Just an interesting note.

DanS
10-22-2008, 10:35 PM
A *long* while back I asked a question here that was never answered.

The scenario/question was.........

Connected to the ISP's modem is a home rtr. In this case, a wired-only Linksys of which the m/n
escapes me now. The Linksys box is NAT'g for the internal network of 192.168.1.0/24.

Also attached to the network is a 'real' rtr, with 2 eth interfaces. One of the NIC's is on the
192.168.1.0/24 subnet, the other NIC is on the 192.168.2.0/24 subnet connected to a different switch
with a couple PC's attached as well. The 'real' rtr is configured to a bare minimum, only the IP info
of each interface set and G/W & DNS are pointing to the ISP rtr, 192.168.1.1.

The question was........will the inexpensive consumer rtr properly NAT and pass the 'off-subnet' routed
packets ?

The answer is yes, it will. (This one anyway.) But, one of the requirements is that a route needs to be
placed in the ISP rtr for the 192.168.2.0/24 gateway, being the 192.168.1.x address of the 'real' rtr.

My theory is that if the home rtr that is being used has a section in the setup for entering static routes,
the above scenario will most likely work. To be clear, these entries are not for port mapping in the ISP
rtr, and are usually entitled 'Routes' or 'Routing' in (one of) the 'Advanced' sections.

Just a worthless tidbit, ignore it if you like.

(The history behind the question was that I was thinking about sharing my internet connection with a
relative, but wasn't real keen on the Layer2 bridging way of doing it and having all my LAN traffic up in
the air. Plus, I already have several complete PtP pairs of some (of The Old) Clearwire proprietary
system that operates on Layer3, which would have put the other end on a different subnet.)
 
DanS
10-23-2008, 01:32 AM
Jeff Liebermann <(E-Mail Removed)> wrote in
news:(E-Mail Removed):

> On Wed, 22 Oct 2008 22:35:12 +0000 (UTC), DanS
> <(E-Mail Removed)> wrote:
>
>>A *long* while back I asked a question here that was never answered.

>
> Impossible. Someone always answers questions. Sometimes, the answers
> are even correct.
>
>>Connected to the ISP's modem is a home rtr. In this case, a wired-only
>>Linksys of which the m/n escapes me now. The Linksys box is NAT'g for
>>the internal network of 192.168.1.0/24.

>
> Ok, you're off the hook for forgetting to supply the muddle number.
> Just don't make a habit of it.
>
>>Also attached to the network is a 'real' rtr, with 2 eth interfaces.

>
> You mean there are unreal routers out there? Try tapping the router
> with a magic wand. If it disappears in a puff of smog, it's not a
> real router but an illusion. Incidentally, I think your "real" router
> is going to require 3 ethernet interfaces.


I'm sure you know what I mean by 'real' rtr. Ala...Cisco, Cabletron, etc...

>> One of the NIC's is on the
>>192.168.1.0/24 subnet, the other NIC is on the 192.168.2.0/24 subnet
>>connected to a different switch with a couple PC's attached as well.
>>The 'real' rtr is configured to a bare minimum, only the IP info
>>of each interface set and G/W & DNS are pointing to the ISP rtr,
>>192.168.1.1.

>
> Ummm.... is this in addition to the unspecified model Linksys real
> router, or is this a replacement for the unspecified model Linksys
> real router?
>
>>The question was........will the inexpensive consumer rtr properly NAT
>>and pass the 'off-subnet' routed packets ?

>
> Sure. No problem at all. However, it won't work with your creative
> IP address layout. You cannot have the ISP's router at 192.168.1.1
> and also NAT one of the output ports in the same subnet. Also, if
> it's coming from the ISP's modem, the common input port will probably
> have a routable IP address delivered by the ISP's DHCP server.
>
>>The answer is yes, it will. (This one anyway.) But, one of the
>>requirements is that a route needs to be placed in the ISP rtr for the
>>192.168.2.0/24 gateway, being the 192.168.1.x address of the 'real'
>>rtr.

>
> Huh? Perhaps it would be helpful if you would describe this mythical
> real router of yours. From your muddled description, my guess is that
> it has 3 ports. One for the WAN going to the modem. Two other going
> to two separate subnets. Unless I'm reading this wrong, the Linksys
> just magically became the "real" router in your last statement.


I guess I didn't explain it well....

There is a network @ work. It connects to a cable ISP using the (unnamed) consumer grade Linksys
cable/DSL rtr. I had (probably mistakenly) used the phrase ISP rtr meaning the rtr that connects to the
internet. The inside of that rtr is 192.168.1.0/24...the office LAN. The outside is the internet, the WAN
side.

Now, hang a Cisco 1750 (or like) on the 192.168.1.0/24 network, and give the Cisco's other NIC a
192.168.2.0/24 address. Add PC's on the Cisco's 192.168.2.0/24 NIC all addressed for
192.168.2.0/24.

Internet access is from a .2.1 PC --> (.2.222) Cisco rtr (.1.222) --> (.1.1) Linksys (global) ---> Internet

>>My theory is that if the home rtr that is being used has a section in
>>the setup for entering static routes, the above scenario will most
>>likely work. To be clear, these entries are not for port mapping in
>>the ISP rtr, and are usually entitled 'Routes' or 'Routing' in (one
>>of) the 'Advanced' sections.

>
> Static routes are where you want to route an entire subnet *THROUGH* a
> single IP address, usually over the internet. Something like a branch
> office. That will only work if the branch office has yet another
> router.
>
>>Just a worthless tidbit, ignore it if you like.

>
> Right. I should have ignored it. Too late.
>
>>(The history behind the question was that I was thinking about sharing
>>my internet connection with a relative, but wasn't real keen on the
>>Layer2 bridging way of doing it and having all my LAN traffic up in
>>the air. Plus, I already have several complete PtP pairs of some (of
>>The Old) Clearwire proprietary system that operates on Layer3, which
>>would have put the other end on a different subnet.)

>
> Huh 2.0? *ALL* wireless is Layer 2 (MAC layer) bridging. However,
> this isn't really a wireless question so you have some room to screw
> things up.


Come on Jeff.....maybe ALL consumer grade 802.x wireless is L2, but not ALL wireless, and certainly
ALL wireless isn't 802.x. The equipment I have is L3 based, *proprietary*, and designed for cell site
use with up to 24 sectors and is GPS synchronized as well. Yes, synchronized, and completely legal,
by way of how the gear is FCC licensed.

And, the entire reason I did this setup was for testing a 900MHz ISM L2 IP bridge that was being
clobbered by the 'other' network traffic, because, well, it was L2 and not L3. I needed isolation.

(The L2 vs L3 discussion was a couple of months ago if you recall.)

> You can split the network using two different class C networks, but
> methinks that's too much work. It's easier with a subnet and this is
> a job for routing. Split the subnet in half with two /25 networks.
> Alias your default gateway (IP address of the "real" router) to two
> different IP addresses, one each inside each subnet. Setup netmask
> and routing so that each subnet doesn't see the other. You might be
> able to avoid the aliasing trick if your PC's support a default
> gateway that's not inside their netmask.


A subnet's a subnet, whether it's a /24 or /25, and still requires some type of routing. I've never seen a
piece of IP equipment that allowed me to set a default gateway that was not within its subnet.


 
DanS
10-24-2008, 04:40 PM
Jeff Liebermann <(E-Mail Removed)> wrote in
news:(E-Mail Removed):

> On Thu, 23 Oct 2008 01:32:26 +0000 (UTC), DanS
> <(E-Mail Removed)> wrote:
>
>>I'm sure you know what I mean by 'real' rtr. Ala...Cisco, Cabletron,
>>etc...

>
> Of course. However, I'm rather partial to specifics, such as maker,
> model number, options, firmware version, etc. This is not a
> theoretical or general question, so there is no benefit in leaving out
> the specifics. The litany is always the same:
> 1. What are you trying to accomplish?
> 2. What do you have to work with?
> You kinda messed up on both.
>
>>I guess I didn't explain it well....

>
> I can assure you that your guess is correct.
>
>>There is a network @ work. It connects to a cable ISP using the
>>(unnamed) consumer grade Linksys cable/DSL rtr. I had (probably
>>mistakenly) used the phrase ISP rtr meaning the rtr that connects to
>>the internet. The inside of that rtr is 192.168.1.0/24...the office
>>LAN. The outside is the internet, the WAN side.

>
> So far so good. Basically, you don't have access to the WAN side of
> the unspecified Linksys router. I'll assume its IP address is
> 192.168.1.1.


And that is a good assumption.

>>Now, hang a Cisco 1750 (or like) on the 192.168.1.0/24 network, and
>>give the Cisco's other NIC a 192.168.2.0/24 address. Add PC's on the
>>Cisco's 192.168.2.0/24 NIC all addressed for 192.168.2.0/24.

>
> No problem. That's called "double NAT". It works but has problems
> with some protocols that need port forwarding from the internet
> through both routers. For example, if you wanted to use some remote
> control software to your desktop, you would need to port forward in
> BOTH routers.


You were with me up to this point.

It's NOT double NAT.....and that was my reason for posting the info.
There was no NAT at the Cisco rtr, only the actual IP routing functions.

An internet bound packet from the .2.0 subnet is sent to the default g/w,
the Cisco rtr. The Cisco rtr then sends that packet to its default G/W,
.1.1, the consumer grade Linksys rtr that DOES provide NAT for the
network.

At the Linksys rtr, that IS the internet connection, the packet is STILL
addressed as being from the .2.0 network, then NAT'd and sent to wherever
on the internet.

This is where the static route comes in. The Linksys rtr needs to know
how to get back to the .2.0 subnet, so a static route is set in the
Linksys rtr having the Cisco as the g/w for .2.0.

As for incoming connections. A port only needs to be mapped at the
Linksys internet router. For instance, a web server on port 80, needs to
be forwarded to 192.168.2.100. And that's it, since it's got a static
route back to .2.0. There's nothing to do in the Cisco rtr.

So, in conclusion, the Linksys BEFSR41 wired-only rtr properly NAT's
'off-subnet' traffic.
 
DanS
10-24-2008, 08:52 PM
Jeff Liebermann <(E-Mail Removed)> wrote in
news:(E-Mail Removed):

> On Fri, 24 Oct 2008 16:40:27 +0000 (UTC), DanS
> <(E-Mail Removed)> wrote:
>
>>>>Now, hang a Cisco 1750 (or like) on the 192.168.1.0/24 network, and
>>>>give the Cisco's other NIC a 192.168.2.0/24 address. Add PC's on the
>>>>Cisco's 192.168.2.0/24 NIC all addressed for 192.168.2.0/24.
>>>
>>> No problem. That's called "double NAT". It works but has problems
>>> with some protocols that need port forwarding from the internet
>>> through both routers. For example, if you wanted to use some remote
>>> control software to your desktop, you would need to port forward in
>>> BOTH routers.

>
>>It's NOT double NAT.....and that was my reason for posting the info.
>>There was no NAT at the Cisco rtr, only the actual IP routing
>>functions.

>
> Then say so.


I did in the OP.

> When you generalized with translating 192.168.1.0/24 to
> 192.168.2.0/24, I assumed you intended to use NAT. However, we're now
> talking Cisco-speak, so that's really PAT (port address translation).
> NAT (network address translation) is a 1:1 IP to IP translation. So,
> you assign a block of IP's on the outside (WAN) port of the Cisco
> router, which maps to a corresponding list of IP's on the inside (LAN)
> port. No need for port forwarding with that arrangement.
>
> I think this covers Cisco style 1:1 NAT:
> <http://www.cisco.com/en/US/technolog...8/technologies
> _white_paper09186a0080091cb9.html>
>
>>An internet bound packet from the .2.0 subnet is sent to the default
>>g/w, the Cisco rtr. The Cisco rtr then sends that packet to its
>>default G/W, .1.1, the consumer grade Linksys rtr that DOES provide
>>NAT for the network.

>
> Agreed. The outside port of the Cisco may have a block of IP
> addresses, but all of them have a default gateway pointing to the
> Linksys LAN side IP address.
>
>>At the Linksys rtr, that IS the internet connection, the packet is
>>STILL addressed as being from the .2.0 network, then NAT'd and sent to
>>wherever on the internet.

>
> Agreed. That's the way the Linksys works.
>
>>This is where the static route comes in. The Linksys rtr needs to know
>>how to get back to the .2.0 subnet, so a static route is set in the
>>Linksys rtr having the Cisco as the g/w for .2.0.

>
> No it does not. The default gateway of any device plopped onto the
> LAN side of the Linksys router has a default route set to the LAN side
> IP address of the Linksys.


What does not ?

In the Linksys rtr (effectively, if it had a cmd prompt).....

route add 192.168.2.0 mask 255.255.255.0 192.168.1.222

This is absolutely needed in the Linksys so packets will get back to the
.2.0 subnet.

> Meanwhile, the outside (WAN) port of the Cisco router has a block of
> IP addresses available but all of them have a default route pointing
> to the Linksys LAN side IP address. Actually, that's not quite
> correct. There is a block of IP's, but only one default route for the
> Cisco which points to the Linksys IP (192.168.1.1).


The Cisco has no blocks of IP addresses. All it has is 2 eth
interfaces...one on each subnet.

>>As for incoming connections. A port only needs to be mapped at the
>>Linksys internet router. For instance, a web server on port 80, needs
>>to be forwarded to 192.168.2.100. And that's it, since it's got a
>>static route back to .2.0. There's nothing to do in the Cisco rtr.

>
> Yep, with 1:1 NAT, that's the way it works.
>
>>So, in conclusion, the Linksys BEFSR41 wired-only rtr properly NAT's
>>'off-subnet' traffic.

>
> Sure, with the help of an additional router.


Well there would be no other way to get a routed packet from a different
subnet onto the Linksys LAN otherwise.

> Incidentally, make sure that the block of outside (WAN) side IP's on
> the Cisco do not land inside the DHCP assigned area on the Linksys.


Uh.......am I confused...or you ?

As I said in the OP...."The 'real' rtr is configured to a bare
minimum, only the IP info of each interface set and G/W & DNS are
pointing to the ISP rtr, 192.168.1.1."

I don't know where you are getting 'blocks of IP address' from. The
Cisco rtr was:

1. Turned on to its default unconfigured state.
2. Had ether1 set to: 192.168.1.222/24 g/w:192.168.1.1
3. DNS was set to 192.168.1.1 (and to forward DNS requests)
4. Then ether2 set to 192.168.2.222/24
5. Save changes.

The Linksys rtr then had a static route added:

192.168.2.0/24 g/w'd to 192.168.2.222

And that's it. No DHCP. Just plain routing, no additional addressing of
any kind, or additional configuration.

Now, any device plugged into the 192.168.2.0 side of the Cisco needs
obviously an IP in the .2.0/24 range, and DNS & G/W set to 192.168.2.222
(the Cisco rtr), and that's it.

And I was shocked when the Linksys NAT'd this properly.



 
Char Jackson
10-25-2008, 03:53 AM
On Fri, 24 Oct 2008 20:52:23 +0000 (UTC), DanS
<(E-Mail Removed)> wrote:

>Jeff Liebermann <(E-Mail Removed)> wrote in
>news:(E-Mail Removed) :
>
>> On Fri, 24 Oct 2008 16:40:27 +0000 (UTC), DanS
>> <(E-Mail Removed)> wrote:
>>
>>>>>Now, hang a Cisco 1750 (or like) on the 192.168.1.0/24 network, and
>>>>>give the Cisco's other NIC a 192.168.2.0/24 address. Add PC's on the
>>>>>Cisco's 192.168.2.0/24 NIC all addressed for 192.168.2.0/24.
>>>>
>>>> No problem. That's called "double NAT". It works but has problems
>>>> with some protocols that need port forwarding from the internet
>>>> through both routers. For example, if you wanted to use some remote
>>>> control software to your desktop, you would need to port forward in
>>>> BOTH routers.

>>
>>>It's NOT double NAT.....and that was my reason for posting the info.
>>>There was no NAT at the Cisco rtr, only the actual IP routing
>>>functions.

>>
>> Then say so.

>
>I did in the OP.
>
>> When you generalized with translating 192.168.1.0/24 to
>> 192.168.2.0/24, I assumed you intended to use NAT. However, we're now
>> talking Cisco-speak, so that's really PAT (port address translation).
>> NAT (network address translation) is a 1:1 IP to IP translation. So,
>> you assign a block of IP's on the outside (WAN) port of the Cisco
>> router, which maps to a corresponding list of IP's on the inside (LAN)
>> port. No need for port forwarding with that arrangement.
>>
>> I think this covers Cisco style 1:1 NAT:
>> <http://www.cisco.com/en/US/technolog...8/technologies
>> _white_paper09186a0080091cb9.html>
>>
>>>An internet bound packet from the .2.0 subnet is sent to the default
>>>g/w, the Cisco rtr. The Cisco rtr then sends that packet to its
>>>default G/W, .1.1, the consumer grade Linksys rtr that DOES provide
>>>NAT for the network.

>>
>> Agreed. The outside port of the Cisco may have a block of IP
>> addresses, but all of them have a default gateway pointing to the
>> Linksys LAN side IP address.
>>
>>>At the Linksys rtr, that IS the internet connection, the packet is
>>>STILL addressed as being from the .2.0 network, then NAT'd and sent to
>>>wherever on the internet.

>>
>> Agreed. That's the way the Linksys works.
>>
>>>This is where the static route comes in. The Linksys rtr needs to know
>>>how to get back to the .2.0 subnet, so a static route is set in the
>>>Linksys rtr having the Cisco as the g/w for .2.0.

>>
>> No it does not. The default gateway of any device plopped onto the
>> LAN side of the Linksys router has a default route set to the LAN side
>> IP address of the Linksys.

>
>What does not ?
>
>In the Linksys rtr (effectively, if it had a cmd prompt).....
>
>route add 192.168.2.0 mask 255.255.255.0 192.168.1.222
>
>This is absolutely needed in the Linksys so packets will get back to the
>.2.0 subnet.
>
>> Meanwhile, the outside (WAN) port of the Cisco router has a block of
>> IP addresses available but all of them have a default route pointing
>> to the Linksys LAN side IP address. Actually, that's not quite
>> correct. There is a block of IP's, but only one default route for the
>> Cisco which points to the Linksys IP (192.168.1.1).

>
>The Cisco has no blocks of IP addresses. All it has is 2 eth
>interfaces...one on each subnet.
>
>>>As for incoming connections. A port only needs to be mapped at the
>>>Linksys internet router. For instance, a web server on port 80, needs
>>>to be forwarded to 192.168.2.100. And that's it, since it's got a
>>>static route back to .2.0. There's nothing to do in the Cisco rtr.

>>
>> Yep, with 1:1 NAT, that's the way it works.
>>
>>>So, in conclusion, the Linksys BEFSR41 wired-only rtr properly NAT's
>>>'off-subnet' traffic.

>>
>> Sure, with the help of an additional router.

>
>Well there would be no other way to get a routed packet from a different
>subnet onto the Linksys LAN otherwise.
>
>> Incidentally, make sure that the block of outside (WAN) side IP's on
>> the Cisco do not land inside the DHCP assigned area on the Linksys.

>
>Uh.......am I confused...or you ?
>
>As I said in the OP...."The 'real' rtr is configured to a bare
>minimum, only the IP info of each interface set and G/W & DNS are
>pointing to the ISP rtr, 192.168.1.1."
>
>I don't know where you are getting 'blocks of IP address' from. The
>Cisco rtr was:
>
>1. Turned on to its default unconfigured state.
>2. Had ether1 set to: 192.168.1.222/24 g/w:192.168.1.1
>3. DNS was set to 192.168.1.1 (and to forward DNS requests)
>4. Then ether2 set to 192.168.2.222/24
>5. Save changes.
>
>The Linksys rtr then had a static route added:
>
>192.168.2.0/24 g/w'd to 192.168.2.222
>
>And that's it. No DHCP. Just plain routing, no additional addressing of
>any kind, or additional configuration.
>
>Now, any device plugged into the 192.168.2.0 side of the Cisco needs
>obviously an IP in the .2.0/24 range, and DNS & G/W set to 192.168.2.222
>(the Cisco rtr), and that's it.
>
>And I was shocked when the Linksys NAT'd this properly.


When I read your first post in this thread the other day, I silently
nodded to myself and said of course that will work, why wouldn't it,
it's fairly straightforward. As I understand it, you have a LAN that
is separated from the WAN by a Linksys NAT router, and you have a
second network hanging off your LAN, separated from your LAN by a
Cisco-like router (no NAT). That second network needs to traverse your
LAN to get out to the Internet, and the Linksys needs a static route
to know how to forward packets back to the second network rather than
spitting them back out to its default gateway, which would be in the
wrong direction out on the WAN. All in all, simple and
straightforward, I was thinking. Assuming I have it right, of course.

And then Jeff started asking questions and talking about double NAT,
Cisco PAT/NATP, mapping sets of IP's to other sets of IP's and so on,
and I started to get all confused. <G>

I still think what you're doing is fairly simple and straightforward,
despite the twists and turns the discussion has taken.
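
The return-path decision discussed in this thread, worked through as an added example (not part of any poster's message): a longest-prefix-match lookup on the Linksys routing table, with and without the 192.168.2.0/24 static route. The WAN addresses (203.0.113.x, a documentation range), the LAN host 192.168.1.50, the interface labels and the function names are assumptions made for the example.

```python
"""Route lookup on the NAT router for replies to the 192.168.2.0/24 subnet.

LAN-side addresses come from the thread; the WAN address range and WAN
gateway (203.0.113.x) and the host 192.168.1.50 are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: str             # destination network in CIDR form
    iface: str              # egress interface (hypothetical labels "lan"/"wan")
    gateway: Optional[str]  # None means the prefix is directly connected


# Linksys before any change: connected LAN, connected WAN, default out the WAN.
LINKSYS_BASE = [
    Route("192.168.1.0/24", "lan", None),
    Route("203.0.113.0/24", "wan", None),
    Route("0.0.0.0/0", "wan", "203.0.113.1"),
]
# The entry from the thread:
#   route add 192.168.2.0 mask 255.255.255.0 192.168.1.222
STATIC_TO_CISCO = Route("192.168.2.0/24", "lan", "192.168.1.222")


def lookup(table, dst):
    """Longest-prefix match: return the most specific Route covering dst."""
    addr = ip_address(dst)
    matches = [r for r in table if addr in ip_network(r.prefix)]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches, key=lambda r: ip_network(r.prefix).prefixlen)


def gateway_is_on_link(table, route):
    """A static route is usable only if its gateway is on a connected subnet."""
    gw = ip_address(route.gateway)
    return any(r.gateway is None and gw in ip_network(r.prefix) for r in table)


def reply_egress(table, inside_host):
    """Where the router sends a reply once NAT has restored the inside address."""
    r = lookup(table, inside_host)
    next_hop = r.gateway or inside_host  # connected: deliver straight to the host
    return r.iface, next_hop


if __name__ == "__main__":
    host = "192.168.2.100"  # web server address used in the thread
    with_static = LINKSYS_BASE + [STATIC_TO_CISCO]
    print("without static route:", reply_egress(LINKSYS_BASE, host))
    print("with static route:   ", reply_egress(with_static, host))
    print("LAN host unaffected: ", reply_egress(with_static, "192.168.1.50"))
    # A gateway inside the far subnet is not reachable from the Linksys LAN port.
    far_side = Route("192.168.2.0/24", "lan", "192.168.2.222")
    print("gw 192.168.1.222 on-link:", gateway_is_on_link(LINKSYS_BASE, STATIC_TO_CISCO))
    print("gw 192.168.2.222 on-link:", gateway_is_on_link(LINKSYS_BASE, far_side))
```

Without the static entry the only match for 192.168.2.100 is the default route, so the reply leaves on the WAN side; with it, the /24 wins the longest-prefix match and the reply is handed to the Cisco's LAN-side address.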

 
DanS
10-25-2008, 03:15 PM
Char Jackson <(E-Mail Removed)> wrote in
news:(E-Mail Removed):

>>And that's it. No DHCP. Just plain routing, no additional addressing of
>>any kind, or additional configuration.
>>
>>Now, any device plugged into the 192.168.2.0 side of the Cisco needs
>>obviously an IP in the .2.0/24 range, and DNS & G/W set to 192.168.2.222
>>(the Cisco rtr), and that's it.
>>
>>And I was shocked when the Linksys NAT'd this properly.

>
> When I read your first post in this thread the other day, I silently
> nodded to myself and said of course that will work, why wouldn't it,
> it's fairly straightforward. As I understand it, you have a LAN that
> is separated from the WAN by a Linksys NAT router, and you have a
> second network hanging off your LAN, separated from your LAN by a
> Cisco-like router (no NAT). That second network needs to traverse your
> LAN to get out to the Internet, and the Linksys needs a static route
> to know how to forward packets back to the second network rather than
> spitting them back out to its default gateway, which would be in the
> wrong direction out on the WAN. All in all, simple and
> straightforward, I was thinking. Assuming I have it right, of course.
>
> And then Jeff started asking questions and talking about double NAT,
> Cisco PAT/NATP, mapping sets of IP's to other sets of IP's and so on,
> and I started to get all confused. <G>
>
> I still think what you're doing is fairly simple and straightforward,
> despite the twists and turns the discussion has taken.


Well at least someone understood. Although I probably could have
explained a bit better. Diagrams and graphics go a long way in describing
technical stuff like this, but this is a non-binary group. Even trying to
put together a crude diagram using text is a futile effort now-a-days
with newsreaders using variable width fonts.

(OT- ASCII Art anyone ? http://chris.com/ascii/ , or this is neat
http://www.glassgiant.com/ascii/ , you can u/l an image and get an ASCII
Art representation of it back.)

But I digress.....the reason I wasn't sure it would work was because the
Linksys is just a standard commodity home cable/DSL router and the
ultimate source/destination is a subnet that is not connected to the
Linksys directly.

I don't think my home D-Link rtr will do this, as there is no entry for
static routes in the setup pages, only for port forwarding. The D-Link
DI-604 may not do it either. I was using one of those as a switch only to
connect devices to the inside-the-inside LAN, and that didn't have static
route entry either. (I subsequently removed the 604 and in its place am
now using a cheesy 10Mbps hub device there.....I need to sniff packets to
devices on the extra LAN, and a switch just won't get that job done.)
 