Double NAT problem - public IP through NAT

Hi guys

We are a small Italian WISP building a wireless network in rural zones.
I would like to show you the model I’m using to distribute Internet connection to our customers:

Internet <–> ISP router <–> firewall/router (NAT) <–> AP <–> SM

The firewall/router acts as firewall / QoS management / session logging (it's mandatory under recent Italian laws).
We only have a few public IPs, so we do NAT on the firewall/router.

WAN: 11.22.33.44

LAN (2 subnets):
192.168.1.0/24
192.168.32.0/24

Every customer Canopy SM also has NAT enabled, so we configure an SM this way:

NAT Private Network Interface Configuration: 192.168.11.0/24
NAT Public Network Interface Configuration: 192.168.32.x
Radio Public Network Interface Configuration: 192.168.1.x
DHCP server on SM is on.

All is working fine… The customer just connects his PC to the SM, gets an IP (192.168.11.x) and can browse the Internet.
Every customer is isolated from the others. If they change IPs on the SM side there is no problem on my LAN. No IP conflicts and so on…
I can log their sessions without problems, as they appear to be using one private IP (192.168.32.x) even if they have more PCs connected to the SM.

Now I have two problems:

1) Since it is a double NAT, some protocols have difficulty working, e.g. IPsec VPNs.

2) Some advanced customers asked for a "public IP option". How can I supply it to them?
I have some public IPs on the WAN interface. Could I use VLANs to supply those IPs to the SM side? How?

Does anyone have a better solution for my needs?

Thank you
Massimo
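The mandatory session logging described above relies on every customer appearing at the firewall under one registered address (the SM's NAT public IP, or a public IP on VLAN 100). The following is an added example, not code from the thread: it attributes constructed firewall log lines to customer accounts and flags the two cases that break attribution, a customer-side 192.168.11.x address reaching the firewall (that SM is not translating) and an address from the plan that nobody is registered on. The log format, the register and the 11.22.33.0/24 public pool are assumptions.

```python
import ipaddress
import re

# Address plan from the thread. PUBLIC_POOL is a constructed placeholder range.
SM_NAT_NET = ipaddress.ip_network("192.168.32.0/24")   # SM NAT public side
CUSTOMER_LAN = ipaddress.ip_network("192.168.11.0/24")  # behind every SM
PUBLIC_POOL = ipaddress.ip_network("11.22.33.0/24")     # VLAN 100 customers

# Constructed register: address seen by the firewall -> customer account
SM_REGISTER = {
    "192.168.32.10": "customer-A (SM NAT)",
    "11.22.33.50": "customer-C (VLAN 100, public IP)",
}

# Constructed log format; a real firewall's format will differ
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>[\d.]+):\d+ dst=[\d.]+:\d+ proto=\w+$")


def attribute(line):
    """Return (timestamp, status, customer) for one session-log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src = ipaddress.ip_address(m["src"])
    customer = SM_REGISTER.get(str(src))
    if customer:
        return (m["ts"], "ok", customer)
    if src in CUSTOMER_LAN:
        # A customer-side private address reached the firewall: that SM is
        # not translating, so the session cannot be tied to an account.
        return (m["ts"], "nat-bypass", None)
    if src in SM_NAT_NET or src in PUBLIC_POOL:
        # In our plan, but no account is registered on that address.
        return (m["ts"], "unregistered", None)
    return (m["ts"], "foreign", None)


def audit(lines):
    """Count outcomes over a log; anything other than 'ok' needs review."""
    counts = {}
    for line in lines:
        result = attribute(line)
        if result:
            counts[result[1]] = counts.get(result[1], 0) + 1
    return counts


SAMPLE_LOG = [  # constructed sample lines
    "2024-01-01T10:00:00 src=192.168.32.10:51000 dst=93.184.216.34:443 proto=tcp",
    "2024-01-01T10:00:01 src=11.22.33.50:4500 dst=198.51.100.7:4500 proto=udp",
    "2024-01-01T10:00:02 src=192.168.11.5:33000 dst=93.184.216.34:80 proto=tcp",
    "2024-01-01T10:00:03 src=192.168.32.99:40000 dst=93.184.216.34:80 proto=tcp",
]
```

Running `audit(SAMPLE_LOG)` gives two attributable sessions and one of each failure case; in a real deployment the register would be filled from the SM inventory rather than typed in.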

Hi, if you have a Cisco router or FW you can translate your internal host to an external static host! Otherwise I think you can use a PPPoE server with RADIUS (never tested) …

ciao …
:P

If you want to be an ISP you will have to have public IPs. NAT, or even double NAT, will only cause problems.

In the meantime you can assign on your router vlan100, for example, some pool of IPs you have on that interface, enable VLAN on the AP, then on the SM side set the untagged ingress VID to be 100. This way the SM can have a public IP.

PPPoE is good thinking for the future. With the filters on the Canopy it is an almost perfect solution for avoiding broadcast storms and logging sessions. From there you can manage the IPs depending on the customer's type of service.

erkan wrote:
In the meantime you can assign on your router vlan100, for example, some pool of IPs you have on that interface, enable VLAN on the AP, then on the SM side set the untagged ingress VID to be 100. This way the SM can have a public IP.


That was what I was actually thinking about.
If I enable VLAN on AP, do I have to enable VLAN on all the SM? I hope not.
So, I could setup a VLAN for every advanced customer or even use a unique VLAN for all the customers requesting public IP and configure the main router to act as a bridge between WAN and wireless VLAN (tagging the traffic with the correct VID), right?

And about using public IP for everybody... apart from the fact that public IPs cost a lot (if your network is small), how can I solve the problem of customers using more PCs connected through a single SM?
I cannot constrain them to buy a router on their side just to connect one more notebook...

Thanks for suggestions
Massimo
spokke wrote:
Hi, if you have a Cisco router or FW you can translate your internal host to an external static host! Otherwise I think you can use a PPPoE server with RADIUS (never tested) ....


spokke
Yes, I could map NAT 1:1 between public and private IPs on the main router/fw and disable NAT on the SM.
The only drawback would be that the customer would be unable to share the SM among more than one computer (unless using supplementary equipment). I also tried to use NAT on the SM with the DMZ feature but I found that some protocols don't work this way (IPsec).

About PPPoE, it could be an interesting solution but... is it supported by all operating systems? (older PCs, Macs, ...). And it requires some operations on the customer side that I would prefer to avoid.
You know... the simpler it is... the fewer problems you'll have.

Ciao ciao :)

If you disable NAT, then install a router … or enable NAT on the SM and open ports …
I don't know if the SM supports PPPoE directly but you could always open the ports …
:P

BigTrumpet wrote:

If I enable VLAN on AP, do I have to enable VLAN on all the SM? I hope not.


No. Your SMs should have at least ver. 6 software.

BigTrumpet wrote:
So, I could setup a VLAN for every advanced customer or even use a unique VLAN for all the customers requesting public IP and configure the main router to act as a bridge between WAN and wireless VLAN (tagging the traffic with the correct VID), right?


Yes you can.

BigTrumpet wrote:

And about using public IP for everybody... apart from the fact that public IPs cost a lot (if your network is small), how can I solve the problem of customers using more PCs connected through a single SM?


You can use PPPoE, each computer a different session.

And you can probably rent a couple of C classes from your ISP until you get your own?

BigTrumpet wrote:

I cannot constraint them to buy a router on their side just to connect one more notebook...


Why not? They will have wi-fi in the toilet :)
spokke wrote:
I don't know if the SM supports PPPoE directly but you could always open the ports .....
:P


P11 will have PPPoE support.