Multi NAT Router Networking Connectivity

September 15, 2010 at 02:51:57
Specs: Windows XP SP3, 4000+ / 2gb DDR
Hello, I am networking 2 routers together to have one semi-secure LAN for an FTP server and voice chat server; we can call this the semi-secure LAN. It is linked through a second NAT router to a highly secure LAN, for protection of high-value machines from infection by viruses that might otherwise compromise them via the semi-secure LAN.

I have had partial success. The problem is that both LANs need Internet access through both routers, fed by the top-level semi-secure LAN. I do not use the wireless, as all my machines are wired. I seem to be having a conflict with the Internet on either router when both are connected together, and I do not know why this is happening. I have tried disabling the DHCP on the secure LAN but this does not seem to work; I think I am getting my routing messed up somewhere.

I will give a list here of the machines and IP addresses.
TOP ROUTER (semi-secure) connected to PC1 192.168.1.13
TOP ROUTER (semi-secure) connected to (2nd router) @ 192.168.1.1
ALTERNATE DNS = 192.168.1.3

(2nd Router) connected to other machines i.e. 192.168.2.x
Problem other machines have Internet connectivity problems.

I have tried setting a ROUTING TABLE but might have done it wrong
I routed both routers to each other, each one via its DNS IP to the Others DNS IP
Is this correct ?

I have also set up static routes to each router using the MAC addresses. I feel I am almost there but not quite; frankly I'm stuck right now :/

I can provide links below to PDF files for both routers, to be honest I am confused as to what is causing the conflict, if someone can advise me it would be much appreciated.

I have the following routed and basically the plan is to accomplish this below the heading.

( What can be done to improve LAN security with multiple machines?
https://www.grc.com/nat/nat.htm )

My newest router is this one. Make: ZyXEL, Model: P-660HW-T1 v3
Version 3-40_Ed1 and the PDF file is at
http://www.zyxel.co.uk/web/download...

My Other Router which has a better website filter blocking feature is this one.
NETGEAR DG834GSP v3 and the closest Manual I can find is here
http://kb.netgear.com/app/answers/d...

Maybe I am overlooking something, but as both routers have a WAN port it seems as though I am getting a conflict or collision somewhere, I set one router in the range 192.168.1.x and the other Router was on 192.168.2.x is this where I am going wrong or is it something else ?

NOTE: Both routers claim to support the MULTI NAT-ROUTING feature

Regards Michelle xxx

PS: Please feel free to ask me more questions. I will try to give as much detail as I can, as I know there are many others out there wanting similar answers, based on the many posts I have studied so far.



#1
September 15, 2010 at 06:46:32
Other than port trojans, viruses have to be invited in by users. Unless the router/firewall has an antivirus subscription and the virus is known, the router setup will not protect your secure LAN from viruses. The main reason to do double NAT is to detect hackers before they compromise your secure LAN.

Is your configuration as follows:

internet<>[wanip address]router1[lan ip 192.168.1.?]<>[wanip 192.168.1.?]router2[lan ip 192.168.2.x]

post a tracert from a pc connected to router2 to yahoo.com to see where it fails

is this a mistype?
ALTERNATE DNS = 192.168.1.3
I don't see a mention of a gateway or dns server at that ip



#2
September 15, 2010 at 08:21:07
Hey WANDERER thanks for a speedy reply ;)

Your Question:
"Is your configuration as follows:

internet<>[wanip address]router1[lan ip 192.168.1.?]<>[wanip 192.168.1.?]router2[lan ip 192.168.2.x]"

My answer: not exactly, no. I am just routing the PC1 domain to the PC2 domain and vice versa, like this.

ZyXEL router

NAME      DESTINATION   GATEWAY       SUBNET
NETGEAR   10.10.2.1     192.168.1.1   255.0.0.0

and on the Netgear router

NAME      DESTINATION   GATEWAY       SUBNET
ZYXEL     192.168.1.1   10.10.2.1     255.255.255.0

Because I am still setting firewall rules on the new ZyXEL router, I have temporarily swapped them around, as the new router has less clutter so is easier to work with. It came pre-set with 2 DNS IPs, 192.168.1.3 and 192.168.1.70; not sure why, possibly because it has some sort of relay function as an extra.

I have also changed my IP range on the Netgear from the 192.168.2.x range to 10.10.2.1 to try and separate the subnets better, which is now 255.0.0.0.

I did a tracert here is the result.

Tracing route to yahoo.com [72.30.2.43]
over a maximum of 30 hops:

1 <10 ms <10 ms <10 ms 192.168.1.1
2 192.168.1.1 reports: Destination host unreachable.

Trace complete.

That was with DHCP turned off on the ZyXEL router.
Been working on this all night so will need to sleep soon, perhaps we can figure out what's going wrong tomorrow ?

Michelle xxx



#3
September 15, 2010 at 08:41:49
I would suggest you set the routers back to defaults and don't do any route adds since nat will work out of the box.

"2 DNS IPs 192.168.1.3 and 192.168.1.70 "

Those are private IPs and, unless you have a local DNS server, are invalid as DNS servers.

I need you to confirm or correct this
internet<>[wanip address]router1[lan ip 192.168.1.?]<>[wanip 192.168.1.?]router2[lan ip 192.168.2.x]

I am around M-F 8-3pm PST so tomorrow is just fine



#4
September 15, 2010 at 10:30:10
Ah, I am not sure what the <> means? I will send you all my ADSL details in a private message, then you can pick out what it is you're looking for and we can narrow down what we need for posting here :)

My ADSL is Dynamic anyway so that's no big secret :)

Michelle xxx



#5
September 15, 2010 at 11:24:47
Got your PM

The ZyXEL WAN interface does not appear to be set to get a DHCP IP from the Netgear. Its IPs are all 000000.

What ips do you get if you plug a pc into the modem the zyxel is now connected to?

Those private IPs for DNS on the Netgear router's WAN port don't look right either.
On the same port the WAN IP and gateway are in completely different subnets and not supernettable, so I don't see how that can be working either.



#6
September 16, 2010 at 03:40:18
ok will try to answer what you said below:

1
> The ZyXEL wan interface does not appear to be set to get a dhcp ip from the
> netgear. It's ips are all 000000
A: yes perhaps this needs to be pointed at the netgears ip ?

2
> What ips do you get if you plug a pc into the modem the zyxel is now connected
> to?
A: Sorry, you lost me here; only one internal router/modem is connected to the WAN, through the ADSL port!

3
> Those private ips for dns on the netgear routers wan port don't look right either.
Those ADSL WAN IPs are assigned by my ISP.

> On the same port the wan ip and gateway on in completely different subnets and not supernettable so I don't see how that can be working either.
From what I have read, the Internet and LAN are always on different subnets; that's what separates WAN from LAN. Is that what you mean?

I will try linking the zyxel through to the netgear just need the right IP ?
I linked up some PDF files earlier in my post I am currently looking at the MORE CONNECTIONS tab below the menu NETWORK ; WAN ; in the zyxel settings it has BRIDGE mode and a few other settings should these be configured to point to the netgear router ?

Michelle



#7
September 16, 2010 at 03:50:51
oops typo
3
> Those private ips for dns on the netgear routers wan port don't look right either.
I changed the LAN IP range to a new subnet to prevent conflicts from the DHCP if both are running, as each would only operate within its own IP range; because the IP ranges are kept apart there is less chance of an overlap, as I read from this article here: Public and Private IPs.
Two thirds down the page it talks about separating LAN networks by using other IP ranges.

Michelle xxx



#8
September 16, 2010 at 08:19:19
Let's get the netgear router working before we add the Zyxel.

If you connect a pc to the netgear do you get on the internet?

Reason I don't think you can is the ip addressing
IP Address 86.xxx.xxx.xxx
IP Subnet Mask 255.255.255.255
Gateway IP Address 213.xxx.xxx.xxx

A gateway ip needs to be in the same subnet as the ip address. 86x and 213x are not even close which is why I ask the above question. I would expect a 86x range for gateway ip.

The reason a gateway entry exists is in the situation where a request for say yahoo.com is not found locally, the request is sent to the gateway ip with the expectation something will come back.

The mask 255.255.255.255 means one host one subnet which is fine for a single wan interface.

Can you get to the internet via the netgear?

Please list what you have planned for the netgear's lan subnet. What ips are in its dhcp scope and what ips are not.

Also why the two routers? What is the need?



#9
September 16, 2010 at 10:26:31
Dear wanderer,
I am on the Netgear at this moment, and it configures itself to those gateway IPs via my ISP, so the following:

Q: If you connect a pc to the netgear do you get on the internet?
A: yes

Q: Reason I don't think you can is the ip addressing
IP Address 86.xxx.xxx.xxx
IP Subnet Mask 255.255.255.255
Gateway IP Address 213.xxx.xxx.xxx

A: All this is assigned by my ISP, so it does work. What I need is routing of the Internet from a connected router on one LAN network to a second, more secure LAN network. The problem is routing the Internet through both, and I am not sure how to configure the other router's ADSL port to pick up the Internet from the top-level router; this is my main problem. From what I understand from reading Steve Gibson's article, the Internet can be carried via the standard LAN ports. This makes sense, as this is where computers connect to the Internet over the LAN; basically it is like ICS via LAN, I believe.

both of my PC's have 2 separate (Network adapters) also which are currently disabled, these can later be used for temporary linking between both networks in the event I want to share files between the two networks during router problems which I have, just thought I would mention this. But at the moment we can ignore those for clarity reasons as they are disabled under networking on 2 of my machines, one on each network.

Q: Can you get to the internet via the netgear?
A: yes I can

Q: Also why the two routers? What is the need?

A: As I explained earlier, I want one LAN network for more public file sharing. The machines on this network are running servers 24/7/365, and on a few occasions my other machines on this network HAVE BEEN ATTACKED through tunneling. There is no easy solution except 2 NATs: if the machine(s) were to be compromised by a hacker, my other machines on the second LAN would be much more secure. This is explained here: What can be done to improve LAN security with multiple machines.

I understand the difference with subnets, but is that not the whole point? A WAN subnet is supposed to be different from a LAN subnet; it is explained on Steve Gibson's site! A WAN subnet is on the other side of the firewall, I believe?

The IP ranges currently assigned on the netgear are from:
10.10.2.1 -10.10.2.100 ( can revert this to 192.168.2.1 - 192.168.2.100)
if you think this will be better ?

Michelle xxx



#10
September 16, 2010 at 10:51:13
I understand.

Double NAT is good, but just doing routers doesn't cut it. You need firewall routers. For example, we use a front-end SonicWall TZ-170, then a Cisco PIX, then our intranet. The SonicWall has AV and spam subscriptions and it sends logs, which we review daily, to a ViewPoint server.

In the meantime lets get your double nat in place.

How many devices are you hanging off the netgear?
If none I would disable dhcp on the netgear. Assign 10.10.2.1 as a static ip to the netgear lan interface.

On the zyxel wan interface assign 10.10.2.2 as a static ip with 10.10.2.1 as gateway.
The Zyxel LAN can be DHCP enabled in an IP range of your choice other than the 10.10.2.x subnet.

Do understand that even with double NAT users can "invite" the bad guys in by downloading things that contain rootkits, hacker call home tools. This is where monitoring the logs is really important along with a strong computer usage policy.



#11
September 16, 2010 at 12:13:54
wanderer wrote In the meantime lets get your double nat in place.

How many devices are you hanging off the netgear?
If none I would disable dhcp on the netgear. Assign 10.10.2.1 as a static ip to the netgear lan interface.

Q: How many devices are you hanging off the netgear?
I do a few PC repairs, and often my daughter connects to my network via wireless, which I turn on ONLY when needed by her or other friends. I have about 3 PCs I want on the safe network, and when I fix PCs that I KNOW might be infected with malware I want them isolated on the less secure LAN (my server PC can be unplugged or routed elsewhere perhaps during those times). Or, as the ZyXEL claims it supports virtual LAN networks, this might allow total isolation of one machine from the rest, but clearly it needs Internet access during a repair or system clean. Often in the past I have had to completely unplug a sensitive machine from my network during a machine clean-up, which is inconvenient when doing research about a machine.

wanderer wrote: Do understand that even with double NAT users can "invite" the bad guys in by downloading things that contain rootkits, hacker call home tools. This is where monitoring the logs is really important along with a strong computer usage policy.

This is why I have some heavy firewall rules on my netgear (OUT / IN BOUND) to block many ports from going out over the Internet such as 130-140 (TCP/UDP) and 445 etc.

OK I will add these per your instructions
I do regular scans also, and my main machine's primary partition is stored on a DVD backup as a bootable restore disk.

Michelle <3



#12
September 16, 2010 at 12:50:02
Dear Wanderer

I am not sure what to do with the other settings ?
I made a screenshot, can you see this? I set it to non-public, but the link below is a direct link.

ZyXEL Wan Interface

Michelle xxx



#13
September 16, 2010 at 12:57:58
Before you block ports did you see if they were open?

If you go to Shields UP! and do a port scan. Most routers out of the box block the trojan attack ports.

It was not clear from your posts you were more concerned about interior exposure. I would suggest a managed switch with vlan capability would be the best way to isolate the pc repair traffic from your personal lan traffic.

Way I would suggest you set this up is as follows

internet<>netgear router<>managed switch

Off the managed switch you would have:
vlan1 - ports configured only for your private lan
vlan2 - ports configured only for your pc repair lan
vlan3 - port with the zyxel wireless router configured for "guest" access. Guest access would be a WPA/WPA2 simple phrase they can easily use when on location.

The amount of ports in the switch would be determined by how many pcs max you plan to hookup.

With vlans there is no way the other two vlans could get to your private vlan but all would have internet access.



#14
September 16, 2010 at 13:29:17
wanderer: that sounds cool, and my brain is hurting :p so can we deal one step at a time as you might overwhelm my little brain lol

What about those other settings and the virtual channel stuff and protocol ?
LINK:> http://farm5.static.flickr.com/4152...



#15
September 16, 2010 at 13:33:36
Q: Before you block ports did you see if they were open?
A: Yes, I like Shields UP! on GRC, it's cool, but as you know outbound traffic is allowed by default in routers, so what can happen is a web script can load an ActiveX control that sends out malicious code via outbound ports to bring nasties in, which is why I block certain OUTBOUND PORTS.

Michelle <3



#16
September 16, 2010 at 14:59:46
Dear wanderer, I don't seem to be having much luck; I tried those settings but still no joy. I wonder, are you familiar with TeamViewer? I would be willing to let you have a look at my set-up via TeamViewer if that will help you see where I am going wrong with my settings, as I use it all the time usually. It can be used in view-only mode as well and has a chat function so we can talk in real time; we can share the results later on here.

http://www.teamviewer.com/index.aspx

Let me know if you can do this and I will pm you with my ID and Dynamic password.

Just going to make some food.

Michelle <3



#17
September 16, 2010 at 15:16:01
I had to download and read the Zyxel manual, since every router manufacturer, even between their own models, likes to call things differently than other manufacturers.

ftp://ftp.zyxel.com/P-660HW-T1/user_guide/P-660HW-T1_3.40.pdf

you are not doing multiplexing. Is there a choice of none?
manual says to use enet encap if doing static ip which you are

I am going home to finish a 180 sq ft patio before the rains start. See you tomorrow.



#18
September 16, 2010 at 15:35:43
OK, I got some partial success here. I am running some tests: I have my daughter's netbook here with me and thought I would try running the wireless on the ZyXEL router, which is the second in line, connected to the Netgear, which is hooked to the ADSL line. I am getting Internet through the wireless; the only problem is it is showing on my Netgear on the wrong IP range, 10.10.2.4 :/ It's being relayed by the looks of it, so I am not getting the isolation I need here; it should be in the 192.168.1.4 range.

Michelle



#19
September 16, 2010 at 15:39:51
(smile) well good luck with your patio, I need some fresh air myself it's been raining and muggy here all day (rolls-eyes) I will play around a bit and keep you posted, will check those settings you suggested :)

Michelle <3



#20
September 16, 2010 at 17:00:53
Q: you are not doing multiplexing. Is there a choice of none?
I saw that somewhere I think it is turned off will double check :)

WW: manual says to use enet encap if doing static ip which you are
OK will check that

Michelle <3



#21
September 17, 2010 at 03:13:07
Dear wanderer, well, I have been up all night fixing my daughter's laptop. Yes, I got stuck with the router, then got side-tracked as her laptop needed fixing too :p so I may not be on until tomorrow now. Just an update: I swapped a few things in the routing; it seems a bit better but needs more testing. The main problem is I am not on separate subnets, so I got something set wrong somewhere. I think it's stuck in relay mode; I am not getting the network separation I need :( Every time I switch the ZyXEL from relay DHCP to server I get cut off on the second router, so more reading to do. Oh, thanks for that PDF; I had already downloaded 3 PDFs but the one you posted does seem to have more useful information.

Chat tomorrow <3

Michelle



#22
September 17, 2010 at 08:08:04
The Zyxel should not be set for bridging [what I believe you mean by relay] but NAT. The fact you are getting a Netgear LAN IP says the Zyxel is bridging.

What is the netgear's dhcp scope set to?

Before you move on to wireless on the zyxel lets have wired working correctly first.

Vlans are way easier :-)



#23
September 17, 2010 at 23:26:45
Dear Wanderer, so you think it would be easier then to use the ZyXEL as the main router connected by the ADSL, configure it for VLANs, and have one of those VLANs connected to the Netgear, making the Netgear the inside LAN server? Not sure how to do this either, but if that's the plan we can try that perhaps?

Michelle



#24
September 18, 2010 at 12:00:28
Dear Wanderer, after looking through the manual you posted I think it's the wrong one!
This is the one I have.
http://www.zyxel.co.uk/web/download...

I think I crashed my ZyXEL today might have to reset as can't get back in doh! oops

Michelle <3



#25
September 18, 2010 at 14:41:36
I had to reset my router; luckily I saved my settings. The ZyXEL is still using the IP addressing of the Netgear though, so the networks are not isolated.

Here is a tracert I have done.

tracert yahoo.com

Tracing route to yahoo.com [209.191.122.70]
over a maximum of 30 hops:

1 1 ms <10 ms <10 ms www.routerlogin.com [10.10.2.1]
2 29 ms 29 ms 30 ms 213.123.110.186
3 28 ms 29 ms 27 ms 213.123.110.161
4 28 ms 29 ms 28 ms 217.47.110.10
5 28 ms 29 ms 28 ms 217.47.111.50
6 28 ms 28 ms 28 ms 217.32.171.233
7 34 ms 32 ms 33 ms core1-pos-0-14-5-0.ilford.ukcore.bt.net [62.172.102.53]
8 33 ms 33 ms 32 ms core1-pos9-1.telehouse.ukcore.bt.net [194.74.65.114]
9 33 ms 32 ms 33 ms ge-1-1-0.pat1.the.yahoo.com [195.66.224.129]
10 111 ms 113 ms 112 ms as-0.pat1.nyc.yahoo.com [66.196.65.13]
11 113 ms 114 ms 114 ms ae-8.pat1.dcp.yahoo.com [216.115.101.157]
12 114 ms 111 ms 160 ms as-4.pat1.da3.yahoo.com [216.115.96.111]
13 179 ms 161 ms 168 ms ae-1-d120.msr1.mud.yahoo.com [216.115.104.81]
14 173 ms 163 ms 180 ms ae-1-d101.msr1.mud.yahoo.com [216.115.104.99]
15 165 ms 172 ms 178 ms te-6-1.fab1-a-gdc.mud.yahoo.com [209.191.78.129]
16 162 ms 167 ms 170 ms te-8-2.bas-c1.mud.yahoo.com [209.191.78.173]
17 159 ms 170 ms 174 ms ir1.fp.vip.mud.yahoo.com [209.191.122.70]

Trace complete.


#26
September 18, 2010 at 15:05:55
Q: What is the netgear's dhcp scope set to?

I have uploaded some more screenshots here.
These links have a guest pass included; I just don't want to flood my movie-making credit scores with too much clutter :oD

http://flickr.com/gp/11416512@N00/y...
http://flickr.com/gp/11416512@N00/1...
http://flickr.com/gp/11416512@N00/8...

Michelle <3



#27
September 18, 2010 at 15:09:24
Oh, I forgot to mention: RIGHT CLICK the images to view in full size.

#28
September 20, 2010 at 08:39:19
IP addressing needs correction:

Netgear wan:
IP Address 86.xxx.xxx.xxx
IP Subnet Mask 255.255.255.255
Gateway IP Address 213.xxx.xxx.xxx

Netgear lan:
Gateway IP Address 10.10.2.1
IP Subnet Mask 255.0.0.0
DHCP scope should be:
10.10.1.3 to 10.10.1.20 [since you don't have that many ports to support 100]
note: you exclude the gateway ip and the ip assigned to the Zyxel wan interface.
so you exclude x.x.x.1 and x.x.x.2 from the scope.

Zyxel Wan
IP Address 10.10.2.2 [not 192.168.5.1]
IP Subnet Mask 255.0.0.0
Gateway IP Address 10.10.2.1
note: your gateway is the lan port [gateway ip] of the netgear.

You do not want to have VC selected. This should be just NAT with a static ip assignment for the wan interface in the Netgears lan subnet.

Zyxel Lan:
Gateway IP Address 192.168.1.1
DHCP scope should be:
192.168.1.2 to 192.168.1.20

These are invalid dns entries:
192.168.1.3 and .70
These are invalid gateway and wan entries;
10.10.2.1 and 192.168.5.1

You have two choices with listing dns. Use the gateway entry. So on the zyxel wan interface use the gateway of the netgear. On the zyxel lan interface use the lan gateway.

Or list the primary and secondary DNS server listed from the ISP
I would suggest just use the gateway ip


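The addressing rules Wanderer applies in the reply above (and in #8 and #10: a static interface's gateway must be on that interface's own subnet, the inner router's WAN lives in the outer router's LAN subnet and uses the outer LAN address as gateway, the inner WAN and LAN subnets must not overlap, and the DHCP scope must stay inside its subnet and skip the router address and the inner router's statically assigned WAN address) can be checked mechanically before touching either router. The script below is an added example, not code from the thread or from either vendor; it uses only the standard-library `ipaddress` module. It runs the corrected plan from #28 and, for contrast, the earlier values the thread reports (Zyxel WAN 192.168.5.1 with gateway 10.10.2.1, Netgear scope 10.10.2.1-10.10.2.100); the /24 assumed on the old Zyxel WAN is an assumption for the illustration.

```python
"""Double-NAT addressing-plan checker (added example, not from the thread).

Checks that a router-behind-a-router plan is internally consistent:
  * a static interface's gateway sits inside that interface's own subnet
  * the inner WAN is on the outer LAN subnet and points at the outer LAN address
  * inner WAN and inner LAN subnets do not overlap (one subnet on both sides is
    what a bridged, not NATing, inner router looks like)
  * each DHCP scope lies inside its subnet and excludes the router's own address
    and any statically assigned host (the inner router's WAN address)
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface
from typing import List, Optional


@dataclass
class Interface:
    name: str
    address: IPv4Interface              # host address with mask, e.g. 10.10.2.1/8
    gateway: Optional[IPv4Address] = None


@dataclass
class DhcpScope:
    start: IPv4Address
    end: IPv4Address


def check_interface(iface: Interface) -> List[str]:
    """A static gateway is only reachable if it is on the interface's own subnet."""
    problems = []
    if iface.gateway is not None and iface.gateway not in iface.address.network:
        problems.append(f"{iface.name}: gateway {iface.gateway} is not in {iface.address.network}")
    return problems


def check_scope(iface: Interface, scope: DhcpScope, reserved: List[IPv4Address]) -> List[str]:
    """The scope must lie inside the LAN subnet and skip every statically used address."""
    problems = []
    net = iface.address.network
    if scope.start > scope.end:
        problems.append(f"{iface.name}: DHCP scope start {scope.start} is after end {scope.end}")
    if scope.start not in net or scope.end not in net:
        problems.append(f"{iface.name}: DHCP scope {scope.start}-{scope.end} is not inside {net}")
    for ip in [iface.address.ip, *reserved]:
        if scope.start <= ip <= scope.end:
            problems.append(f"{iface.name}: DHCP scope {scope.start}-{scope.end} includes reserved {ip}")
    return problems


def check_double_nat(outer_lan: Interface, inner_wan: Interface, inner_lan: Interface,
                     outer_scope: DhcpScope, inner_scope: DhcpScope) -> List[str]:
    """Return every rule violation found; an empty list means the plan is consistent."""
    problems = check_interface(inner_wan) + check_interface(inner_lan)
    if inner_wan.address.network != outer_lan.address.network:
        problems.append(f"{inner_wan.name}: {inner_wan.address.network} differs from "
                        f"{outer_lan.name} subnet {outer_lan.address.network}")
    if inner_wan.gateway != outer_lan.address.ip:
        problems.append(f"{inner_wan.name}: gateway should be {outer_lan.name} address {outer_lan.address.ip}")
    if inner_wan.address.network.overlaps(inner_lan.address.network):
        problems.append(f"{inner_wan.name} and {inner_lan.name} subnets overlap; inner router is not isolating")
    # the inner router's WAN address is handed out statically, so the outer scope must skip it
    problems += check_scope(outer_lan, outer_scope, reserved=[inner_wan.address.ip])
    problems += check_scope(inner_lan, inner_scope, reserved=[])
    return problems


def corrected_plan() -> List[str]:
    """The addressing laid out in reply #28: expected to come back clean."""
    return check_double_nat(
        outer_lan=Interface("netgear lan", IPv4Interface("10.10.2.1/8")),
        inner_wan=Interface("zyxel wan", IPv4Interface("10.10.2.2/8"), IPv4Address("10.10.2.1")),
        inner_lan=Interface("zyxel lan", IPv4Interface("192.168.1.1/24")),
        outer_scope=DhcpScope(IPv4Address("10.10.1.3"), IPv4Address("10.10.1.20")),
        inner_scope=DhcpScope(IPv4Address("192.168.1.2"), IPv4Address("192.168.1.20")),
    )


def earlier_plan() -> List[str]:
    """Values the thread reports before the correction: Zyxel WAN 192.168.5.1 with gateway
    10.10.2.1 and a Netgear scope of 10.10.2.1-10.10.2.100. The /24 on the old Zyxel WAN is
    an assumption for the illustration."""
    return check_double_nat(
        outer_lan=Interface("netgear lan", IPv4Interface("10.10.2.1/8")),
        inner_wan=Interface("zyxel wan", IPv4Interface("192.168.5.1/24"), IPv4Address("10.10.2.1")),
        inner_lan=Interface("zyxel lan", IPv4Interface("192.168.1.1/24")),
        outer_scope=DhcpScope(IPv4Address("10.10.2.1"), IPv4Address("10.10.2.100")),
        inner_scope=DhcpScope(IPv4Address("192.168.1.2"), IPv4Address("192.168.1.20")),
    )


if __name__ == "__main__":
    for label, result in (("corrected", corrected_plan()), ("earlier", earlier_plan())):
        print(f"{label}: {'OK' if not result else ''}")
        for line in result:
            print("  -", line)
```

The earlier plan trips three checks: the Zyxel WAN gateway is not on the WAN's own subnet, the Zyxel WAN is not in the Netgear LAN subnet, and the Netgear scope starts at the Netgear's own address. The corrected plan passes. Swap in your own values to confirm a plan before re-cabling; the overlap check is the one that would have caught the 10.10.2.4 lease showing up on the Netgear.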

#29
September 20, 2010 at 10:59:53
Thanks Wanderer I will try that amazing :) sorry it took me a while to answer you been Building another PC today ;)

Will try this out asap THANK YOU :)

Michelle <3



#30
September 21, 2010 at 07:13:16
Dear wanderer, I do not see any option to disable VC; it only has 2 options, either VC or LLC?

Michelle <3



#31
September 21, 2010 at 08:18:15
In going through the manual there is not one scenario listed of this router being a gateway device, that is, being a router behind a router.

This is covered in chapter 7 wan setup

The setup I would suggest is;
7.1.6 nailed up connection
7.1.7 nat.

Otherwise don't put a static ip in but let the netgear provide a dhcp ip and use the automatic detection 7.4 to see if that will work.

Otherwise you may need to swap routers around and put the zyxel facing the internet.



#32
September 21, 2010 at 11:42:12
OK I am reading that now


#33
September 21, 2010 at 12:16:50
I am going to try the PPPoE method as you suggest. On most of these screens I see, under Advanced, the options for RIP & Multicast Setup & ATM QoS.

Do these need any specific settings? Currently Multicast is disabled; I have tried RIP1 and 2B, not sure if these help?

I have noticed some network drop outs on the primary Netgear when under some settings, I can only believe this is due to my misconfiguration somewhere.

Michelle



#34
September 21, 2010 at 15:52:14
PPPoE does not apply to your setup.

If you can't do straight NAT with a static IP assigned [this router is solely geared to talk to various ISP methods, ATM/PPPoE/DSL etc.] then try chapter 7.4 of letting the router's WAN interface do its detection.

Once you have the netgear working make no changes to it or you muddy the waters troubleshooting the zyxel router.



#35
September 23, 2010 at 13:51:50
Hi wanderer, ahh, sorry, my misunderstanding. Can we take a break until Monday? I've just got some other PC work ongoing for the next few days. I seem to be having dropouts on the Netgear network whenever the inside network ZyXEL is active; we may need to go for the alternative configuration with the Netgear on the inside LAN and the ZyXEL as the ADSL outside, as you suggested earlier, as it seems I am just not getting routing stability here.

I really appreciate your time and patience with me. <3

Michelle



#36
September 23, 2010 at 14:05:37
I was wondering what had happened to you. Not a problem. See you monday.


#37
September 28, 2010 at 03:07:30
Sorry Wanderer, a few things came up this week; darn well had to visit the doctor early today. Be in touch asap <3

Michelle

