For the last two months, I used NAT to make use of my 5 static ips. I wanted to do away with NAT and create another network for public ip space. My goal was simple: a router that was attached to two networks, an RFC1918 LAN and a LAN for my public ip block; however, this would not be an easy task.
Desired Network Topology:
                        /-------------------\          ____Host A_____
                        +       LAN1        + ------> | 18.104.22.168 |
                        + 22.214.171.124/29 +          ----------------
+------------------+          +--------+          /--------------------\
|      modem       | --> eth0 | router | eth2 --> + LAN2 (192.168.1.1) +
|   10.1.10.1/24   |          +--------+          \--------------------/
| 126.96.36.199/29 |
Ideally, the modem would be configured as a bridge, with a default route via eth0 to Comcast’s gateway. The routing should be simple. Sadly, Comcast made this way more difficult.
The modem, an SMCD3G (cable gateway), is a switch and router with modem functionality. In theory, it should be possible to disable the router/switch functionality and turn it into a bridge; however, Comcast refuses to provision the modems in this manner.
The modem has two interfaces, a coax interface and a switched virtual interface (svi). The coax interface is provisioned automatically and is used to communicate with Comcast’s gateway. The svi is configured with two network blocks: 10.1.10.1/24 (RFC1918) and 188.8.131.52/29 (static ip block). Unfortunately, it is not possible to see how the modem is configured; therefore, the above is an educated guess, based on the network traffic I saw from the modem.
The modem’s configuration posed a slight problem. The modem was configured with 184.108.40.206/29, but I wanted to assign 220.127.116.11/29 to the router. After some trial and error, I figured out how to make this configuration work. The secret: proxy arp.
General Configuration / Theory
Disable the firewall/router functionality on the modem. The modem configuration can be accessed via 10.1.10.1; the username is ‘cusadmin’ and the password is ‘highspeed’. Comcast follows similar steps when you request them to bridge your modem.
Note: this configuration will not disable the routing and switching functionality of the modem.
Firewall -> Firewall Options
* [checked] Disable Firewall for True Static IP Subnet Only
* [checked] Disable Gateway Smart Packet Detection
* [unchecked] Disable Ping on WAN Interface
Firewall -> Port Configuration
* [checked] Disable all Port Forwarding rules
Firewall -> 1-to-1 Network Address Translation
* [checked] Disable all
LAN -> IP Setup
* [unchecked] Enable LAN DHCP
Ensure there are no static routes configured on the modem, filtering is disabled, a dmz has not been configured, and website blocking is disabled.
Assign 18.104.22.168/29 to router:eth1 (lan1) and assign 192.168.1.1/24 (lan2) to router:eth2.
To get traffic between the modem and router, router:eth0 needs to be configured. Assign 10.1.10.2/24 to router:eth0 and set the default gateway to 10.1.10.1 (the modem’s lan ip).
At this point, it should be possible to access the internet from the router. The src ip of packets going out eth0 will be 10.1.10.2. Since 10.1.10.1/24 is not routable on the internet, the modem will SNAT 10.1.10.2 to 22.214.171.124. To fix this, we need to set the src ip of the default route to match the ip that is configured on router:eth1 (126.96.36.199).
ip route add default via 10.1.10.1 src 188.8.131.52
A tool such as ifconfig.me will show the external src ip of the host.
From your host run:
184.108.40.206/29 lives on the modem, outside of LAN1; therefore, a static route to 220.127.116.11 via 10.1.10.1 (modem) should be configured.
ip route add 18.104.22.168/32 via 10.1.10.1
Note: overlapping network space is a poor configuration practice and should be avoided. In this case, it is the only way to configure the network.
Host A (22.214.171.124) tries to ping 126.96.36.199. Echo requests go out, but Host A never receives echo replies. A tcpdump of router:eth0 verifies the icmp traffic is leaving the router with the correct src/dst ips, but does not show any return/inbound traffic, except from the modem. From the tcpdump, one will see the modem is sending the following arp requests:
ARP, Request who-has 10.1.10.2 tell 10.1.10.1, length 28
ARP, Reply 10.1.10.1 is-at c4:39:3a:02:02:02 (oui Unknown), length 46
ARP, Request who-has 188.8.131.52 (Broadcast) tell 184.108.40.206, length 46
ARP, Request who-has 220.127.116.11 (Broadcast) tell 18.104.22.168, length 46
ARP, Request who-has 22.214.171.124 (Broadcast) tell 126.96.36.199, length 46
ARP, Request who-has 188.8.131.52 (Broadcast) tell 184.108.40.206, length 46
ARP, Request who-has 220.127.116.11 (Broadcast) tell 18.104.22.168, length 46
The router can reply to the requests for 22.214.171.124 and 10.1.10.2. The router cannot reply for addresses that are not configured on it. No other devices will respond to these arp requests, because the router and modem are the only devices on the layer 2 segment. Why does this happen? The modem’s svi has an ip address of 126.96.36.199/29. The 188.8.131.52/29 network is directly attached and is the final destination. Luckily, we can make use of proxy arp. Proxy arp will make the router respond to all arp requests.
Enable proxy arp on router:eth0.
Now, when Host A (184.108.40.206) pings 220.127.116.11, icmp echo requests are sent and echo replies are received.
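The diagnosis above can be repeated on any capture. The following is an added example, not part of the original post: a shell function that reads `tcpdump -n` ARP output and lists the targets that were asked for, never answered, and sit inside the prefix routed behind eth1, which are the requests proxy arp on eth0 would cover. The function names, the 203.0.113.0/29 block, the MAC addresses and the capture lines are all constructed sample values.

```shell
#!/bin/sh
# Added example: which unanswered ARP targets would proxy ARP on eth0 cover?
# Linux proxies a request only when forwarding is on and the route to the
# target leaves through a different interface than the request arrived on.

# Constructed capture (tcpdump -n -t style); all addresses are sample values.
sample_capture() {
    cat <<'EOF'
ARP, Request who-has 10.1.10.2 tell 10.1.10.1, length 28
ARP, Reply 10.1.10.2 is-at 02:00:00:00:00:02, length 28
ARP, Request who-has 203.0.113.2 (Broadcast) tell 203.0.113.6, length 46
ARP, Request who-has 203.0.113.3 (Broadcast) tell 203.0.113.6, length 46
ARP, Request who-has 203.0.113.2 (Broadcast) tell 203.0.113.6, length 46
ARP, Request who-has 203.0.113.1 (Broadcast) tell 203.0.113.6, length 46
ARP, Reply 203.0.113.1 is-at 02:00:00:00:00:02, length 28
ARP, Request who-has 203.0.113.9 (Broadcast) tell 203.0.113.6, length 46
EOF
}

# usage: proxy_arp_candidates ROUTED_CIDR ROUTER_IP... < tcpdump-text
# Prints targets that were asked for, never answered, are not the router's
# own addresses, and sit inside ROUTED_CIDR (the prefix behind eth1).
proxy_arp_candidates() {
    cidr=$1; shift
    awk -v cidr="$cidr" -v own="$*" '
    function ip2int(ip,   o) {
        split(ip, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    function in_cidr(ip) { return int(ip2int(ip) / size) == int(base / size) }
    BEGIN {
        split(cidr, c, "/"); size = 2 ^ (32 - c[2]); base = ip2int(c[1])
        n = split(own, l, " "); for (i = 1; i <= n; i++) mine[l[i]] = 1
    }
    {   # works with or without a leading timestamp field
        for (i = 1; i < NF; i++) {
            if ($i == "who-has") asked[$(i + 1)] = 1
            if ($i == "Reply")   answered[$(i + 1)] = 1
        }
    }
    END {
        for (ip in asked)
            if (!(ip in mine) && !(ip in answered) && in_cidr(ip)) print ip
    }' | sort
}

# Router owns 10.1.10.2 (eth0) and 203.0.113.1 (eth1); LAN1 is 203.0.113.0/29.
sample_capture | proxy_arp_candidates 203.0.113.0/29 10.1.10.2 203.0.113.1
```

Addresses outside the routed prefix (203.0.113.9 in the sample) are not listed, which makes the list a quick check that proxy arp is only standing in for hosts that really live behind the router.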
SNAT needs to be configured so hosts in LAN2 (192.168.1.1/24) can communicate on the internet. Keep in mind, the address used for SNAT can’t be the router gateway (18.104.22.168), modem gateway (22.214.171.124), or any host addresses in LAN1.
Applying the above configuration to a Linux router
Make sure the modem has been configured appropriately (see above).
# set ip addresses
router$ ip addr add 10.1.10.2/24 dev eth0
router$ ip addr add 126.96.36.199/29 dev eth1
router$ ip addr add 192.168.1.1/24 dev eth2
# bring up interfaces
router$ ip link set eth0 up
router$ ip link set eth1 up
router$ ip link set eth2 up
# add routes
router$ ip route add default via 10.1.10.1 src 188.8.131.52 # change src to the ip on eth1
router$ ip route add 184.108.40.206/32 via 10.1.10.1 # route to the modem's IP
# enable proxy arp on eth0
router$ sysctl -w net.ipv4.conf.eth0.proxy_arp=1
# snat traffic from lan2 (POSTROUTING with SNAT lives in the nat table, so -t nat is required)
router$ iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 220.127.116.11