MultiNAT firewalling

 
 
Linker3000

 
      10-24-2006, 10:09 AM
Hi Guys,

One of our sites has BT Business Internet with MultiNAT - i.e. 5 public
IP addresses.

I am trying to set up some improved firewalling on a Draytek 2600 but the
problem I have is that outbound packets are seen as coming from an
arbitrary gateway address at BT rather than one of our 5 IP addresses
and while I have tried various combinations of DMZ and NAT Pooling I
cannot seem to get to a state where I can fix the perceived outbound IP
address from one of our servers.

I have had a look around for some guidance on this without much success,
so can anyone offer some advice or point me towards any useful sites etc.?

As far as I can see, if I cannot resolve this I will have to set up
around 30 VPNs instead!?

Many thanks
 
 
 
 
 
Colin Forrester

 
      10-24-2006, 10:41 AM
Linker3000 wrote:
> Hi Guys,
>
> One of our sites has BT Business Internet with MultiNAT - ie: 5 public
> IP Addresses.
>
> I am trying to setup some improved firewalling on a Draytek 2600 but the
> problem I have is that outbound packets are seen as coming from an
> arbitrary gateway address at BT rather than one of our 5 IP addresses
> and while I have tried various combinations of DMZ and NAT Pooling I
> cannot seem to get to a state where I can fix the perceived outbound IP
> address from one of our servers.
>
> I have had a look around for some guidance on this without much success
> so can anyone offer some advice or point me towards any useful sites etc.


Have you tried the Draytek support site/forum?

I am sure I saw this mentioned before - and yes I understand the issue
you are having with BT and the dynamic address they allocate.
 
 
Greg Hennessy

 
      10-24-2006, 11:36 AM
On Tue, 24 Oct 2006 10:09:36 +0100, Linker3000
<(E-Mail Removed)> wrote:

>Hi Guys,
>
>One of our sites has BT Business Internet with MultiNAT - ie: 5 public
>IP Addresses.
>
>I am trying to setup some improved firewalling on a Draytek 2600 but the
>problem I have is that outbound packets are seen as coming from an
>arbitrary gateway address at BT rather than one of our 5 IP addresses


That's the WAN address on the router.


>and while I have tried various combinations of DMZ and NAT Pooling I
>cannot seem to get to a state where I can fix the perceived outbound IP
>address from one of our servers.


Disable NAT and run a firewall on the LAN side of the router.


greg



 
 
Linker3000

 
      10-24-2006, 01:12 PM
Greg Hennessy wrote:
> On Tue, 24 Oct 2006 10:09:36 +0100, Linker3000
> <(E-Mail Removed)> wrote:
>
> Disable NAT and run a firewall on the LAN side of the router.
>
>

Yep - probably going to put the server in a DMZ and use a Draytek 2910.

Thanks
 
 
willie@macleod-group.com

 
      10-24-2006, 10:08 PM
Linker3000 wrote:

> I am trying to setup some improved firewalling on a Draytek 2600 but the
> problem I have is that outbound packets are seen as coming from an
> arbitrary gateway address at BT rather than one of our 5 IP addresses


Traffic is appearing from your WAN address not your routed subnet
because your local network setup is NAT'ing things.

> and while I have tried various combinations of DMZ and NAT Pooling I
> cannot seem to get to a state where I can fix the perceived outbound IP
> address from one of our servers.


Follow the link below. BT have given you a router IP address and a
subnet mask of 255.255.255.248, put these in the appropriate field in
your router and that's it.

Assign your devices your fixed IPs, give them the same subnet mask, set
the default GW address as BT have given you, assign some BT DNS servers
and go to whatismyip.com on these client devices and you will see that
they are not coming from the peer address.

> I have had a look around for some guidance on this without much success
> so can anyone offer some advice or point me towards any useful sites etc.


http://www.draytek.co.uk/support/kb_...2ndsubnet.html

> As far as I can see, if I cannot resolve this I will have to setup
> around 30 VPNs instead!?


If you *NEED* a single static IP on the WAN side of your router you
need to regrade to a single static IP which BT will assign
automatically to your WAN side when you connect. If this is the case
you will need to speak to the customer options team to get that.

HTH

Kind Regards

William MacLeod
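
The addressing described in the post above, as an added example that is not part of any poster's message: it derives the assignable addresses from a router IP and the 255.255.255.248 mask, checks one device's static settings against them, and classifies the source address a "what is my IP" page reports. All addresses are constructed documentation-range values, not BT's, and the function names are hypothetical.

```python
import ipaddress

def routed_block(router_ip, netmask):
    """Return (network, addresses left for devices) for the routed subnet.
    The router itself consumes one of the usable addresses."""
    iface = ipaddress.ip_interface(f"{router_ip}/{netmask}")
    hosts = [h for h in iface.network.hosts() if h != iface.ip]
    return iface.network, hosts

def check_host(ip, netmask, gateway, router_ip, router_mask):
    """Return a list of problems with one device's static settings."""
    net, hosts = routed_block(router_ip, router_mask)
    addr = ipaddress.ip_address(ip)
    problems = []
    if ipaddress.ip_address(netmask) != net.netmask:
        problems.append("subnet mask differs from the router's")
    if addr not in net:
        problems.append("address is outside the routed subnet")
    elif addr not in hosts:
        problems.append("address is the network, broadcast or router address")
    if ipaddress.ip_address(gateway) != ipaddress.ip_address(router_ip):
        problems.append("default gateway is not the router's subnet address")
    return problems

def classify_egress(observed_ip, router_ip, router_mask, wan_ip):
    """Classify the source address a remote site sees for outbound traffic."""
    net, _ = routed_block(router_ip, router_mask)
    seen = ipaddress.ip_address(observed_ip)
    if seen == ipaddress.ip_address(wan_ip):
        return "nat-wan"      # still being NATed behind the WAN/peer address
    if seen in net:
        return "routed"       # leaving with its own fixed public address
    return "unexpected"

# Constructed sample values (documentation ranges, not real BT addressing).
ROUTER_IP, MASK, WAN_IP = "203.0.113.6", "255.255.255.248", "198.51.100.77"

if __name__ == "__main__":
    net, hosts = routed_block(ROUTER_IP, MASK)
    print(net, [str(h) for h in hosts])   # a /29 leaves five device addresses
    print(check_host("203.0.113.1", MASK, ROUTER_IP, ROUTER_IP, MASK))
    print(check_host("203.0.113.7", MASK, "203.0.113.1", ROUTER_IP, MASK))
    print(classify_egress("198.51.100.77", ROUTER_IP, MASK, WAN_IP))
```

A device that classifies as "routed" is reachable from the internet on its own public address, which is why the earlier reply pairs disabling NAT with a firewall on the LAN side of the router.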

 
 
 
 