Expired

IX. NAT Related Features

Expired

Configuring non-NAT operation (public subnet) with a Vigor 3900 / 2960

Products:

Keywords:

If you have multiple public IP addresses (i.e. a subnet allocated by your ISP as opposed to just a single IP address), it is possible to configure the DrayTek units that support multiple IP's in a flexible way using NAT, Multi-NAT/WAN IP Alias and IP Routing. The preferred method is often to use WAN IP Alias to minimise the direct exposure from unsolicitied incoming traffic via NAT but a non-NAT configure can also be setup.

Using IP Routing, IP Addresses can be routed directly through to the LAN side directly without applying NAT to that traffic, which can be useful for placing servers or other devices behind the router; This configuration would mean that the device uses a public IP Address directly.

IP Routing can be used in addition to the WAN IP Alias feature, but IP addresses allocated as IP Aliases are removed from the pool of addresses usable by the IP routed subnet.

This guide will use 198.51.100.152 as the Network Address, with a 255.255.255.248 subnet mask, which has a usable IP range of 198.51.100.153 to 198.51.100.158.
The router will use 198.51.100.153 for the WAN interface.
The address 198.51.100.158 will be used for IP routing, clients on the network would use an IP address available in the usable range, with 198.51.100.158 as their gateway.

On the Vigor 3900 series, this requires:

Configuring the WAN interface as normal
Set up a LAN interface in Routed mode, either as a part of an existing NAT subnet or as a separate Routed network interface
Set up the router's LAN/WAN ARP Proxy feature to link the LAN and WAN interfaces

There are two methods to set this up:

Dedicated LAN Interface - This uses a separate LAN interface in Routing mode to route the public IP addresses through, this requires either a dedicated LAN port on the router or the use of VLAN tags (on a separate switch)

NAT & Routed Shared LAN Interface - This would add the routed subnet to the existing NATted LAN interface, this is required if the devices will be on the same physical network and VLAN tags are not in use

NAT & Routed Shared LAN Interface
Dedicated LAN Interface

NAT & Routed Shared LAN Interface

The WAN interface will need to be configured first of all, in this example, the router is using 198.51.100.153 as its WAN IP address, this is configured from WAN > General Setup by selecting and Editing the relevant WAN interface.

This example also has 198.51.100.154 specified as an Alias IP, which can be used for port forwarding. This removes that IP address from the IP addresses available on the public subnet because it is effectively in use by the router.

This method requires temporarily disabling the WAN interface from the Global tab of that WAN interface's configuration. Once that is done, click Apply to apply the changes.

The LAN interface then needs to be configured with the additional routed interface. This is done from the LAN - General Setup section by editing the existing LAN profile. Scroll down to the More Subnet section and click Add. Enter the IP address to use; in this example we use 198.51.100.158, the Subnet Mask must also be specified to match what the ISP has provided.

Set the Mode of the additional subnet to ROUTING mode and enable or disable DHCP depending on your requirements (with this implementation, it's recommended to leave DHCP disabled). Make sure that the Start IP and End IP addresses reflect the available range.

Click the Save button once that's configured, then click Apply to save and apply that change.

The WAN interface can be re-enabled at this point:

With the WAN and LAN interfaces configured, the router now needs the IP Routing configured to link them - this is configured from Routing - Static Route - LAN/WAN Proxy ARP.

Click the Add button on there to create a new entry:

In the pop-up window, set the name to reflect which network it links to, link the WAN interface, in this case wan1 to the LAN interface with the routed subnet configured, in this case lan1. Enter the IP address that the router will be using for the IP Routed subnet, set the subnet mask and click Apply on that to apply it.

With that configured, the router will then be able to route traffic directly to devices configured with the public subnet range and using the router's 198.51.100.158 address as the gateway address.

Dedicated LAN Interface

A new LAN interface then needs to be configured with a routed interface. This is done from the LAN - General Setup section by clicking Add to create a new LAN profile.

This is set up with a unique VLAN tag to differentiate it from existing networks, which is in this case set to 100.

The Mode of this network must be set to ROUTING.

Enter the IP address for routing usage, in this example we are using 198.51.100.158, the Subnet Mask must also be specified to match what the ISP has provided.

Enable or disable DHCP depending on your requirements. Make sure that the Start IP and End IP addresses reflect the available range if DHCP is enabled.

Click Apply to save and apply that change.

With the WAN and LAN interfaces configured, the router now needs the IP Routing configured to link them - this is configured from Routing - Static Route - LAN/WAN Proxy ARP.

Click the Add button on there to create a new entry:

In the pop-up window, set the name to reflect which network it links to, link the WAN interface, in this case wan1 to the LAN interface with the routed subnet configured, in this case, the newly created LAN interface called IPRoute. Enter the IP address that the router will be using for the IP Routed subnet, set the subnet mask and click Apply on that to apply it.

The new LAN interface is not yet linked to any physical interface on the router so can't be used yet. To link this new LAN interface to a physical port, go to LAN > Switch and on there, select the existing default VLAN 10 and click Edit for that. On there, click the Untag drop down box and Unselect LAN_Port_2 then click Apply for that. This is so that this port is available as an Untagged port for the new LAN interface.

Click Add to create a new VLAN entry, set the VLAN ID to match what the new LAN interface is using, in this case 100, set the Member port to LAN_Port_2 and set the Untag port to LAN_Port_2 also. This means that any device connected to LAN Port 2 will join this VLAN without needing to provide the matching VLAN tag. Click Apply to apply that change.

That should then allow devices connected to the new LAN interface, via LAN Port 2, to use the IP Routed subnet when using an IP address from the available range, with the gateway address set to 198.51.100.158.

If this VLAN will link into a network that uses VLAN tags or there is a switch in use with VLAN tags configured, simply add the new VLAN tag interface and set the Member ports to LAN_Port_1 and LAN_Port_2. Then Apply that by clicking Apply. This configuration would require a connected switch or device to supply the VLAN tag to be a member of the IP routed network.

How do you rate this article?

1 1 1 1 1 1 1 1 1 1

: First Published: 06/01/2015; Last Updated: 16/06/2020

Share this link

Configuring non-NAT operation (public subnet) with a Vigor 3900 / 2960

NAT & Routed Shared LAN Interface