NAT Tutorial

From CTWUG Wiki

This tutorial explains how to keep using your own private LAN range behind a router that performs NAT (network address translation). In practice this means that inside your private network you can use whatever private IP addressing you like; the router then translates those addresses to the public network IP (WUG IP) given to you by your WUG Admin. The tutorial is therefore aimed at wuggers who don't want to change the internal IP addressing of their LAN.

Description

Network Address Translation is an Internet standard that allows hosts on local area networks to use one set of IP addresses for internal communications and another set of IP addresses for external communications. A LAN that uses NAT is referred to as a natted network. For NAT to function, there must be a NAT gateway in each natted network. The NAT gateway (NAT router) rewrites IP addresses in packets as they travel to and from the LAN.

There are two types of NAT:

  • source NAT or srcnat. This type of NAT is performed on packets that originate from a natted network. The NAT router replaces the private source address of an IP packet with a new public IP address as the packet travels through the router. The reverse operation is applied to the reply packets travelling in the other direction.
  • destination NAT or dstnat. This type of NAT is performed on packets that are destined for the natted network. It is most commonly used to make hosts on a private network accessible from the Internet. A NAT router performing dstnat replaces the destination IP address of an IP packet as it travels through the router towards the private network.

In this tutorial we use the following IPs:

  • Highsite IP: 172.18.100.254
  • Wugger RB IP: 172.18.100.6
  • Wugger WUG Range: 172.18.100.0/29
  • Wugger PVT LAN Range: 10.0.0.0/24
  • Wugger PC PVT IP: 10.0.0.3

Source NAT (SRC-NAT)

[Diagram: NAT ips.jpg]

With Source NAT your PVT IP address is translated to a public WUG IP, so that your private IP can communicate with hosts on the public network. (Think of it as traffic going out from the private LAN to the public LAN.)


[Screenshot: Mikrotik nat howto01.jpg]

[Screenshot: Mikrotik nat howto02.jpg]

First configure the IPs for your wlan1 (wireless WUG interface) and ether1 (Ethernet interface).


[Screenshot: Mikrotik nat howto03.jpg]

[Screenshot: Mikrotik nat howto04.jpg]

Set your static WUG route for 172.16.0.0/12.



First we will configure the Source Network Address Translation setting (SRC-NAT). This translates your local private LAN IP (10.0.0.3) to a public (WUG-accessible) IP.

[Screenshot: Mikrotik nat howto05.jpg]

To configure the NAT, go to IP > Firewall and click the NAT tab.


  • There are two ways of accomplishing this. You can use the masquerade function, which translates ALL IPs in your PVT network range to one IP (the WUG IP of your RB), or you can translate a specific WUG IP from the range given to you to a specific private IP on your LAN.

Option 1 - Using MASQUERADE to hide (translate) all IPs on your private LAN behind one public (WUG) IP

[Screenshot: Mikrotik nat howto06.jpg]

On the General tab, in the Chain box, we choose srcnat. This rule is for all traffic going out via our wlan1 interface, so we set Out. Interface to wlan1. Then we go to the Action tab.


[Screenshot: Mikrotik nat howto07.jpg]

Here we simply choose the masquerade action.

If you have an ADSL router and want to reach the Internet and the WUG network at the same time without any hassle, simply make sure your ADSL router is on the same subnet as your WUG RB's Ethernet range, in this case 10.0.0.0/24. So let's say your ADSL router's IP is 10.0.0.2 and your RB's IP is 10.0.0.1; you then configure your PC's NIC settings using the ADSL router's IP as the Default Gateway and DNS.

NB: This configuration is for a Windows PC; the method described below may differ on other operating systems.

e.g:

  • IP: 10.0.0.3
  • Subnet Mask: 255.255.255.0
  • Default Gateway: 10.0.0.2
  • Primary DNS: 10.0.0.2

Now that this is complete we need to add a permanent route to the PC's routing table, so that WUG traffic goes to the RB rather than to the ADSL default gateway. You can do this by opening a command prompt. For this example we type the following:

route -p ADD 172.16.0.0 MASK 255.240.0.0 10.0.0.1 METRIC 1

Once this is complete press ENTER, if all the details were entered correctly an "OK!" will be displayed.

[Screenshot: Route Add Screen Dump.jpg]

Restart your PC and you should be good to go!

Option 2 - Translate an IP from your WUG range to an internal private IP on your LAN range

[Screenshot: Mikrotik nat howto08.jpg]

Once again, on the General tab, in the Chain box, we choose srcnat. Now, instead of just choosing the outgoing interface, we specify the source IP of the packets that need to be translated. So in Src. Address we type the private IP address to be translated.


[Screenshot: Mikrotik nat howto09.jpg]

Instead of masquerading all the IPs, in the Action tab we now set Action to src-nat and specify To Addresses as the PUBLIC (WUG) IP that the private address should be translated to.

That's all there is to it!
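The same source NAT setup as RouterOS terminal commands, as an added example that is not part of the original wiki page. It assumes the addresses listed at the top of the tutorial, that the RB's LAN address is 10.0.0.1/24 as in the ADSL section, that the highsite IP is the gateway for the static WUG route, and that 172.18.100.1 is the spare WUG IP chosen for Option 2; in the CLI the Winbox "To Addresses" field is called to-addresses.

```routeros
# Addresses for the WUG-facing wireless interface and the LAN-facing Ethernet interface
/ip address add address=172.18.100.6/29 interface=wlan1 comment="WUG IP from the range given by the WUG admin"
/ip address add address=10.0.0.1/24 interface=ether1 comment="private LAN gateway address (assumed)"

# Static route for the whole WUG range; the highsite IP as gateway is an assumption
/ip route add dst-address=172.16.0.0/12 gateway=172.18.100.254

# Option 2 first: translate one private host to one specific WUG IP (172.18.100.1 is an assumed spare IP)
/ip firewall nat add chain=srcnat src-address=10.0.0.3 action=src-nat to-addresses=172.18.100.1 comment="option 2: 10.0.0.3 -> 172.18.100.1"

# Option 1: masquerade everything else leaving via wlan1 behind the RB's own WUG IP
# NAT rules match top-down, so if both rules exist the specific src-nat rule must sit above the masquerade rule
/ip firewall nat add chain=srcnat out-interface=wlan1 action=masquerade comment="option 1: hide whole LAN"

# Verify: packet/byte counters on each rule increase as LAN hosts talk to the WUG
/ip firewall nat print stats
```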


Destination NAT (DST-NAT)

With Destination NAT, traffic sent to a public WUG IP is forwarded (translated) to your private IP address. On some routers this is also known as port forwarding. You can either forward all traffic for a public IP to your private IP, or forward only selected ports. You can even use one public IP and forward different ports to different internal IPs (for example, forward port 21 (FTP) to 10.0.0.3 and port 80 (HTTP) to 10.0.0.4).

Once again we go to IP > Firewall and choose the NAT tab.

  • To forward all ports from the WUG IP 172.18.100.1 to the PVT IP 10.0.0.3


[Screenshot: Mikrotik nat howto10.jpg]

In the General tab, set Chain to dstnat. The IP that the traffic is destined for is the public WUG IP, so in Dst. Address you enter a WUG IP from the range given to you.


[Screenshot: Mikrotik nat howto11.jpg]

Under the Action tab, choose dst-nat, and in To Addresses enter the private IP that the destination address should be translated to.


  • To forward only port 21 of the WUG IP 172.18.100.1 to the PVT IP 10.0.0.3, for an FTP server hosted on 10.0.0.3


[Screenshot: Mikrotik nat howto12.jpg]

Same as the previous example, except that now we also choose the protocol (tcp) and fill in Dst. Port (21).


[Screenshot: Mikrotik nat howto13.jpg]

In the Action tab, To Addresses is again our private IP, and To Ports is the port on the private LAN host that the traffic should be forwarded to.
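The destination NAT rules from this section as RouterOS terminal commands, as an added example that is not part of the original wiki page. It covers both the all-ports and the port-21 cases, plus the port-80 example mentioned above; the in-interface=wlan1 match is an addition beyond the screenshots so the rules only apply to traffic arriving from the WUG side, and 10.0.0.4 for HTTP is the host the text uses as its example.

```routeros
# Port-specific rules go first: forward only FTP control (TCP 21) on 172.18.100.1 to the FTP server on 10.0.0.3
/ip firewall nat add chain=dstnat in-interface=wlan1 dst-address=172.18.100.1 protocol=tcp dst-port=21 action=dst-nat to-addresses=10.0.0.3 to-ports=21 comment="ftp -> 10.0.0.3"

# Same public IP, a different port to a different private host (the HTTP example from the text)
/ip firewall nat add chain=dstnat in-interface=wlan1 dst-address=172.18.100.1 protocol=tcp dst-port=80 action=dst-nat to-addresses=10.0.0.4 to-ports=80 comment="http -> 10.0.0.4"

# Catch-all: forward every other port sent to 172.18.100.1 to 10.0.0.3
# Rules match top-down, so this rule must stay BELOW the port-specific ones or it will take port 21 and 80 as well
/ip firewall nat add chain=dstnat in-interface=wlan1 dst-address=172.18.100.1 action=dst-nat to-addresses=10.0.0.3 comment="all other ports -> 10.0.0.3"

# Verify: the counter on a rule increases when a WUG host connects to the forwarded port
/ip firewall nat print stats
```

Only keep the catch-all rule if you really want every service on 10.0.0.3 reachable from the WUG; otherwise use the port-specific rules alone so a single public IP exposes only the services you intend.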