address automatically, i.e. DHCP, then the IP address of the public-facing network device will display as the source. In any event, all of your outbound traffic will display either the IP of the SMC gateway, or of your router / firewall, or the assigned public static IP of the device that initiated the session, depending upon your actual setup. As you stated that you are assigning IP addresses from your static pool, no additional address translation takes place. Let us know if you need further assistance.

Thank You.

switchninja
Occasional Visitor

Re: unable to disable outbound nat on SMCD3G-CCR?

Yes, that is exactly what I expect to have happening; however, that is not what is actually occurring.

As I said, outbound initiated sessions -are- being natted.

Here is a sample TCP session being originated from my internal network (public IP host of 173.14.252.237):

 

host01--> ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:19:99:cf:37:7d
inet addr:173.14.252.237

 

Yet when I query a public host on the internet for my public ip, I get:

 

host01--> wget -q -O - checkip.dyndns.org|sed -e 's/.*Current IP Address: //' -e 's/<.*$//'
173.14.252.238

 

When I originate an SSH session to a host I control on the internet, you clearly see packets coming from 173.14.252.238, which is the LAN ip on the SMC.  This host resides on the internet at 207.188.18.50:

 

nms01:~# tcpdump -i eth1 -n host 207.188.18.50 and net 173.14.252.224/28
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
17:15:27.580676 IP 173.14.252.238.46896 > 207.188.18.50.22: S 1645471568:1645471568(0) win 14600 <mss 1460,sackOK,timestamp 881175576 0,nop,wscale 5>
17:15:27.580718 IP 207.188.18.50.22 > 173.14.252.238.46896: S 84519607:84519607(0) ack 1645471569 win 5792 <mss 1460,sackOK,timestamp 640545432 881175576,nop,wscale 7>
17:15:27.593361 IP 173.14.252.238.46896 > 207.188.18.50.22: . ack 1 win 457 <nop,nop,timestamp 881175579 640545432>
17:15:27.600826 IP 207.188.18.50.22 > 173.14.252.238.46896: P 1:33(32) ack 1 win 46 <nop,nop,timestamp 640545437 881175579>

 

I would expect to see traffic from 173.14.252.237, but instead, it's coming from the LAN ip of the SMC.

 

The SMC is clearly nat'ing.  I would really like this 'feature' to be disabled.
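
Added example (not part of the original post, and not Comcast or SMC code): the check the poster performs by eye, done over the capture text. It reads the tcpdump lines shown above and reports whether packets reaching the remote host carry the address configured on the sending host or a rewritten one; the function names and the result keys are assumptions made for this example.

```python
import ipaddress
import re

# Three lines from the capture above, trimmed of their TCP options.
CAPTURE = """\
17:15:27.580676 IP 173.14.252.238.46896 > 207.188.18.50.22: S 1645471568:1645471568(0) win 14600
17:15:27.580718 IP 207.188.18.50.22 > 173.14.252.238.46896: S 84519607:84519607(0) ack 1645471569 win 5792
17:15:27.593361 IP 173.14.252.238.46896 > 207.188.18.50.22: . ack 1 win 457
"""

# "<time> IP <src>.<sport> > <dst>.<dport>: <flags> ..." as printed by tcpdump -n
LINE_RE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (\S+)"
)

def outbound_sources(capture, remote):
    """Return the set of source addresses on packets addressed to `remote`."""
    remote = ipaddress.ip_address(remote)
    sources = set()
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m and ipaddress.ip_address(m.group(3)) == remote:
            sources.add(ipaddress.ip_address(m.group(1)))
    return sources

def check_source(capture, expected_src, remote, static_net):
    """Compare what the remote end saw with the address configured on the host."""
    expected = ipaddress.ip_address(expected_src)
    net = ipaddress.ip_network(static_net)
    seen = outbound_sources(capture, remote)
    if not seen:
        raise ValueError("no packets toward the remote host in this capture")
    rewritten = sorted(s for s in seen if s != expected)
    return {
        "observed_sources": [str(s) for s in sorted(seen)],
        "translated": bool(rewritten),
        # True when the rewritten source is another address in the static block,
        # e.g. the gateway's own LAN address as in the post above.
        "inside_static_block": any(s in net for s in rewritten),
    }

if __name__ == "__main__":
    print(check_source(CAPTURE, "173.14.252.237", "207.188.18.50",
                       "173.14.252.224/28"))
```
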

 

switchninja
Occasional Visitor

Re: unable to disable outbound nat on SMCD3G-CCR?

Update: Comcast_John provided me the clue to solve this.

 

The WAN interface is being bridged to the LAN interface. Set the internal LAN IP to a private RFC 1918 address, i.e. 10/8, 172.16/12, 192.168/16, and use that private subnet as a transit subnet (if you've got a router that needs a next-hop), or simply set your gateway to be the public IP, and the router will bridge the two interfaces automagically.

If you need to route your static IPs to a device behind the SMC, use more specific static routes on the SMC to point to the transit next-hop on the internal network.

Thanks, comcast_john!