Use of NAT, routers, and public vs private IP addresses

I really prefer to use the SM for DHCP at the customer premise and putting the public IP address at the SM. It minimizes the usage of public IP addresses. It also cuts the layer two traffic. (ARP). My questions are: What IP addresses are you handing to the SM - public or private. With a DHCP server in place to hand out IP addresses to the customer’s PC, if NAT is “on” the SM will get the public IP address. (My thought was that this was frowned on in the Canopy manuals - even though I am doing it). Or are you using two different DHCP servers for a public and private range. Or are you applying a private static IP to the SM that matches your private management network, then using a DHCP server to apply a public IP address to the customer? I assume I will be going this direction soon since Prizm assigns a private IP address to each SM. If you are using DHCP to assign public IP addresses to the customer and using NAT at the SM, could you use public IP ranges for the SM configured DHCP server for that customer? This would entail routing a public IP from the customer through a private management network that is now layer 3 to my gateway…This would allow me to control how many public IP addresses that each SM handed out. It would also essentially give each customer a static IP with one major exception. If I gave the customer a static IP for use on their equipment it would require a truck roll to change if I ever changed network info. If I do it a the SM then Prizm can change all info which would be updated via DHCP from the SM. No truck roll needed.
Well, this conversation can go many directions. What are some of the things being done with respect to assignment of IP addresses, public or private and NAT - No NAT?

Dont use prizm too expensive. I dont know the size of most people’s Canopy networks on this forum but I would tend to think mine is rather large. It covers the whole South East corner of the state. rough guess 20 or more City’s and town’s. We don’t use NAT on the SM’s. All Canopy modules are assigned a private static IP including SM’s. Each customer gets a DLink router. The DLink issues the customers computers ip addresses in the default 192.168.x.x range. The Wan port of the router is set to automatically detect settings from dhcp. At each tower site we install a MikroTik router Its dhcp server will assign a private ip address to the DLink router’s at the customers house. These private ip addresses are masquraded into Public ip addresses or NATed. I normally use 1 public address for every subnet of 254 private addresses. If the customer requires a public address the dhcp server will assign the same public address to that customer every time using their MAC address or the MAC address of the DLink router. The MikroTik also has a very robust firewall. We have 3 internet connections feeding the system and yes all 20 towns are connected together so we have one at each connection protecting our network from the internet. And having one at every tower site protects our network from our customers. We control bandwidth per ip address at the MikroTik and we can monitor bandwidth from their also. You asked HA! HA!.

The problem with public IPs in Canopy is that the web interface locks up and you have to telnet to the radios and reboot it to get into the web interface. This is a pain especially when you want to roll out updates using CNUT and causes downtime. Public IPs also degrade the performance of the Canopy radios.

We use a private network for all Canopy, and then each customer gets a router (Linksys, dlink, whatever) and we install a static public IP on the WAN interface. The CPE router provides DHCP, sets up a home network for internet sharing, and provides a first line of defence for the customer.

We have a Windows 2003 server set up as the gateway at, and all of the backhauls are on the 10.0.1.x subnet. Each AP gets a subnet, for example AP1 is, and each of the SM’s under it are 10.0.2.x. The next AP is, etc, etc. If I am outside our network, I RDP into the 2003 server and can manage all of the Canopy radios on the network. Inside the network I can just log into the radio.

This has been working extremely well however we are not as big as others, and when we run out of IP’s we will need to start NAT’ing our residential customers to free up IP’s, or router another Class C. Since we have a /16 network, we have plenty of private IPs to go around (65k +). Our business customers will always get public routable IP’s.

We get around the truck roll by enabling the remote management feature on the router (we didn’t do this early on so now that we in fact have changed the network, I have to call 30 customers and have them change it but that’s not too bad.) We can log into their router and change the IP info any time.

We manage the customers bandwidth at the SM - this works so well I can’t justify the cost to do it any other way.

We use Solarwinds Orion to monitor as Canopy is SNMP v2 only. I know exactly what is going on on my network, we are running 100% uptime, customers are happy and we are in the black. What more can you ask for?

Hi all. I´m new to this forum and I´m trying to get as more information as possible about Canopy platform, as I´m about to acquiring a cluster with 6 APs and a pack with 50 SMs initialy.

I got very disapointed reading this topic…It´s very bad that Canopy has this problem about setting it to use Public IP address and that it´s not (already) able to do static routing. It´s driving me to think again about buying Canopy.

As I´m a Wisp, I think the best solution would be having the SMs with public IP address in it´s WAN (radio interface) and a Private IP address in the Lan iface, doing NAT for customers and, when needed, making port forwarding for internal services.

I started my wisp using 2.4 radios/cpes. They´re very cheap radios, with embedded linux and they have all these featurs and even more…

To not be unfair with Canopy (witch is known to be a very robust solution), is there a firmware upgrade that addresses those issues?

Maybe you aren’t understanding what is being said…

We use the canopy radios in NAT mode. In NAT mode, it actually has three IPs assigned. One internal on the ethernet for the client, yes implementing a DHCP server for the client’s network. Then there is the management interface IP, which should be a non-routable address so the world can’t poke the webserver process in the canopy radio in the eye. The third address is the NAT address that your client appears to be coming from to the outside world. That can be a public IP, or in our case, another private network, which I then NAT at our border router. This possibility was what first sold us on canopy and we’ve never looked back. Just passed the 250 client mile marker.

Now you got me to the point! and now I’m going to purchase the canopy solution!

As I’m starting to canopy world, I didn’t notice the existence of this “third” IP address for management in the manual.

Thanks a lot for your answer.

Welcome to the world of Canopy. You will find that Canopy is very easy to get up and running. I highly recommend Motorola Training - it will save you a great deal of time getting your network dialed in and optimized.

A bit of useful info: there are actually four IP addresses when the SM is in NAT

1 - Management IP - should be private (something like a 10.x.x.x)
2 - NAT WAN IP -can be public or private
3 - NAT LAN IP - private (default is but can be changed to whatever you want - we use the standard range)

4 - RF IP - private between AP and SM. This is a 192.168.101.x address given to the SM when it registers. The AP is and each SM is the next IP in order of registration - also corresponds to the LUID number in session page in the AP.

When you select a LUID from the AP, and then view that LUID you are actually using the RF IP to access the radio.

This information has saved me truck rolls. I have had SMs that the web interface locked up, but it was still registered. I looked at the LUID number in the AP, then used telnet to access the AP management IP, then used telnet to access the SM RF IP. Allowed me to reboot the SM.

Jerry, very great info…

As much as I run into canopy’s documentation/information, I get very excited of it’s capability…

And I’m also enjoying very much this forum…very helpful.


I agree, great info. Thanks

roneyeduardo wrote:

I started my wisp using 2.4 radios/cpes. They´re very cheap radios, with embedded linux and they have all these featurs and even more...

Do you mind me asking what 2.4Ghz radios you were using? I am looking for reliable 2.4 kit beside Canopy and have had no luck so far.

Sure I don’t mind :slight_smile:

We use Ovislink 5460 AP (, make a home made outdoor enclosure and put it up and running. It’s original firmware is good, but it doesn’t have ssh and it’s not possible to customize it by editing its boot scripts…So I use brazilian’s ApRouter firmware.

You can get more informations at (there’s an english page version)

I’ve used MikroTik in the past it worked fine, but now I just stick to Canopy, better the devil you know and understand. It may be expensive compared to alternatives but I have less headaches.

chrisopq, let me be more clear… I use Ovislink as client/CPE…for AP, I use Mikrotik OS…for plain 802.11x, I don’t know any other better system.

As Mikrotik base station, you can go 2 directions: Use a routerboard with mini-pci (I recommend R52 from Mikrotik or CM9 mini pcis)…or you can arrange a pc motherboard into an weatherproof enclosure and use PCI cards…

This kind of setup (usind pc mobos) is very used here in Brazil…if its of your interest, I can post some images of mobos into an “outdoor enclosure”…

But if this conversation goes ahead, it’s going to get off-topic… :stuck_out_tongue:

First off, I know little about networking and wish I knew more. I have read how others interface/telnet to the customers SM and wonder if we have set our system up the best way possible. We have each Canopy SM on a 10.10.xx.xx private network and each time it registers to an AP it gets assigned an IP from the server (the clients computer is set to automatic). When each block of 60 IPs is close to being used up, we simply request another block and reconfigure the servers. When we want to check on an SM we simply use one of our machines at the shop set on the 10.10.xx.xx network to access the SM. Is there a better way to setup the networking scheme and are there any draw backs to the way we are doing it? Today is the first time I have run into a customer who wants to tie an XBox into the Canopy connection and it is not working…off to figure that one out I hope :slight_smile: