VLANs and subnets...?
Comments
Thanks. You're right -- I don't need NAT on the ISP's router. But keeping it enabled means that I can easily connect a device to the ISP's router if I ever need to test the internet connection.
As the person you've quoted has said you can't put the ISP router in the DMZ, it's already open to the internet...
Ohhh, of course!
No, what I said was that you don't need to use DMZ on the Draytek, but you do need to use the DMZ on the ISP's router if you want to use port-redirection.
If you want to forward port 8080 to 192.168.100.100 (example):
Double NAT: On your ISP router, you forward traffic from Internet on port 8080 to 192.168.100.1 (the Draytek). On the Draytek you then forward port 8080 from WAN to LAN on address 192.168.100.100
DMZ: Since the Draytek will be in the DMZ on the ISP's router, all ports will be forwarded to it automatically, so you only need one redirection (from Draytek to 192.168.100.100).
So, back to your question, you are not putting the ISP's router in the DMZ, but you are putting the Draytek in the ISP's router's DMZ.
Brilliant explanation -- I get it now! :T
2 lots of NATs = still more lag than one NAT. If the ISP's router is low on memory, then it may lock up when using too many fast (torrent-type) connections - but I have not seen this in years though.
Ah, right. Would I be correct in thinking that:
- The DrayTek's WAN and LAN ports can't be on the same subnet?
- Only the DrayTek's WAN ports are firewalled (by the DrayTek)?
In which case I have two sensible options:
Option A:
- Connect Sky router's LAN port to DrayTek's WAN port.
- Put the two routers' LAN interfaces on separate subnets.
- Put the DrayTek's WAN IP in Sky's DMZ.
- Apply port forwarding rules on the DrayTek.
- Risk possible lag from double-NAT.
Option B:
- Connect Sky router's LAN port to DrayTek's LAN port.
- Disable DHCP on one router.
- Apply port-forwarding rules on the Sky router.
- Unable to use DrayTek's firewall (only Sky's).
- Avoid lag from double-NAT.
The "main thing" I'm trying to do is separate the ISP router from the LAN and have the DrayTek handle as much as possible. So I think I'll risk a double-NAT for now, and see how I get on.
Cheers again, everyone! Very much appreciated.
Ah, right. Would I be correct in thinking that:
- The DrayTek's WAN and LAN ports can't be on the same subnet?
- Only the DrayTek's WAN ports are firewalled (by the DrayTek)?
2. You can firewall anything you like, including switch ports, but by default the WAN port on a router is always 'untrusted', meaning that it normally blocks all the connections unless set up otherwise.
Definitely go for option A, you will have the Draytek in the DMZ so there won't be a double NAT.
Edit: you could, in theory, keep both routers on the same subnet, just a different IP, and change the default gateway in the DHCP to the IP of the Sky. In that case it will all be part of the same network and you won't need VLANs. It can be done, but I would still prefer to take the main route, which is using the WAN port on the Draytek and keeping the Sky router and everything else as it is.
Got it! I was thinking that the two LANs would need to be NATted, but, of course, they're on the same network, just different subnets. In that case...
I have my IPv4 setup working perfectly. :j
Internet -> Sky router -> DrayTek router (in Sky's DMZ)
Sky router LAN IP = 192.168.1.1
DrayTek WAN IP = 192.168.1.2
DrayTek LAN IP = 192.168.100.1
The only problem I have now is with IPv6.
If I connect directly to the Sky router (and manually allow incoming ICMPv6 ping requests in the Windows 7 firewall), running the test at https://ipv6-test.com/ now gives me a score of 16/20. A few points are knocked off because I don't have an IPv6 hostname or any IPv6 DNS servers (apparently Sky don't provide them).
But, when I run the test from the DrayTek, I get a score of 3/20, and it says that IPv6 isn't supported. So, essentially...
IPv6 works on the Sky router, but not on the DrayTek.
I'll have another play around...
No, your internal IP addresses are just that, internal. What communicates with the external world is your router, not your devices directly. That's NATing: you open www.google.co.uk from your computer, but what Google sees is the IP address of your router, not of your computer. Once Google replies, your router then knows that that data packet is meant for you, because it has kept track of where the request came from (you) and where the replies need to go (you).
I know that's how it works with IPv4, but I really thought that one of the "features" of IPv6 was that NAT was unnecessary. :-/
Now, your internal IPv6 addresses are not something you should be interested in. What I mean is that, very often, IPv6 is something that works 'behind the scenes' and it's rarely something you need to configure.
It seems to "just work" on the Sky router, but not on the DrayTek, no matter what settings I've tried.
On the other hand, IPv6 on the Internet (this is where your ISP comes into play) has become more and more critical, due to the fact that we have run out of IP addresses (version 4), therefore the only thing that could be done was to use a different format (version 6) to allow more addresses (unless you are running billions of devices in your LAN, you will never have such a problem).
I understand that. But if IPv6 only matters on the Internet (where IPv4 addresses are scarce), wouldn't it make sense to disable IPv6 on the LAN and NAT to local IPv4 addresses? Yet that doesn't seem to be how other people do things... :-/
I've just read the following forum thread which discusses this in more detail than I fully understand. But a lot of people do seem to want to use IPv6 on the LAN. There's much debate as to whether NAT is desirable with IPv6.
https://security.stackexchange.com/questions/44065/with-ipv6-do-we-need-to-use-nat-any-more
DrayTek themselves say that one of the main advantages of IPv6 is:
DrayTek wrote: The removal of the need for NAT or other address sharing mechanisms. These methods break protocols (in particular multimedia, VoIP and VPNs), requiring complex and often unreliable kludges. The removal of NAT means that routing and traffic flow is far more predictable and reliable. The introduction of NAT by ISPs who have run out of IP addresses (so called 'Carrier Grade NAT') will upset even more people by breaking even more services!
https://www.draytek.co.uk/information/our-technology/are-you-ready-for-ipv6
:huh:
Why (I think) I want to use IPv6 on my LAN:
Previously, I was using just the DrayTek router with IPv6 disabled. It connected to ADSL and provided LAN access. Everything seemed to work fine. (Or... almost fine. Web pages would often take 5 or 10 seconds to load!)
I recently connected a printer to a LAN port on the DrayTek. When I installed the print driver software, a new network interface driver appeared in Device Manager, but failed to install. The device name mentioned "Teredo tunnelling adapter", which apparently is for IPv6-capable hosts on an IPv4 network. So, I assume the printer needs IPv6 to work.
I enabled IPv6 on both the DrayTek and the PC, and the print driver installed successfully, without installing the troublesome Teredo tunnelling adapter, as presumably it wasn't needed as IPv6 was available.
However, with IPv6 enabled, one particular app on my Android phone was suddenly unable to connect to its servers. Every other app seemed fine. Disabling IPv6 on the DrayTek made the app work again. Connecting to the Sky router instead, with IPv6 enabled also worked. So, I assume there's a problem with the DrayTek's IPv6 settings/implementation.
That's when I discovered the "IPv6 test" webpages, and got the impression that, if IPv6 wasn't working properly, I'd have problems accessing IPv6 sites in future. It certainly causes problems with the Android app, and disabling IPv6 would apparently stop me using my network printer. So I really want to get IPv6 working properly.
Some ISPs provide public IPv6 addresses to their clients, others still have a few spare IPv4 addresses to allocate. In both cases, pretty much nothing changes for you. The only thing that does change is that your public IP might be a version 6, so if you need to connect to your router for whatever reason, you need to use the much longer IPv6 address.
Sky use a "native dual-stack", so they provide me with both an IPv4 address and an IPv6 range. I saw a random presentation by a Sky engineer on YouTube talking about how IPv6 was implemented. I'm not sure if this is for all connections (ADSL, VDSL), but the main points were that Sky use:
- Native dual-stack
- PPPoE and IPoE with link local WAN addressing only
- Single /56 range allocated to CPE via DHCPv6 PD
- SLAAC running on CPE LAN for address assignments
- Stateless DHCPv6 for DNS information
I know that's how it works with IPv4, but I really thought that one of the "features" of IPv6 was that NAT was unnecessary. :-/
If you want to have all your devices using IPv6 you can disable NAT, but you need to be extra-careful with the firewall rules, as your ISP, and the Internet as a whole, will now be able to see each and every device you have connected.
What I can suggest is that you create a simple diagram with all your network devices to get an idea of what you have and what is connected to what. Having checked some of my Draytek routers, it seems that IPv6 is enabled by default and the subnet it uses is /64, which seems to be different from what Sky said. See if all the settings match with what you have.
You've probably done it already, but in order to get all the devices to work with IPv6 addresses and no NATing, you need to disable NAT on both routers.
In any case, IPv4 will stick around for another 15-20 years at least, but I think it's a good thing to experiment with what you have if you are interested.
In a way, [NAT on IPv6 is unnecessary], but simply because there are so many that you don't need NAT. I think I understand now what you are trying to do.
Ah, but... I don't understand what I'm trying to do! :rotfl:
It's not that I necessarily want to expose all my LAN devices with a global IPv6 address; it's just... that's how I thought it was supposed to work.
I watched this really helpful video, about how IPv6 is implemented in the real world, and it backs-up what you've been saying about not exposing global IPv6 addresses to the Internet.
https://www.youtube.com/watch?v=2nl54x6_nH8
It also mentions DHCPv6 (which, I think, is the source of the problem with the DrayTek), and EUI-64 naming (based on MAC address), which seems to be in use on my network.
I would need to check the configuration to see if that's something I could help you with.
What I can suggest you is that you can create a simple diagram with all your network devices...
That's very kind of you -- thanks. It's a very simple network. I'll get back to you with more details (and questions!) shortly. I'm just trying to get my head round a few things first, so I don't waste your time with stuff I can figure out myself.
In any case, IPv4 will stick around for another 15-20 years at least, but I think it's a good thing to experiment with what you have if you are interested.
Yeah -- I'm very interested in finding out how IPv6 works and having a play around with it. I know IPv4 isn't going anywhere, but... IPv6 is strangely fascinating.
Cheers
The IPv6 address in the test was my computer's address, not my router's.
This shows you that, without doing much, you are effectively directly exposed to the Internet.
I'm stumped. IPv6 just doesn't want to work with my DrayTek! Gah! Anyway, this post is just a quick log of what I've tried today...
I'm going to connect just the Sky router (to ADSL and my PC), so IPv6 is working, and note the router and ipconfig settings and test results. Then I'll connect just the DrayTek and compare the differences:
ADSL >> Sky Router >> LAN PC
Sky router information:
MODEM:-
  IPv6 Loopback Address 2a02:aaaa:bbbb:cccc::1/128
BROADBAND PORT:-
  MAC Address ww:ww:ww:ww:ww:ww
  Gateway IPv6 Address fe80::1234:5678:90ab:cdef
  IPv6 Domain Name Server -
  IPv6 Global Address 2a02:aaaa:bbbb:cccc::1/64
  IPv6 Link Local Address fe80::wwww:wwff:feww:wwww
  IPv6 Delegated Prefix 2a02:aaaa:bbbb:cccc::/56
LAN PORT:-
  MAC Address xx:xx:xx:xx:xx:xx
  IPv6 ULA fd13:dddd:eeee:ffff:xxxx:xxff:fexx:xxxx/64
  IPv6 Global Address 2a02:aaaa:bbbb:cccc::1
  IPv6 Link Local Address fe80::xxxx:xxff:fexx:xxxx
LAN TCP/IPv6 SETUP:-
  Enable IPv6 on LAN side YES
  Enable ULA Router Prefix Advertisements YES
  Prefix randomly generated** YES
  Enable IPv6 DHCP Server YES
  Enable MLD Querier YES
* - I've changed the IP/MAC addresses, but have done so consistently. I've replaced MAC addresses (and the MAC part of EUI-64 addresses) with a sequence of:
w = Sky broadband port
x = Sky LAN port
y = PC's MAC
** - This option generates prefix (fd13:dddd:eeee:ffff), or can be manually specified.
ipconfig information:
Windows IP Configuration
  Host Name . . . . . . . . . . . . : mypc
  Primary Dns Suffix . . . . . . . :
  Node Type . . . . . . . . . . . . : Mixed
  IP Routing Enabled. . . . . . . . : No
  WINS Proxy Enabled. . . . . . . . : No
  DNS Suffix Search List. . . . . . : Home
Ethernet adapter Local Area Connection:
  Connection-specific DNS Suffix . : Home
  Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
  Physical Address. . . . . . . . . : YY-YY-YY-YY-YY-YY (PC's MAC)
  DHCP Enabled. . . . . . . . . . . : Yes
  Autoconfiguration Enabled . . . . : Yes
  IPv6 Address. . . . . . . . . . . : 2a02:aaaa:bbbb:cccc:1111:2222:3333:4444(Preferred)
  IPv6 Address. . . . . . . . . . . : fd13:dddd:eeee:ffff:1111:2222:3333:4444(Preferred)
  Temporary IPv6 Address. . . . . . : 2a02:aaaa:bbbb:cccc:5555:6666:7777:8888(Preferred)
  Temporary IPv6 Address. . . . . . : fd13:dddd:eeee:ffff:5555:6666:7777:8888(Preferred)
  Link-local IPv6 Address . . . . . : fe80::1111:2222:3333:4444%11(Preferred)
  IPv4 Address. . . . . . . . . . . : 192.168.1.10(Preferred)
  Subnet Mask . . . . . . . . . . . : 255.255.255.0
  Lease Obtained. . . . . . . . . . : 21 January 2020 10:38:48
  Lease Expires . . . . . . . . . . : 22 January 2020 10:38:48
  Default Gateway . . . . . . . . . : fe80::xxxx:xxff:fexx:xxxx%11 (Sky's LAN port)
                                      192.168.1.1
  DHCP Server . . . . . . . . . . . : 192.168.1.1
  DHCPv6 IAID . . . . . . . . . . . : 234567890
  DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-55-66-77-88-YY-YY-YY-YY-YY-YY (PC's MAC)
  DNS Servers . . . . . . . . . . . : fd13:dddd:eeee:ffff:xxxx:xxff:fexx:xxxx (Sky's LAN port)
                                      192.168.1.1
  NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.Home:
  Media State . . . . . . . . . . . : Media disconnected
  Connection-specific DNS Suffix . : Home
  Description . . . . . . . . . . . : Microsoft ISATAP Adapter
  Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
  DHCP Enabled. . . . . . . . . . . : No
  Autoconfiguration Enabled . . . . : Yes
Test results:
- ipv6-test.com 17/20
- test-ipv6.com (HTTP) 9/10
- test-ipv6.com (HTTPS) 9/10
- Android game OK
- Android test app OK
- ping -6 ipv6.google.com OK
ADSL >> DrayTek Router >> LAN PC
In the DrayTek router's settings, I set:
WAN >> Internet Access >> IPv6:
--- Connection Type = PPP
Running ipconfig /all shows that the DNS Suffix "Home" doesn't appear anywhere (unlike with the Sky router), nor do DHCPv6 IAID or DUID; nor any unique local addresses (fd13:...). These are my test results:
- ipv6-test.com 3/20
- test-ipv6.com (HTTP) 9/10
- test-ipv6.com (HTTPS) 0/10
- Android game OK
- Android test app FAIL
- ping -6 ipv6.google.com FAIL (Could not find host)
So this must be the DrayTek setting page where the problem lies:
LAN >> General Setup >> IPv6
The DHCP and DNS settings were empty. And the "Current IPv6 Address Table" was missing the unique local address range (fd13:...).
So, I set the following options. (All the IP characters are literal, except x which is the LAN MAC in EUI-64 format.)
LAN >> General Setup >> IPv6
RADVD Configuration: Enable
DHCPv6 Server Configuration: Enable Server
- Start IPv6 Address FD13:1:1::
- End IPv6 Address FD13:1:1:0:FFFF:FFFF:FFFF:FFFF
- Primary DNS Server FD13:1:1:0:xxxx:xxFF:EE:xx:xxxx
- Secondary DNS Server (blank)
Static IPv6 Address configuration - [Add] "FD13:1:1:0:xxxx:xxFF:EE:xx:xxxx/64"
The output from ipconfig /all now looks comparable to the Sky router's, except for the missing DNS suffix ("Home"). The test results have improved, but they don't match those from the Sky router:
- ipv6-test.com 17/20
- test-ipv6.com (HTTP) 9/10
- test-ipv6.com (HTTPS) 0/10
- Android game FAIL
- Android test app OK
- ping -6 ipv6.google.com OK
The report from test-ipv6 HTTPS says:
- No IPv6 address detected
- Our tests show that you will have a broken or misconfigured IPv6 setup, and this will cause problems as web sites enable IPv6.
- We are sometimes unable to detect Teredo and 6to4 when using HTTPS.
I'll have a look tomorrow...
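As an added worked example (not from this thread, nor DrayTek's or Sky's code), this covers the EUI-64 naming mentioned earlier and the kind of ipconfig /all output posted above: it forms the stable SLAAC address from a /64 prefix and a MAC, recovers the MAC from any EUI-64-derived address (the direct exposure the earlier reply warned about, and the reason hosts also use temporary addresses), and labels each address as global, unique-local or link-local. SAMPLE_MAC, SAMPLE_PREFIX and SAMPLE_IPCONFIG are constructed values, not the poster's real ones.

```python
import ipaddress
import re

# Constructed sample values (not the poster's real addresses): a PC MAC, the
# /64 its router advertises, and "ipconfig /all" lines in the thread's layout.
SAMPLE_MAC = "00:11:22:33:44:55"
SAMPLE_PREFIX = "2a02:aaaa:bbbb:cccc::/64"
SAMPLE_IPCONFIG = """\
   IPv6 Address. . . . . . . . . . . : 2a02:aaaa:bbbb:cccc:211:22ff:fe33:4455(Preferred)
   IPv6 Address. . . . . . . . . . . : fd13:dddd:eeee:ffff:211:22ff:fe33:4455(Preferred)
   Temporary IPv6 Address. . . . . . : 2a02:aaaa:bbbb:cccc:5555:6666:7777:8888(Preferred)
   Link-local IPv6 Address . . . . . : fe80::211:22ff:fe33:4455%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.10(Preferred)
"""


def eui64_interface_id(mac):
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A), 8 bytes."""
    octets = bytes(int(h, 16) for h in re.split(r"[:-]", mac))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Invert the universal/local bit of the first octet and splice ff:fe in.
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def slaac_address(prefix, mac):
    """The stable SLAAC address a host forms from a /64 prefix and its MAC."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def mac_from_address(addr):
    """Recover the MAC if the low 64 bits are a modified EUI-64, else None."""
    # A recoverable MAC follows the hardware across prefixes and networks,
    # which is why hosts also generate temporary (privacy) addresses.
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


def scope(addr):
    """Classify an address as the thread does: link-local, ULA (fd..) or global."""
    a = ipaddress.IPv6Address(addr)
    if a.is_link_local:
        return "link-local"
    if a in ipaddress.IPv6Network("fc00::/7"):
        return "unique-local"
    return "global" if a.is_global else "other"


# "<label> . . . : <address>" lines; the zone id (%11) and "(Preferred)" stay
# outside the address capture.
ADDR_LINE = re.compile(r"^\s*(?P<label>[A-Za-z0-9 -]+?)[ .]*:\s*(?P<addr>[0-9A-Fa-f:]+)")


def parse_ipconfig(text):
    """One record per IPv6 address line: label, address, scope and MAC if any."""
    records = []
    for line in text.splitlines():
        m = ADDR_LINE.match(line)
        if not m or ":" not in m.group("addr"):  # skips IPv4 and other lines
            continue
        addr = m.group("addr")
        records.append({"label": m.group("label").strip(), "addr": addr,
                        "scope": scope(addr), "mac": mac_from_address(addr)})
    return records
```

Run parse_ipconfig over a real ipconfig /all dump to see which of your addresses reveal a MAC; an address whose interface identifier contains ff:fe in the middle is EUI-64-derived.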