
New Member

 • 

4 Messages

Wednesday, June 23rd, 2021 10:48 PM

Cascade Instructions (LAN to WAN) for AT&T Fiber BGW320-505 To Second Router With Public Static IP Block

I'd like to cascade the BGW320 into my other router that's set up behind it, including managing a block of public static IPs I got. My understanding of what I'm trying to accomplish is to make the BGW320 as hands-off as possible so that the UDMP can manage the firewall and all traffic. I can find instructions for IP passthrough and other bits and pieces of things I need to consider. But I think the public static IP block adds a layer of complication. I've read that I should NOT do IP Passthrough and instead do the cascading thing. Again, I'm not sure and nothing walks me through the entire process that I can follow. I'm new to this stuff and I'm hoping someone can dumb it down enough for me to understand.

Here's what my setup looks like right now:

AT&T Fiber Internet --> BGW320-505 --> Unifi Dream Machine Pro (UDMP) <-- All other devices

  • Nothing else is connected to the BGW320 aside from the UDMP (LAN to WAN). That is, an RJ-45 cable is plugged into one of the BGW320's ethernet ports, and the other end is plugged into the "internet" port of the UDMP.
  • The only adjustment I've made so far is to disable the BGW320 wifi so as to not interfere with the UDMP wifi access points.
  • As mentioned, I bought a block of 5 usable static public IPs from AT&T. But I'm not sure how to utilize these. The info the AT&T tech provided looks like:
    • Gateway IP XX.XX.XX.206
    • Subnet Mask XXX.XXX.XXX.XXX
    • IP Range XX.XX.XX.201 --> XX.XX.XX.205

If your network is working fine why do you want to do any of this?

I'm going down this road because I was trying to set up a Plex server. I ran into a "double NAT" issue and nobody outside my home network can access my Plex server. I think the double NAT issue will be resolved by cascading the routers.

Why did you buy public static IPs?

Also because of the Plex server. I thought these were needed to facilitate connecting to the server and that one of these static IPs would be assigned to it. Clearly I'm confused about this. I got it in my head that the UDMP would get one of the public static IPs and then the Plex server gets another one? Or maybe I'm supposed to assign static public IPs to all three devices in question (BGW320, UDMP, Plex server)? I'm really not sure. Currently the Plex server is connected to the UDMP like any other device.

What is your Plex server?

I bought a Synology DS920+ NAS. It has a built in OS that can install Plex onto itself. Setting up the hardware was fairly easy. And like I said, devices within my network have no problems streaming from the Plex server right now. External connections -- say, a friend with the Plex app on their TV -- can see my Plex libraries on their side but cannot stream anything. Ultimately this is what I'm hoping to resolve.

Thanks in advance for any help offered. Let me know if there's any other info or screenshots or pictures I can provide. I'm outside my comfort zone here but am very excited to learn how to do all this.

New Member

 • 

17 Messages

2 years ago

@JefferMC , in the cascaded router configuration, is there any way to remove the 192.168.1.0 segment? That adds a hop, and potentially a double NAT. I have a BGW320, a static block, and a Fortigate 30E.

Community Support

 • 

220.9K Messages

2 years ago

Hello @wsggsllc

The fiber team will be able to assist. I can escalate and give you a call.

Lisa
AT&T Business Social Media

ACE - Expert

 • 

33.1K Messages

2 years ago

No.  The BGW320 will be a routing hop regardless of configuration.

New Member

 • 

17 Messages

2 years ago

Thanks @JefferMC. With the Fortigate, I can set up a host with a public IP in a DMZ and use the remaining three public IPs for a DHCP pool for the private subnets. That is all good, but having that double NAT sure seems like it will be a gotcha in the future.

Do you think adding IP Passthrough might resolve that problem? I am even willing to add a second Fortigate.

ACE - Expert

 • 

33.1K Messages

2 years ago

It.  Is.  Not.  Double.  NAT.  It is just a hop.

EDIT: I should clarify.

It is not double NAT unless your internal router performs NAT and the Gateway performs NAT on the same packets.

If your internal router is in Cascaded Router config (without IP Passthrough), even though it has a private address on its "WAN interface", the Gateway is not performing NAT on its traffic; it's just passing it through: the packets have a public IP as the source address and the Gateway will not change it.  Heck, it won't even keep the session in the NAT table. 

If your internal router is in IP Passthrough, then it already has either the dynamic public address [or a static IP address if also in Cascaded Router] and the Gateway doesn't need to NAT any of its traffic, although it will maintain session state for any traffic coming from the dynamic address.

In Subnet mode, the Public Static address traffic is also not being NATted by the Gateway.

Double NAT will only happen when the router behind the Gateway is in neither IP Passthrough nor Cascaded Router (and therefore the Gateway will perform NAT on the traffic), and the router is also performing NAT.

(edited)

Community Support

 • 

220.9K Messages

2 years ago

Hello @wsggsllc

Please let us know if you need any further assistance. I will be glad to schedule a call.

Lisa
AT&T Business Social Media

New Member

 • 

17 Messages

2 years ago

@JefferMC, It's a Fortigate in a cascade configuration with statics and it is definitely NATing once. What I am unable to comprehend is what the BGW at 192.168.1.254 does with the packets. Someone on DSL Reports said it is "sort of" a double NAT but "less translation" and he successfully runs multiple VPNs over it (which is what I need to do). It just seems like a kludge solution for a real business class service. In addition to the VPNs, I need to make this work with an existing copper connection too.

@ATTHelp, yes, please, if you can schedule with a tier 3/escalations engineer, I would be grateful.

Community Support

 • 

220.9K Messages

2 years ago

Hello @wsggsllc

We can schedule a call and get you over to the Fiber support team for assistance. What time would be best for a call?

Lisa
AT&T Business Social Media

New Member

 • 

17 Messages

2 years ago

Thanks @ATTHelp. Any time today after 12 ET or any time tomorrow. I just need 15 minutes notice.

ACE - Expert

 • 

33.1K Messages

2 years ago

What I am unable to comprehend is what the BGW at 192.168.1.254 does with the packets. Someone on DSL Reports said it is "sort of" a double NAT but "less translation"

When you have IP Passthrough on, the Gateway has to keep track of the sessions coming from the IP Passthrough target with a source address of the public IP vs. the sessions it might have with other clients for which it is providing NAT.  So, although it isn't doing NAT on those packets itself, it is tracking the sessions in its NAT table.  And, because of this, it may have to do PAT if (a) there is another client for which it's doing NAT and (b) the packet coming from the IP Passthrough device matches an entry already in the NAT table on all of:  destination IP, destination port and source port (which is fairly unlikely).  The reason being when a response comes back, it needs to know how to route it.

If you have a public static block, and the packet source IP is one of those public static IPs, then (a) the Gateway doesn't have to do NAT, (b) it doesn't have to put it in its NAT table, (c) it'll never have to do PAT.   These statements are all true whether you're using (a) Public Subnet config, (b) Cascaded Router to 0.0.0.0 or (c) Cascaded Router to 192.168.1.x.

(edited)
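
The outbound handling described in the replies above, as an added example that is not part of any post in this thread and is not AT&T's code: a toy model showing when the Gateway rewrites the source address, when it only tracks the session, and when a full match on destination IP, destination port and source port forces a port change. The `Gateway` class, its port-selection strategy and all addresses (documentation ranges) are assumptions made for illustration.

```python
import ipaddress

# Constructed addresses from documentation ranges; not values from the thread.
DYNAMIC_WAN = ipaddress.ip_address("203.0.113.10")        # Gateway's dynamic public IP
STATIC_BLOCK = ipaddress.ip_network("198.51.100.200/29")  # purchased public static block


class Gateway:
    """Hypothetical model of the Gateway's session handling as the thread describes it."""

    def __init__(self):
        # (dst_ip, dst_port, wan_src_port) -> (inside_ip, inside_port)
        self.sessions = {}

    def _track(self, src, sport, dst, dport):
        """Record a session; change the source port only when another host owns the key."""
        wan_port = sport
        while self.sessions.get((dst, dport, wan_port), (src, sport)) != (src, sport):
            wan_port = wan_port + 1 if wan_port < 65535 else 1024
        self.sessions[(dst, dport, wan_port)] = (src, sport)
        return wan_port

    def outbound(self, src, sport, dst, dport):
        """Return (wan_src_ip, wan_src_port, action) for one outbound packet."""
        src = ipaddress.ip_address(src)
        if src in STATIC_BLOCK:
            # Public static source: routed unchanged, no table entry, never PAT.
            return str(src), sport, "routed"
        wan_port = self._track(src, sport, dst, dport)
        if src == DYNAMIC_WAN:
            # IP Passthrough target: address untouched, session still tracked.
            action = "tracked" if wan_port == sport else "tracked+pat"
        else:
            # Ordinary private client: the Gateway rewrites the source address.
            action = "nat" if wan_port == sport else "nat+pat"
        return str(DYNAMIC_WAN), wan_port, action

    def inbound(self, wan_port, remote_ip, remote_port):
        """Map a reply arriving at the dynamic address back to its inside host."""
        owner = self.sessions.get((remote_ip, remote_port, wan_port))
        return (str(owner[0]), owner[1]) if owner else None
```

In this model only the untracked `routed` case leaves the Gateway with no per-flow state, which matches the statement that traffic sourced from the static block is never placed in the NAT table.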
