NAT, DHCP Server, DHCP Client and DMZ in SM
The system provides NAT (network address translation) for SMs in the following combinations of NAT and DHCP (Dynamic Host Configuration Protocol):
- NAT Disabled
- NAT with DHCP Client (DHCP selected as the Connection Type of the WAN interface) and DHCP Server
- NAT with DHCP Client (DHCP selected as the Connection Type of the WAN interface)
- NAT with DHCP Server
- NAT without DHCP
NAT isolates devices connected to the Ethernet/wired side of a SM from being seen directly from the wireless side of the SM. With NAT enabled, the SM has an IP address for transport traffic (separate from its address for management), terminates transport traffic, and allows you to assign a range of IP addresses to devices that are connected to the Ethernet/wired side of the SM.
In the Cambium system, NAT supports many protocols, including HTTP, ICMP (Internet Control Message Protocol), and FTP (File Transfer Protocol). For virtual private network (VPN) implementation, L2TP over IPSec (Layer 2 Tunneling Protocol over IP Security) and PPTP (Point to Point Tunneling Protocol) are supported. Of the two, PPTP is widely regarded as cryptographically weak; prefer L2TP over IPSec where the choice exists.
When NAT is enabled, a reduction in throughput is introduced at the SM (due to processing overhead).
DHCP enables a device to be assigned a new IP address and TCP/IP parameters, including a default gateway, whenever the device reboots. Thus DHCP reduces configuration time, conserves IP addresses, and allows modules to be moved to a different network within the Cambium system.
In conjunction with the NAT features, each SM provides:
- A DHCP server that assigns IP addresses to computers connected to the Ethernet interface of the SM.
- A DHCP client that obtains an IP address for the WAN interface of the SM from a network DHCP server.
In conjunction with the NAT features, a DMZ (demilitarized zone) allows you to designate one IP address behind the SM for a device that logically exists outside the firewall and receives inbound network traffic. The first three octets of this IP address must be identical to the first three octets of the NAT private IP address. Because the DMZ host is reachable from the wireless side, harden it as you would a host that is directly exposed.
Developing an IP addressing scheme
Network elements are accessed through IP Version 4 (IPv4) addressing. A proper IP addressing method is critical to the operation and security of a network.
Each module requires an IP address on the network. This IP address is used only for management. For security, you must either:
- Assign a non-routable IP address.
- Assign a routable IP address only if a firewall is present to protect the module and restricts who can reach its management interface.
You assign IP addresses to computers and network components by either static or dynamic IP addressing. You also assign the appropriate subnet mask and network gateway to each module.
Address Resolution Protocol
As previously stated, the MAC address identifies a module in:
- Communications between modules.
- The data that modules store about each other.
The IP address is essential for data delivery through a router interface. Address Resolution Protocol (ARP) correlates IP addresses to MAC addresses.
For communications to a destination outside the local network segment, the sending module resolves the network gateway address (the router's IP address) with ARP and obtains the MAC address of the router. The communication is then sent to that MAC address (the physical network interface card) of the router.
This sequence repeats at each router between the sending module and the destination. The ARP correlation is stored until the ARP cache times out.
The subnet mask is a 32-bit binary number that filters the IP address. Where a subnet mask contains a bit set to 1, the corresponding bit in the IP address is part of the network address.
Example IP address and subnet mask
In Figure 28, the first 16 bits of the 32-bit IP address identify the network: with the factory default subnet mask 255.255.0.0 (binary 11111111.11111111.00000000.00000000) applied to the address 169.254.1.1, the network address is 169.254.0.0 and the remaining 16 bits (1.1) identify the host within that network.
Selecting non-routable IP addresses
The factory default assignments for network elements are:
- Unique MAC address
- IP address of 169.254.1.1
- Subnet mask of 255.255.0.0
- Network gateway address of 169.254.0.0
Every module ships with the same default IP address, and 169.254.0.0/16 is the IPv4 link-local range (RFC 3927), so re-address each module before connecting it to a shared network.
For each radio, CMMmicro and CMM4, assign an IP address that is both consistent with the IP addressing plan for your network and cannot be accessed from the Internet. A private address only keeps the module off the Internet; hosts inside your own network can still reach its management interface, so restrict that access as well. IP addresses within the following ranges (RFC 1918 private address space) are not routable from the Internet, regardless of whether a firewall is configured:
- 10.0.0.0 – 10.255.255.255
- 172.16.0.0 – 172.31.255.255
- 192.168.0.0 – 192.168.255.255
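The subnet mask rule, the ARP decision for on-link versus off-link destinations, and the non-routable range check above are easy to get wrong by hand. The following is an added example (not part of the Cambium documentation or product) that implements all three in Python using only the standard library. The address values are the factory defaults and RFC 1918 ranges quoted in this section; 203.0.113.10 and the 10.x.x.x test addresses are constructed for illustration.

```python
import ipaddress

# Non-routable (RFC 1918) ranges listed in the text above.
NON_ROUTABLE = [
    ipaddress.IPv4Network("10.0.0.0/8"),
    ipaddress.IPv4Network("172.16.0.0/12"),
    ipaddress.IPv4Network("192.168.0.0/16"),
]
# Factory defaults from the text. 169.254.0.0/16 is also the IPv4 link-local
# range (RFC 3927), so a module left at its default is never routed either.
FACTORY_DEFAULT_IP = "169.254.1.1"
FACTORY_DEFAULT_MASK = "255.255.0.0"
LINK_LOCAL = ipaddress.IPv4Network("169.254.0.0/16")


def network_address(ip: str, mask: str) -> str:
    """Apply the subnet mask bit by bit: where the mask has a 1, the
    corresponding bit of the address belongs to the network address.
    Returns the network in prefix notation, e.g. '169.254.0.0/16'."""
    ip_int = int(ipaddress.IPv4Address(ip))
    mask_int = int(ipaddress.IPv4Address(mask))
    prefix_len = bin(mask_int).count("1")
    return f"{ipaddress.IPv4Address(ip_int & mask_int)}/{prefix_len}"


def arp_target(src_ip: str, mask: str, dst_ip: str, gateway: str) -> tuple:
    """Which address the sending module resolves with ARP before transmitting.
    Inside its own subnet it ARPs for the destination; outside, for the gateway."""
    net = ipaddress.IPv4Network(network_address(src_ip, mask))
    if ipaddress.IPv4Address(dst_ip) in net:
        return ("direct", dst_ip)
    return ("gateway", gateway)


def is_non_routable(ip: str) -> bool:
    """True if the address falls in one of the RFC 1918 ranges."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in NON_ROUTABLE)


def check_management_address(ip: str, mask: str) -> list:
    """Findings for a proposed module management address (empty list = OK)."""
    findings = []
    addr = ipaddress.IPv4Address(ip)
    if addr in LINK_LOCAL:
        findings.append("link-local/factory-default range 169.254.0.0/16: re-address before deployment")
    elif not is_non_routable(ip):
        findings.append("routable address: acceptable only behind a firewall that restricts management access")
    net = ipaddress.IPv4Network(network_address(ip, mask))
    if net.prefixlen < 31 and addr in (net.network_address, net.broadcast_address):
        findings.append("network or broadcast address of its subnet: not usable as a host address")
    return findings


if __name__ == "__main__":
    print(network_address(FACTORY_DEFAULT_IP, FACTORY_DEFAULT_MASK))        # 169.254.0.0/16
    print(arp_target("10.1.2.3", "255.255.255.0", "10.1.9.7", "10.1.2.1"))  # ('gateway', '10.1.2.1')
    for candidate in ("10.20.30.40", "203.0.113.10", FACTORY_DEFAULT_IP):   # constructed candidates
        print(candidate, check_management_address(candidate, "255.255.255.0"))
```

Run `check_management_address` over every planned management address before deployment; an empty list means the address is private, not the factory default, and a usable host address in its subnet.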
You can also assign a subnet mask and network gateway for each CMMmicro and CMM4.
Optionally, you can enable Translation Bridging in the General tab of the Configuration web page in the AP. With this feature enabled, the AP changes the source MAC address in every packet it receives from its SMs to the MAC address of the SM that bridged the packet, before forwarding the packet toward the public network, so the upstream network sees the SM's MAC address rather than those of the devices behind it. If you enable it, then:
- At any time, not more than 10 IP devices behind the SM are valid to send data to the AP.
- The AP populates the Translation Table tab of its Statistics web page, displaying the MAC address and IP address of every valid connected device.
- Each entry in the Translation Table is associated with the number of minutes that have elapsed since the last packet transfer between the connected device and the SM.
- If 10 devices are connected and another attempts to connect:
o If no Translation Table entry is older than 255 minutes, the attempt is ignored.
o If an entry is older than 255 minutes, the oldest entry is removed and the attempt succeeds.
- The Send Untranslated ARP parameter in the General tab of the Configuration page can be:
o Disabled, so that the AP overwrites the source MAC address in ARP packets, as in all other packets, before forwarding them.
o Enabled, so that the AP forwards ARP packets untranslated, with the source MAC address of the originating device intact.
When Translation Bridging is disabled, the setting of the Send Untranslated ARP parameter has no effect, because all packets are forwarded untranslated (with the source MAC address intact). Plan for the 10-device limit: an eleventh device behind an SM cannot pass traffic until an existing entry has been idle for more than 255 minutes.
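The admission rules of the Translation Table (10 entries, 255-minute aging) and the effect of Send Untranslated ARP are easiest to understand by running them. The following Python model is an added example, not Cambium code, and reproduces only the behaviour stated in this section. The MAC addresses, IP addresses, frame format (a dict with src, ip and ethertype keys) and the minute-based clock are all constructed for the example; the real AP's internal representation is not documented here.

```python
from dataclasses import dataclass

MAX_ENTRIES = 10        # at most 10 valid devices behind an SM
STALE_MINUTES = 255     # an entry idle longer than this may be replaced
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800


@dataclass
class Entry:
    mac: str
    ip: str
    last_seen: int      # simulation clock, in minutes


class TranslationTable:
    """Models the Translation Table the AP keeps for one SM, following the rules
    in the text: 10 entries maximum; a new device is admitted only if the table
    has room or its oldest entry has been idle for more than 255 minutes."""

    def __init__(self):
        self.entries = {}   # device MAC -> Entry, kept in insertion order

    def admit(self, mac: str, ip: str, now: int) -> bool:
        """Record a packet from a device; return False if the device is not valid."""
        entry = self.entries.get(mac)
        if entry is not None:
            entry.ip, entry.last_seen = ip, now
            return True
        if len(self.entries) < MAX_ENTRIES:
            self.entries[mac] = Entry(mac, ip, now)
            return True
        oldest = min(self.entries.values(), key=lambda e: e.last_seen)
        if now - oldest.last_seen > STALE_MINUTES:
            del self.entries[oldest.mac]      # oldest entry removed, attempt succeeds
            self.entries[mac] = Entry(mac, ip, now)
            return True
        return False                          # nothing stale: attempt ignored


def forward(frame: dict, sm_mac: str, table: TranslationTable, now: int,
            translation_bridging: bool = True, send_untranslated_arp: bool = False):
    """Return the frame as the AP forwards it toward the public network, or None if dropped.
    frame is a constructed dict: {'src': MAC, 'ip': IPv4, 'ethertype': int}."""
    out = dict(frame)
    if not translation_bridging:
        return out              # feature off: everything forwarded with source MAC intact
    if not table.admit(frame["src"], frame["ip"], now):
        return None
    if frame["ethertype"] == ETHERTYPE_ARP and send_untranslated_arp:
        return out              # ARP passes through untranslated
    out["src"] = sm_mac         # all other traffic carries the SM's MAC upstream
    return out


SM_MAC = "0a:00:3e:00:00:01"    # assumed SM MAC address, constructed for the example
DEVICES = [f"02:00:00:00:00:{i:02x}" for i in range(1, 12)]   # 11 constructed devices


def simulate() -> dict:
    """Constructed scenario: 10 devices come up at minute 0, an 11th tries at
    minutes 100 and 300 while only device 1 keeps talking in between."""
    table = TranslationTable()
    for i, mac in enumerate(DEVICES[:10]):
        forward({"src": mac, "ip": f"192.168.1.{10 + i}", "ethertype": ETHERTYPE_IPV4}, SM_MAC, table, now=0)
    newcomer = {"src": DEVICES[10], "ip": "192.168.1.99", "ethertype": ETHERTYPE_IPV4}
    result = {}
    result["admitted_at_100"] = forward(newcomer, SM_MAC, table, now=100) is not None   # False
    forward({"src": DEVICES[0], "ip": "192.168.1.10", "ethertype": ETHERTYPE_IPV4}, SM_MAC, table, now=200)
    result["admitted_at_300"] = forward(newcomer, SM_MAC, table, now=300) is not None   # True
    result["evicted"] = sorted(set(DEVICES[:10]) - set(table.entries))                  # device 2
    result["upstream_src"] = forward({"src": DEVICES[0], "ip": "192.168.1.10", "ethertype": ETHERTYPE_IPV4},
                                     SM_MAC, table, now=301)["src"]                     # SM_MAC
    return result


if __name__ == "__main__":
    print(simulate())
```

The scenario shows the failure mode a field engineer meets: the eleventh device is silently dropped at minute 100 because no entry is older than 255 minutes, and only gets in at minute 300 by displacing the device that has been idle longest (device 2, since device 1 refreshed its entry at minute 200).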