Seeing outside IP address when inside

At the risk of plagiarising William Shatner, I want to
be able to use my ISP-assigned static IP address from inside
my network.

I can't do this at the moment, because my modem/router only
performs NA Translation on stuff that originates the other
end of the broadband line.

I've got a partial solution at the moment involving the windows
registry, static routes, and multihoming but this is not really on.

My router is a Zoom X4. They (Zoom) confirm that all their products
work that way: i.e. can't see the outside IP address from the inside.

It appears that all other "domestic" broadband routers work this way
as well. Short of setting up a linux box to do the job, can anyone
recommend any make/model of BB router that does NAT properly.

Richard [in SG19]



--
Posted via a free Usenet account from http://www.teranews.com

"Richard M Willis" <(E-Mail Removed)> wrote in message
news:44a26b7f$0$9831$(E-Mail Removed)...
> At the risk of plagiarising William Shatner, I want to
> be able to use my ISP-assigned static IP address from inside
> my network.
>
> I can't do this at the moment, because my modem/router only
> performs NA Translation on stuff that originates the other
> end of the broadband line.
>
> I've got a partial solution at the moment involving the windows
> registry, static routes, and multihoming but this is not really on.
>
> My router is a Zoom X4. They (Zoom) confirm that all their products
> work that way: i.e. can't see the outside IP address from the inside.
>
> It appears that all other "domestic" broadband routers work this way
> as well. Short of setting up a linux box to do the job, can anyone
> recommend any make/model of BB router that does NAT properly.
>
> Richard [in SG19]
>

What do you want to use if for - can't you just use port forwarding or the
router's DMZ?

Richard wrote on Wed, 28 Jun 2006 13:42:12 +0100:

> At the risk of plagiarising William Shatner, I want to
> be able to use my ISP-assigned static IP address from inside
> my network.
>
> I can't do this at the moment, because my modem/router only
> performs NA Translation on stuff that originates the other
> end of the broadband line.
>
> I've got a partial solution at the moment involving the windows
> registry, static routes, and multihoming but this is not really on.
>
> My router is a Zoom X4. They (Zoom) confirm that all their products
> work that way: i.e. can't see the outside IP address from the inside.
>
> It appears that all other "domestic" broadband routers work this way
> as well. Short of setting up a linux box to do the job, can anyone
> recommend any make/model of BB router that does NAT properly.
>
> Richard [in SG19]
>


This is common across many devices - for instance, the PIX we use at work
won't do this either out of the box. It's one of the anti-spoofing
features - all packets at the WAN interface with a LAN IP address are
dropped. When you make a request to the external IP address, the packet is
passed out of the WAN interface (as it's outside of your LAN), and then the
interface on the router/firewall drops it. Luckily the PIX has a way to
handle this using the "alias" command.

Have you looked for a router that can run in bridging mode? This would
necessitate all PCs on your LAN having their own static public IP address,
or you could move any PCs that don't need to be able to connect to one of
your public IPs to their own NAT router.

If you just want to connect to public hostnames that are mapped to public
IPs on your router, why not run your own forwarding DNS server and set up
those hostnames on it to return the internal IP addresses, or even just edit
your hosts file (the former being the better solution for dealing with this
on multiple PCs on your LAN as you only have to maintain the mappings in one
place).

The only other thing I can think of is asking your ISP if they have a proxy
you can use.

Dan

Richard M Willis wrote:
> At the risk of plagiarising William Shatner, I want to
> be able to use my ISP-assigned static IP address from inside
> my network.
>
> I can't do this at the moment, because my modem/router only
> performs NA Translation on stuff that originates the other
> end of the broadband line.
>
Why do you need this? If it's to let internal hosts access the same
services that are available from outside without changing hostnames then
the quickest kludge is to either provide them all with hosts entries for
those server names mapped to the internal NAT addresses for the servers
and/or to run an internal DNS that maps the hostnames to the correct
internal server IPs. That works quite happily here, if I take my laptop
elsewhere and connect back to home, it works just fine without havnig to
tweak anything.

--
Dave
mail da (E-Mail Removed) (without the space)
http://www.llondel.org
So many gadgets, so little time

On Wed, 28 Jun 2006 13:42:12 +0100, "Richard M Willis"
<(E-Mail Removed)> wrote:

>At the risk of plagiarising William Shatner, I want to
>be able to use my ISP-assigned static IP address from inside
>my network.
>
>I can't do this at the moment, because my modem/router only
>performs NA Translation on stuff that originates the other
>end of the broadband line.
>
>I've got a partial solution at the moment involving the windows
>registry, static routes, and multihoming but this is not really on.
>
>My router is a Zoom X4. They (Zoom) confirm that all their products
>work that way: i.e. can't see the outside IP address from the inside.
>
>It appears that all other "domestic" broadband routers work this way
>as well. Short of setting up a linux box to do the job, can anyone
>recommend any make/model of BB router that does NAT properly.
>
>Richard [in SG19]

I think what you are after is refered to as NAT hairpin or loopback.

If that is the case you can find that supported on all the new
SpeedTouch routers. Just make sure "config natloopback=enabled" is set
in the IP configuration section.

"Dave {Reply Address In.sig}" <"noone$$"@llondel.org> wrote in message
news:u5qan3-

> Why do you need this? If it's to let internal hosts access the same
> services that are available from outside without changing hostnames then

The main motivation for doing this is access to my (passive) FTP server:
it opens the data connexion from the server end by saying "call me back
on www.xxx.yyy.zzzppp." This message is passed in plain text across the
control connexion and won't get translated by any Natterbox. (Well, it
could,
but I'd rather it left that sort of thing alone).

I know there are all sorts of ways of surmounting this problem but it's just
so damn stupid. The whole point of the internet is that you're supposed to
be able to connect from anywhere to any given destination transparently
(assuming
the server wants you to connect).

Having this restriction is crazy and I can see no reason for it.

If there is a good reason for a modem/router (which knows its external IP
address) preventing intra-LAN IP packets being subject to the same
port-forwarding
and address translation as traffic from the outside, then I really would
like to
know what it is.

There may be a damn good reason for it, but I can't for the life of me see
what it
is.

I want to be able to do all this in one box (modem/router/fw). Hence the
request for a model which does the job properly.

Richard [in SG19]



--
Posted via a free Usenet account from http://www.teranews.com

"Moonshine" <(E-Mail Removed)> wrote in message

>I think what you are after is refered to as NAT hairpin or loopback.
>
> If that is the case you can find that supported on all the new
> SpeedTouch routers. Just make sure "config natloopback=enabled" is set
> in the IP configuration section.

OK. Thanks for the information. I'll look-up speedtouch soon.

I'm still interested though as to why this is not provided by on
all routers (even if disabled by default). I understand the
argument of extra through-router traffic and sort of understand the spoofing
arguments, but it seems such an easy thing to do, I wonder why it's
not a standard item (!?)

Richard [in SG19]



--
Posted via a free Usenet account from http://www.teranews.com

Richard wrote on Thu, 29 Jun 2006 09:07:52 +0100:

>
> "Dave {Reply Address In.sig}" <"noone$$"@llondel.org> wrote in message
> news:u5qan3-
>
>> Why do you need this? If it's to let internal hosts access the same
>> services that are available from outside without changing hostnames then
>
> The main motivation for doing this is access to my (passive) FTP server:
> it opens the data connexion from the server end by saying "call me back
> on www.xxx.yyy.zzzppp." This message is passed in plain text across the
> control connexion and won't get translated by any Natterbox. (Well, it
> could,
> but I'd rather it left that sort of thing alone).

Ah, right. I never get that problem as I do allow my router to edit the FTP
packets, so my FTP server uses a LAN IP address.

> I know there are all sorts of ways of surmounting this problem but it's
> just so damn stupid. The whole point of the internet is that you're
> supposed to be able to connect from anywhere to any given destination
> transparently (assuming
> the server wants you to connect).
>
> Having this restriction is crazy and I can see no reason for it.

Most simple NAT routers are designed for getting connected to the internet
to access data on it, not use it to run services.

> If there is a good reason for a modem/router (which knows its external IP
> address) preventing intra-LAN IP packets being subject to the same
> port-forwarding
> and address translation as traffic from the outside, then I really would
> like to
> know what it is.
>
> There may be a damn good reason for it, but I can't for the life of me see
> what it
> is.

As I mentioned in my post, it's a simple way to prevent one type of spoofing
attack. If a packet enters the router on the WAN interface with a source
from the LAN IP range, it drops it. Doing more than this (checking against
internal state tables, passing it back out on the LAN interface to the NAT'd
IP, and doing the same with the return packets) requires more complexity in
the OS, and more processing. This often equates to a more expensive unit as
it'll have SPI and a bunch of other features (no point just adding an SPI
table and doing very little with it), and so takes it out of the realms of a
consumer grade appliance.

> I want to be able to do all this in one box (modem/router/fw). Hence the
> request for a model which does the job properly.

I'd look for a box that has zone segmentation (eg. LAN, DMZ, WAN, where the
DMZ is actually on it's own interface) and so won't see packets on the WAN
interface that are sourced from the LAN interface, or set up a Linux box
that will do it all for you. A PIX might also work with the alias command,
but I've only ever used it to map public IPs to private IPs on an alternate
interface (my PIX has 3 interfaces, with publicly accessible servers on
their own "DMZ"), I'm not sure if it'll even work mapping IPs back to the
same interface.

Dan

Richard wrote on Thu, 29 Jun 2006 09:11:15 +0100:

> "Moonshine" <(E-Mail Removed)> wrote in message
>
>> I think what you are after is refered to as NAT hairpin or loopback.
>>
>> If that is the case you can find that supported on all the new
>> SpeedTouch routers. Just make sure "config natloopback=enabled" is set
>> in the IP configuration section.
>
> OK. Thanks for the information. I'll look-up speedtouch soon.
>
> I'm still interested though as to why this is not provided by on
> all routers (even if disabled by default). I understand the
> argument of extra through-router traffic and sort of understand the
> spoofing arguments, but it seems such an easy thing to do, I wonder why
> it's not a standard item (!?)

It might sound easy, but lets say you have an 8 port router with 8 machines
connected to it, and they're all using the WAN IPs of the other machines to
talk to each. Maintaing a large state table like this takes resources - so
the unit needs more memory, a faster CPU, and a more complex OS. All that
equates to a higher priced unit. If you spend the money you'll find routers
that will do this - if you go for cheap units, they most likely won't.

Dan

"Spack" <(E-Mail Removed)> wrote in message

> It might sound easy, but lets say you have an 8 port router with 8
machines
> connected to it, and they're all using the WAN IPs of the other machines
to
> talk to each. Maintaing a large state table like this takes resources - so
> the unit needs more memory, a faster CPU, and a more complex OS. All that
> equates to a higher priced unit. If you spend the money you'll find
routers
> that will do this - if you go for cheap units, they most likely won't.

OK. I hadn't thought about the extra resources for maintaining extra
state tables. I sort of understand now.

I will go for a machine that is less consumer grade.

Richard [in SG19]



--
Posted via a free Usenet account from http://www.teranews.com