to NAT or not to NAT

I'm very confused. I just updated my old Airport Extreme to one of the new ones with dual band. It is connected to a Motorola 2210 modem with AT&T DSL. After I had it going for a while, Airport Utility popped up and said the Extreme had a problem, namely "double NAT". I had not a clue as to what this meant, but after searching I found information suggesting that I should put the modem in bridged mode and change the Extreme's Internet connection from Ethernet to PPPoE. I did that and everything seems to be running well, other than that AT&T periodically drops my Internet connection, but that problem has been going on for a long time.

Because I don't know what NAT is doing, I am left with the question of whether I need to have it on or not. I have tried running the Extreme with it not enabled and I haven't seen any difference. Can anyone tell me why I should or should not have it enabled? Also, when I have it enabled, it gives me "Enable default host at 10.0.1.243". Is this correct? Thanks.

Message was edited by: Fred Tedsen2

Mac OS X (10.4.11)

Posted on Mar 24, 2009 1:53 PM

16 replies

Mar 24, 2009 7:53 PM in response to Fred Tedsen2

The Motorola 2210 modem is actually the Netopia 2200-series Gateway, a combination ADSL modem & wired Internet router with a built-in NAT firewall ... so basically you have two routers in series when you connected the 802.11n AirPort Extreme Base Station (AEBSn) to it ... and why you got the initial "double NAT" error.

When two routers are in series you would want to reconfigure the downstream router (in this case the AEBSn) as a bridge, leaving the upstream router (the Netopia) configured as a modem/router. In addition, if your ISP requires PPPoE for access to the Internet, you will want the upstream router configured to provide this as well.

When you reconfigured the Netopia as a bridge, you were required to leave the AEBSn in its default configuration (an Internet router), but you would have needed to reconfigure it to provide the PPPoE credentials since the Netopia would no longer be providing them.

My suggestion is to reconfigure the Netopia to be your primary Internet router including providing PPPoE, and then, reconfigure the AEBSn as a bridge. As a bridge, the AEBSn will pass thru the NAT & DHCP services provided by the Netopia and perform as a Wireless Access Point (WAP).

Mar 24, 2009 9:47 PM in response to Tesserax

Thanks for that information. I gather from your answer that I do indeed need to have NAT enabled but that it should be handled by the modem/router. I believe that I tried that but had some problems, perhaps something I set wrong. May I ask why it would be better for the 2210 to be handling NAT and DHCP rather than the AEBS? One advantage that I seem to be getting from my current setup is that when I get disconnected the AEBS seems to be able to get it back on its own, whereas before I put the 2210 in bridge mode I would usually have to power it off to get a connection back, a real pain. Of course that was with the old AEBSg, so I guess that could have had something to do with it.

I may try switching things again tomorrow. If it doesn't work and I decide to go back to bridging the 2210, can you tell me what the settings for NAT should be on the AEBS? Thanks very much.

Mar 24, 2009 10:41 PM in response to Fred Tedsen2

I gather from your answer that I do indeed need to have NAT enabled but that it should be handled by the modem/router.


NAT or Network Address Translation has the basic function to allow the sharing of a single Internet or Public IP address to multiple Private IP addresses on the local area network (LAN).

In addition, for security, implementing NAT automatically creates a firewall between your internal network and the Internet. That is because NAT only allows connections that originate inside the private network. Essentially, this means that a computer from the Internet cannot connect to your computer unless your computer has initiated the contact.

May I ask why it would be better for the 2210 to be handling NAT and DHCP rather than the AEBS?


Not necessarily better, but it should be simpler to configure your network this way.

One advantage that I seem to be getting from my current setup is that when I get disconnected the AEBS seems to be able to get it back on its own, whereas before I put the 2210 in bridge mode I would usually have to power it off to get a connection back, a real pain.


I suspect that your Motorola/Netopia gateway may be problematic or that the ADSL signal strength coming from your ISP may need to be "adjusted". Would it be possible to contact your ISP and have them take a look at both of these? I'm guessing that by using the AEBSn instead that you are effectively only fixing the symptom and not the actual problem with your Internet connection.

Mar 25, 2009 3:07 AM in response to Fred Tedsen2

Fred Tedsen2 wrote:
One advantage that I seem to be getting from my current setup is that when I get disconnected the AEBS seems to be able to get it back on its own


I have also noticed this before; Apple Base Stations are very good at recovering from a bad PPPoE connection.

I second Tesserax's suggestion. If you get frequent modem disconnects, you should get AT&T to run a line test to your modem and determine what the cause is.

(I also run the Motorola 2210 in modem mode and PPPoE from AEBS into it, I don't have any problem, I also have AT&T DSL)

Also, if you let the 2210 handle the NAT, then you will have a problem with AirDisk sharing through a MobileMe account.

Mar 25, 2009 6:05 AM in response to Tesserax

Tesserax wrote:
NAT or Network Address Translation has the basic function to allow the sharing of a single Internet or Public IP address to multiple Private IP addresses on the local area network (LAN).

Thanks for the explanation of NAT. I see now why I need it.
May I ask why it would be better for the 2210 to be handling NAT and DHCP rather than the AEBS?


Not necessarily better, but it should be simpler to configure your network this way.

OK, but I'd like to first try leaving it like it is. I have a simple network with one Mac connected to the AEBSn via ethernet, an Airport Express for attaching a remote printer, and a couple of laptops and a Mini connecting wirelessly. The AEBS is set up to handle DHCP addresses from 10.0.1.2 through 10.0.1.200. The NAT panel is where I'm clueless. There are two check boxes:

Enable default host at:

and

Enable NAT Port Mapping Protocol

I presently have them both checked. The first fills in "10.9.1.253" by default, while the second has nothing in the Port Mapping table. Are these right or wrong, and if wrong what should they be?

Thanks again.

Mar 25, 2009 6:17 AM in response to dchao99

dchao99 wrote:
I second Tesserax's suggestion. If you get frequent modem disconnects, you should get AT&T to run a line test to your modem and determine what the cause is.

I've dealt with AT&T support a number of times. They sent me the 2210 to replace a Speedstream 5100 to fix the problem. The 2210 behaves better than the 5100, but I still get disconnects. It's rare that I lose DSL, however. With the 2210 handling PPPoE, it would look as if there was nothing wrong from the modem status lights, that is, the "Internet" light stays on. It would often get a connection back, but it generally took a while unless I went to the modem and physically disconnected the line or powered it off/on. I'll have another try with AT&T, but it's really hard to get past the first level.

(I also run the Motorola 2210 in modem mode and PPPoE from AEBS into it, I don't have any problem, I also have AT&T DSL)


Can you tell me how you have the AEBS set for NAT? Thanks.

Mar 25, 2009 3:22 PM in response to Fred Tedsen2

"There are two check boxes:

Enable default host at:

and

Enable NAT Port Mapping Protocol"

I have a Time Capsule set up with the Motorola 2210. I was lucky enough to talk to a Mac specialist several months ago at AT&T and she advised me to put the modem in bridge mode and let the Time Capsule provide the PPPoE service, etc.

My current settings are as follows:

Enable default host at: is not checked.
Enable NAT Port Mapping Protocol is checked.

I've tried checking the box at Enable default host and get a 10.0.1.253 entry, but I can't figure out what this means. My connection works fine either way with the box checked and also not checked. The stability of the connection has been very good. I've probably gone 2 months without losing a connection.

I've also tried a setup in the past where the modem handles the PPPoE, etc and have found that this is not as stable of a connection with my AT&T DSL service, but I do not know why. With this setup, I was losing my connection several times a month and it did require a modem restart when this would happen.

I'll leave my setup with the modem in bridge mode and the TC providing the PPPoE service as is, simply because this has worked best for me.

Mar 25, 2009 4:11 PM in response to dchao99

My AEBS is connected to 2210 using PPPoE, and NAT and DHCP are both enabled on AEBS as well.

You must enable NAT to share the one IP address allocated by our ISP. If NAT is disabled on AEBS, then you have to enable PPPoE on your Mac to talk directly to the modem.

Right, I am doing the same. My remaining question is: in the NAT panel, do I check both "Enable default host at: 10.0.1.253" and "Enable NAT Port Mapping..."?

Mar 25, 2009 5:51 PM in response to Fred Tedsen2

If you want to host any service from inside the private network and broadcast it to the outside world, you need to check the option "enable NAT-PMP". This includes BTMM, Mail, Web, FTP servers...

If you have a server you want completely transparent to the outside world with no firewall protection at all, most people put it on a DMZ (demilitarized zone, another one of the firewall configuration terms). Enable default host at: 10.0.xxx.xxx is equivalent to putting this server on DMZ.

Mar 25, 2009 6:31 PM in response to dchao99

If you want to host any service from inside the private network and broadcast it to the outside world, you need to check the option "enable NAT-PMP". This includes BTMM, Mail, Web, FTP servers...

If you have a server you want completely transparent to the outside world with no firewall protection at all, most people put it on a DMZ (demilitarized zone, another one of the firewall configuration terms). Enable default host at: 10.0.xxx.xxx is equivalent to putting this server on DMZ.

Argh! I really appreciate your help, but I'm just not getting it. I'm really dense on this.

For "Enable NAT-PMP" I don't want to host anything from inside my network, so leave this unchecked, right?

For "Enable default host", should this be checked or not?

Thanks.

Mar 25, 2009 8:03 PM in response to Fred Tedsen2

There are two check boxes:

Enable default host at:

and

Enable NAT Port Mapping Protocol

I presently have them both checked. The first fills in "10.9.1.253" by default, while the second has nothing in the Port Mapping table. Are these right or wrong, and if wrong what should they be?


The "Enable Default Host" option is when you have a requirement to configure one of your computers on the LAN to be readily accessible from the Internet ... like an eMail or Web server. It would be a two-step process: 1) Enable this option, and 2) Identify the IP of the computer that you want to be accessed. This is also known as establishing a DMZ. Note by enabling this feature, any device identified would be fully exposed to the Internet and NOT protected by the router's NAT firewall. Unless you need this feature, I would leave it disabled.

The "NAT Port Mapping Protocol" option enables the AEBSn to provide support for network clients that are running applications that know how to interact with this protocol to selectively open ports on the router in order to operate properly in their communication with the Internet. This is Apple's equivalent to UPnP in the Windows-world. It's okay to leave this feature enabled.
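
The three behaviours discussed in this thread (plain NAT, "Enable default host", and NAT Port Mapping Protocol), as an added example that is not part of any poster's reply and is not Apple's code: a simplified Python model of how a NAT router decides what to do with a packet arriving from the Internet. The class and method names are hypothetical, the 10.0.1.x addresses follow the thread, and the public addresses are documentation-range placeholders.

```python
# Simplified model of a home NAT router (constructed example, not AirPort firmware).
class NatRouter:
    def __init__(self, public_ip, default_host=None):
        self.public_ip = public_ip
        self.default_host = default_host  # the "Enable default host at:" setting
        self.port_maps = {}               # public port -> (lan_ip, lan_port)
        self.sessions = {}                # public port -> (lan_ip, lan_port, remote)
        self.next_port = 50000

    def outbound(self, lan_ip, lan_port, remote):
        """A LAN host opens a connection; the router allocates a public port."""
        port = self.next_port
        self.next_port += 1
        self.sessions[port] = (lan_ip, lan_port, remote)
        return (self.public_ip, port)

    def request_mapping(self, lan_ip, lan_port, public_port):
        """A LAN client asks for one port to be opened (what NAT-PMP permits)."""
        self.port_maps[public_port] = (lan_ip, lan_port)

    def inbound(self, remote, public_port):
        """Return the LAN endpoint an Internet packet is delivered to, or None."""
        session = self.sessions.get(public_port)
        if session and session[2] == remote:
            return session[:2]                       # reply to traffic started inside
        if public_port in self.port_maps:
            return self.port_maps[public_port]       # port a client explicitly opened
        if self.default_host:
            return (self.default_host, public_port)  # all other traffic reaches this host
        return None                                  # unsolicited: dropped


def demo():
    remote = ("198.51.100.7", 443)       # server a LAN host connects to (constructed)
    stranger = ("198.51.100.99", 40000)  # unrelated Internet host (constructed)
    plain = NatRouter("203.0.113.5")
    _, port = plain.outbound("10.0.1.2", 51515, remote)
    results = {"reply": plain.inbound(remote, port),
               "unsolicited": plain.inbound(stranger, 22)}
    plain.request_mapping("10.0.1.3", 8080, 8080)
    results["mapped"] = plain.inbound(stranger, 8080)
    results["other_port"] = plain.inbound(stranger, 22)
    exposed = NatRouter("203.0.113.5", default_host="10.0.1.253")
    results["default_host"] = exposed.inbound(stranger, 22)
    return results


if __name__ == "__main__":
    for case, delivered_to in demo().items():
        print(f"{case:13} -> {delivered_to}")
```

With the default host enabled, the unsolicited connection to port 22 that the plain router drops is delivered to 10.0.1.253, while a port mapping opens only the single port that was requested.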

Mar 25, 2009 10:12 PM in response to Fred Tedsen2

Thank you for all the information regarding the NAT. I also had an initial problem with a double NAT issue. I "fixed" it by setting this:

Connect Using: Ethernet
Configure IPv4: Using DHCP
Connection Sharing: Using a Public IP address
NAT Default Host: 10.0.1.78 (I put this number to solve the double NAT issue)
Unchecked Enable NAT Port Mapping Protocol

My modem is a Speedstream 5100 and is set up as follows:
Protocol PPPoE
Use Public IP Address
PPP is on the modem

Is this a reliable setup? So far it works but I am having a speed problem since using a new network adapter card.

Appreciate your help.
