Feb 6, 2012
tom

Packets dropped due to NAT? Firewall? Unroutable private IP addresses?

Question

Preliminary note
This question is out of academic interest. I know how to work around the limitation. I use this setup to control access from one subnet to the other on the IP level, which works great, so I don't need any 'solution' or alternative setup - just as implied by the questions: no need for any guessing about my intentions :)

My LAN consists of two cascaded consumer routers with NAT enabled on each. I set up a static route in router 1 (which is connected to the internet) so that packets from subnet 1 targeting the subnet of router 2's LAN will use the latter as a gateway. The routing seems to work so far. However, when router 2 receives a packet for its LAN subnet on its WAN port, it drops the packet immediately.

Is this because of the nature/specification of NAT so that the router won’t accept any packets not addressed to its WAN IP? Do the NAT specs imply this?

Or does the firewall inside the router block everything which is not port-forwarded to a specific LAN IP?

Are consumer routers (also) designed to not route private IP addresses on their WAN port even if it has a private address assigned?

Any other mechanism involved?

Asked by Christian

Answer

Because it is a NAT relationship, it can’t “route” traffic. Packets addressed to the router's WAN IP address will be forwarded according to its port forwarding rules. Any packets not addressed to its WAN IP address will be dropped because they are not for it. In fact, ANY device connected to an IP network will ignore packets it may receive that aren’t addressed to it.

You can also view this function as part of the firewall if you want. If the router just routed anything it received that looked like it belonged to the LAN side, it wouldn’t be much good as a firewall, would it?

As you know, if you want to allow traffic through, then the traffic must be addressed to the router's WAN address and have port forwarding rules to tell it where to send the traffic on to. That is how a NAT device works; you appear to think they should work as a router, but they don’t.

Answered by pipTheGeek
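The following is an added illustration of the decision pipTheGeek describes, not code from the original question or answer. It models a consumer NAT gateway's treatment of packets arriving on its WAN port (drop unless addressed to the WAN IP, then match an established outbound flow or a static port forward) and contrasts it with a plain router that forwards by routing table. All addresses, interface names, the port-forward rule and the simplification that source ports are preserved during translation are constructed assumptions for the example.

```python
"""Model of a consumer NAT gateway's WAN-side packet handling versus a plain router.

Constructed topology (assumptions, not from the original post):
  router 1 LAN   192.168.1.0/24
  router 2 WAN   192.168.1.2   (lives inside router 1's LAN)
  router 2 LAN   192.168.2.0/24, with a web server at 192.168.2.10
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass
class NatGateway:
    wan_ip: str
    lan: str
    # (proto, wan_port) -> (lan_host, lan_port): static port-forward rules
    port_forwards: dict
    # (proto, remote_ip, remote_port, wan_port) -> (lan_host, lan_port): outbound flows
    conntrack: dict = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> WAN: rewrite the source to the WAN IP and record the flow so the
        reply can be recognised later. Source port is kept as-is (simplification)."""
        assert ip_address(pkt.src) in ip_network(self.lan), "not from our LAN"
        self.conntrack[(pkt.proto, pkt.dst, pkt.dport, pkt.sport)] = (pkt.src, pkt.sport)
        return Packet(self.wan_ip, pkt.dst, pkt.proto, pkt.sport, pkt.dport)

    def inbound(self, pkt: Packet) -> str:
        """WAN -> LAN decision for a packet that arrived on the WAN port."""
        # 1. The question's case: the packet is not addressed to the WAN IP, so it is
        #    "not for us" and dropped, even though dst lies inside the LAN we serve.
        if pkt.dst != self.wan_ip:
            return f"DROP: {pkt.dst} is not the WAN address {self.wan_ip}"
        # 2. A reply to a connection that a LAN host opened: translate back.
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dport)
        if key in self.conntrack:
            host, port = self.conntrack[key]
            return f"ACCEPT established -> {host}:{port}"
        # 3. A static port forward for this WAN port: DNAT to the configured host.
        fwd = self.port_forwards.get((pkt.proto, pkt.dport))
        if fwd:
            return f"DNAT -> {fwd[0]}:{fwd[1]}"
        # 4. Addressed to us, but no rule and no state: the firewall drops it.
        return f"DROP: no port forward for {pkt.proto}/{pkt.dport}"


def plain_router_inbound(routes: dict, pkt: Packet) -> str:
    """A plain (non-NAT) router forwards by longest-prefix match on the routing
    table and never cares whether dst is one of its own addresses."""
    dst = ip_address(pkt.dst)
    for prefix, via in sorted(routes.items(), key=lambda r: -ip_network(r[0]).prefixlen):
        if dst in ip_network(prefix):
            return f"FORWARD via {via}"
    return "DROP: no route"


def demo() -> dict:
    r2 = NatGateway(wan_ip="192.168.1.2", lan="192.168.2.0/24",
                    port_forwards={("tcp", 8080): ("192.168.2.10", 80)})
    # Router 1's static route delivers this packet to router 2's WAN port...
    routed_in = Packet("192.168.1.20", "192.168.2.10", "tcp", 40000, 80)
    results = {
        # ...but router 2 only asks "is dst my WAN IP?", so it is dropped.
        "routed_to_lan_host": r2.inbound(routed_in),
        # Addressed to the WAN IP on a forwarded port: reaches the LAN host.
        "to_wan_ip_forwarded_port": r2.inbound(
            Packet("192.168.1.20", "192.168.1.2", "tcp", 40001, 8080)),
        # Addressed to the WAN IP but no rule for that port: firewall drops it.
        "to_wan_ip_unforwarded_port": r2.inbound(
            Packet("192.168.1.20", "192.168.1.2", "tcp", 40002, 22)),
    }
    # An outbound connection from the LAN creates the state that lets its reply in.
    out = r2.outbound(Packet("192.168.2.10", "192.168.1.20", "tcp", 50000, 443))
    reply = Packet(out.dst, out.src, "tcp", out.dport, out.sport)
    results["reply_to_outbound"] = r2.inbound(reply)
    # The same routed packet at a plain router with a route to subnet 2 is forwarded.
    results["plain_router"] = plain_router_inbound(
        {"192.168.2.0/24": "eth1", "0.0.0.0/0": "eth0"}, routed_in)
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:28s} {decision}")
```

Running `demo()` shows the four NAT outcomes side by side with the plain-router result for the identical packet, which is the distinction the answer draws: the static route on router 1 is fine, but router 2 discards anything on its WAN port that is not addressed to its own WAN IP.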
