Network queries

Been having trouble allowing a machine on my network running apache to be accessed from the Internet.

Before getting into that, just have some queries in relation to the setup of my Netopia DSL modem and Linksys WRT54G router.

Right, here's the setup:

DSL modem connected to WAN port of router.
Win XP machine connected to ethernet port of router.

IP address of router: 192.168.2.1
IP address of modem: 192.168.1.254

If I go into the web config interface of my router and go to the DDNS tab and select dyndns.org, my public IP address should be pulled through to the "Internet IP Address" line, but instead, a private IP address of 192.168.1.1 is pulled through.

Image of routers DDNS screen:

If I go to the web config interface of my modem and view the IP ARP table, I am presented with the line below:

Ethernet IP ARP table:
0: IP 192.168.1.1 Hardware 00-16-b6-45-95-b6 flags VALID

(Have a look at the MAC address in the line above. If I do an 'arp -a 192.168.2.1', which is the IP address of my router I am shown the MAC address 00-16-b6-45-95-b5)

So I think that the 192.168.1.1 IP address is what my modem views the router as and has used the routers MAC address but incremented it by 1....some type of bridging between the modem subnet and router subnet?...

Now, DHCP is enabled on my modem as well as the router but I've read that since they're differant subnets it shouldn't cause a problem.
I've tried turning the DHCP server on my modem off to see if that made a differance but that just made me lose Internet connectivity, be unable to connect to the modems web config interface and make me have to reset the modem.

Image of modems DHCP screen:

Just want to find out if the above is alright or would it cause any problems.

If you could clarify the situation with IP address 192.168.1.1

Anymore info that would be helpful just let me know and I'll put up more screenshots etc.

Cheers.

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

networker050184

The modem is giving your router the IP address for its WAN interface 192.168.1.1. The 192.168.2.1 address is being used by your router on your LAN. As you may or may not know a router can have more than one IP address and MAC address.

Your routers internet (WAN) address is 192.168.1.1 which is why it is showing on that screen. There is no bridging going on.

tiersten

The LAN and WAN ports of the router will have different MAC addresses.

You're getting 192.168.1.1 as the WAN side IP address of your router because your modem is doing NAT already.

ConstantlyLearning

Ok, so I understand now about the differant IP and MAC addresses for the LAN and WAN ports of the router.

What I don't understand is why the WAN port of the router is using a private IP address assigned by the modem instead of just the modems WAN IP address. i.e. the public internet address.

I saw a video tutorial for DDNS using dyndns.org for the WRT54G router and the public IP address was pulled through to the "Internet IP Address" line and not some private IP address.

I believe this is causing the problem with my apache server not being able to be accessed from the Internet.

I can access the web server from within my network.

I have forwarded port 80 and unchecked the box "block anonymous internet requests".

hmmm

astorrs

ConstantlyLearning wrote:

What I don't understand is why the WAN port of the router is using a private IP address assigned by the modem instead of just the modems WAN IP address. i.e. the public internet address.

Because as others have said your modem is doing NAT (therefore it is a router not just a modem).

networker050184

ConstantlyLearning wrote:

What I don't understand is why the WAN port of the router is using a private IP address assigned by the modem instead of just the modems WAN IP address. i.e. the public internet address.

It works that way because that is the way it is configured. If you want to have your router get a public IP address you will have to speak with your ISP.

ConstantlyLearning wrote:

I believe this is causing the problem with my apache server not being able to be accessed from the Internet.

I can access the web server from within my network.

I have forwarded port 80 and unchecked the box "block anonymous internet requests".

You will have to do the port forwarding on your modem (if supported).

Also remember your router is probably performing NAT as well.....

You may need to do a little more reading as it seems you are missing some fundamental knowledge here.

undomiel

Easiest would probably be to just put your modem into bridged mode and just let your router do all the management, if that works for your network set up.

RTmarc

Depending on your ISP, you should be able to enable IP Passthrough on that modem that will essentially eliminate that hop. The modem/router becomes just a modem and gives the internet IP address to the external interface of your router.

ConstantlyLearning

Thanks a mill for all the info guys.

Looks like my modem is a router/modem.

I think I can put it into bridged mode so it acts as a pass-through device and enter my isp account details into my linksys router.

There's a tonne of steps to put it into bridged mode but if I upgrade the firmware it should only be a couple steps.

I'll try this out tomorrow and let you know how I get on.

The modem does support port-forwarding. Gave me an error message when I tried it. Probably because I used an IP in the 192.168.2.* subnet and not in 192.168.1.*.

Cheers.

tiersten

You can leave the DSL router doing NAT if you want. Just configure the WiFi AP to not do NAT or plug your DSL router into one of the LAN ports on the WiFi AP. Remember to disable DHCP on the WiFi AP however.

ConstantlyLearning

Couldn't help myself, had to stay up and try this.

Disabled DHCP on the Linksys and connected the Netopia ADSL Modem/Router to one of the LAN ports.

So the Netopia device is doing the work and the Linksys is effectively a switch.

Changed the IP address of the web server machine to one in the 192.168.1.* subnet, set port forwarding for port 80 to that machine and it works.

Had to change the internal web service port of the modem/router to something other than 80 because it was causing a conflict when I tried to create the port forwarding rule.

Couple of questions though:

What was happening beforehand? A request would be made from the Internet to access my public IP address on port 80 and.....it would not see any portforwarding rule on the first router it came to which was the Netopia device?

Would it have been possible to have left the two routers the way they were but set up some type of static route between the Netopia router and the Linksys so that if there was an incoming request it would look for a portforwarding rule on the Linksys router instead?

Thanks again for all the help.

networker050184

ConstantlyLearning wrote:

What was happening beforehand? A request would be made from the Internet to access my public IP address on port 80 and.....it would not see any portforwarding rule on the first router it came to which was the Netopia device?

Yes this is what was happening.

ConstantlyLearning wrote:

Would it have been possible to have left the two routers the way they were but set up some type of static route between the Netopia router and the Linksys so that if there was an incoming request it would look for a portforwarding rule on the Linksys router instead?

A static route wouldn't have worked in this situation. Even if the modem/router would have known about the 192.168.2.0 network behind the router it will would have still gotten a request for the outside IP port 80 not the inside address.

seuss_ssues

ConstantlyLearning wrote:

What was happening beforehand? A request would be made from the Internet to access my public IP address on port 80 and.....it would not see any portforwarding rule on the first router it came to which was the Netopia device?

The request was hitting your DSL modem and being dropped because it was either being firewalled off or there was no port forward in place.

ConstantlyLearning wrote:

Would it have been possible to have left the two routers the way they were but set up some type of static route between the Netopia router and the Linksys so that if there was an incoming request it would look for a portforwarding rule on the Linksys router instead?

Depending on the type of DSL modem/router that you have that is a possibility. You could configure a port forward on the DSL to point to the IP of the linksys router. You could then configure the linksys router to port forward the same port on to the IP of the server.

Another thing to keep in mind is that your dsl device may also have some type of firewall built in. If that is the case you either need to turn it off or create a rule to allow your traffic in.

tiersten

What you had before was this:

Internet

> DSL router ----> WiFi router ----> Home network

The DSL router and WiFi router were both doing NAT. The WiFi router can see everything on your home network. The DSL router can only see the WiFi router. The general internet can only see your DSL router.

You were doing port forwarding on the WiFi router but not on the DSL router. This means that as you correctly assume the requests would just get dropped by the DSL router.

There are several ways around this:

1. Leave it how it is now. The DSL router does NAT and the WiFi router is just used as a switch + access point.
2. Disable NAT on the DSL router and enable it on the WiFi router. You'll have to investigate whether this is possible or not with your DSL router.
3. Enable NAT on both devices and set up a forwarding rule on each router. This will mean more maintenance work in the future however if you want to change something.

networker050184

tiersten wrote:

1. Leave it how it is now. The DSL router does NAT and the WiFi router is just used as a switch + access point.
2. Disable NAT on the DSL router and enable it on the WiFi router. You'll have to investigate whether this is possible or not with your DSL router.
3. Enable NAT on both devices and set up a forwarding rule on each router. This will mean more maintenance work in the future however if you want to change something.

1. This will work but you are losing any sort of security provided by your router (probably not much if its just a Linksys but if you had something more robust it would cut it out of the picture).

2. If you disable NAT on the DSL modem it is still handing out private IPs. It will take a little more than just disabling NAT on the modem to get this approach working.

3. Again will work, but I have heard about issues with IPSec and NAT to NAT connections nothing concrete that it won't work though. Just something to think about if you have any VPN connections.

Your best bet to keep everything how it was before would be to engage your ISP to see what kind of options they offer such as a PPPoE connection.

tiersten

networker050184 wrote:

1. This will work but you are losing any sort of security provided by your router (probably not much if its just a Linksys but if you had something more robust it would cut it out of the picture).

Its a WRT54G. The security features in it are pretty basic to say the least. For general home usage, the firewall built into the DSL router is probably more than sufficient. The DSL router and the WRT54G aren't going to be doing anything particularly clever in either case.

networker050184 wrote:

2. If you disable NAT on the DSL modem it is still handing out private IPs. It will take a little more than just disabling NAT on the modem to get this approach working.

Yes. You'd have to do more reconfiguration than just turning off NAT. My cop out answer to save me typing everything in was to talk to the ISP.

networker050184 wrote:

3. Again will work, but I have heard about issues with IPSec and NAT to NAT connections nothing concrete that it won't work though. Just something to think about if you have any VPN connections.

It would most probably screw up IPSEC. NAT already messes up IPSEC to a certain extent. This wouldn't be the option you'd do anyway. It'd work but as I said, you'll have issues with it if you do this.

networker050184 wrote:

Your best bet to keep everything how it was before would be to engage your ISP to see what kind of options they offer such as a PPPoE connection.

No chance. PPPoA is the standard here. Option 2 to disable NAT and enable bridging etc... is the only option if you want to do it properly.

networker050184

tiersten wrote:

No chance. PPPoA is the standard here. Option 2 to disable NAT and enable bridging etc... is the only option if you want to do it properly.

Ah I see the UK.