DHCP not working when NAT is enabled.

2»

Comments

  • Forsaken_GAForsaken_GA Member Posts: 4,024
    ayori wrote: »
    Understood. What confused me is if you're really simulating DHCP traffic over the Internet, then why would your Wireshark capture have source IPs of 10.0.0.1 reaching the DHCP server over the WAN? Those packets would be dropped right at the ISP router (which is A-B in this case) as the source is from a private LAN space.

    With your posted config minus the NAT statements and ACL, how was your PC able to get an IP from the server?

    Unless you're using something like IPSec over GRE tunnels then your packet would never traverse the Internet without NAT contrary to what you said in the original post that the config works without NAT.

    Right, this is why this type of setup is normally done with a tunnel across the public internet, or across private WAN circuits. Trying to connect your sites over the public internet using NAT is a bad idea :)
  • ayoriayori Member Posts: 48 ■■□□□□□□□□
    Which is exactly what the OP said. Without NAT, it works fine. With NAT, it doesn't. Without NAT, there is a presumption that the route is being propagated.

    What I said was with or without NAT it wouldn't work. OP said that it works without NAT which doesn't make sense.

    And what routes are required in the OP's example to make it work without NAT? Private LAN space. Which contradicts the OP's intent of simulating DHCP traffic over the Internet in the first place as you won't have direct routes to your private LAN subnet as you've mentioned.

    I agree to what everyone is saying here and I'm learning lots along the way. The point is that the symptoms posted are incorrect which mislead me to believe that it's OK to advertise the private LAN subnet in this scenario.
  • ayoriayori Member Posts: 48 ■■□□□□□□□□
    Right, this is why this type of setup is normally done with a tunnel across the public internet, or across private WAN circuits. Trying to connect your sites over the public internet using NAT is a bad idea :)

    I couldn't agree more. Just got confused on how the hell the topology worked without NAT as the OP stated? This made me assume the 'Internet routers' know how to get to the private LAN space for the topology to work without NAT.

    Thanks for the educated posts everyone.
  • Forsaken_GAForsaken_GA Member Posts: 4,024
    ayori wrote: »
    What I said was with or without NAT it wouldn't work. OP said that it works without NAT which doesn't make sense.

    it does if you consider the context of his test. He's not actually running this across the public internet. I suspect he's running it through packet tracer, or a segregated lab. The only configuration that works is for the DHCP server to have a route back to the network that's being NAT'd, which entirely defeats the purpose of the NAT. *That* is why the scenario is invalid, not because of the choice of IP's used in the theoretical presented here.

    You're correct in that RFC1918 space can't be routed across the internet, but that's actually marginal, because the same problem exists even if the network behind the NAT is publicly routable space. Doesn't matter what IP addresses you use, DHCP relay through NAT cannot co-exist with both technologies working in their intended fashion.
  • ayoriayori Member Posts: 48 ■■□□□□□□□□
    Correct and that is why I ignored everything about 1."oh this is a simulation over the Internet" and 2.best design practices as the network was presented with a presumption that the WAN routers know how to get to the private IP space - effectively negating 1 and 2. So my thought process was - "OK you got it to work in your topology without NAT, then don't NAT the DHCP request since your WAN routers know how to get to your private space anyway." - keeping in mind that the topology is invalid if the OP intends this to be a simulation over the Internet.

    Agreed with your second point as well. We actually have a client in our NOC that uses an IP block outside RFC1918 as their internal IP space. It's going through NAT, being passed along the VPN tunnels just like the RFC1918 space. No issue with that.
  • CodeBloxCodeBlox Member Posts: 1,363 ■■■■□□□□□□
    ayori wrote: »
    What I said was with or without NAT it wouldn't work. OP said that it works without NAT which doesn't make sense.

    And what routes are required in the OP's example to make it work without NAT? Private LAN space. Which contradicts the OP's intent of simulating DHCP traffic over the Internet in the first place as you won't have direct routes to your private LAN subnet as you've mentioned.

    I agree to what everyone is saying here and I'm learning lots along the way. The point is that the symptoms posted are incorrect which mislead me to believe that it's OK to advertise the private LAN subnet in this scenario.
    So how does it NOT make sense that DHCP is working without NAT? Without NAT, my 10.0.0.0 subnet is being advertised and is really not what I wanted. My sole purpose seeing if this would work with NAT was just a test to see if I could get it to work and obviously, it wont in this way (which has been confirmed by some kind people here). What do you mean by "the symptoms posted are incorrect"? I was viewing this in wireshark and nothing was coming back from the DHCP server causing my host to get an automatic private IP and it's because of NAT. When I say I'm "Simulating the internet", I mean that I don't want anything sourced from a private address space routed, I only want packets sourced from a public IP to be routed. No doubt packets sourced from 10.0.0.0 would probably be dropped by the ISP. I'm using GNS3 with a few windows XP machines and Windows Server 2008 R2 for my DHCP server.
    Currently reading: Network Warrior, Unix Network Programming by Richard Stevens
  • Forsaken_GAForsaken_GA Member Posts: 4,024
    CodeBlox wrote: »
    So how does it NOT make sense that DHCP is working without NAT? Without NAT, my 10.0.0.0 subnet is being advertised and is really not what I wanted. My sole purpose seeing if this would work with NAT was just a test to see if I could get it to work and obviously, it wont in this way (which has been confirmed by some kind people here). What do you mean by "the symptoms posted are incorrect"?

    He got a little thrown by the fact that you said it worked without NAT because it would have required advertising 10. space, which combined with your stated intent of using the internet to transit DHCP traffic might be a little confusing if someone though you were running this as a live test, as it should have never worked due to 10. space not propagating across the public internet.
  • spd3432spd3432 Member Posts: 224
    CodeBlox wrote: »
    So how does it NOT make sense that DHCP is working without NAT? Without NAT, my 10.0.0.0 subnet is being advertised and is really not what I wanted. My sole purpose seeing if this would work with NAT was just a test to see if I could get it to work and obviously, it wont in this way (which has been confirmed by some kind people here). What do you mean by "the symptoms posted are incorrect"? I was viewing this in wireshark and nothing was coming back from the DHCP server causing my host to get an automatic private IP and it's because of NAT. When I say I'm "Simulating the internet", I mean that I don't want anything sourced from a private address space routed, I only want packets sourced from a public IP to be routed. No doubt packets sourced from 10.0.0.0 would probably be dropped by the ISP. I'm using GNS3 with a few windows XP machines and Windows Server 2008 R2 for my DHCP server.

    How many routers are you using when you're not using NAT? I'm thinking you should be using 4.
    {Main Office (w/dhcp)} <----> {ISP1} <internet cloud> {ISP2} <----> {Branch office w/clients}
    Figure F0/0 on the inside of both Main and Branch.
    Figure S0/0 on the outside of those connecting to the ISPs. <--- set your NAT or not however you like.
    On both interfaces of both ISP routers, have inbound ACLs dropping multicast, loopback, and private address spaces.

    With this setup you shouldn't be able to see any of your DCHP requests at the home office when NAT is not enabled. And it should somewhat emulate ISPs not allowing traffic from the private spaces to propagate.
    ----CCNP goal----
    Route [ ] Studying
    Switch [ ] Next
    Tshoot [ ] Eventually
  • LinuxRacrLinuxRacr Member Posts: 653 ■■■■□□□□□□
    Very informative! I just ran into a very similar issue while labing at home on Packet Tracer... Thanks all.
    My WGU B.S. IT - Security Progress : Transferred In|Remaining|In Progress|Completed
    AGC1, CLC1, GAC1, INC1, CTV1, INT1, BVC1, TBP1, TCP1, QLT1, HHT1, QBT1, BBC1 (39 CUs), (0 CUs) (0 CUs)
    WFV1, BNC1, EAV1, EBV1, COV1 | MGC1, IWC1 | CQV1, CNV1, IWT1, RIT1 | DRV1, DSV1, TPV1, CVV1 | EUP1, EUC1, DHV1| CUV1, C173 | BOV1, CJV1, TXP1, TXC1 | TYP1, TYC1, SBT1, RGT1 (84 CUs) DONE!
  • poguepogue Member Posts: 213
    It'd be cool to get a synopsis of how actual engineers working at organizations with a multi-site network that has a central DHCP infrastructure would actually design this..

    I am assuming something like this:

    Branch site main router has a public IP address on uplink, and is configured for an IPSec tunnel to central hub. Branch router has a dhcp relay set up on internal interface, with the private range configured on this interface. Private address routes are advertised through the IpSec (or an additional GRE?) tunnel.

    Please keep in mind, I recently got my CCNP and haven't worked on a major multi-site network yet. I am simply guessing based on the behavior I see on the major network I work on. (But don't have administrator access to..)

    With a fully informed internal routing protocol, the DHCP server has routes to all the private networks residing at branches... It will go through tunnels to reach all requesting clients, yes?

    Again, pardon me if I am totally off base here. Any insight as to how a multi site, central DHCP network would function without NAT would be appreciated.

    That being said, how would clients with a private address be addressed when they wish to go to the Internet? I can see a situation where they are handled by a central Proxy server, and then NAT'ed, but how exactly would that work?

    Thanks,

    Russ
    Currently working on: CCNA:Security
    Up next: CCNA:Voice
Sign In or Register to comment.