customer LAN IPs "leaking" into Canopy NAT

This is not an issue with PMP450. I've also seen it on PMP430 as well as FSK.

We have most of our subscribers set up with NAT in Canopy. We also configure the DMZ, and arrange the Canopy-NAT such that the subscriber's router's public IP is on the Canopy DMZ.

What we typically see in this configuration is a Canopy NAT table with zero entries. Perfect!

However, in some circumstances, the private IPs of client devices behind their router "leak" into the Canopy NAT table. WTF?!?!

For example, we typically set the LAN gateway on the Canopy SM to 172.16.1.1/24, and set the first DHCP address to 172.16.1.52/24 AND the DMZ address to 172.16.1.52/24. The Canopy GUI complains, but we ignore it.

When the router behaves properly, it gets a WAN IP of 172.16.1.52/24, and the Canopy NAT table remains empty. What we've seen lately is IP addresses like 192.168.0.X in the Canopy NAT table. I presume these are IP addresses on the other side of the customer router.

I think we've seen this on Netgear as well as D-Link routers, but I have not recorded the instances. Also, as I mentioned above, I've seen this on all hardware and many, if not most, firmware versions, including the latest 13.4 general release.

Any idea what causes this?

It is a side item to the main discussion, but are you using the DMZ address? Being you have it in the DHCP pool and a router, I am not understanding the use.

As for the 192.168.0.x showing up in the NAT table, is it a full entry with the Final IP and Remote IP? If you could attach a screen print of the NAT table, it may help understand. My first thought is the SM cannot control what anything leaked over from the attached router, and if the address is from the other side of the router then the routers would be bridging. Being the SM NAT would need the packets directed to its LAN IP address 172.16.1.1, 192.168.0.x cannot be forwarding to it. Maybe seeing the NAT table can help me understand what you're seeing.

What type of protocol filtering do you use on your customer SMs?

I might not be understanding you correctly, but if you filter Bootp Server, IPv4 Multicast and SMB Upstream direction your customers will not leak onto your network.

If one of your customers plugs into his LAN port which is running a DHCP server, wouldn't it start handing out addresses to anything that is asking for it?

I know what he means. The customer's router is leaking the LAN IPs through the WAN. I've seen this with Linksys, Belkin, Netgear, you name it. This is a symptom of the router simply over-running its NAT table size. Consumer routers suck.

Is that what it is? The customer router is over-running its NAT table, and then its LAN IPs get leaked into the SM NAT table?

From what I've seen, it's never a huge number. I've never seen more than a few dozen entries, but it was unexpected, as when the customer's router was on the DMZ, I "expect" the NAT table to be empty.

Now with 13.4, we can monitor the NAT table, so when we get those calls about the "internet stopped working", we can see that they've maxed out the NAT table.

We continue to see a lot of Apple "i" products seem to never close connections, and they can fill a 4,000+ sized NAT table in no time.

I still wish there were a way to just do a 1:1 NAT to the customer's router, and not have to deal with this type of thing.

--

bp

Yup. When the router's NAT table is full, there's nothing else it can do but route (instead of NAT) the LAN packets out of the WAN, and that's why you see it as a leak. Think of websites these days loading tons of ads and other useless junk. Or BitTorrent. Gmail running on phones and tablets in the background all the time. 10 devices in a house and I wouldn't be surprised to see a 1024 NAT table overrun.

One thing that's pretty cool about the new Cambium C3VoIP routers is you can define the NAT table size just like on the SM itself. It allows up to 8192 entries. Take a MikroTik though, even with limited RAM, you can still get something like 64k or more. I'm sure a Blinksys or Netgear has more like 16 or 32MB of RAM though so the NAT table is not going to be capable of anywhere near that.
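A defender-side check for the symptom this thread describes, added here as an example and not code from Cambium or any of the posters: given rows from an SM NAT table, it flags source addresses that fall outside the SM's LAN subnet (the leaked 192.168.0.x entries) and reports how full the table is against its configured size, so the "internet stopped working" call can be matched to a near-full or leaking table. The line format, the parser, and the sample rows are constructed for illustration, not a real Canopy export.

```python
import ipaddress
from collections import Counter

# SM LAN and DMZ host as configured in the thread (172.16.1.1/24, DMZ 172.16.1.52).
SM_LAN = ipaddress.ip_network("172.16.1.0/24")

# Constructed sample of NAT-table lines: "proto src_ip:src_port remote_ip:remote_port".
# Remote addresses use the 203.0.113.0/24 documentation range.
SAMPLE_NAT_LINES = """\
tcp 172.16.1.52:51000 203.0.113.5:443
tcp 192.168.0.10:49152 203.0.113.7:5223
udp 192.168.0.23:53000 203.0.113.9:53
tcp 192.168.0.10:49153 203.0.113.7:5223
"""


def parse_nat_lines(text):
    """Parse the constructed line format into (proto, src_ip, src_port, dst_ip, dst_port)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, src, dst = line.split()
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        rows.append((proto, src_ip, int(src_port), dst_ip, int(dst_port)))
    return rows


def analyze(rows, lan=SM_LAN, table_size=1024, warn_pct=80):
    """Flag sources outside the SM LAN and report table utilisation."""
    foreign = Counter()
    for _proto, src_ip, _sport, _dst_ip, _dport in rows:
        # A source the SM did not hand out (e.g. 192.168.0.x) means the customer
        # router forwarded an un-NATed LAN packet out of its WAN port.
        if ipaddress.ip_address(src_ip) not in lan:
            foreign[src_ip] += 1
    fill_pct = 100.0 * len(rows) / table_size
    return {
        "entries": len(rows),
        "fill_pct": fill_pct,
        "near_full": fill_pct >= warn_pct,
        "foreign_hosts": dict(foreign),
        "leak_suspected": bool(foreign),
    }


if __name__ == "__main__":
    print(analyze(parse_nat_lines(SAMPLE_NAT_LINES)))
```

Run against a table export instead of the sample to see which customer LAN hosts are leaking and whether the SM table is close to its 1024 (or larger) limit.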


@Cambium_DaveS wrote:

It is a side item to the main discussion, but are you using the DMZ address? Being you have it in the DHCP pool and a router, I am not understanding the use.

As for the 192.168.0.x showing up in the NAT table, is it a full entry with the Final IP and Remote IP? If you could attach a screen print of the NAT table, it may help understand. My first thought is the SM cannot control what anything leaked over from the attached router, and if the address is from the other side of the router then the routers would be bridging. Being the SM NAT would need the packets directed to its LAN IP address 172.16.1.1, 192.168.0.x cannot be forwarding to it. Maybe seeing the NAT table can help me understand what you're seeing.


Dave,

We haven't switched to NAT on our SMs yet, but have it planned once 13.4.1 is cooked. We currently have a very archaic MAC authentication scheme (to authorize customer access to the network). I'm planning on following Bill's NAT setup on SMs. Have the SM assign one IP which is also the DMZ. This allows customers to change their equipment without our intervention (adding their new WAN MAC to our DHCP database goes away). All they will have to do is power-cycle the SM and they get back online with the new device.

I think Bill's particular issue is indeed the customer's NAT device running out of table entries. And when the SM sees "foreign" addresses (i.e. outside of the SM's LAN), then it obviously won't forward, NAT, etc.

Hope this gives you a clearer general idea of the configuration and desired operation.

Hey George,

13.4.1 is released as open beta

https://support.cambiumnetworks.com/files/pmp450/beta

We have fixed the P8 issue, so no need to limit NAT table size to 1024, you can go up to 8K.