In the previous article we enabled and checked IPv4 connectivity between RARE/freeRouter and the ISP box using the sdn1 interface within the 192.168.0.0/24 network. But as stated in the previous post, I'd like:
- all people connected within 192.168.128.0/17
- to access the external world
In this article we will continue the SOHO network appliance installation and enable IPv4 connectivity from all hosts connected to your internal network to the external world.
[ #004 ] - Do you need translation ?
First step: let's create an interface Loopback0 within 192.168.128.0/17, let's say 192.168.254.1/32.
Next, let's try to ping 184.108.40.206.
Hey! It seems that it's not working as expected! At the present time, it seems that no one is able to reach the outside world. Let's try to figure out why.
- It is a common best practice to dedicate a loopback to a router in a VRF
- Loopbacks are mostly used to identify a service offered by the router
- Each service is bound to this Loopback in a specific VRF
This confirms the ping failures we observed previously. The output above indicates that the packet does not even egress our SOHO router.
What does the inet VRF say?
So we have no default route. Let's configure one, pointing towards the ISP box gateway:
So at that point, packets sent to 220.127.116.11 are forwarded to next hop 192.168.0.254 via sdn1.
But ping is still not working. Let's figure out what's going on here.
As depicted in the previous article:
- The ISP box has its demarcation point set to 192.168.0.254
- So the ISP box is configured to perform Network Address Translation from 192.168.0.0/24 → the ISP's public IPv4 interface
- When the ISP box receives an ICMP ping from 192.168.254.1, which does not match any of its NAT rules → the packet is discarded
Therefore, in order to have a seamlessly working network from the ISP box's point of view, traffic coming from 192.168.128.0/17 probably needs to be NATed into the 192.168.0.0/24 network. Let's see if our guess is right.
Let's configure IPv4 Network Address Translation specifically for Loopback0:
In the config stanza above we configure an access-list called ACL-NAT4 in VRF inet that translates all packets coming from 192.168.254.1 and going anywhere to the IPv4 address of interface sdn1. It also excludes inter-VLAN traffic within 192.168.128.0/17 from NAT and does not touch multicast traffic.
Yahhoooo! It works... Our guess was right after all...
From now on we assume that the home network is subnetted as follows, all inside VRF inet:
- appliance port#1 @ sdn1: 192.168.0.0/24 (ISP subnet)
- appliance port#2 @ sdn2: 192.168.130.0/24
- appliance port#3 @ sdn3: 192.168.133.0/24
- appliance port#4 @ sdn4: 192.168.134.0/24 (unused)
- appliance port#5 @ sdn5: 192.168.135.0/24
- appliance port#6 @ sdn6: 192.168.136.0/24
- appliance integrated wifi @ sdn998: 192.168.129.0/24
- appliance loopback inet @ loopback0: 192.168.129.0/24
In the config stanza above we configure an access-list called ACL-NAT4 in VRF inet that translates all packets matching 192.168.[128|129|130|133|135|136|254].0/24 going anywhere.
Each time you modify ACL-NAT4 you will need to re-apply the NAT calls:
Also notice that we are NATing 192.168.128.0/24, which is the OOBM subnet of the Linux appliance itself. This is needed during Debian system update/upgrade operations and also for the auto-upgrade feature that I'll describe in a future article.
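To make the two NAT steps above concrete (the Loopback0-only ACL first, then the ACL extended to the whole addressing plan), here is an added Python model of what VRF inet does with a packet: a longest-prefix route lookup, then a first-match walk of ACL-NAT4 that decides whether the source is translated to sdn1's address before the ISP box sees it. This is example code written for this article, not freeRouter configuration or freeRouter's own code. It assumes sdn1 carries 192.168.0.1 (the page does not state the appliance's address on the ISP subnet), takes Loopback0 as 192.168.254.1/32 as configured earlier, and reduces the ISP box to "only 192.168.0.0/24 sources get NATed".

```python
# Added example (not freeRouter code): a small model of routing + ACL-NAT4 in VRF inet.
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, NamedTuple, Optional, Tuple


class Route(NamedTuple):
    prefix: IPv4Network
    nexthop: Optional[IPv4Address]  # None means directly connected
    iface: str


# Values from the article's addressing plan. sdn1's own address on the ISP subnet
# is not stated on the page; 192.168.0.1 is an assumed value.
SDN1_ADDR = ip_address("192.168.0.1")
ISP_GW = ip_address("192.168.0.254")
ANY = ip_network("0.0.0.0/0")
HOME = ip_network("192.168.128.0/17")      # everything behind the appliance
MULTICAST = ip_network("224.0.0.0/4")
ISP_SUBNET = ip_network("192.168.0.0/24")  # the only range the ISP box will NAT

CONNECTED: Dict[str, IPv4Network] = {
    "sdn1": ISP_SUBNET,
    "sdn2": ip_network("192.168.130.0/24"),
    "sdn3": ip_network("192.168.133.0/24"),
    "sdn4": ip_network("192.168.134.0/24"),
    "sdn5": ip_network("192.168.135.0/24"),
    "sdn6": ip_network("192.168.136.0/24"),
    "sdn998": ip_network("192.168.129.0/24"),
    "loopback0": ip_network("192.168.254.1/32"),
}
CONNECTED_ROUTES = [Route(net, None, ifc) for ifc, net in CONNECTED.items()]
DEFAULT_ROUTE = Route(ANY, ISP_GW, "sdn1")  # the default route added towards the ISP box

# The seven /24s the article's final ACL-NAT4 permits (OOBM subnet 128 included).
ALL_NAT_SOURCES = [ip_network(f"192.168.{n}.0/24")
                   for n in (128, 129, 130, 133, 135, 136, 254)]

AclRule = Tuple[str, IPv4Network, IPv4Network]  # (action, source, destination)


def build_acl_nat4(sources: List[IPv4Network]) -> List[AclRule]:
    """ACL-NAT4 as the article describes it. The two deny rules must come first:
    evaluated after the permits, LAN-to-LAN and multicast traffic would be translated too."""
    rules: List[AclRule] = [("deny", HOME, HOME), ("deny", ANY, MULTICAST)]
    rules += [("permit", src, ANY) for src in sources]
    return rules


def lookup(dst: IPv4Address, routes: List[Route]) -> Optional[Route]:
    """Longest-prefix match; None reproduces the 'no default route' situation."""
    best = None
    for r in routes:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def acl_action(acl: List[AclRule], src: IPv4Address, dst: IPv4Address) -> str:
    """First matching rule wins; an access-list ends with an implicit deny."""
    for action, s, d in acl:
        if src in s and dst in d:
            return action
    return "deny"


def isp_box_accepts(src: IPv4Address) -> bool:
    """Model of the ISP box: it only has NAT rules for its own 192.168.0.0/24 side."""
    return src in ISP_SUBNET


def forward(src: str, dst: str, routes: List[Route], acl: List[AclRule]) -> Dict[str, object]:
    """Return the egress interface, the source address the packet leaves with,
    and whether the ISP box would forward it."""
    s, d = ip_address(src), ip_address(dst)
    route = lookup(d, routes)
    if route is None:
        return {"egress": None, "src": str(s), "delivered": False}  # never leaves the router
    if acl_action(acl, s, d) == "permit":
        s = SDN1_ADDR  # source NAT to the sdn1 interface address
    delivered = isp_box_accepts(s) if route.iface == "sdn1" else True
    return {"egress": route.iface, "src": str(s), "delivered": delivered}


if __name__ == "__main__":
    rib = CONNECTED_ROUTES + [DEFAULT_ROUTE]
    for name, acl in (("no NAT", []), ("ACL-NAT4", build_acl_nat4(ALL_NAT_SOURCES))):
        print(name, forward("192.168.254.1", "184.108.40.206", rib, acl))
```

Running it walks through the article's three states: without the default route the ping has no egress at all; with the route but no NAT it leaves sdn1 as 192.168.254.1 and the ISP box drops it; with ACL-NAT4 it leaves as sdn1's address and is forwarded. The deny-before-permit ordering is what keeps 192.168.130.x to 192.168.133.x traffic and multicast untranslated once the permit entries cover whole /24s.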
IPv6 does need NAT in my specific case as my ISP has allocated me public IPv6 prefixes. We will see IPv6 configuration in the next articles.
In this article:
- We finally have a router that enables connectivity for all hosts inside the home network to the outside world
- Due to the ISP-specific setup, our router had to translate the inner home IP subnets to a subnet that can in turn be NATed by the ISP box
- We have a consistent IPv4 addressing plan
- We can now add very exciting features (in the next articles!)
RARE validated design: [ SOHO #004 ] - key take-away
In this example we are proposing a basic connectivity scenario. However, keep in mind that depending on your location the configuration might be drastically different. But do not fear! RARE/freeRouter has all the features needed to enable connectivity!
- NAT64 is available, so in case you want to run a pure IPv6 network, freeRouter can NAT64 traffic for you.
- NAT46 is also available. In case you are desperate, don't want to implement a pure IPv6 home network and have an ISP running only IPv6, freeRouter can NAT46 your traffic for you!
- In the example described, we are lucky to have a public global IPv6 address. We will see IPv6 configuration in subsequent articles.