From: "Lewis G Rosenthal"
To: "OS/2 Wireless Users Mailing List"
Date: Wed, 04 Jul 2007 00:04:27 -0400
Subject: Re: [OS2Wireless] NAT issues

On 07/03/07 03:02 pm, Dave Saville thus wrote :
> On Tue, 03 Jul 2007 14:05:38 -0400, Lewis G Rosenthal wrote:
>
>> Unfortunately, these were 643's, and less flexible than the 660's (which
>> are indeed nice units). It's either all or nothing, and in this case, it
>> wouldn't have helped as there is only one public IP (though thankfully,
>> static). ;-)
>>
>> SNAT does indeed work for the setup you have, Dave. Do you have any
>> services running which require NAT traversal? I'm wondering whether the
>> 660 does this better than the 643.
>>
>
> Not sure exactly what you mean by NAT traversal. I run web and email servers,
> have run FTP and also VOIP. Now the latter gave me some fun.

VoIP requires NAT-T, just as IPSec VPNs do. IOW, we need to get the end
points behind the routers to see the opposite side's real address, and
not the private one.

> In the first
> place, as I said, I was running real IP's through the 660 so my ATA just had
> the real world address - no need for STUN or anything. Then, when I changed to
> the NAT solution I thought I ought to change something on the ATA - but I could
> not get it to work and basically returned to what it had been set to - and the
> damn thing worked. I later found out that the 660 has a built in and enabled
> SIP alu?
>

That's interesting to note...

> But, Zyxel have got a real bad bug in it which I fell over.
> If, for whatever
> reason, the modem drops the line and restarts, not a reboot, then the SIP code
> in the 660 will no longer talk to the code in the ATA. The fix is to reboot,
> wait for it, the ATA! I spent many hours tracing packets and talking with Zyxel
> support - luckily both units were theirs so I avoided the "pointing finger"
> syndrome :-) After a few weeks with several modified firmwares on both boxes
> they were getting no nearer a fix so I had a look at the ATA options and found
> one whereby you could give it the realworld IP address which it would embed in
> the VOIP packets - so NAT only had to deal with the addressing as any "normal"
> NAT stuff. I then turned off the SIP code in the 660 - been rock solid ever
> since and still does not need any additional stuff like STUN servers or
> proxies.
>

Yes. In your case, you needed to preserve the public IP and not the
NATed one. This was the situation I ran into with the IPSec VPN, and
worked around it in similar fashion, telling the Astaro Security Gateway
to expect an ID of 192.168.1.xxx, which satisfied its requirement.

> You can also define a "server" in the NAT setup but using this one to one stuff
> it is not required. The only downside is that one to one does not work like
> normal NAT in terms of protecting the LAN address - it passes everything.
> Someone elsewhere posted that the dodge there if you *need* the protection of
> NAT is to specify it as one to many - but only give it one inside address - He
> must be almost as sneaky as me :-)
>
> HTH
>

Great tips, Dave, thanks!

-- 
Lewis
------------------------------------------------------------
Lewis G Rosenthal, CNA, CLP, CLE
Rosenthal & Rosenthal, LLC
Accountants / Network Consultants
New York / Northern Virginia
www.2rosenthals.com
eComStation Consultants
www.ecomstation.com
Novell Users Int'l
www.novell.com/openenterpriseserver
Need a managed Wi-Fi hotspot?
www.hautspot.com
------------------------------------------------------------
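
Added example, not part of the original message: the thread turns on SIP and SDP carrying the endpoint's own address inside the payload, which plain NAT does not rewrite. This Python sketch lists the fields of a constructed INVITE that still carry an RFC 1918 address and models the ATA option Dave describes (embedding the real-world IP); the function names, the sample message and the documentation address 203.0.113.10 are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed SIP INVITE as an ATA behind NAT might send it (sample data only).
SAMPLE_INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bKconstructed\r\n"
    "From: <sip:alice@example.org>;tag=1\r\n"
    "To: <sip:bob@example.net>\r\n"
    "Contact: <sip:alice@192.168.1.50:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1 1 IN IP4 192.168.1.50\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.1.50\r\n"
    "m=audio 16384 RTP/AVP 0\r\n"
)

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
# SIP headers and SDP lines whose embedded address the far end uses to reply.
FIELDS = ("via:", "contact:", "o=", "c=")

def is_rfc1918(text):
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:  # dotted text that is not a valid address, e.g. 999.1.1.1
        return False
    return any(addr in net for net in RFC1918)

def embedded_private_addresses(message):
    """Return (field, address) pairs where a SIP/SDP field carries a private IPv4."""
    findings = []
    for line in message.splitlines():
        field = next((f for f in FIELDS if line.lower().startswith(f)), None)
        if field:
            findings += [(field.rstrip(":="), a) for a in IPV4.findall(line) if is_rfc1918(a)]
    return findings

def rewrite_with_public(message, public_ip):
    """Model the ATA option: put the public address wherever a private one is embedded."""
    for private in {p for _, p in embedded_private_addresses(message)}:
        message = re.sub(r"(?<![\d.])" + re.escape(private) + r"(?![\d.])", public_ip, message)
    return message

if __name__ == "__main__":
    print(embedded_private_addresses(SAMPLE_INVITE))
    print(embedded_private_addresses(rewrite_with_public(SAMPLE_INVITE, "203.0.113.10")))
```

An empty result after the rewrite means NAT only has to translate the packet headers, which is the state Dave reports as stable once the router's SIP code was turned off.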