A question on network router cabling

drvnbysound said:
My eyes were opened to the NAT reflection stuff when I went from a consumer grade Linksys 54G router/AP to an enterprise Cisco Integrated Services Router. I was kinda shocked that the "enterprise" solution didn't offer such "simple" functionality; with the Linksys it was default configuration that I never enabled. 
 
Mike, FWIW, in my part of the country, DirectTV's internet offering is ATT U-Verse; not sure if that's the same everywhere, but something worth checking into. If so, you have one less option... 
 
I had ATT Uverse here for many years until ATT sold all of its wireline service in Connecticut to Frontier Communication. Now it is the same technology renamed Frontier VantageTV. DirectTV is a satellite service owned by ATT as compared to the Uverse which comes into the house on copper wire and is owned by ATT.
 
The content packages are very different between Frontier VantageTV and DirectTV here in Connecticut.
 
Mike.
 
pete_c said:
Back to the Wiki here...
 
NAT loopback, also known as NAT hairpinning or NAT reflection,[9] is a feature in many consumer routers which permits the access of a service via the public IP address from inside the local network. This eliminates the need for using separate domain name resolution for hosts inside the network than for the public network for a website, for example.
The following describes an example network:
  • Public address: 203.0.113.1. This is the address of the WAN interface on the router.

  • Internal address of router: 192.168.1.1

  • Address of the server: 192.168.1.2

  • Address of a local computer: 192.168.1.100

If a packet is sent to the public address by a computer at 192.168.1.100, the packet would normally be routed to the default gateway (the router), unless an explicit route is set in the computer's routing tables. A router with the NAT loopback feature detects that 203.0.113.1 is the address of its WAN interface, and treats the packet as if coming from that interface. It determines the destination for that packet, based on DNAT (port forwarding) rules for the destination. If the data were sent to port 80 and a DNAT rule exists for port 80 directed to 192.168.1.2, then the host at that address receives the packet.
 
If no applicable DNAT rule is available, the router drops the packet. An ICMP Destination Unreachable reply may be sent. If any DNAT rules were present, address translation is still in effect; the router still rewrites the source IP address in the packet. The local computer (192.168.1.100) sends the packet as coming from 192.168.1.100, but the server (192.168.1.2) receives it as coming from 203.0.113.1. When the server replies, the process is identical as for an external sender. Thus, two-way communication is possible between hosts inside the LAN network via the public IP address.
 
Consumer routers can have this shut off or not offer an option for your own safety (it is said).  Here using PFSense there is a switch for it.  Firmware DD-WRT / OpenWRT also has a switch for it.
 
The primary reason for the security concern is that some consumer routers appear to intentionally disable NAT loopback by default, and there is no way around this with stock firmware. However, this is not an intentional barrier, it’s just a constraint of limited stock firmware. Nothing new there.
 
Don’t be fooled by the plethora of forum posts crying that NAT loopback is disabled on routers purposefully, that it opens up dangerous security holes, or that it will destroy your network and ultimately your livelihood as you know it. Like the vast majority of scare tactic-based content on the internet, it’s false. Your router will not stab you in your sleep if you allow NAT loopback … although it may emit higher levels of radiation.....
 
Looks like your new box doesn't have NAT reflection or a switch for it. 
 
Both you and Video321 describe what happens when NAT reflection is present and I think that I understand. What I don't understand is what happens to the same packet when NAT reflection is not on the router.
 
Mike.
 
And what happens to the same packet in the example above if you don't have NAT reflection on the router?
 
It goes out to the Internet and is blocked by your firewall on the return trip.
 
Here shut off my cellular phone when at home and manually use cellular connections or home wifi for the tablets.  Also utilize only VPN to access my home network from the internet.  Works fine for me today.
 
Here just switched on VPN via a cellular connection to call home for a minute or two.
 
local id configured
 
remote id configured
pre-shared key configured
bringing up tunnel ...
network device configured
tunnel enabled
 
I did a quickie drawing of your network and pieces.  If you like I can post it and you can fill in the blanks for archival purposes.
 
Just about every combo router is configured the same way. 
 
When Frontier took over from Verizon for my stuff, they slammed the account. Well, similar to what AT&T did to my cellular accounts after 25 years.
 
IE: they reset my combo box to stock which disconnected my remote access then tried to get me to sign up for new service and new equipment.  I made a big issue out of it and the Texas Frontier folks helped me as the FL AG was also working on it but were clueless.  First call to Frontier support was a total joke. That said I had a tech drive to the house and reconfigure the firewall / modem the original way I had it configured.
 
I did talk the tech through the process step by step.  It was a PITA to have this done and took 2 weeks.
 
Here have had direct TV since the beginning.  I did have issues with the AT&T take over and did make the tech climb up to my roof after a snow storm to fix what the previous AT&T tech did to my antenna which was a combo DTV / DISH custom job.
 
pete_c said:
And what happens to the same packet in the example above if you don't have NAT reflection on the router?
 
It goes out to the Internet and is blocked by your firewall on the return trip.
 
Why would it be blocked on the return trip? I have a port forwarded to the destination device.
 
 
 
Two mechanisms of transport. 
 
One with your cellular phone connected wirelessly to your LAN with a private IP address and gateway to your network. 
 
One with same said device on the internet which will indeed use the port you have open on your firewall.
 
You can just switch your cellular phone to use the Wifi in your home when you are at home.  Then you just point your cell phone to your local IP camera's internal network address instead of the public internet address. 
 
When wanting to see the camera on your phone when you are out and about then change the link to your camera to your internet public address.  It is a bit of PITA to do this but it's also just two different links.
 
I'm still not understanding why a packet originating from my private LAN that is addressed to my router's WAN address would be blocked by my firewall when I have a port open and forwarded to the destination NIC.

Mike
 
mikefamig said:
And what happens to the same packet in the example above if you don't have NAT reflection on the router?
Either dropped or forwarded to that port on the router itself. Such as an http request would hit the router's config page if setup for port 80.
 
video321 said:
Either dropped or forwarded to that port on the router itself. Such as an http request would hit the router's config page if setup for port 80.
 
I think Mike's point/question is... why isn't the router reading that the traffic is destined for a specific port (e.g. 2601), and then following the Port Forwarding rules, to then forward that traffic to the appropriate destination address. 
 
If I'm on an external network (e.g. Verizon), and direct traffic to: MyPublic/WAN Address:2601; that traffic follows the port forwarding rules properly and is allowed to reach the intended destination device (Elk XEP). 
 
However, if the request is generated from the inside (Phone on LAN via AP), traverses out of the router through the "Internet", comes back to the WAN address:port (same as above), it's then dropped or forwarded... 
 
In either case, the "destination" traffic is reaching the router at WAN Address:port, but one is forwarded, while the other is blocked. The difference being where the traffic is originating from. 
 
I mentioned in an earlier post, that I found this to be the case when I setup my Cisco ISR... and I had to formulate a work-around. What I don't understand, or haven't wrapped my head around, is what's "bad" about NAT reflection being enabled, that eliminated it from being a "feature" in Business/Enterprise routers? The use of it, for me, comes down to simple convenience w/ smart devices. For example, when I configure the app (eKeypad) to access my Elk system, I don't want to have to have (2) separate entries that I have to navigate to based on where I'm located (inside home on LAN vs. outside). Having said that, some App developers (e.g. BlueIris) utilize LAN and WAN addresses and route traffic "properly" for you automatically... and it's not an issue. But obviously, not all app developers do this, and I know that app based traffic isn't the only concern. 
 
+++
 
The difference being where the traffic is originating from.....
 
BTW another name for NAT reflection is NAT loopback...
 
Here is a picture that shows both means of transport from your cellular phone.  Enabling NAT reflection just circumvents a built in firewall feature....similarly your firewall blocks entry of private addresses to your network if you set up the rule or default it...

[attachment: mikenetwork.jpg]
 
With this picture you can document your home network, WLAN stuff, firewall rules for safekeeping no matter what equipment you use.  IE:
 
WAN - what methodology you use to connect to your ISP - static, DHCP, PPPoE, et al
LAN - IP subnet, mask, gateway and DNS addresses plus DHCP scope and or DHCP assignments.
Here you may want to shrink down the default size of the network if you want.
WLAN - SSID - broadcast or not - password - TKIP or whatever
Firewall rules - Open ports for what devices, DMZ, NAT reflection (optional)...et al
 
Then no matter what type or mfg of device(s) you have the base will always be the same.
 
I do this to keep track of stuff here as the more stuff there is to track the easier it is to just see the 10,000 foot view for me.

 
Here are the first two firewall rules on one WAN port of my firewall.  PFSense gets a bit granular with internal LAN firewall settings, external WAN firewall settings and setting between different LANs. 
 
[attachment: private.jpg]
 
 
 
drvnbysound said:
In either case, the "destination" traffic is reaching the router at WAN Address:port, but one is forwarded, while the other is blocked. The difference being where the traffic is originating from.
That's exactly the issue at hand... SNAT is at play here.
drvnbysound said:
I mentioned in an earlier post, that I found this to be the case when I setup my Cisco ISR... and I had to formulate a work-around. What I don't understand, or haven't wrapped my head around, is what's "bad" about NAT reflection being enabled
Nothing really. A lot of it has to do with features and processing power of the router.
drvnbysound said:
The use of it, for me, comes down to simple convenience w/ smart devices. For example, when I configure the app (eKeypad) to access my Elk system, I don't want to have to have (2) separate entries that I have to navigate to based on where I'm located (inside home on LAN vs. outside). Having said that, some App developers (e.g. BlueIris) utilize LAN and WAN addresses and route traffic "properly" for you automatically... and it's not an issue. But obviously, not all app developers do this, and I know that app based traffic isn't the only concern.
And that is just another reason why I only connect to my house via VPN (using encrypted certs and user/pass combo). I can enter a single internal IP into my apps and always connect properly.
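A small model of the forwarding decision the thread keeps circling, added here as an illustration (it is not code from the thread, from pfSense, or from any router firmware). The addresses are the ones in the quoted Wikipedia example; the router's own admin service on 443, the external client 198.51.100.7, the extra forward on port 2601, and the prefix-string subnet test are assumptions of the model. It shows two things: why a LAN packet aimed at the public address never reaches the port-forward target when loopback is off (the router owns that address, so the packet is delivered to the router itself, which is the "dropped or forwarded to the router" case video321 describes), and why, when loopback is on, the source also has to be rewritten (the "SNAT is at play" point): without that SNAT the server answers the LAN client directly from its private address, and the client's TCP stack rejects a reply that does not come from the address it connected to.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Addresses from the quoted example. The router's own services and the
# external client below are assumptions of this model, not facts from the thread.
WAN_IP = "203.0.113.1"           # router's public (WAN) address
LAN_PREFIX = "192.168.1."        # crude subnet test; a real router uses a netmask
ROUTER_SERVICES = {443}          # assume the router's own admin GUI listens on 443

# DNAT (port-forward) rules: public port -> (internal host, internal port)
PORT_FORWARDS = {80: ("192.168.1.2", 80), 2601: ("192.168.1.50", 2601)}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def on_lan(ip: str) -> bool:
    return ip.startswith(LAN_PREFIX)


class NatRouter:
    """A NAT/firewall box with a port-forward table and optional NAT loopback."""

    def __init__(self, nat_loopback: bool, hairpin_snat: bool = True):
        self.nat_loopback = nat_loopback
        self.hairpin_snat = hairpin_snat   # rewrite the source on hairpinned flows?
        # conntrack: translated flow (as the server sees it) -> original client packet
        self.conntrack: dict = {}

    def ingress(self, pkt: Packet):
        """Forwarding decision for a packet addressed to the router's WAN IP.
        Returns (verdict, packet as delivered to its final recipient)."""
        assert pkt.dst == WAN_IP, "model only covers traffic aimed at the public address"
        fwd = PORT_FORWARDS.get(pkt.dport)

        if not on_lan(pkt.src):
            # Arrived on the WAN interface: port forwards apply, everything else is default-deny.
            if fwd is None:
                return "dropped", pkt
            out = replace(pkt, dst=fwd[0], dport=fwd[1])
            self.conntrack[(out.src, out.sport, out.dst, out.dport)] = pkt
            return "forwarded", out

        if not self.nat_loopback:
            # Arrived on the LAN interface addressed to an IP the router itself owns: it is
            # handed to the router's own stack, never to the forward target. Only a service
            # listening on the router answers; anything else is refused.
            return ("local" if pkt.dport in ROUTER_SERVICES else "dropped"), pkt

        if fwd is None:
            return "dropped", pkt
        # NAT loopback: apply the WAN-side DNAT to the LAN-originated packet as well,
        # and (normally) SNAT the source so the server's reply comes back via the router.
        out = replace(pkt, dst=fwd[0], dport=fwd[1])
        if self.hairpin_snat:
            out = replace(out, src=WAN_IP)   # the server sees the public address as the client
        self.conntrack[(out.src, out.sport, out.dst, out.dport)] = pkt
        return "forwarded", out

    def reply_path(self, server_pkt: Packet) -> Optional[Packet]:
        """What the original client receives when the server sends `server_pkt`."""
        if on_lan(server_pkt.src) and on_lan(server_pkt.dst):
            # Same subnet: the reply goes straight across the LAN and never touches the router.
            return server_pkt
        key = (server_pkt.dst, server_pkt.dport, server_pkt.src, server_pkt.sport)
        orig = self.conntrack.get(key)
        if orig is None:
            return None
        # Undo both translations: the reply appears to come from public_ip:public_port.
        return Packet(src=orig.dst, sport=orig.dport, dst=orig.src, dport=orig.sport)


def server_answer(delivered: Packet) -> Packet:
    """The server replies to whatever source address it saw."""
    return Packet(src=delivered.dst, sport=delivered.dport, dst=delivered.src, dport=delivered.sport)


def client_accepts(sent: Packet, got: Optional[Packet]) -> bool:
    """A client's TCP stack only matches a reply that comes from where it sent the SYN."""
    return got is not None and (got.src, got.sport, got.dst, got.dport) == (
        sent.dst, sent.dport, sent.src, sent.sport)


def simulate(client_pkt: Packet, nat_loopback: bool, hairpin_snat: bool = True):
    """Returns (verdict, source address the server saw or None, client got a usable reply)."""
    router = NatRouter(nat_loopback, hairpin_snat)
    verdict, delivered = router.ingress(client_pkt)
    if verdict != "forwarded":
        return verdict, None, False
    got = router.reply_path(server_answer(delivered))
    return verdict, delivered.src, client_accepts(client_pkt, got)


if __name__ == "__main__":
    lan_client = Packet("192.168.1.100", 40000, WAN_IP, 80)
    wan_client = Packet("198.51.100.7", 40000, WAN_IP, 80)   # constructed external source
    print("WAN client, no loopback         :", simulate(wan_client, nat_loopback=False))
    print("LAN client, no loopback         :", simulate(lan_client, nat_loopback=False))
    print("LAN client, loopback            :", simulate(lan_client, nat_loopback=True))
    print("LAN client, loopback but no SNAT:", simulate(lan_client, True, hairpin_snat=False))
```

Real implementations differ in which address they substitute on the hairpinned flow: the quoted text has the server see the public address, while pfSense-style reflection with automatic outbound NAT, or an nftables masquerade on the LAN interface, uses the router's LAN-side address. Either works; the requirement is only that the server's reply be routed back through the router so the translation can be undone, which is exactly what the last case in the model fails to do.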
 
video321 said:
And that is just another reason why I only connect to my house via VPN (using encrypted certs and user/pass combo). I can enter a single internal IP into my apps and always connect properly. 
 
So before launching said app, you launch VPN software, and authenticate first? 
 
From a security stand-point this is great. I don't think anyone would disagree. From a usability stand-point, particularly in the event that someone is actively breaking into your home, it's quite a hindrance, in my opinion. Example: you receive an email from your system that the alarm has been triggered (or a call from monitoring company). How long would it take you to access video from cameras to validate or invalidate the concern? How much faster would it be if you didn't have to authenticate VPN? 
 
When seconds count, the cops are only minutes away... So, for me, if the process adds XX time to the process, I'll forego a level of device/network security in exchange for faster access. Understanding, that it's not as if the network doesn't already have authentication/encryption measures in place and is open to the world; hence why I stated foregoing "a level" of security... not all security. 
 
I use my VPN on a daily occurrence for more than just apps.
 
Also, I've been in the situation you describe. However, I was already connected via VPN so I was able to bring up my cameras instantly. Still, we're only talking a few seconds here to connect...
 
Much of the time the preference here is to use my home firewall to surf the web; such that the VPN tunnel is always up.
 
There is always the issues of inconvenience.  Once you do it a few times then it becomes fast and automatic - you become process oriented and don't even know it.
 
Well, like riding a bicycle or scuba diving (remember to always breathe - but don't think about it).
 
I have and use the Cisco AnyConnect app to do it; and do it for work all the time. Even so, I still find it very cumbersome to do for my personal/home use. I'll also say that maybe part of my "cumbersome-ness" is due to having split-tunneling disabled. So, while I'm VPN connected, I'm connected to my local network only, and don't have Internet access, so I don't just leave my device [VPN] "connected".
 
I also had a hard time with WAF; convincing my wife to launch AnyConnect, enter username/password to establish VPN, close Anyconnect, open HA app... then when done, open AnyConnect again to disconnect from VPN... particularly when the alternative is to just launch the select app and have "instant" access.
 
Using OpenVPN, on Android anyway - can't comment about iOS, is so simple. I have the cert imported and the username saved, but it prompts for a password. If I wanted to, obviously, I can save the password as well. I have a shortcut to make the connection on my phone's home screen too. So, if I wanted simple, as I did for my father to connect to his home, all that is required is a simple tap on an icon and you're connected in like 5 seconds and that's it. It's really that simple!
 
Further, I force all traffic (including Internet and DNS) through the VPN. For my work laptop I exclude our work subnets from the VPN tunnel so I can stay connected to work and home at the same time all day long and force Internet browsing through my home connection and DNS lookups to my personal resolver.
 
If you can run OpenVPN you may want to look into it.
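A constructed OpenVPN client profile for the setup described in the post above (everything, including Internet and DNS, through the tunnel; work subnets excluded on the laptop). This is an added example, not the poster's actual configuration: the server name vpn.example.com, the certificate file names, the 192.168.1.1 resolver and the two "work" subnets are placeholders.

```conf
# Constructed client profile; placeholders throughout (added example, not the poster's config)
client
dev tun
proto udp
remote vpn.example.com 1194
nobind
persist-key
persist-tun

# Certificate plus username/password, as the post describes
ca ca.crt
cert phone.crt
key phone.key
auth-user-pass
remote-cert-tls server     # refuse to talk to anything but a server-role certificate
tls-auth ta.key 1          # HMAC gate on the control channel; unauthenticated packets are dropped
cipher AES-256-GCM
auth SHA256

# Full tunnel: replace the default route so Internet traffic goes out through home,
# and point DNS at the home resolver (placeholder address)
redirect-gateway def1
dhcp-option DNS 192.168.1.1

# Work-laptop exception only: keep these (placeholder) subnets on the local uplink.
# net_gateway is the default gateway that existed before the tunnel came up.
route 10.20.0.0 255.255.0.0 net_gateway
route 172.16.0.0 255.240.0.0 net_gateway

verb 3
```

The two route lines are what keep work and home reachable at the same time; leave them out on the phone profile, where the post wants everything forced through the tunnel. How dhcp-option DNS is applied depends on the client platform (the Android and Windows clients apply it themselves; on Linux it needs an up/down script), so verify with a lookup after connecting that queries really go to the home resolver.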
 