Alan,

I am in complete agreement with you about reducing the functions of the
ISP supplied equipment. What I've been aiming at is to totally divorce it
from any function besides bridging the ATM signal (phone line) to Ethernet.
But the need to authenticate the PPPoE connection makes it impossible to go
directly from the bridge to a private router.

This is why I propose to run the output of the bridge into the primary
Macintosh, which can perform the PPPoE authentication, act as a firewall
and a proxy server, and NAT route packets downstream to a hub.
Alternatively, I could allow the bridge to continue performing the PPPoE
authentication, but pass the WAN IP to a local router, as would be the case
if the circuit were not PPPoE. The unit has both bridge mode and "relay"
mode.

ZyXEL responded today with the necessary information on how to access the
device if it has been set to bridge or relay, so I will now be able to play
with these topologies. In case you are interested, it continues to listen
for http or telnet traffic from a particular IP (192.168.1.10) over the
Ethernet side of the device. (A "magic number!") Knowing this also is a
warning to me not to use ZyXEL's magic numbers (0-31) in my own LAN.

Sergio, you have some research to do to learn the peculiarities of the
Ericsson device!

-----Original Message-----
From: Alan Watchorn <[EMAIL PROTECTED]>
Sent: Jan 12, 2005 1:31 PM
To: PicaRules <[EMAIL PROTECTED]>
Cc: VNC List <vnc-list@realvnc.com>
Subject: RE: Getting past *two* NAT routers

PicaRules,

You're right; there was no dotted line between 'DSL Ericsson Modem' and
'Router' - the line got broken there because of Sergio's mail program!

I take back the part about the diagram being wrong but the advice is still
good; reduce the functions in the ISP supplied equipment where possible if
the function can be done in your own network i.e. if you have a router and a
DHCP server in your own equipment, use it and disable those functions in the
ISP's equipment - you never know whether those same functions will be
available from your next ISP.



-----Original Message-----
From: PicaRules [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 12, 2005 10:30 AM
To: Alan Watchorn
Subject: RE: Getting past *two* NAT routers


Alan,

I'm not posting this, you can think it over and decide for yourself.

I think what Sergio meant in his diagram was "DSL Ericsson's modem router."
It's a bridge since it connects to the phone line, so we think of it as a
modem; but it also has the PPPoE authentication and (then) passes the
connection to its internal router.

-----Original Message-----
From: Alan Watchorn <[EMAIL PROTECTED]>
Sent: Jan 12, 2005 1:16 PM
To: vnc-list@realvnc.com
Cc: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: RE: Getting past *two* NAT routers

Sergio,

I think your network diagram is wrong.  By its very nature the modem has to
connect to the Internet directly so I think the router is actually
on the network side of the "DSL Ericsson's modem".

That aside, just turn off DHCP on the modem/router and assign it a fixed IP
address if you can and use the output from the modem/router box as your input
to the Linksys box and set the Linksys external (WAN) IP address to whatever
the IP coming out of the modem/router.

N.B. Make sure the range of IP addresses used by the DHCP server conflict
with any static address you define.

Alan.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Behalf Of Sergio Del Pino
Sent: Wednesday, January 12, 2005 6:10 AM
To: vnc-list@realvnc.com
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Getting past *two* NAT routers


Sorry for this off-topic, but I think that is already off-topic from the
previous message. (suggestions on where to ask this are accepted)

I'm using a DSL modem router Ericsson connecting using pppoe that have a nat
and DHCP providing one LAN address (10.0.0.4)  to a WIFI Linksys Router that
get  that LAN address as its WAN address and provide nat and DHCP to the
"real" lan 192.168.1.xxx wired and wireless machines.

Graphically:
{Clients} ----->WIFI  Linksys Router-------> DSL Ericsson Modem
Router ------> Internet
(192.168.1.xxx) (192.168.1.1/10.0.0.4)            (10.0.0.1/dyn public ip
address)

I'm not an IP/Network expert but I'm sure I'm doing something wrong using 2
routers(with its services nat,dhcp,etc.) to provide internet access to the
lan computers.
My question is which is the 'elegant' way to provide internet access to the
lan with this equipment?
should I convert the WIFI Linksys router into an access point? is this
possible?, how?
The DSL Ericsson modem router has a bridge feature, but not sure how to use
it.

Any ideas are welcome!!

Thanks in advance!

Sergio
Argentina

> Message: 1
> Date: Tue, 11 Jan 2005 07:42:10 -0600
> From: Angelo Sarto <[EMAIL PROTECTED]>
> Reply-To: Angelo Sarto <[EMAIL PROTECTED]>
> To: PicaRules <[EMAIL PROTECTED]>
> Subject: Re: Getting past *two* NAT routers
> Cc: vnc-list@realvnc.com
>
> You are correct it is not necessarily any different than what you are
> doing now, but it moves services off of the Mac and onto the router,
> allowing you to turn on and off the Mac without affecting Internet
> connectivity.  Additionally a typical SOHO router usually provides
> much more configuration options than ICS services (mac or pc).
>
> As for John's solution, this should work but we are simply reshuffling
> the same components around and it has a chance of failure depending on
> the operation of the ZyXel.
>
> Current Network
>
> {Clients} ----->Hub ------>  Mac  -------> Zyxel ------> Internet
>                                    (PAT)           (NAT)
>
> John's Solution
> {Clients + MAC} ----->Hub -------> Zyxel ------> Internet
>                                                 (PAT)
>
> My first proposed solution
> {Clients + MAC} ----->Router-------> Zyxel ------> Internet
>                                (PAT)           (NAT)
>
> You are correct that John's solution should work but now you will be
> doing PAT on a router that has limited options, and may not support
> PAT very well.  Additionally forwarding may be much more difficult in
> this situation.  The reason why I proposed the solution are the
> following:
>
> 1.  The router purchased can be completely controlled by you
> 2.  There would be no need for any computer in your network to support
> Internet connectivity.  (that is any could be turned off)
> 3.  This will allow you to replace the ZyXel device with a modem if
> you wish (and your ISP is okay with it)
> 4.  You can change service providers, other DSL ISP or even medium
> (cable modem)  with only a single setting change  (change the router's
> WAN type and address).
>
>
>
> --Angelo
>
>
> On Mon, 10 Jan 2005 22:03:20 -0800 (PST), PicaRules
> <[EMAIL PROTECTED]> wrote:
> >
> >
> > -----Original Message-----
> > >From: Angelo Sarto <[EMAIL PROTECTED]>
> > >
> > >Jumping in a little bit there is still one question I have....
> > >
> > >does your integrated device provide no firewall capability?  I mean if
> > >the integrated device exposes its only internal IP (.1.2) completely to
> > >the internet?
> >
> > No. The router portion of the ZyXEL exposes only the external IP;
> > I didn't think any 192.168.x.x addresses could even be seen except on
> > the LAN side of *any* router (as Alan states).
> >
> > >
> > >If this is the case, or you can place that IP in the dmz, or bridge
> > >mode may do this as well, then perhaps your answer is simple.
> > >
> > >1.  simply purchase an ethernet router - e.g. a dlink or linksys
> > >device.
> > >2.  change its wan type to static IP
> > >3.  assign its ip to 192.168.1.2
> > >4.  pretend your other device is just a modem, do all forwarding on
> > >the new router.
> >
> > Alan, I don't see how this is any more "elegant" than what I've been
> > doing all along. The Mac is already a true NAT router in and of itself,
> > not a bridge. Its second NIC connects to a hub, and the rest of the LAN
> > uses that interface's IP, 192.168.2.1, as the gateway.
> >
> > "Elegant" would be eliminating one or the other router and its address
> > translation. John's is the elegant solution--change the netmask
> > simultaneously with the Size of Client IP pool, and attach the ZyXEL to
> > the hub. This relieves the Mac of its need for a second NIC, reducing
> > rather than increasing the hardware involved.
> >
> > Thanks to everyone for sharing your knowledge. The only unanswered
> > question is how one would talk to the device at all if it became a
> > bridge. That one's for ZyXEL.
>
> --__--__--
_______________________________________________
VNC-List mailing list
VNC-List@realvnc.com
To remove yourself from the list visit:
http://www.realvnc.com/mailman/listinfo/vnc-list
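
Added example, not part of the original thread or any poster's code: a small address-plan check for the cascaded-NAT layouts discussed above. It flags hand-assigned addresses that fall inside a DHCP pool, inner and outer LANs that share a subnet, and use of a range the upstream device reserves. The subnet masks, pool boundaries, sample addresses and the reading of "0-31" as 192.168.1.0 to 192.168.1.31 are assumptions.

```python
import ipaddress as ipa

def _span(first, last):
    return ipa.ip_address(first), ipa.ip_address(last)

def check_plan(segments, reserved=()):
    """Return conflict descriptions for a chain of NAT segments (outermost first).

    Each segment: name, lan (CIDR), dhcp ((first, last) or None), and
    static (addresses assigned by hand). reserved: (label, first, last) ranges.
    """
    findings = []
    for seg in segments:
        net = ipa.ip_network(seg["lan"])
        pool = _span(*seg["dhcp"]) if seg["dhcp"] else None
        for raw in seg["static"]:
            ip = ipa.ip_address(raw)
            if ip not in net:
                findings.append(f"{seg['name']}: static {ip} is outside {net}")
            if pool and pool[0] <= ip <= pool[1]:
                findings.append(f"{seg['name']}: static {ip} is inside the DHCP pool")
            for label, first, last in reserved:
                lo, hi = _span(first, last)
                if lo <= ip <= hi:
                    findings.append(f"{seg['name']}: static {ip} is in {label}")
        for label, first, last in reserved:
            lo, hi = _span(first, last)
            if pool and pool[0] <= hi and lo <= pool[1]:
                findings.append(f"{seg['name']}: DHCP pool overlaps {label}")
    # A router cannot NAT between a WAN side and a LAN side on the same subnet.
    for outer, inner in zip(segments, segments[1:]):
        if ipa.ip_network(outer["lan"]).overlaps(ipa.ip_network(inner["lan"])):
            findings.append(f"{inner['name']}: LAN overlaps {outer['name']} LAN")
    return findings

# Constructed sample plans; masks, pools and the .40/.100 addresses are assumptions.
RESERVED = [("ZyXEL 0-31 range", "192.168.1.0", "192.168.1.31")]
GOOD = [
    {"name": "modem side", "lan": "192.168.1.0/24",
     "dhcp": ("192.168.1.33", "192.168.1.64"), "static": ["192.168.1.100"]},
    {"name": "private LAN", "lan": "192.168.2.0/24",
     "dhcp": ("192.168.2.100", "192.168.2.150"), "static": ["192.168.2.1"]},
]
BAD = [
    {"name": "modem side", "lan": "192.168.1.0/24",
     "dhcp": ("192.168.1.33", "192.168.1.64"), "static": ["192.168.1.40"]},
    {"name": "private LAN", "lan": "192.168.1.0/24",
     "dhcp": ("192.168.1.20", "192.168.1.60"), "static": ["192.168.1.10"]},
]

if __name__ == "__main__":
    for finding in check_plan(BAD, RESERVED):
        print(finding)
```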