how do I configure NAT router firewall...?

Discussion in 'other firewalls' started by thathagat, Oct 27, 2008.

Thread Status:
Not open for further replies.
  1. thathagat

    thathagat Guest

    hello......I have a ZTE ZXDSL 531B modem from Dataone broadband and it has two options, enable NAT and enable firewall...but no firewall settings....so
    1. Is there a general guide to set up the firewall configuration in a NAT router?
    2. Is a router firewall effective without tweaking any settings, i.e. at the default level?
    thanks...........
     
  2. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    First, it seems you are using an xDSL modem. For xDSL modems, NAT can be enabled only if your ISP is running the service on IPoX (IPoE or IPoA).

    An ISP can run broadband using PPPoX or IPoX. If they choose the latter, you will have an option to do NAT. In case the ISP chooses PPP-based protection, no NAT is possible since NAT needs IP.
    If I remember correctly BSNL DataOne uses PPPoA/E (depends on area; some places have full PPPoE support, others are still running legacy PPPoA). So I think the modem provided is also something that can't fully support NAT.

    Please check and get back if your ISP is using IPoX. If possible provide some details of it. Then maybe I could guide you. (My xDSL CPE skill set is rusty. It's been a long time since I left that product set. So, sorry in advance.)
     
  3. thathagat

    thathagat Guest

    hey vijay.....
    1. maybe these screenshots would explain my router status better....
    2. the router firewall is stealthing the ports (I presume), for KIS2009 does not do that and at GRC Shields Up my ports come up stealthed.
     


  4. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    thathagat, looks like you are running PPPoE on the CPE with NAT enabled.

    Looks like NAT is enabled. Now your WAN IP = IP given by the ISP via PPPoE. But since it uses PPP for obtaining the IP, I am not sure if NAT will work. You need some pretty intelligent software to take the IP info obtained from PPP and then route effectively.
    PS: This modem uses the same Broadcom chipset as Comtrend (which is much more popular, and has English manuals available). Hence you will find the exact same GUI there too. I suggest you download a Comtrend user manual (like the CT 5372, or any other ADSL2+ CPE from Comtrend) for reference.

    Most CPEs have a very basic firewall with a default minimal ruleset. Most of them operate on the first 3 layers only, and even there handle very few scenarios. Only in high-end models can you find a fully configurable firewall (since a dedicated firewall needs a powerful network processor, which most cheap ones don't carry).
     
  5. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    With these routers, you get NAT+SPI and essentially the firewall drops all unsolicited inbound packets. Usually you can configure exceptions - such as port forwarding and DMZ - in separate sections, and that's all.

    As already suggested above, download the manual/documentation and explore the GUI to see what's available there. If you connect multiple boxes to it, do NOT disable NAT.
     
  6. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    Why not? PPP is designed specifically for this.

    Yes.

    In most, if not all, home routers the term "firewall" will refer to a state table. It is a simple IP/port check mechanism which will ensure that only requested inbound packets are forwarded to your IP (based on what has been requested by outbound). Many vendors will refer to it as "SPI". Some may find this type of check insufficient, so there is an option to untick the "Firewall" option in a router and use a software firewall of your choice.

    If you untick "Enable NAT" then your router will run in "bridged" mode. Your PC/NIC will then get an external (WAN) IP assigned to you by your ISP and no LAN is available. If you untick "Enable Firewall" as well, then the state table will not be kept for that IP and all inbound packets will be sent directly to your TCP/IP stack (or to a software firewall of your choice).

    The state table will be kept for stateful (TCP) and stateless (UDP, ICMP) protocols. For that reason, there is no need for additional filtering except for PortMapping (from a screenshot) when you wish to omit certain ports (or a range of ports) from filtering. PortMapping is valid/available only in NAT "mode".
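    To make the state-table behaviour described above concrete, here is an added toy model (not code from the thread or from any router vendor) of a NAT router with a stateful check: outbound packets create a state entry, inbound packets are forwarded only when they match an entry or an explicit port-mapping rule, and everything else is dropped. The WAN address 44.33.22.11 and LAN host 192.168.1.100 come from this thread; the remote addresses, port numbers and the port-forwarding rule are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"; ICMP is omitted from this toy model
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class HomeRouter:
    """NAT plus a stateful (SPI-style) check, simplified: no entry timeouts,
    no TCP flag tracking, one WAN port per LAN flow."""

    def __init__(self, wan_ip: str, port_forwards=None):
        self.wan_ip = wan_ip
        # PortMapping / port forwarding: the only configurable exceptions.
        # (proto, wan_port) -> (lan_ip, lan_port)
        self.port_forwards: Dict[Tuple[str, int], Tuple[str, int]] = dict(port_forwards or {})
        # State table filled by outbound traffic:
        # (proto, wan_port, remote_ip, remote_port) -> (lan_ip, lan_port)
        self.state: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}
        self.lan_to_wan: Dict[Tuple[str, str, int, str, int], int] = {}
        self.next_port = 40000   # constructed start of the NAT port pool

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> WAN: allocate a WAN port, record the flow, rewrite the source."""
        flow = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        wan_port = self.lan_to_wan.get(flow)
        if wan_port is None:
            wan_port = self.next_port
            self.next_port += 1
            self.lan_to_wan[flow] = wan_port
            self.state[(pkt.proto, wan_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(pkt.proto, self.wan_ip, wan_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN: forward only if solicited or explicitly mapped, else drop."""
        if pkt.dst_ip != self.wan_ip:
            return None
        lan = self.state.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if lan is None:
            lan = self.port_forwards.get((pkt.proto, pkt.dst_port))
        if lan is None:
            return None   # unsolicited: dropped, which is why a scanner sees "stealth"
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, lan[0], lan[1])

def demo():
    """Constructed traffic: one outbound HTTPS flow, its reply, a probe, a mapped port."""
    r = HomeRouter("44.33.22.11", {("tcp", 8080): ("192.168.1.50", 80)})
    out = r.outbound(Packet("tcp", "192.168.1.100", 51000, "203.0.113.9", 443))
    reply = r.inbound(Packet("tcp", "203.0.113.9", 443, "44.33.22.11", out.src_port))
    probe = r.inbound(Packet("tcp", "198.51.100.7", 5555, "44.33.22.11", 445))
    mapped = r.inbound(Packet("tcp", "198.51.100.7", 5555, "44.33.22.11", 8080))
    return out, reply, probe, mapped
```

    Running demo() shows the reply reaching 192.168.1.100:51000, the unsolicited probe to port 445 returning None, and the port-mapped packet reaching the internal host, which is the whole of what "SPI" plus port forwarding does on such a device.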
     
  7. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    Nick, if you look up NAT (RFC 3439), you will find that it's designed for the DL as ETH.
    Here the OP is using an xDSL CPE with the ISP using PPPoE for authentication.

    Now if the CPE is used as the PPPoE dialer, then the WAN side uses PPPoE, while the LAN side uses ETH. Hence your CPE is already acting as a router and doing translation between ETH packets with a LAN IP and PPPoE packets on the WAN side. So in effect you have a partial NAT-like behaviour. (Not fully NAT, since it's PPP.) So enabling/disabling NAT will probably do nothing here.

    Suppose the CPE is not the PPPoE dialer and the PC is used to dial the PPPoE connection. Here the CPE will NOT ACT AS A ROUTER, since the LAN side has the active PPPoE connection and IP, while the WAN side is basically bridged.

    In summary, in both cases you can have at best routing, but not NAT. Although some vendors have a custom NAT-like implementation, these as per my knowledge died off due to an array of vendor conflict issues.
     
    Last edited: Oct 28, 2008
  8. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    If I remember correctly, these chipsets/lines of CPE don't have SPI support. And their firewall is basic and covers at most the first 3 layers, which basically protects users from floods and does some IP-based filtering (like you mentioned, unsolicited packet drop is key here).
     
  9. thathagat

    thathagat Guest

    Man....now I am confused.............:doubt:
    1. does this router firewall in its present status add a layer of protection to the firewall of KIS2009, or vice versa?
    2. two of my other PCs have Avast Pro and no firewall with this xDSL NAT router; are they safe or do I need a software firewall....though I use Returnil on virtually each of my PCs/laptops?
    3. this is supposedly the best xDSL NAT router provided by BSNL/Dataone, my ISP; should I move to Netgear or something better for my home connection, or is this just fine...?
    4. wow...and I thought software firewalls were difficult to configure...o_O
     
  10. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Eh? What on earth are you talking about?

    1/ PPPoE is a standard ADSL technology.
    2/ No, they won't have just routing unless their ISP has gone completely mad. The router will receive the public IP and will assign IPs from the reserved private range to its DHCP clients on the local LAN.

    Please, stop confusing the OP with completely nonsensical information.
     
  11. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,981
    Location:
    U.S.A.
  12. thathagat

    thathagat Guest

    thanks for the link....but
    1. no configuration of firewall/routing/NAT/ports etc. is provided in the manual; I already have a copy of it, it came with the ZXDSL 531B.
    2. guys.....are you saying
    (a) NAT/routing/firewall is there but cannot work?
    (b) the firewall works but is basic at most?
    (c) firewall/NAT/routing works fine as in most cases?
    (d) NAT/routing/firewall not present?
     
  13. Arup

    Arup Guest

    Thathagat,
    In WAN settings, make sure MTU is set to 1452 as that's the default MTU BSNL runs on, then make sure that you change the MTU in your LAN via utilities like TCP Optimizer if you are running XP; for Vista, the procedure is different. No need to add an extra layer of firewall in your system to slow down already slow BB. Just use common sense, a good AV and a HIPS, that's all. The NAT will hide your IP and the base firewall in the router will protect you from DDoS etc. Apart from that, the only reason for you to upgrade your existing router would be if you face slowdowns with P2P, downloads and frequent disconnections. Then a Netgear or D-Link will do better. For routers with a firewall, you need to get the high end and in your case that extra added cost is not really justified.
     
  14. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    With all due respect, DN, I have the same set of questions for you...
    ADSL/VDSL is a physical layer technology. PPP is Data Link Layer. Please refer to the OSI model for reference. PPPoX is used only by ISPs which have not moved to a pure IP/ETH backbone. Most VDSL providers provide IPoE only.

    Of course they will route!! Your LAN side is in a public subnet like 192.168.1.x and your ISP will provide you a private IP which is obtained by the WAN side (via PPPoE in this case). It has to be routed....

    Again, if you feel the need to refute me, please give me the specs, RFC, IEEE, ITU standard you are referring to. Because although I have not worked on DSLAMs for a while, I am sure the standards have not changed.
     
  15. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    OK, since everything is running amok here, please let me lay down the info straight.

    xDSL is a physical layer technology. Over it a user can connect to the ISP network and then the internet. There are multiple technologies and methods for the user to connect to the NOC of the ISP. Each of the following depends on the implementation used at the NOC and the ISP preference.

    1. PPPoA: PPP packets are encapsulated in ATM cells. Typically CHAP authentication in PPP is used by the ISP for authentication. In this case, the NOC has an ADSL DSLAM and a backbone based on ATM.
    The CPE in this case will act as a router, since the WAN side (connected to the ISP) works on PPPoA and the LAN side (user side) works on ETH. Since the user side is on ETH, the CPE has to act as a PPPoA dialer.

    2. IPoA: IP encapsulated in ATM. Same as the last case, the NOC still has some parts of legacy ATM equipment. Since it's ATM, DHCP can't be used (as ATM has no broadcast, only MC VC). So mostly the DSLAM or other ISP equipment will act as a proxy to obtain an IP via DHCP from the part of the NOC which has ETH and then relay it back to the CPE.

    Again, same as the last case, the CPE will have to act as a router.

    3. PPPoE: Here the NOC is ETH based, but still uses legacy PPP for user billing and management. As we can see, the ISP uses ETH, which is the same as the user PC (ETH as stated earlier).
    So we can have 2 scenarios:
    a) We let the user PC start the PPPoE session. In this case the CPE acts just as a DSL modem, nothing more. A packet received from the user just needs to be sent over xDSL to the NOC. No need to alter the packet in any way.
    b) The CPE starts the PPPoE session. In this case, the LAN side remains the same (it has public subnet IPs). But the WAN side will dial via PPPoE and start a session. Now we see both sides have IPs in different subnets. For ex: User PC = 192.168.1.100 & IP given by ISP (WAN) = 44.33.22.11
    Now the xDSL CPE has to route between the 2 interfaces.

    4. IPoE: In this the complete NOC-to-user architecture is based on IP/ETH. So here the NOC will allocate IPs using DHCP. So there are again 2 cases (just like the last case):
    a) User PC sends DHCP directly to the NOC: In this case the xDSL CPE just acts like a modem.
    b) CPE's WAN sends DHCP to the NOC: In this case, the WAN side will get a private IP from the ISP, while the LAN side will be in a public subnet. So the CPE will route between the two.

    NOTES:
    1) NAT as per the RFC is designed for the IP stack. Hence NAT can be done only with IPoA or IPoX, not with PPPoX, where you will have general routing only.
    2) The user PC will use DHCP for getting an IP from the CPE: In cases 1, 2, 3.b, 4.b the PC sends DHCP and it is responded to by the CPE. The IP given can be configured on the CPE itself and hence is always in a public IP subnet. Note, this is not routed/forwarded to the NOC.

    I know I have added a lot of technical gibberish. Please feel free to comment to make it more understandable.
    Thanks...
     
  16. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    In your case (since I think it's PPPoE and the CPE is dialing) it's only routing. The in-built firewall provides only the protection needed for effective routing/encapsulation of packets. Nothing more.

    NAT is a different concept, which the modem supports, but the ISP isn't allowing due to the usage of PPPoX.
    Yes, since the CPE firewall is designed to effectively protect from issues arising from encapsulation/routing only.
    See my post explaining the various config possibilities. NAT can be used only in the IPoX case. In other cases it's just routing or plain transparent.

    NAT provides a higher degree of insulation, while the others are low-level specific only (in this case).
     
  17. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Sigh; incorrect. And yeah, please let's drop the gibberish (such as NOC and CPE, which only obfuscates things). You can configure these devices to act either as a router or as a bridge. In the first case, the "modem" will get the public IP from your ISP, assign private IPs to boxes on your LAN and obviously will NAT the traffic. In the second case, a computer connected to it will get the public IP and will have to take care of all the routing etc. for other LAN clients (IOW, for Windows-based desktop OSes you'll have to configure Internet Connection Sharing there). If you claim that there's no NAT on PPPoE when the "modem" acts as a router and not a bridge, then I'd suggest using Wireshark to get a better idea.
     
  18. thathagat

    thathagat Guest

    hello...this router business is tough.....:'(

    but I found some information from the ISP site; now I can't make head or tail of it but maybe you guys can....so here it is....

    BSNL broadband is based on ADSL technology and uses the PPPoE protocol for authenticating and accounting the user access. The CPE (ADSL Modem) is a multi-featured, powerful router. It can be configured in two modes.
    Bridge Mode:

    This is the default factory setting. In this mode the modem works as a transparent Ethernet bridge and therefore you need to run the PPPoE client software (for login authentication) on your PC/server. WIN XP systems have this feature inbuilt, but for other operating systems you need to buy it from the market. Some freeware like RASPPPoE, Enternet etc. is also available on the Internet.

    PPPoE Router mode:

    In this mode the modem works as a router and the PPPoE session terminates on the WAN port of the router. The PPPoE client is inbuilt in the modem and the IP allocated by the BRAS server gets assigned to the WAN port of the modem. The internal network has to use private IPs and for Internet access NATing happens in the modem. BSNL follows this method. This method is advantageous in many ways, like availability of the advanced features of the router and powerful diagnostic tools for troubleshooting connection problems.

    It is recommended to use the CPE in PPPoE router mode. This makes the internal network secured, as the servers/PCs are not directly exposed to the public Internet. The CPE has got all the advanced features like firewall, IP access lists, VPN pass-through, NAT, port forwarding which are required for any Intranet.
     
  19. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Yes; that's a good and correct explanation. Seems pretty readable to me, but just ask if anything is unclear there.

    (Just a side note - the default being bridge mode is pretty weird, considering that they (rightly) recommend using router mode. Don't they supply the devices themselves? If so, why don't they preconfigure them to their recommended settings? :D Plus pretty much every DSL 'modem' I touched has the defaults the other way round, i.e. router.)
     
  20. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,456
    My advice is to use NAT, enable your firewall, and disable all the services that you will not use or aren't needed now, like IPv6...

    Check if your router is supported by DD-WRT... ;)
     
    Last edited: Oct 29, 2008
  21. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    My point being that there is a difference between NAT and routing. They are not interchangeable.

    Please read RFC 3439; NAT was not designed for the PPP stack. In a purist world, PPPoE NAT is not possible. For proof, on a PPPoE routed CPE first enable NAT and see the Wireshark capture. Then disable NAT and compare the Wireshark capture.
    It will be the same, since NAT is not implemented on that network model. Enable/disable NAT on most models just sets a flag, which will trigger action when the specific NAT if-stack is activated. But on PPPoE, the whole NAT stack is bypassed and hence you will see no difference at all with or without NAT enabled.
     
    Last edited: Oct 29, 2008
  22. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    I have no interest in confusing the OP further. Obviously you've missed who your audience is here; the guy can't figure out a simple web GUI and you keep flooding him with basically totally irrelevant purist gibberish.

    If I disable NAT on my PPPoE, I lose internet connectivity on LAN clients, so stating that "there's no difference at all w/o NAT enabled" is obviously completely wrong.
     
  23. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    Could you provide me your CPE config details? Any Wireshark capture would be useful too.
    I have worked on programming/testing/deploying both CPE and DSLAM in the past.

    I can't see how this kills your INTERNET connectivity. If you know better, please do explain to me the schematics of things.

    PS: The OP wanted to enable NAT and wanted to know the worth of the firewall. Both have been answered.
    My only difference with you is over the fact that NAT disable/enable over PPPoE routed mode makes no difference.
     
  24. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Well, seriously, this is so simple and so obvious I don't understand what this debate is about. If you disable NAT, you can connect a single, and only a single, computer to the internet. All the other boxes will have no internet connectivity. If you need to connect more boxes, you MUST enable NAT.

    To quote from the manual for this exact DSL router type:

    Not that the exact type would matter, because it's exactly the same with any of these DSL routers I got my hands on. E.g., the D-Link DSL-G684T:

     
  25. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    OMG...

    I have just logged in in order to say something here, but I see now where you two are heading...

    I will not participate in this battle of egos anymore.


    Cheers,
     