Hi, I am trying to disable all the firewalling and network address translation features on the SMC router, as I will be using my entire static IP pool for physical devices, and I do not want any sort of firewalling or security of any sort enabled.
I seem to have successfully done so, as hosts external to my network are able to communicate with hosts on my network and reach their respective services, but what is not working properly are outbound-initiated sessions from hosts on my network sitting behind the SMC. When any IP traffic is sourced from a host behind the SMC, it NATs it to its public IP address.
How do I disable this?
I have 'disable gateway smart packet detection' selected, I've also tried 'disable firewall for true static ip subnet only.' Also, 'disable all port forwarding rules' is selected.
Welcome Switchninga. Outbound traffic initiated from a device that has a true public static IP assigned will display that IP as the source address. If your device is set to obtain an address automatically, i.e. DHCP, then the IP address of the public-facing network device will display as the source. In any event, all of your outbound traffic will display either the IP of the SMC gateway, or of your router / firewall, or the assigned public static IP of the device that initiated the session, depending upon your actual setup. As you stated that you are assigning IP addresses from your static pool, no additional address translation takes place. Let us know if you need further assistance.
Yes, that is exactly what I expect to have happening; however, that is not what is actually occurring.
As I said, outbound-initiated sessions -are- being NATed.
Here is a sample TCP session being originated from my internal network (public IP host of 188.8.131.52):
host01--> ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:19:99:cf:37:7d
Yet when I query a public host on the internet for my public IP, I get:
host01--> wget -q -O - checkip.dyndns.org|sed -e 's/.*Current IP Address: //' -e 's/<.*$//'
When I originate an SSH session to a host I control on the internet, you clearly see packets coming from 184.108.40.206, which is the LAN IP on the SMC. This host resides on the internet at 220.127.116.11:
nms01:~# tcpdump -i eth1 -n host 18.104.22.168 and net 22.214.171.124/28
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
17:15:27.580676 IP 126.96.36.199.46896 > 188.8.131.52.22: S 1645471568:1645471568(0) win 14600 <mss 1460,sackOK,timestamp 881175576 0,nop,wscale 5>
17:15:27.580718 IP 184.108.40.206.22 > 220.127.116.11.46896: S 84519607:84519607(0) ack 1645471569 win 5792 <mss 1460,sackOK,timestamp 640545432 881175576,nop,wscale 7>
17:15:27.593361 IP 18.104.22.168.46896 > 22.214.171.124.22: . ack 1 win 457 <nop,nop,timestamp 881175579 640545432>
17:15:27.600826 IP 126.96.36.199.22 > 188.8.131.52.46896: P 1:33(32) ack 1 win 46 <nop,nop,timestamp 640545437 881175579>
I would expect to see traffic from 184.108.40.206, but instead it's coming from the LAN IP of the SMC.
The SMC is clearly NATing. I would really like this 'feature' to be disabled.
Update: Comcast_John provided me the clue to solve this.
The WAN interface is being bridged to the LAN interface. Set the internal LAN IP to a private RFC 1918 address, i.e. 10/8, 172.16/12, 192.168/16, and use that private subnet as a transit subnet (if you've got a router that needs a next-hop), or simply set your gateway to be the public IP, and the router will bridge the two interfaces automagically.
If you need to route your static IPs to a device behind the SMC, use more specific static routes on the SMC to point to the transit next-hop on the internal network.