Canopy setup without NAT

Greetings all - first, please forgive the newness. I am not a router guru (yet).

Here is my current setup:

SM - gets private IP from FreeBSD DHCP. SM is also running DHCP/NAT. (192.168.2.xx)
AP - assigned private IP. (192.168.2.x).
remote backhaul radio - assigned private IP (192.168.2.x).
main backhaul radio - assigned private IP (192.168.2.x).
FreeBSD box - public IP - hands out private IP pool above.

I have some gamers that are complaining b/c they cannot play most online games. From my previous posts I understand that my NATed IPs are probably causing this.

Having said that, I want to assign a public IP (either DHCPed or statically assigned in the SM) to each customer.

Most of my customers thus far only have a single PC. So… If I setup this way, will each customer take 2 public IPs? (one for the SM, and one for the PC)? If so, is there a way to use only one to conserve IPs?

Please forgive the newness, again. Those of you that have been-there-done-that, please enlighten me…

Right now you are double NAT and that causes issues with some client/servers including VPN and gaming.

If you assign them a single public IP, put the SM into bridge and have them supply their own router (that they are responsible for if it breaks) they will not have problems.

There is nothing inherently wrong with “double NAT”. All this stuff would still fail even if he had the Motorola SMs doing NAT with a public IP address on the outside (and no FreeBSD NAT router.)

The problem is that your customers’ computers (and xbox 360s) talk UPNP to their upstream routers box to open up ports through NAT, but Motorola doesn’t implement UPNP. (BTW, Motorola, there is a freely BSD licensed implementation called miniupnp that would work here:)

The solution is to give your customers a public IP address pool for DHCP, turn off NAT on the SMs, and to put the SM management IPs in a private IP range (preferrablly on their own VLAN that customers can’t talk to.) That way you only burn up public IPs for customer equipment.

Also make sure the SMs are set to filter “bootp server” packets (otherwise your customers could put their own DHCP servers on the network, usually accidentally, and cause trouble for everyone else)

We do this for customers who need their linksys router to have a public IP address. This is the only way to handle Apple iChat, and various games.

Also, Moto NAT fails on some type of traffic that other NAT implementations can pass properly, like IPsec ESP. But, with game and iChat failures, the problem is that Motorola’s SM doesn’t implement UPNP.

Jerry, here’s where the double NAT comes in - even if Moto did implement UPNP, the FreeBSD NAT router still wouldn’t pass the traffic to the Moto SM. Because the Moto SM wouldn’t do UPNP upstream. But IF it did UPNP, and upstream UPNP, then even double NAT would work fine (assuming you had UPNP support, like miniupnpd, installed on the FreeBSD router!)

Jerry Richardson wrote:
If you assign them a single public IP, put the SM into bridge and have them supply their own router

Hi Jerry
is really this the only possible solution?
How can I assign a public IP to every customer? Using PPPoE?
If not using PPPoE, should I filter on MAC address of customer's router in order to avoid use of others public IPs?


Thanks for the posts on this.

I have another routing situation I need some advice on.

I have switched from FreeBSD to a Mikrotik router box. MUCH easier to manage!

Anyway, I have a content filtering server that I need to be able to put select wireless customers through. As of right now, every user is getting private IP from same pool from Mikrotik. (I have not changed them to public yet).

I need to route some users (without them being able to change it) through the filter so they can’t get porn, etc… basically, route them through a gateway…

What is the best way to go about this?

Thanks everyone.

Assigning a public IP either statically or via PPPoE to a customer is a quick way to get around the UPNP/Gaming issues.

Even if we use NAT on the SM we give the computer behind the SM the DMZ so it forwards everythings to it.

With the Mikrotik handing out DHCP assigned addresses, you could put a rule in the MT box to forward sepecific customers to your proxy to filter.

You will have to get familiar with the src and dst forwarding features of Mikrotik and test it a while to make sure you are getting the effect you want.

This is actually one of the ways we block non-paying users.
Our billing system automagically talks to our MT router and puts a forwarding entry with walled garden so the user gets a Pay Now screen, but can still access our own web site to pay their bill online. Which promptly removes the rule and they get back online.

Another thing you can do for filtering is have them use a DNS IP’s that filter DNS requests to bad sites. Not a perfect solution, but it’s a good top level feature. I forget what some of the DNS IP’s are off hand that do this.