hugh7
Posts: 10
Registered: 12-12-2007
Accepted Solution

firewall to router Nat

I've connected a firewall to a Linksys BEFSR41 router.

I put the BEF on a separate subnet:

WAN: static 192.168.1.2 (on same subnet as firewall)

gateway: 192.168.1.1 (firewall inside address)

DNS: 192.168.1.1

LAN:

192.168.2.1

NAT is enabled.

I have the ethernet cable from the firewall connected to the WAN port of the BEF.

 

This works fine to go through the firewall to the internet (which also has NAT; I can't quite imagine how it works with the two NATs).

Problem: If I disable NAT on the BEF I can't get through to the internet.

The question: Isn't there a way to configure the BEF with NAT disabled and still get through to the internet?

I've tried various settings for the WAN on the BEF (besides the one listed above) but haven't hit on the correct one.

Any suggestion would be appreciated.

hugh

Expert
Posts: 12,649
Registered: 07-16-2006

Re: firewall to router Nat

No. There is no way to disable NAT unless you can reconfigure the firewall to route the 192.168.2.* subnet and to do NAT for these addresses. In other words: after disabling NAT on the BEF all other changes must be done on your firewall router 192.168.1.1!

Why do you want to disable NAT anyway? There is usually no reason to do that.
hugh7
Posts: 10
Registered: 12-12-2007

Re: firewall to router Nat

Not sure, but I presumed that since the 'enable NAT' button is deselected for the LAN-to-LAN router configuration, it should be for the WAN-to-LAN router configuration.

Secondly, I presumed that if I try to reach this subnet from 'outside' the main firewall, the NAT on the BEF would prevent this. (I haven't actually tried to reach it yet from the 'outside'.)

Basically, I want the computers behind the BEF to be on a different subnet and at least one of them reachable from the 'outside' via the main firewall.

Thanks for your reply.

hugh

Expert
Posts: 12,649
Registered: 07-16-2006

Re: firewall to router Nat

If you connect a second router through a LAN port to another (main) router the NAT setting is actually irrelevant. I don't know why various FAQs mention to disable NAT (switch to router mode). It does not make a difference. NAT is only relevant for packets running through the routing component, i.e. travelling from the LAN side to the WAN port or back. Thus, it's irrelevant for a LAN-LAN setup.

The default setting for a normal router is NAT enabled because you use private IP addresses inside the LAN which must be mapped to the public IP address on the WAN port. That's what NAT does. Internally you have private IP addresses. In the internet only the public IP address is seen.

It's correct that with NAT enabled the LAN side is inaccessible from the WAN side (except for port forwardings etc.). Disabling NAT is only one prerequisite to make a LAN side fully accessible from the WAN side. As NAT is disabled now the LAN IP addresses are routed to the WAN side. This means that the WAN side must understand and also route those IP addresses correctly. In your case, with NAT disabled the WAN side router and computers must know where to route packets for 192.168.2.*. If you don't set up a route for 192.168.2.0/255.255.255.0 on the main router, all packets for 192.168.2.* will simply be sent to the default gateway, i.e. into the internet where they are quickly discarded.

To make a computer connected to the BEF accessible from the internet you have two options:

1. You can expose some ports through port forwarding and keep NAT enabled on the BEF. You have to forward those ports on the firewall and the BEF. The firewall forwards to the WAN IP address 192.168.1.2 of the BEF. The BEF forwards to the LAN computer address, e.g. 192.168.2.50.

2. If you want to disable NAT on the BEF you have to configure a static route on the firewall to route 192.168.2.0/255.255.255.0 to gateway 192.168.1.2. In addition, you may have to adjust the NAT rules to include 192.168.2.0/255.255.255.0 for NAT (NAT rules define which IP addresses are mapped to the public IP address and which not).

If you want to make the computer accessible from the internet you still have to set up port forwarding on the firewall (because the firewall does NAT and thus makes the LAN side of the firewall inaccessible from the internet). Depending on the firewall this may not be possible: some firewalls/routers only allow you to set up port forwarding to their own LAN IP subnet and not to arbitrary IP addresses, i.e. the firewall might only forward to 192.168.1.* but not to 192.168.2.*.

Maybe you could explain why you must have some computers on a different subnet.
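The two options above and the caveats attached to them can be checked against a small model of what the firewall actually does with a packet. The following is an added example written for this thread, not code from Linksys or from either poster. It uses the addresses the thread gives (firewall inside 192.168.1.1, BEF WAN 192.168.1.2, BEF LAN 192.168.2.0/24, host 192.168.2.50); the public address 203.0.113.10, the "isp-gateway" label, the chosen port 8080 and the forwarding tables are constructed placeholders. It shows why a packet for 192.168.2.50 leaves for the internet until the static route exists (option 2), why the NAT rules must then also cover 192.168.2.0/24, how the two chained port forwards of option 1 resolve to the host, and the check for a firewall that only forwards into its own LAN subnet.

```python
import ipaddress

# Constructed placeholder for the firewall's public address (not from the thread).
PUBLIC_IP = "203.0.113.10"


def next_hop(routes, dst):
    """Longest-prefix-match lookup over (network, next_hop) pairs; None if no route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, hop in routes:
        net = ipaddress.ip_network(net)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


# Firewall routing table before any change: the inside LAN is directly
# connected, everything else goes to the ISP default gateway.
FIREWALL_ROUTES = [
    ("192.168.1.0/24", "direct"),
    ("0.0.0.0/0", "isp-gateway"),
]

# Option 2 from the reply: static route for the BEF's LAN via the BEF's WAN address.
FIREWALL_ROUTES_WITH_STATIC = FIREWALL_ROUTES + [("192.168.2.0/24", "192.168.1.2")]


def outbound_source(nat_networks, src):
    """Source NAT on the firewall: the address the internet sees for a packet
    from src. If src matches none of the NAT rules the private address leaves
    unchanged (and is discarded upstream), which is why the reply says the NAT
    rules must be extended to 192.168.2.0/24 once the BEF stops doing NAT."""
    s = ipaddress.ip_address(src)
    for net in nat_networks:
        if s in ipaddress.ip_network(net):
            return PUBLIC_IP
    return str(s)


def resolve_port_forward(hops, dst_ip, dst_port):
    """Option 1: follow a chain of port-forwarding tables. Each hop is
    (router_address, {listen_port: (target_ip, target_port)}). A packet arriving
    at a router's address on a forwarded port is rewritten to the target; the walk
    returns None if it reaches a router that does not forward that port."""
    for router_ip, table in hops:
        if dst_ip == router_ip:
            if dst_port not in table:
                return None
            dst_ip, dst_port = table[dst_port]
    return dst_ip, dst_port


# Constructed forwarding tables: the firewall forwards TCP 8080 to the BEF's WAN
# address, and the BEF forwards 8080 on to the host at 192.168.2.50 port 80.
PORT_FORWARDS = [
    (PUBLIC_IP, {8080: ("192.168.1.2", 8080)}),
    ("192.168.1.2", {8080: ("192.168.2.50", 80)}),
]


def forward_allowed(firewall_lan, target_ip):
    """The caveat at the end of the reply: some firewalls only forward into their
    own LAN subnet. True when target_ip lies inside firewall_lan."""
    return ipaddress.ip_address(target_ip) in ipaddress.ip_network(firewall_lan)


if __name__ == "__main__":
    print("no static route, 192.168.2.50 goes to:", next_hop(FIREWALL_ROUTES, "192.168.2.50"))
    print("with static route:", next_hop(FIREWALL_ROUTES_WITH_STATIC, "192.168.2.50"))
    print("NAT-disabled BEF host seen by the internet as:",
          outbound_source(["192.168.1.0/24"], "192.168.2.50"))
    print("after extending the NAT rules:",
          outbound_source(["192.168.1.0/24", "192.168.2.0/24"], "192.168.2.50"))
    print("port forward chain ends at:", resolve_port_forward(PORT_FORWARDS, PUBLIC_IP, 8080))
    print("firewall limited to its own LAN may forward to 192.168.2.50:",
          forward_allowed("192.168.1.0/24", "192.168.2.50"))
```

Running it prints the default gateway as the next hop for 192.168.2.50 until the static route is present, the unchanged private source address until the NAT rules include 192.168.2.0/24, the host 192.168.2.50:80 as the end of the two-hop forward chain, and False for the subnet-restricted forwarding check, which is the case where option 1 can fail on a more limited firewall.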
hugh7
Posts: 10
Registered: 12-12-2007

Re: firewall to router Nat

Thank you for this thorough response. It explains a lot.

It seems I can accomplish what I want by following the instructions in #1 of your reply.

As for your question about "why computers" on a different subnet, the answer is basically that I just wanted one subnet open to the 'outside'. Given my limited understanding of how this all works, this may have no real benefit re security.

Thanks again.

hugh