Thomson Gateways and Multiple IP Adresses

Transcription

1 Thomson Gateways and Multple IP Adresses Date: June 2007 Verson: v1.0 Abstract: Applcablty: Ths applcaton note provdes techncal nformaton on how the Thomson Gateway DSL routers can be ntegrated n varous scenaros where more than 1 publc IP address s offered to the customer. A multtude of concepts exsts, combnng dfferent ways of how the IP ranges are offered to the customer (dynamcally or statcally) and how the IP addresses wll be ntegrated at the customers premses (routed by the Thomson Gateway to a local publc subnet or termnated on the Thomson Gateway and redrected to specfc hosts by Hyper-NAT. Thomson Gateway DSL Gateways and Routers R6.2.x Updates: THOMSON contnuously develops new solutons, but s also commtted to mprovng ts exstng products. For more nformaton on THOMSON's latest technologcal nnovatons, documents and software releases, vst us at

2 Contents 1 Introducton Statc Subnet wth Numbered WAN Lnk Scenaro Overvew Practcal Realsaton Statc Subnet wth Unnumbered WAN Lnk Scenaro Overvew Practcal Realsaton Statc Subnet n Full Unnumbered mode Scenaro Overvew Practcal Realsaton Subnet wth IPCP Subnet Mask Opton Scenaro Overvew Practcal Realsaton Mult-NAT Scenaro Overvew Practcal Realsaton Transparent NAT Scenaro Overvew Practcal Realsaton X+n NAT Scenaro Overvew Practcal Realsaton

3 Contents 9 Publc IP address Dstrbuton by Hyper-NAT Scenaro overvew Practcal Realsaton

4 Chapter 1 Introducton 1 Introducton Purpose of ths Applcaton Note Ths applcaton note provdes a gude on how to confgure the Thomson Gateway n all knds of dfferent scenaros where multple publc IP addresses are to be used by the customer. The goal s to explan how the Thomson Gateway has to be confgured n all these dfferent scenaros. In practce, only one setup wll be applcable, as the Thomson Gateway has to ft n a model that s mposed by the Servce Provder. Document Overvew A bref overvew of the sectons avalable n ths Applcaton Note: > 2 Statc Subnet wth Numbered WAN Lnk on page 6 Ths s the most basc model that exsts. The complete range of publc IP addresses s located n a local subnet, and ths subnet s connected to the Internet Servce Provder (ISP) through the Thomson Gateway by means of a connecton whch has ts own IP defnton. > 3 Statc Subnet wth Unnumbered WAN Lnk on page 11 When pont to pont lnks are used, t can be nterestng to put these lnks n unnumbered mode to avod the waste of IP addresses, or to avod the confguraton of prvate, dummy, routng networks. However, ths has a few sde-effects, such as source IP selecton of Thomson Gateway orgnated traffc. > 4 Statc Subnet n Full Unnumbered mode on page 17 When remote access to the Thomson Gateway s not requred, the fully unnumbered mode s a very nterestng soluton. In ths mode, one of the avalable publc IP addresses that would normally be used on the Thomson Gateway s now avalable for use by a local host. > 5 Subnet wth IPCP Subnet Mask Opton on page 22 Another opton s to mplement a (sem-)dynamc publc subnet model. On top of the extra functonalty offered by PPP by means of authentcaton and accountng, an extenson s also avalable to dynamcally offer a whole subnet to the PPP clent. An example s provded on how to enable ths feature on a Thomson Gateway, and how the dstrbuton of the subnet towards the other devces has to be handled. > 6 Mult-NAT on page 28 Wth Mult-NAT, pure NAT s appled, meanng that there s a 1-1 relaton between a prvate and publc IP address. The Mult n Mult-NAT means that ths 1-1 relaton does not have to be defned n advance, hence, there can be more prvate hosts than publc IP addresses. The relaton wll be establshed when the frst packet s sent. From then on, a specfc publc address s reserved for the related prvate host. > 7 Transparent NAT on page 32 Ths type of NAT s mostly used n combnaton wth other flavours, as t s qute a specal one. The strange thng s that no NAT s performed, but the packets are transparently forwarded from the publc nto the prvate segment of the network, where a host s confgured wth that partcular publc IP address. Ths feature s useful when an nterface s n NAT mode, but part of the IP addresses on t should not be translated. In that case, for these IP addresses, a transparent NAT entry should be defned. > 8 X+n NAT on page 37 Ths feature can be useful when a range of IP addresses has to be dynamcally assgned to a certan customer, but the protocol used for the dynamc dstrbuton (typcally PPP-IPCP) does not support the offerng of more than 1 IP address. Some solutons defne that f IP address X s offered, the next n IP addresses are also avalable for use. To handle these knd of forced IP range defntons, the use of N+x NAT templates s needed. 4

5 Chapter 1 Introducton > 9 Publc IP address Dstrbuton by Hyper-NAT on page 41 The Thomson Gateway NAT mplementaton, Hyper-NAT, offers many types of NAT confguraton. One of the powerful capabltes of Hyper-NAT s that all these dfferent NAT flavours can be used n a mxed mode. Ths can be very nterestng n case a user has a range of publc IP addresses avalable, and wants to use each one of them to fulfl a specfc need. 5

6 Chapter 2 Statc Subnet wth Numbered WAN Lnk 2 Statc Subnet wth Numbered WAN Lnk Introducton Ths chapter descrbes the most basc model that exsts. In ths model, the complete range of publc IP addresses s located n a local subnet, and ths subnet s connected to the ISP through the Thomson Gateway by means of a connecton whch has ts own IP defnton 2.1 Scenaro Overvew Concept In ths scenaro the ISP provdes the followng confguraton parameters to the customer: > The ATM connecton parameters (VPI/VCI, encapsulaton type, connecton type), > A range of publc IP addresses (the MyIP addresses), > An addtonal IP address to be used for nterconnectng wth the ISP (the Route-IP ), > The IP address of the gateway, > Probably some extra parameters as DNS and other servers IP addresses (or host names). NOC IP addresses used for these networks can be prvate Internet Route-IP MyIP3 MyIP4 Web Gateway 1 PVC SpeedTouch MyIP1 MyIP2 Mal My Publc Subnet Prxy Fgure 1 Concept drawng of subnet wth routng IP The route-ip address can be a publc IP address, but often the ISP wll prefer to use prvate IP ranges for ths ntermedary routng network. The advantage of usng prvate ranges s that: > If the Network Operatons Centre (NOC) of the ISP s also located n ths prvate subnet, only the ISP s able to access the Thomson Gateway tself from the WAN-sde. Ths means that f specfc servces (thnk of remote access, SLA montorng and so on) are enabled on the WAN sde they wll not be accessble by every host on the Internet. > No valuable publc IP addresses are wasted smply to establsh Internet connectvty. 6

7 Chapter 2 Statc Subnet wth Numbered WAN Lnk Scenaro The followng pages wll show how to confgure the Thomson Gateway when you have to connect to ths type of network confguraton. The goal wll be to ntegrate the Thomson Gateway n the followng network structure: Internet My Publc Subnet / Route: /29 > PVC: 8/35 SpeedTouch Default Route > Fgure 2 Scenaro example of subnet wth routng IP The followng sectons wll descrbe all the confguraton steps needed: To... See page... Create the Uplnk Interface 8 Defne the Local Publc Subnet 9 Defne the Routng towards the Internet 9 Enable DNS Forwardng 9 Set the Correct Frewall Level 10 7

8 Chapter 2 Statc Subnet wth Numbered WAN Lnk 2.2 Practcal Realsaton Create the Uplnk Interface Frst of all, we have to create the WAN-nterface that wll be used to connect to the ISP. For ths scenaro we wll use the IP over ATM (IPoA) connecton servce, often used n these knd of setups. The example wll be confgured wth VPI/VCI values 8/35, usng LLC/SNAP encapsulaton. Usng any other type of statcally confgured uplnk nterface does not mpact the other steps durng confguraton. The only tem to watch s that the IP address of the gateway and the route-ip have to be n the same subnet for non pont-to-pont connecton models. Ths s not an ssue for pont-to-pont connectons, as they just need a local and remote IP address whch are not bound to subnets. Proceed as follows: 1 Create an ATM nterface. Execute the followng CLI commands to create ATM nterface atm_myipoa: :atm phonebook add name=phone_myipoa addr=8.35 :atm fadd ntf=atm_myipoa :atm fconfg ntf=atm_myipoa dest=phone_myipoa encaps=llc ulp=p :atm fattach ntf=atm_myipoa 2 Create an IP nterface. Execute the followng CLI commands to create IP nterface p_myipoa and to assgn an IP address to t: :p fadd ntf=p_myipoa dest=atm_myipoa :p padd ntf=p_myipoa addr= pontopont= In ths last command you can see how the IP addresses on the WAN sde of the Thomson Gateway are assgned as defned n Fgure 2. The addr parameter sets the local address (the route-p as we called t conceptually); the address of the Broadband Access Server (BAS) s defned through the pontopont parameter. 3 Enable the IP nterface. Execute the followng CLI command to enable IP nterface p_myipoa: :p fattach ntf=p_myipoa 4 Check the ntal connectvty. Execute the followng CLI command to check whether basc connectvty s avalable between the Thomson Gateway and the gateway of the ISP: =>:p debug png addr= bytes from : cmp_d=27, cmp_seq=0 => When the CLI command does not generate any feedback (9 bytes from...), ths means that the test s falng. Be aware that ths test wll only succeed f the BAS s not confgured to dscard ICMP echo requests. 8

9 Chapter 2 Statc Subnet wth Numbered WAN Lnk Defne the Local Publc Subnet All publc IP addresses that were assgned to us by the ISP wll have to be confgured manually on each host. We wll also assgn one of the IP addresses of our publc subnet to the Thomson Gateway. Ths IP address wll serve as the gateway for all other hosts on our local publc subnet. Execute the followng CLI command to assgn the IP address to the local Ethernet nterface: :p padd ntf=lan1 addr= netmask= addroute=enabled Wth the addroute=enabled parameter, a route s automatcally njected n the routng table. Ths route ndcates that subnet /29 s drectly connected va nterface lan1, beng the local Ethernet nterface. Defne the Routng towards the Internet Now that all IP addresses are confgured, we have to defne the routng towards the Internet. As the Thomson Gateway s actng as a pure router n ths scenaro, ths s qute straghtforward. Execute the followng CLI command to nject a default route towards the Internet n the routng table: :p rtadd dst= /0 gateway= Enable DNS Forwardng Optonally, t s possble to let the Thomson Gateway act as the default DNS server for all local hosts. If the Thomson Gateway cannot resolve the DNS request from ts own database, t wll forward the request to a DNS server of your ISP. Execute the followng CLI command to confgure the external DNS server to whch your Thomson Gateway can forward DNS queres that t cannot resolve by tself: :dns server route add dns= ntf=lan1 All hosts wll need to confgure the IP address of the Thomson Gateway as ther prmary DNS server (that would be for ths scenaro). The IP address of the DNS server that s used n the CLI command ( ) wll be provded by your ISP. 9

10 Chapter 2 Statc Subnet wth Numbered WAN Lnk Set the Correct Frewall Level In ths setup, where both the LAN and WAN sde of the Thomson Gateway are publc, the frewall level should be set to Dsabled. Ths wll allow all nbound and outbound connectons to pass the Thomson Gateway. However, when your local hosts are not supposed to offer servces towards the publc network, t s safer to confgure the frewall so that t only allows connectons that are ntated from the local network towards the publc network. The Thomson Gateway by default has several levels defnng that only outbound sessons can be made. Ths restrcton starts from level standard and s vald for all hgher-securty frewall levels. Execute the followng CLI command to check the current level of your frewall: =>:frewall level lst Level Confg ============ Actve Level: Dsabled... => If your current level s not as desred, execute the followng CLI command to correct ths: :frewall level set name=dsabled It s very mportant to know that frewall level Dsabled does not mean the complete Thomson Gateway frewall s dsabled. A frewall level only apples to traffc that s forwarded by the Thomson Gateway. So actually level Dsabled means that all traffc comng n on one nterface and gong out on another, s allowed. But stll the Thomson Gateway tself stays protected as t was before, meanng that access to the embedded system servces of the Thomson Gateway (as telnet, web nterface,...) are stll only allowed for LAN orgnatng clents. Apart from protectng the Thomson Gateway host tself, the statefull trackng, TCP checks and others stay enabled as well - as wth any other frewall level that s chosen. For more nformaton on how to confgure the frewall to fulfl your specfc needs, please refer to the Thomson Gateway Statefull Inspecton Frewall Confguraton Gude. 10

11 Chapter 3 Statc Subnet wth Unnumbered WAN Lnk 3 Statc Subnet wth Unnumbered WAN Lnk Introducton When pont-to-pont lnks are used t can be nterestng to put these lnks n unnumbered mode to avod the waste of valuable IP addresses. However, when there s no IP nterface on a lnk, some sde-effects have to be looked at. Possble hccups are source IP selecton of Thomson Gateway orgnated traffc towards the WAN and defnng nterface routes nstead of gateway routes. 3.1 Scenaro Overvew Concept In ths scenaro the ISP provdes the followng confguraton parameters: > The ATM connecton parameters (VPI/VCI, encapsulaton type, connecton type IPoA), > A range of publc IP addresses (the MyIP addresses), > Probably some extra parameters as DNS and other servers IP addresses (or host names), > Optonally, the IP address of the gateway. The WAN lnk wll be confgured n unnumbered mode. Ths mples that the IP nterface tself wll exst, but wll not have an IP address assgned to t. When forwardng traffc ths s no ssue at all, as a router does not change any packets but just sends them out on a certan nterface. In case the Thomson Gateway wants to generate traffc tself, however, t wll have to choose a source IP address to use n the IP packet that t s gong to send. How ths selecton s made, and how we can make sure a correct address s used wll be descrbed later n ths chapter. Internet NO IP! MyIP3 MyIP4 Web Gateway 1 PVC SpeedTouch MyIP1 My Publc Subnet MyIP2 Mal Fgure 3 Concept drawng of unnumbered WAN nterface Prxy 11

12 Chapter 3 Statc Subnet wth Unnumbered WAN Lnk In addton, the lack of havng the gateway IP address s not really an ssue. The advantage of IPoA s that t s a pont-to-pont connecton model. As n any pont-to-pont model on the Thomson Gateway, t s possble to forward traffc to an nterface rather than to the IP address of the next hop. The man reason s that these two mean the same n a pont-to-pont model, because there s only one host on the other sde on each lnk. So f you forward a packet on a lnk, or to the IP address of the remote peer, t always ends up at the same destnaton. 12

13 Chapter 3 Statc Subnet wth Unnumbered WAN Lnk Scenaro The followng pages wll show how to confgure the Thomson Gateway when you have to connect to ths type of network confguraton. The goal wll be to ntegrate the Thomson Gateway n the followng network structure: Internet NO IP! My Publc Subnet / Route: /29 > IPoA... PVC: 8/35 SpeedTouch Default Route > IP_MyIPoA Fgure 4 Scenaro example of unnumbered WAN nterface The followng sectons descrbe all the confguraton steps needed: To... See page... Create the Uplnk Interface 14 Defne the Local Publc Subnet 14 Defne the Routng towards the Internet 15 Set the Default IP Address 15 Enable DNS Forwardng 16 Set the Correct Frewall Level 16 13

14 Chapter 3 Statc Subnet wth Unnumbered WAN Lnk 3.2 Practcal Realsaton Create the Uplnk Interface Frst of all, we have to create the WAN nterface that wll be used to connect to the ISP. For ths scenaro we wll use the IP over ATM (IPoA) connecton servce. The example wll be confgured wth VPI/VCI values 8/35, and usng LLC/SNAP encapsulaton. Usng PPP as uplnk nterface does not mpact the other steps to be done durng the confguraton. An example of unnumbered PPP confguraton can be found n 4.2 Practcal Realsaton on page 19. Proceed as follows to create the IPoA uplnk nterface: 1 Create an ATM nterface. Execute the followng CLI commands to create ATM nterface atm_myipoa: :atm phonebook add name=phone_myipoa addr=8.35 :atm fadd ntf=atm_myipoa :atm fconfg ntf=atm_myipoa dest=phone_myipoa encaps=llc ulp=p :atm fattach ntf=atm_myipoa 2 Create an IP nterface. Execute the followng CLI commands to create IP nterface p_myipoa: :p fadd ntf=p_myipoa dest=atm_myipoa No IP address s assgned to ths IP nterface. 3 Enable the IP nterface. Execute the followng CLI command to enable IP nterface p_myipoa: :p fattach ntf=p_myipoa Defne the Local Publc Subnet All publc IP addresses that were assgned to us by the ISP wll have to be confgured manually on each host. We wll assgn one of the IP addresses of our publc subnet to the Thomson Gateway. Ths IP address wll serve as the gateway for all other hosts on our local publc subnet. Next to the default gateway functon, ths IP address wll offer the possblty to remotely access the Thomson Gateway. Execute the followng CLI command to assgn the IP address to the local Ethernet nterface: :p padd ntf=lan1 addr= netmask= addroute=enabled By the addroute=enabled parameter, automatcally a route s njected n the routng table ndcatng that the subnet /29 s drectly connected to nterface lan1, beng the local Ethernet nterface. 14

15 Chapter 3 Statc Subnet wth Unnumbered WAN Lnk Defne the Routng towards the Internet As descrbed above, we can make use of a so called nterface route nstead of the usual gateway route n case of pont-to-pont connectons. Execute the followng CLI command to nject an nterface based default route nto the routng table: :p rtadd dst= /0 ntf=my_ipoa Set the Default IP Address When usng an unnumbered nterface, we have to take care of traffc generated by the Thomson Gateway tself on ths nterface. As the IP nterface has no IP address assgned to t, the Thomson Gateway wll have to use another IP address that s set on one of the other IP nterfaces. When a packet s to be sent out on an unnumbered nterface, the Thomson Gateway wll automatcally use the prmary IP address of ts prmary IP nterface as source IP address. Both of these parameters are confgurable, whch means that an nterface can be set as the prmary of all nterfaces, and an IP address can be set to be the prmary of all IP addresses (per nterface, that s). For ths scenaro, t s mportant that the publc IP address that wll be assgned to the Thomson Gateway on the LAN-sde s set to be the prmary address of that nterface. Secondly, the local IP nterface that we use (n our scenaro, t s IP nterface lan1) has to be confgured as the default nterface of all IP nterfaces. Execute the followng CLI commands to set our local publc IP address to be the prmary IP address of the whole Thomson Gateway confguraton: :p pconfg addr= prmary=enabled :p fconfg ntf=lan1 prmary=enabled Execute the followng CLI command to verfy the default IP addresses of the Thomson Gateway IP nterfaces: =>:p plst Interface Type IP-address Pont-to-pont/Mask 5 guest1 Ethernet * dmz1 Ethernet * lan1 Ethernet * lan1 Ethernet loop Internal => The IP-address preceded by an astersk (*) s the prmary address of an nterface. Execute the followng CLI command to verfy the default IP nterface of the Thomson Gateway: =>:p flst expand=enabled Interface Group MTU RX TX TX-Drop Status HW-address... 2 lan1 lan [UP] 00:0e:50:34:00:f2 BRHW-address : ff:ff:ff:ff:ff:ff RX uncastpkts: brcastpkts : 5716 TX uncastpkts: brcastpkts : 2855 droppkts:0 Oper state : UP Admn State: UP Flags : PRIMARY ARP BROADCAST BOUND ARPTABLE MULTICAST NAT TRANSNAT STATIC... => All IP nterfaces that are confgured on the Thomson Gateway wll be dsplayed, but only one wll have the prmary flag set. 15

16 Chapter 3 Statc Subnet wth Unnumbered WAN Lnk Enable DNS Forwardng Optonally, t s possble to let the Thomson Gateway act as the default DNS server for all local hosts. If the Thomson Gateway cannot resolve the DNS request from ts own database, t wll forward the request to a DNS server of your ISP. Execute the followng CLI command to confgure the external DNS server to whch your Thomson Gateway can forward the DNS queres that t cannot resolve by tself: :dns server route add dns= ntf=lan1 All hosts wll need to confgure the IP address of the Thomson Gateway as ther prmary DNS server (for ths scenaro, that would be ). The IP address of the DNS server used n the CLI command ( ) wll be provded by your ISP. Set the Correct Frewall Level In ths setup, where both the LAN and WAN sde of the Thomson Gateway are publc, the frewall level should be set to Dsabled. Ths wll allow all nbound and outbound connectons to pass the Thomson Gateway. However, when your local hosts are not supposed to offer servces towards the publc network, t s safer to confgure the frewall so that t only allows connectons that are ntated from the local network towards the publc network. The Thomson Gateway by default has several levels defnng that only outbound sessons can be made. Ths restrcton starts from level standard and s vald for all hgher-securty frewall levels. Execute the followng CLI command to check current level of your frewall: =>:frewall level lst Level Confg ============ Actve Level: Dsabled... => If the current level s not as desred, execute the followng CLI command to correct ths: :frewall level set name=dsabled It s very mportant to know that frewall level Dsabled does not mean the complete Thomson Gateway frewall s dsabled. A frewall level only apples to traffc that s forwarded by the Thomson Gateway. So actually level Dsabled means that all traffc comng n on one nterface and gong out on another, s allowed. Nevertheless, the Thomson Gateway tself stays protected as t was before, meanng that access to the embedded system servces of the Thomson Gateway (as telnet, web nterface,...) are stll only allowed for LAN orgnatng clents. Apart from protectng the Thomson Gateway host tself, the statefull trackng, TCP checks and others stay enabled as well - as wth any other frewall level that s chosen. For more nformaton on how to confgure the frewall to fulfl your specfc needs, see the Thomson Gateway Statefull Inspecton Frewall Confguraton Gude. 16

17 Chapter 4 Statc Subnet n Full Unnumbered mode 4 Statc Subnet n Full Unnumbered mode Introducton When remote access to the Thomson Gateway s not requred, the fully unnumbered mode s a very nterestng soluton. In ths mode, one of the avalable publc IP addresses that would normally be used on the Thomson Gateway s now avalable for use by a local host. When the ISP offers very small ranges of IP addresses, for example four IP address subnets (where of the 4 IP addresses one s the netid, one s the broadcast address, and a thrd one s used on the Thomson Gateway), only one address can actually be used. By confgurng the Thomson Gateway n fully unnumbered mode, a second IP address becomes avalable for customer use. 4.1 Scenaro Overvew Concept In ths scenaro the ISP provdes the followng confguraton parameters: > The ATM connecton parameters (VPI/VCI, encapsulaton type, connecton type PPP), > A range of publc IP addresses (the MyIP addresses), > The user name and password for the PPP connecton, > Probably some extra parameters as DNS and other servers IP addresses (or host names). The complete devce wll be n unnumbered mode. For the WAN sde ths means that the pont to pont lnk wll be n unnumbered mode. For the LAN sde ths means that there wll be no publc IP address confgured here ether, but the prvate range IP confguraton wll preferably stay avalable to allow local admnstraton of the Thomson Gateway. Internet Gateway 1 PVC NO IP! SpeedTouch MyIP1 NO IP! Proxy -ARP for Gateway My Publc Subnet MyIP2 MyIP3 Web Mal Fgure 5 Concept drawng of full unnumbered mode Prxy 17

18 Chapter 4 Statc Subnet n Full Unnumbered mode The local hosts wll have to be manually confgured wth the publc IP addresses as provded by the ISP. They wll have the IP address of the BAS confgured as default gateway. Locally all hosts are on an Ethernet network, so f they want to send traffc, they wll send out an ARP (Address Resoluton Protocol) message to resolve the Ethernet-address (MAC address) to whch they have to drect ther packets. As ARP messages are Ethernet packets, they cannot pass a router (n ths case the Thomson Gateway), meanng the BAS tself wll never receve any ARP request. The soluton s to let the Thomson Gateway respond to the ARP requests for the Gateway IP. Ths s called a proxy-arp entry. Scenaro The followng pages wll show how to confgure the Thomson Gateway when you have to connect to ths type of network confguraton. The goal wll be to ntegrate the Thomson Gateway n the followng network structure: Internet NO IP! My Publc Subnet / /24, GW= Route : /29 > PPP... PVC: 8/35 SpeedTouch Default Route > IP_MyPPP NO IP! Proxy -ARP for /24, GW= /24, GW= Fgure 6 Scenaro example of full unnumbered mode The specal part of ths confguraton s the default gateway s IP address s not located n the subnet that s avalable for the customer ( /29). Therefore all local clents must be confgured as f they were part of a larger subnet ( /24) to enable connectvty wth ther default gateway. The followng sectons wll descrbe all confguraton steps needed: To... See page... Create the Uplnk Interface 19 Defne the Local Publc Subnet 20 Proxy ARP for the Gateway 20 Check Connectvty 20 Set the Correct Frewall Level 21 18

19 Chapter 4 Statc Subnet n Full Unnumbered mode 4.2 Practcal Realsaton Create the Uplnk Interface The current scenaro allows the use of both IPoA and PPP nterfaces. As an example we wll make use of a PPP connecton. Proceed as follows to create the PPP uplnk nterface: 1 Create an ATM nterface. Execute the followng CLI commands to create ATM nterface atm_myppp: :atm phonebook add name=phone_myppp addr=8.35 :atm fadd ntf=atm_myppp :atm fconfg ntf=atm_myppp dest=phone_myppp encaps=vcmux ulp=ppp :atm fattach ntf=atm_myppp For IPoA, the correspondng commands are the same, but the ulp parameter s ulp=p 2 Create a PPP nterface. Execute the followng CLI commands to create PPP nterface ppp_myppp: :ppp fadd ntf=ppp_myppp :ppp fconfg ntf=ppp_myppp dest=atm_myppp user=myusername password=mypassword unnumbere d=enabled The values MyUsername and MyPassword should be replaced by the actual PPP connecton credentals that are offered by your ISP. For IPoA the correspondng commands are :p fadd and p fattach. The unnumbered=enabled parameter of the PPP nterface s reflected n IPoA by not addng an IP address to the IP nterface you are creatng. 3 Defne a route to the nternet. Execute the followng CLI command to nject a default route nto the routng table from the moment the PPP lnk s connected and the IP negotaton was successful: :ppp rtadd ntf=ppp_myppp dst= /0 For IPoA the correspondng command would be :p rtadd 4 Connect the PPP nterface. Execute the followng CLI commands to connect the PPP nterface: :ppp fattach ntf=ppp_myppp 19

20 Chapter 4 Statc Subnet n Full Unnumbered mode Defne the Local Publc Subnet All publc IP addresses that were assgned to us by the ISP wll have to be confgured manually on each host. As we wll not assgn any publc IP address to the Thomson Gateway, t s not aware that the / 29 subnet s used on the local segment. To make sure that arrvng packets are forwarded correctly we wll have to explctly defne va whch nterface of the Thomson Gateway our publc subnet s reachable. Execute the followng CLI command to nject a route nto the routng table that defnes our publc subnet s reachable va nterface lan1: :p rtadd dst= /29 ntf=lan1 Proxy ARP for the Gateway All hosts on the local segment wll have the IP address of the BAS (Gateway) set as ther default gateway. As the local segment s not drectly connected to the BAS, we have to foresee a proxy-arp entry n the Thomson Gateway for the IP address of the BAS, because ARP requests cannot pass routers. In case a host on the local segment wants to send traffc va ts default gateway, t wll frst send an ARP request to resolve the MAC address that s related wth the default gateway IP address. An ARP request s an Ethernet broadcast packet, whch cannot pass a router. So by default, the ARP would never be able to reach the BAS. What actually happens wth a proxy ARP entry, s that the Thomson Gateway wll present tself as f t has the IP address of the BAS. The result s that f there s an ARP request for the IP address of the BAS on the local Ethernet segment, our Thomson Gateway wll answer the ARP request wth ts own MAC address. The local devce wll then start sendng ts packets wth the Ethernet destnaton set to the MAC address of our Thomson Gateway. Subsequently, the Thomson Gateway wll process the packets as f they were any other packet, meanng that they wll be routed to the BAS. Proceed as follows to make the Thomson Gateway proxy ARP for the BAS IP address: 1 Create the Proxy-ARP entry. Execute the followng CLI command to confgure the proxy ARP for the IP address of the BAS: :p arpadd ntf=lan1 p= hwaddr=$_macaddr The value $_MACADDR wll automatcally resolve the MAC address of your Thomson Gateway and enter t n the command. 2 Check the result. Execute the followng CLI commands to verfy whether the proxy-arp entry has been added: =>:p arplst Interface IP-address HW-address Type 2 lan :0e:50:34:00:f2 PROXY... => Check Connectvty From now on, all clents should be able to connect to the Internet. As an ntal test, try to send a png to the default gateway that s set on the clents ( n case of ths scenaro). 20

21 Chapter 4 Statc Subnet n Full Unnumbered mode Set the Correct Frewall Level In ths setup, where both the LAN and WAN sde of the Thomson Gateway are publc, the frewall level should be set to Dsabled. Ths wll allow all nbound and outbound connectons to pass the Thomson Gateway. However, when your local hosts are not supposed to offer servces towards the publc network, t s safer to confgure the frewall to only allow connectons that are ntated from the local network towards the publc network. The Thomson Gateway by default has several levels defnng that only outbound sessons can be made. Ths restrcton starts from level standard and s vald for all hgher-securty frewall levels. Execute the followng CLI command to check the current level of your frewall: =>:frewall level lst Level Confg ============ Actve Level: Dsabled... => If the current level s not as desred, execute the followng CLI command to correct ths: :frewall level set name=dsabled It s very mportant to know that frewall level Dsabled does not mean the complete Thomson Gateway frewall s dsabled. A frewall level only apples to traffc that s forwarded by the Thomson Gateway. So actually, the level Dsabled means that all traffc comng n on one nterface and gong out on another s allowed. Nevertheless, the Thomson Gateway tself stays protected as t was before, meanng that access to the embedded system servces of the Thomson Gateway (as telnet, web nterface,...) are stll only allowed for LAN orgnatng clents only. Apart from protectng the Thomson Gateway host tself, the statefull trackng, TCP checks and other stay enabled as well - as wth any other frewall level that s chosen. For more nformaton on how to confgure the frewall to fulfl your specfc needs, see the Thomson Gateway Statefull Inspecton Frewall Confguraton Gude. 21

22 Chapter 5 Subnet wth IPCP Subnet Mask Opton 5 Subnet wth IPCP Subnet Mask Opton Introducton In some scenaros t mght be nterestng to mplement a (sem-) dynamc publc subnet model. On top of the basc functonalty offered by PPP such as authentcaton, peer confguraton and accountng, an extenson s also avalable to dynamcally offer a whole subnet to the PPP clent. It s descrbed how to enable ths feature on a Thomson Gateway, and how the dstrbuton of the subnet towards the other devces has to be handled. 5.1 Scenaro Overvew Concept In ths chapter, the confguraton of how to use the PPP IPCP subnet-mask opton s explaned. Ths functonalty offers the dynamc confguraton of the local publc subnet by means of PPP IPCP confguraton optons exchanged durng the setup of the PPP sesson. A conceptual example s shown n the fgure below: PPP server Offers IPCP subnetmask calculates subnet (1->n) - uses MyIP 1 for tself - populates DHCP server wth MyIP2 -> MyIPn Internet Web Gateway 1 PVC SpeedTouch DHCP server Mal My Publc Subnet Prxy Fgure 7 Concept drawng of subnet wth IPCP subnet mask opton When dallng nto the network va PPP, the Thomson Gateway wll not only receve ts usual PPP parameters such as IP address, gateway address and DNS. The IPCP subnet mask opton wll also be ncluded durng the IPCP negotaton process. Ths parameter contans the subnet mask of the network the peer can use. By combnng the IP address and the subnet-mask, the Thomson Gateway can derve what the boundares are (start / end addresses) of the subnet that s offered. > The frst address of the subnet wll be used by the Thomson Gateway tself. We wll choose to put the address on the PPP nterface rather than assgn t to the local nterface of the Thomson Gateway. The reason s to avod all knds of ssues for traffc that wll orgnate from the Thomson Gateway tself towards the WAN (such as ICMP, SNMP traps,...). In a dynamc model, the source-ip address selecton for an unnumbered nterface (as used n chapter 3.2 on page 15) s dffcult to control. 22

23 Chapter 5 Subnet wth IPCP Subnet Mask Opton > The rest of the IP addresses from the subnet wll be put n a DHCP pool and offered on the local LAN segment. The DHCP clents wll receve the IP address of the BAS as default gateway. To allow ths constructon to work, a proxy-arp entry for ths IP address wll be automatcally added to the Thomson Gateway confguraton when the PPP sesson s establshed. Scenaro The followng pages wll show how to confgure the Thomson Gateway when you have to connect to ths type of network confguraton. The goal wll be to ntegrate the Thomson Gateway n the followng network structure: Internet Route : /29 > PPP IPCP offer IP@= Mask=29 GW= PVC: 8/35 SpeedTouch Default Route > PPP ntf My Publc Subnet /29 DHCP pool Fgure 8 Scenaro example of subnet wth IPCP subnet mask opton The followng sectons wll descrbe all confguraton steps needed: To... See page... Confgure the DHCP Server 24 Create the Uplnk Interface 25 Create the Uplnk Interface 25 Verfy the Connecton 27 23

24 Chapter 5 Subnet wth IPCP Subnet Mask Opton 5.2 Practcal Realsaton Confgure the DHCP Server Proceed as follows: 1 Create a new DHCP pool va whch the IPCP subnet wll be made avalable on the local network segment. Enter the followng CLI commands to create the DHCP pool: :dhcp server pool add name=ipcp_pool ndex=0 :dhcp server pool confg name=ipcp_pool leasetme=60 unnumbered=enabled 2 Adjust the lease tme of the DHCP pool that has second prorty to a low value. In ths example we make use of the pool that s avalable by default on the Thomson Gateway, named LAN_prvate. When the PPP lnk s not up, all local hosts (beng DHCP clents) wll receve an address from ths pool. As soon as the lnk s up and the DHCP pool IPCP_pool s populated, the clents wll get a publc address. To make sure ths change does not take too long, lease tmes should be kept low. A DHCP clent wll check whether ts lease s stll vald after half of ts lease tme. In the current scenaro we wll confgure that every 30 seconds, each DHCP clent wll check whether ts lease s stll vald. If the IPCP_pool n the meantme contans addresses, a lease from that pool wll be offered nstead of (re-)approvng the old lease. Execute the followng CLI commands to set the lease tme of the default pool to 60 seconds: :dhcp server pool confg name=lan_prvate leasetme=60 3 Make sure the DHCP server s runnng. Execute the followng CLI command to check the status of the DHCP server: =>:dhcp server confg State: enabled => Execute the followng command to enable the DHCP server f needed: :dhcp server confg state enabled 24

25 Chapter 5 Subnet wth IPCP Subnet Mask Opton Create the Uplnk Interface Create the WAN nterface that wll be used to connect to the ISP, whch s PPP n the current scenaro. Whether the PPP protocol runs drectly on top of ATM (PPPoA) or wth an Ethernet layer n between (PPPoE), s completely transparent for the IPCP subnet mask opton. The example wll be confgured wth VPI/VCI values 8/35, VCMUX encapsulaton, usng the PPPoA connecton servce. Proceed as follows: 1 Create an ATM nterface. Execute the followng CLI commands to create ATM nterface atm_myppp: :atm phonebook add name=phone_myppp addr=8.35 :atm fadd ntf=atm_myppp :atm fconfg ntf=atm_myppp dest=phone_myppp encaps=vcmux ulp=ppp :atm fattach ntf=atm_myppp 2 Create a PPP nterface. The confguraton of the PPP nterface requres some specfc parameters for the subnet mask opton. Therefore, t wll be splt-up n the basc part and the subnet mask specfc part. Execute the followng commands to create the PPP nterface: :ppp fadd ntf=ppp_myppp :ppp fconfg ntf=ppp_myppp dest=atm_myppp user=myusername password=mypassword The values MyUsername and MyPassword are to be replaced by the actual PPP connecton credentals that are offered by your ISP. 3 Enable IPCP subnet maskng. Execute the followng CLI commands to set all necessary parameters of the PPP nterface to actvate IPCP subnet maskng: :ppp fconfg ntf=ppp_myppp format=cdr pool=ipcp_pool As the PPP IPCP subnet mask opton s not completely standardsed, both > dotted, noted as e.g and > cdr (Classless Inter-Doman Routng), noted as e.g. /24 (also referred to as masked ) notatons of the subnet mask parameter are supported. 4 Enable the PPP nterface. Execute the followng CLI command to enable the PPP nterface: :ppp fattach ntf=ppp_myppp 25

26 Chapter 5 Subnet wth IPCP Subnet Mask Opton Set the Correct Frewall Level In ths setup, where both the LAN and WAN sde of the Thomson Gateway are publc, the frewall level should be set to Dsabled. Ths wll allow all nbound and outbound connectons to pass the Thomson Gateway. However, when your local hosts are not supposed to offer servces towards the publc network, t s safer to confgure the frewall so that t only allows connectons that are ntated from the local network towards the publc network. The Thomson Gateway by default has several levels defnng that only outbound sessons can be made. Ths restrcton starts from level standard and s vald for all hgher-securty frewall levels. Execute the followng CLI command to check the current level of your frewall: =>:frewall level lst Level Confg ============ Actve Level: Dsabled... => If the current level s not as desred, execute the followng CLI command to correct ths: :frewall level set name=dsabled It s very mportant to know that the frewall level Dsabled does not mean the complete Thomson Gateway frewall s dsabled. A frewall level only apples to traffc that s forwarded by the Thomson Gateway. So actually, the level Dsabled means that all traffc comng n on one nterface and gong out on another, s allowed. But stll the Thomson Gateway tself stays protected as t was before, meanng that access to the embedded system servces of the Thomson Gateway (as telnet, web nterface,...) are stll only allowed for LAN orgnatng clents. Apart from protectng the Thomson Gateway host tself, the statefull trackng, TCP checks and others stay enabled as well - as wth any other frewall level that s chosen. For more nformaton on how to confgure the frewall to fulfl your specfc needs, see the Thomson Gateway Statefull Inspecton Frewall Confguraton Gude. 26

27 Chapter 5 Subnet wth IPCP Subnet Mask Opton Verfy the Connecton Proceed as follows to see f the connecton s workng correctly: 1 Execute the followng CLI command to check the status of the PPP nterface: =>:ppp flst ppp_myppp: dest : atm_myppp [00:06:13] Retry : 10 mode = IP unnumbered + DHCP [-> IPCP_pool] flags = echo magc accomp restart mru addr savepwd chap [.] dns metrc = 0 mru = 1500 RxTx nactvty = 60s left = 0s auth = auto user = MyUsername password = ******** admn state = up oper state = up lnk state = connected LCP : state = opened retransm = 0 term. reason = IPCP: state = opened retransm = 10 term. reason = => Verfy that the connecton s establshed by the parameter oper state, whch has to be up, and the parameter lnk state, whch has to be connected. 2 Execute the followng CLI command to verfy the IP nterfaces on the Thomson Gateway: =>:p plst Interface Type IP-address Pont-to-pont/Mask 5 guest1 Ethernet * dmz1 Ethernet * lan1 Ethernet * ppp_myppp Seral loop Internal => Verfy that a new (publc) IP address s confgured on nterface ppp_myppp, and no extra IP address s confgured on any other of the LAN nterfaces. 3 Execute the followng CLI command to check the content of the DHCP pool: =>:dhcp server pool lst name=ipcp_pool Pool Start End Intf State 0 IPCP_pool lan1 UP DHCP server = [unnumbered] Netmask = Leasetme = 60 Gateway = DNS doman = lan DNS metrc = 0 DNS address lst: (local DNS) => Verfy that the publc IP addresses are avalable n the DHCP pool. The range should begn behnd the IP address that s located on the PPP nterface (as seen n the prevous step). 4 Connect a clent to the local subnet and see whether t receves an IP address from the DHCP pool wth publc IP addresses. When an address s receved, the clent should be able to make any connecton to the nternet. 27

28 Chapter 6 Mult-NAT 6 Mult-NAT Introducton Wth Mult-NAT, pure NAT s appled, meanng that there s a 1-1 relaton between a prvate and publc address. The Mult n Mult-NAT means that ths 1-1 relaton does not have to be defned n advance, hence there can be more prvate hosts than publc IP addresses. The relaton wll be made at the frst packet sent. From then on, a specfc publc address s reserved for the related prvate host. 6.1 Scenaro Overvew Concept Another way of handlng multple IP addresses s to make them avalable to prvate hosts by means of NAT. A possble mplementaton s to make a mappng between an nternal and external IP address. Two dfferent flavours exst: > N-N NAT, where a chosen range of nsde hosts (N nsde IP addresses) can be mapped to an equal range of outsde IP addresses (N outsde IP addresses) for nbound and outbound traffc. > M-N NAT, also called Mult-NAT, where a chosen set of nsde hosts (M nsde IP addresses) can be mapped to a set of outsde IP addresses (N outsde IP addresses) for outbound traffc only. Ths feature s called Many-to-Few NAT (where M s bgger than N). As M-N NAT s a more realstc approach, we wll focus on that scenaro. NAT confg : PubIP _X -> PubIP _Y are avalable for PrvateIP _A -> PrvateIP_Z Frst come, frst served Internet PRIVATE subnet PrvateIP_A Gateway 1 PVC SpeedTouch PrvateIP_B 2 publc IP addresses -PubIP_X -PubIP_Y PrvateIP_C Fgure 9 Concept drawng of M-N NAT In the fgure above you see that there s no strct relaton between an nternal (prvate) IP address and the publc IP addresses. There just s a range of publc IP address (N) avalable for use to perform NAT on another range of prvate addresses (M). Ths s also the reason why no nbound (WAN to LAN) sessons can be nstantated. The relaton between a publc IP address and a prvate IP address s only made when a prvate host makes a connecton to the publc network. 28

29 Chapter 6 Mult-NAT Scenaro The followng pages wll show how to confgure the Thomson Gateway when you have to connect to ths type of network confguraton. The goal wll be to ntegrate the Thomson Gateway n the followng network structure: Internet NAT confg : [16..17] avalable for [ ] My Prvate Subnet / PVC: 8/35 SpeedTouch Fgure 10 Scenaro example of M-N NAT The followng sectons wll descrbe all confguraton steps needed: To... See page... Create the Uplnk Interface 30 Defne M-N NAT 31 Set the Correct Frewall Level 31 29

30 Chapter 6 Mult-NAT 6.2 Practcal Realsaton Create the Uplnk Interface Frst of all, we have to create the WAN-nterface that wll be used to connect to the ISP, whch n the current scenaro s IPoEoA (IP over Ethernet over ATM, also referred to as ETHoA or MER). We wll create one IPoEoA nterface and assgn two publc IP addresses to t. Usng any other type of statcally confgured uplnk nterface does not mpact the other steps to be done durng the confguraton. Proceed as follows: 1 Create an ATM nterface. Execute the followng CLI commands to create ATM nterface atm_myethoa: :atm phonebook add name=phone_myethoa addr=8.35 :atm fadd ntf=atm_myethoa :atm fconfg ntf=atm_myethoa dest=phone_myethoa encaps=llc ulp=mac :atm fattach ntf=atm_myethoa 2 Create an Ethernet nterface. Execute the followng CLI commands to create Ethernet nterface eth_myethoa: :eth fadd ntf=eth_myethoa :eth fconfg ntf=eth_myethoa dest=atm_myethoa :eth fattach ntf=eth_myethoa 3 Create an IP nterface. Execute the followng CLI commands to create IP nterface IP_MyETHoA and assgn the two publc IP addresses to t: :p fadd ntf=p_myethoa dest=eth_myethoa :p padd ntf=p_myethoa addr= /24 addroute=enabled :p padd ntf=p_myethoa addr= /24 addroute=enabled :p fattach ntf p_myethoa For IPoA nterfaces t s even not necessary to confgure the IP addresses on the IP nterface, as they can be used n unnumbered mode. Ths technque wll be used n 9 Publc IP address Dstrbuton by Hyper-NAT on page Create a route to the Internet. Execute the followng CLI commands to nject a default route nto the routng table: :p rtadd dst= /0 gateway=

31 Chapter 6 Mult-NAT Defne M-N NAT To proceed we have to create the NAT entry that wll enable the M-N NAT functonalty. We wll use the by default avalable prvate subnet of IP range /24. Execute the followng CLI command to enable NAT on our IPoEoA nterface: :nat fconfg ntf=p_myethoa translaton=enabled Execute the followng CLI command to confgure the M-N NAT that maps all nternal addresses to the two publc IP addresses: :nat mapadd ntf=p_myethoa type=nat outsde_addr= [16-17] access_lst= [1-153] The access_lst parameter s not requred. It only restrcts the use of ths NAT-entry to a certan range of nternal IP addresses. Be aware that n ths confguraton the Thomson Gateway wll not be able to send traffc tself, as ts IP address s not wthn the range of the access-lst. Set the Correct Frewall Level In ths setup, where no lnk exsts between the publc IP addresses and the nternal hosts untl an outbound sesson s made, we could state that the model mplcates that the local hosts are always clents. When your local hosts are not supposed to offer servces towards the publc network, t s safer to confgure the frewall so that t only allows connectons that are ntated from the local network towards the publc network. By default, the Thomson Gateway has several levels defnng that only outbound sessons can be made. Ths restrcton starts from the level standard and s vald for all hgher-securty frewall levels. Execute the followng CLI command to check current level of your frewall: =>:frewall level lst Level Confg ============ Actve Level: Dsabled... => If your current level s not Standard or any hgher-securty level, execute the followng CLI command: :frewall level set name=medum For more nformaton on how to confgure the frewall to fulfl your specfc needs, see the Thomson Gateway Statefull Inspecton Frewall Confguraton Gude. 31

32 Chapter 7 Transparent NAT 7 Transparent NAT Introducton Ths type of NAT s mostly used n combnaton wth other flavours, as t s qute a specal one. The strange thng s actually that no NAT s performed; the packets are transparently forwarded from the publc nto the prvate segment of the network, where a host s confgured wth that partcular publc IP address. Ths feature s useful n cases where an nterface s n NAT mode, but some of the IP addresses on t should not be translated. In that case, for these IP addresses, a transparent NAT entry should be defned. 7.1 Scenaro Overvew Concept As mentoned above, n the case of transparent NAT, no NAT s performed. Ths can be useful when NATunfrendly protocols are used by certan devces n the nternal network. A good example are devces that use secure communcaton and do not allow a change n the packets they exchange. In ths case the publc IP address should be avalable on the devce n the prvate network. A common example of a NAT unfrendly protocol s IPSec AH (Authentcaton Header). AH s a possble use of the IPSec protocol where most of the IP packet s sgned, ncludng the IP source and destnaton address. Ths means that f NAT would change the IP addresses n the IP header, the sgnature check would fal at the destnaton. When usng IPSec AH, t s mandatory to have a publc IP address on both sdes of the tunnel. A conceptual example s shown n the fgure below: NAT confg : PubIP _[X.. Y] should be transparantly forwarded towards PubIP _[X.. Y] Internet PRIVATE subnet PubIP_X Gateway 1 PVC SpeedTouch PubIP_Y 2 publc IP addresses -PubIP_X -PubIP_Y PrvateIP_C Fgure 11 Concept drawng of transparent NAT Wth transparent NAT, t s mandatory to have a one-to-one lnk between an nternal and the external IP address. Qute logcal, as both IP addresses are equal! Ths mples that wth transparent NAT connectons can be establshed both nbound and outbound. For more nformaton about the Thomson Gateway and Network Address Translaton, see the Thomson Gateway Hyper-NAT Confguraton Gude. 32

33 Chapter 7 Transparent NAT Scenaro The followng pages wll show how to confgure the Thomson Gateway when you have to connect to ths type of network confguraton. The goal wll be to ntegrate the Thomson Gateway n the followng network structure: Internet NAT confg : [16..17] to be forwarded transparantly to [16..17] My Prvate Subnet / PVC: 8/35 SpeedTouch Fgure 12 Scenaro example of transparent NAT The followng sectons wll descrbe all confguraton steps needed: To... See page... Create the Uplnk Interface 34 Defne Transparent NAT 35 Set the Correct Frewall Level 36 33

34 Chapter 7 Transparent NAT 7.2 Practcal Realsaton Create the Uplnk Interface Frst of all, we wll have to create the WAN-nterface that wll be used to connect to the ISP, whch n the current scenaro s IPoEoA (IP over Ethernet over ATM, also referred to as ETHoA or MER). We wll create one IPoEoA nterface and assgn two publc IP addresses to t. Usng any other type of statcally confgured uplnk nterface does not mpact the other steps durng the confguraton. Proceed as follows: 1 Create an ATM nterface. Execute the followng CLI commands to create ATM nterface atm_myethoa: :atm phonebook add name=phone_myethoa addr=8.35 :atm fadd ntf=atm_myethoa :atm fconfg ntf=atm_myethoa dest=phone_myethoa encaps=llc ulp=mac :atm fattach ntf=atm_myethoa 2 Create an Ethernet nterface. Execute the followng CLI commands to create Ethernet nterface eth_myethoa: :eth fadd ntf=eth_myethoa :eth fconfg ntf=eth_myethoa dest=atm_myethoa :eth fattach ntf=eth_myethoa 3 Create an IP nterface. Execute the followng CLI commands to create IP nterface IP_MyETHoA and assgn the two publc IP addresses to t: :p fadd ntf=p_myethoa dest=eth_myethoa :p padd ntf=p_myethoa addr= /24 addroute=enabled :p padd ntf=p_myethoa addr= /24 addroute=enabled :p fattach ntf p_myethoa For IPoA nterfaces t s even not necessary to confgure the IP addresses on the IP nterface, as they can be used n unnumbered mode. Ths technque wll be used n 9 Publc IP address Dstrbuton by Hyper-NAT on page Create a route to the Internet. Execute the followng CLI commands to nject a default route nto the routng table: :p rtadd dst= /0 gateway=

35 Chapter 7 Transparent NAT Defne Transparent NAT In order to proceed, we have to confgure the transparent NAT entry. Proceed as follows to enable transparent NAT on our nterface: 1 Enable NAT on the nterface. Execute the followng CLI commands to enable NAT on nterface p_myethoa: :nat fconfg ntf=p_myethoa translaton=enabled 2 Defne the Transparent NAT entry. Execute the followng CLI command to enable transparent NAT on our IPoEoA nterface for both publc IP addresses: :nat mapadd ntf=p_myethoa type=nat outsde_addr= [16-17] nsde_addr= [16-17] The nsde_addr parameter defnes whch external IP address s related to whch nternal IP address. There wll always be a one-on-one relaton between an external address and an nternal address. In case ranges of IP addresses are used, the frst entry of both ranges map to each other, the second maps to the second, and so on. 3 Add routes to the nternal hosts wth publc IP addresses. To make sure that arrvng packets are forwarded correctly, we wll have to explctly defne the Thomson Gateway nterface va whch our publc hosts are reachable. Execute the followng CLI command to the routes to the publc hosts: :p rtadd dst= /32 ntf=lan1 :p rtadd dst= /32 ntf=lan1 4 Enable Proxy-ARP for the default gateway. The transparent hosts wll have the publc IP addresses manually confgured, and also use the IP address of the BAS as ther default gateway. To allow the local transparent hosts to reach ther default gateway, we need to add a Proxy-ARP entry n the Thomson Gateway. Execute the followng CLI command to defne the Proxy-ARP entry: :p arpadd ntf=lan1 p= hwaddr=$_macaddr 35

36 Chapter 7 Transparent NAT Set the Correct Frewall Level In ths setup, where both the LAN and WAN sde of the Thomson Gateway are publc, the frewall level should be set to Dsabled. Ths wll allow all nbound and outbound connectons to pass the Thomson Gateway. However, when your local hosts are not supposed to offer servces towards the publc network, t s safer to confgure the frewall to only allow connectons that are ntated from the local network towards the publc network. The Thomson Gateway by default has several levels defnng that only outbound sessons can be made. Ths restrcton starts from level standard and s vald for all hgher-securty frewall levels. Execute the followng CLI command to check the current level of your frewall: =>:frewall level lst Level Confg ============ Actve Level: Dsabled... => If the current level s not as desred, execute the followng CLI command to correct ths: :frewall level set name=dsabled It s very mportant to know that the frewall level Dsabled does not mean that the complete Thomson Gateway frewall s dsabled. A frewall level only apples to traffc that s forwarded by the Thomson Gateway. So actually, the level Dsabled means that all traffc comng n on one nterface and gong out on another, s allowed. Nevertheless, the Thomson Gateway tself stays protected as t was before, meanng that access to the embedded system servces of the Thomson Gateway (as telnet, web nterface,...) are stll only allowed for LAN orgnatng clents. Apart from protectng the Thomson Gateway host tself, the statefull trackng, TCP checks and others stay enabled as well- as wth any other frewall level that s chosen. For more nformaton on how to confgure the frewall to fulfl your specfc needs, see the Thomson Gateway Statefull Inspecton Frewall Confguraton Gude. 36

37 Chapter 8 X+n NAT 8 X+n NAT Introducton Ths feature can be useful when a range of IP addresses has to be dynamcally assgned to a certan customer, but the protocol used for the dynamc dstrbuton (typcally PPP-IPCP) does not support offerng more than 1 IP address (note that the IPCP subnet mask opton s not standardsed, thus not avalable n all devces). In some mplementatons t defned that f IP address X s offered, the next n IP addresses are also avalable for use. To handle ths knd of forced IP range defntons, the use of N+x NAT templates s needed. 8.1 Scenaro Overvew Concept In ths scenaro only one IP address s offered to the Thomson Gateway by means of dynamc confguraton (DHCP or PPP). Both the Thomson Gateway and the BAS, however, are defned so that the next n IP addresses can also be used, where number n s statcally confgured on both the BAS and the Thomson Gateway. A conceptual example s shown n the fgure below: BAS offers 1 address (IPx) but assgns a range n ts routng table Receves only 1 address but knows by confguraton that t can use a range. Internet Prvate Subnet PrvateIP_A Gateway Route : IP[x..x+n] > ntf to SpeedTouch 1 PVC SpeedTouch Route: Default > ntf to Gateway PrvateIP_B PrvateIP_C Fgure 13 Concept drawng of X+n NAT To enable ths knd of confguraton, one can choose between: > N-N NAT, where a statc lnk exsts between the nternal IP addresses and the publc IP addresses. In ths case that mght sound strange, as the publc IP addresses are dynamcally assgned to the Thomson Gateway. The statc lnk here means that for example PrvateIP_A wll always be mapped to the frst address of the avalable range, PrvateIP_B to the second of the range and so on. > Mult-NAT, where the nternal addresses wll be mapped to a publc IP address from the moment the nternal host starts a connecton. For example, when the host wth PrvateIP_B ntates the frst connecton, t wll be mapped to the frst IP address from the avalable range. For more nformaton about the Thomson Gateway and Network Address Translaton, see the Thomson Gateway Hyper-NAT Confguraton Gude. 37

38 Chapter 8 X+n NAT Scenaro The followng pages wll show how to confgure the Thomson Gateway when you have to connect to ths type of network confguraton. The goal wll be to ntegrate the Thomson Gateway n the followng network structure: N-N NAT Internet Offer IP@= GW= [16..22] >> [1..7] Route : [ ] > PPP PVC: 8/35 SpeedTouch Default Route > PPP ntf Fgure 14 Scenaro example of X+n NAT In ths scenaro we wll make use of N-N NAT. The followng sectons wll descrbe all confguraton steps needed: To... See page... Create the Uplnk Interface 39 Defne X+n NAT 39 Set the Correct Frewall Level 40 38

39 Chapter 8 X+n NAT 8.2 Practcal Realsaton Create the Uplnk Interface Create the WAN-nterface that wll be used to connect to the ISP. In current scenaro we wll make use of the PPP connecton model. Whether the PPP protocol runs drectly on top of ATM (PPPoA) or wth an Ethernet layer n between (PPPoE) s completely transparent. The use of another type of dynamc nterface, such as a DHCP clent on top of an ETHoA nterface, does not make a dfference for the X+n mappng that wll be made. The example wll be confgured wth VPI/VCI values 8/35, VCMUX encapsulaton, usng the PPPoA connecton servce. Proceed as follows: 1 Create an ATM nterface. Execute the followng CLI commands to create ATM nterface atm_myppp: :atm phonebook add name=phone_myppp addr=8.35 :atm fadd ntf=atm_myppp :atm fconfg ntf=atm_myppp dest=phone_myppp encaps=vcmux ulp=ppp :atm fattach ntf=atm_myppp 2 Create a PPP nterface. Execute the followng CLI commands to create PPP nterface ppp_myppp: :ppp fadd ntf=ppp_myppp :ppp fconfg ntf=ppp_myppp dest=atm_myppp user=myusername password=mypassword 3 Defne the default route Execute the followng CLI commands to nject a default route nto the routng table from the moment the PPP lnk s connected and the IP negotaton was successful: :ppp rtadd ntf=ppp_myppp dst= /0 Defne X+n NAT The next step s to create the X+n NAT entry that wll enable N-N NAT for n addresses. For the prvate range, we wll use the subnet avalable by default. The local hosts wth the IP addresses to wll get connectvty through N-N NAT. Execute the followng CLI command to confgure the X+n NAT entry: :nat tmpladd ntf=ppp_myppp type=nat outsde_addr=0.0.0.[1-6] nsde_addr= [1-6] In ths case we do not defne a NAT mappng but a NAT template. Ths s needed because of the dynamc behavour of the PPP nterface that we are usng. A NAT template s automatcally establshed (creates an actual NAT mappng) from the moment t receves IP parameters. 39

40 Chapter 8 X+n NAT Set the Correct Frewall Level In ths setup, the frewall level depends on the specfc stuaton: > In the case of changng IP addresses, even though there s a one-to-one lnk between each publc and each prvate address, t does not make a lot of sense to regard t as a regular stuaton where both nbound and outbound sessons are allowed. As the IP addresses mght change regularly, t seems unlkely that servces wll run on the local hosts. For that reason, we could state that all local hosts are clents, and that they are expected to establsh all connectons. Therefore, a frewall level that only permts outbound connectons (as Normal or a hgher securty level) mght be more approprate. > When the ISP always offers the same IP addresses, there are no more restrctons to actually run servces on the local hosts. In ths case also nbound connectons should be possble. To allow all nbound connectons the frewall level should be set to Dsabled. Execute the followng CLI command to check the current level of your frewall: =>:frewall level lst Level Confg ============ Actve Level: Dsabled... => If the current level s not as expected, execute the followng CLI command: :frewall level set name=dsabled It s very mportant to know that frewall level Dsabled does not mean the complete Thomson Gateway frewall s dsabled. A frewall level only apples to traffc that s forwarded by the Thomson Gateway. So actually, the level Dsabled means that all traffc comng n on one nterface and gong out on another, s allowed. Nevertheless, the Thomson Gateway tself stays protected as t was before, meanng that access to the embedded system servces of the Thomson Gateway (as telnet, web nterface,...) are stll only allowed for LAN orgnatng clents. Apart from protectng the Thomson Gateway host tself, the statefull trackng, TCP checks and other stay enabled as well - as wth any other frewall level that s chosen. For more nformaton on how to confgure the frewall to fulfl your specfc needs, see the Thomson Gateway Statefull Inspecton Frewall Confguraton Gude. Enable the Dynamc Connecton Now that all these confguraton steps are completed, we can enable the connecton. If the PPP nterface connects before the creaton of the NAT templates, no NAT mappngs wll be establshed. Execute the followng CLI command to make the PPP nterface dal-n: :ppp fattach ntf=ppp_myppp 40

41 Chapter 9 Publc IP address Dstrbuton by Hyper-NAT 9 Publc IP address Dstrbuton by Hyper-NAT Introducton The Thomson Gateway Hyper-NAT mplementaton offers many types of NAT confguraton. One of the powerful capabltes of Hyper-NAT s that all these dfferent NAT flavours can be used n a mxed mode. Ths can be very nterestng n case a user has a range of publc IP addresses avalable, and wants to use each one of them to fulfl a specfc need. 9.1 Scenaro overvew Concept In ths scenaro we have multple publc IP addresses that are avalable for our use. We wll make use of Thomson Gateway Hyper-NAT to assgn each one of them to a specfc servce the local network. A conceptual example s shown n the fgure below: Internet NAT confg : PubIP_X: basc NAPT for LAN PCs PubIP_Y: N-N NAT for Web n LAN >> IP@ of server can stay as before PubIP_Z: Transparent NAT for IPSec GW >> pub -IP@ for publc-sde to avod NAT ssues PCs Gateway 1 PVC SpeedTouch PRIVATE subnet Webserver Any lnk type, statc confguraton IPSec GW Fgure 15 Concept drawng address dstrbuton by Hyper-NAT A typcal example could be: > Use one of the IP addresses to offer shared nternet access to all normal nternal hosts (PCs), by usng regular NAPT on ths IP address. > Lnk publc IP addresses to the nternal servers by N-N NAT entres, and as such avod IP reconfguraton on these hosts. > Use transparent NAT entres to lnk to nternal servers whch use protocols that cannot handle IP address translaton (as IPSec AH). For more nformaton about the Thomson Gateway and Network Address Translaton, please refer to the Thomson Gateway Hyper-NAT Confguraton Gude R

42 Chapter 9 Publc IP address Dstrbuton by Hyper-NAT Scenaro The followng pages wll show how to confgure the Thomson Gateway when you have to connect to ths type of network confguraton. The goal wll be to ntegrate the Thomson Gateway n the followng network structure: Internet NAT confg: > NAPT for local PCs > (Webserver) > (IPSec GW ) PCs x Gateway /29 > PPP lnk PVC: 8/35 SpeedTouch IPSec GW Webserver Fgure 16 Scenaro example of address dstrbuton by Hyper-NAT In ths scenaro we wll make use of an unnumbered PPP connecton as WAN lnk, wth statc IP address confguraton. The followng sectons wll descrbe all confguraton steps needed: To... See page... Create the Uplnk Interface 43 Defne NAT Entres 44 Set the Correct Frewall Level 45 42

43 Chapter 9 Publc IP address Dstrbuton by Hyper-NAT 9.2 Practcal Realsaton Create the Uplnk Interface Create the WAN nterface that wll be used to connect to the ISP. In the current scenaro we wll make use of the unnumbered PPP connecton model. It s completely transparent whether the PPP protocol runs drectly on top of ATM (PPPoA) or wth an Ethernet layer n between (PPPoE). The example wll be confgured wth VPI/VCI values 8/35, VCMUX encapsulaton, usng the PPPoA connecton servce. Proceed as follows: 1 Create an ATM nterface. Execute the followng CLI commands to create ATM nterface atm_myppp: :atm phonebook add name=phone_myppp addr=8.35 :atm fadd ntf=atm_myppp :atm fconfg ntf=atm_myppp dest=phone_myppp encaps=vcmux ulp=ppp :atm fattach ntf=atm_myppp 2 Create a PPP nterface. Execute the followng CLI commands to create PPP nterface ppp_myppp: :ppp fadd ntf=ppp_myppp :ppp fconfg ntf=ppp_myppp dest=atm_myppp user=myusername password=mypassword unnumbere d=enabled The values MyUsername and MyPassword are to be replaced by the actual PPP connecton credentals that are offered by your ISP 3 Defne the default route. Execute the followng CLI commands to nject a default route nto the routng table from the moment the PPP lnk s connected and the IP negotaton was successful: :ppp rtadd ntf=ppp_myppp dst= /0 4 Connect the PPP nterface. Execute the followng CLI command to enable the PPP nterface: :ppp fattach ntf=ppp_myppp 43

44 Chapter 9 Publc IP address Dstrbuton by Hyper-NAT Defne NAT Entres Proceed as follows to confgure the NAT entres that wll handle all dfferent publc IP addresses: 1 Confgure the NAPT mappng for shared nternet access. Publc IP address wll be used to share nternet access for the local PCs. These PCs have nternal IP addresses rangng from up to Ths functonalty can be acheved by creatng a NAPT mappng. Execute the followng CLI command to create ths NAPT mappng: :nat mapadd ntf=ppp_myppp type=napt outsde_addr= ! An optonal parameter when confgurng a NAT mappng s the accesslst, allowng to restrct the use of the NAPT mappng. The Thomson Gateway WAN nterface s unnumbered and wll select the prmary IP address of the prmary IP nterface as source IP address for packets sent out by tself on the WAN nterface. In ths scenaro, a prvate IP address wll be used ntally, and t should be translated to a publc IP address by the NAT engne. Make sure when restrctng the applcablty of NAT mappngs, that ths prmary IP address s also wthn the range of one of the NAT mappngs defned. 2 Confgure the 1-1 NAT mappng for the web server. The publc IP address wll be mapped to the nternal web server wth local IP address Makng an exclusve lnk between a publc and prvate IP address has to be done by defnng a 1-1 NAT mappng. Execute the followng CLI command to create ths 1-1 NAT mappng: :nat mapadd ntf=ppp_myppp type=nat outsde_addr= nsde_addr= Transparent NAT mappng for the IPSec server. The publc IP address has to be transparently forwarded towards the IPSec server whch s located n the prvate network. Despte the fact that ths server s located n the prvate network, t has the publc IP address confgured. Apart from the publc IP address, a prvate IP address could also be confgured on the server, va mult-homng technques or other technques, dependng on the capabltes of the Operatng System. Execute the followng CLI command to create the transparent NAT entry: :nat mapadd ntf=ppp_myppp type=napt outsde_addr= nsde_addr= In transparent mode, the packet s transparently forwarded wthout translaton. That means that the forwardng table needs nformaton on how to reach the transparent host. Execute the followng CLI commands to defne where the transparent host s located: :p rtadd dst= /32 ntf=lan1 The transparent host wll have a publc IP addresses confgured, and also use the publc gateway (n ths scenaro the IP address of the BAS). To allow ths host to reach ts default gateway, we need to add a Proxy-ARP entry n the Thomson Gateway. Execute the followng CLI command to defne the Proxy-ARP entry: :p arpadd ntf=lan1 p= hwaddr=00-0e f2 44

45 Chapter 9 Publc IP address Dstrbuton by Hyper-NAT Set the Correct Frewall Level In ths setup, where both the LAN and WAN sde of the Thomson Gateway are publc, the frewall level should be set to Dsabled. Ths wll allow all nbound and outbound connectons to pass the Thomson Gateway. However, when your local hosts are not supposed to offer servces towards the publc network, t s safer to confgure the frewall so that t only allows connectons that are ntated from the local network towards the publc network. The Thomson Gateway by default has several levels defnng that only outbound sessons can be made. Ths restrcton starts from level standard and s vald for all hgher-securty frewall levels. Execute the followng CLI command to check current level of your frewall: =>:frewall level lst Level Confg ============ Actve Level: Dsabled... => If the current level s not as desred, execute followng CLI command to correct ths: :frewall level set name=dsabled It s very mportant to know that frewall level Dsabled does not mean the complete Thomson Gateway frewall s dsabled. A frewall level only apples to traffc that s forwarded by the Thomson Gateway. So actually, the level Dsabled means that all traffc comng n on one nterface and gong out on another, s allowed. Nevertheless, the Thomson Gateway tself stays protected as t was before, meanng that access to the embedded system servces of the Thomson Gateway (as telnet, web nterface,...) are stll only allowed for LAN orgnatng clents. Apart from protectng the Thomson Gateway host tself, the statefull trackng, TCP checks and others stay enabled as well - as wth any other frewall level that s chosen. For more nformaton on how to confgure the frewall to fulfl your specfc needs, see the Thomson Gateway Statefull Inspecton Frewall Confguraton Gude. Verfy the Connecton Proceed as follows to see f the connecton s workng: 1 Execute the followng CLI command to check the status of the PPP nterface: =>:ppp flst ppp_myppp: dest: atm_myppp [00:06:13] Retry : 10 mode = IP unnumbered + DHCP [-> IPCP_pool] flags = echo magc accomp restart mru addr savepwd chap [.] dns metrc = 0 mru = 1500 RxTx nactvty = 60s left = 0s auth = auto user = cpest@csco password = ******** admn state = up oper state = up lnk state = connected LCP : state = opened retransm = 0 term. reason = IPCP: state = opened retransm = 10 term. reason = => Verfy whether the connecton s establshed. If t s, the parameter oper state has to be up, and parameter lnk state has to be connected. 45

46 Chapter 9 Publc IP address Dstrbuton by Hyper-NAT 2 Execute the followng CLI command to verfy the NAT mappngs: =>:nat maplst expand=enabled Idx Type Interface Outsde Address Insde Address Use... 5 NAT ppp_myppp Access Lst Foregn Address... any Protocol... any Flags... Statc Descrpton... Transparent Two-way NAT Creator Data NAT ppp_myppp Access Lst Foregn Address... any Protocol... any Flags... Statc Descrpton... Two-way NAT Creator Data NAPT ppp_myppp unmapped 0 Access Lst... any Foregn Address... any Protocol... any Flags... Statc Descrpton... Outbound NAPT wthout defserver Creator Data => 46

47 Vst us at: Coordnates THOMSON Telecom Prns Boudewjnlaan 47 B-2650 Edegem Belgum E-mal: Copyrght 2007 THOMSON. All rghts reserved. The content of ths document s furnshed for nformatonal use only, may be subject to change wthout notce, and should not be construed as a commtment by THOMSON. THOMSON assumes no responsblty or lablty for any errors or naccuraces that may appear n ths document. The nformaton contaned n ths document represents the current vew of THOMSON on the ssues dscussed as of the date of publcaton. Because THOMSON must respond to changng market condtons, t should not be nterpreted to be a commtment on the part of THOMSON, and THOMSON cannot guarantee the accuracy of any nformaton presented after the date of publcaton. Ths document s for nformatonal purposes only. THOMSON MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT. The names of actual companes and products mentoned heren may be the trademarks of ther respectve owners.