Mailing List os2-wireless_users@2rosenthals.com Archived Message #5880

From: "Lewis G Rosenthal" <os2-wireless_users@2rosenthals.com>
Sender: "OS/2 Wireless Users Mailing List" <os2-wireless_users@2rosenthals.com>
Subject: Re: [OS2Wireless] NAT issues
Date: Wed, 04 Jul 2007 00:04:27 -0400
To: "OS/2 Wireless Users Mailing List" <os2-wireless_users@2rosenthals.com>

On 07/03/07 03:02 pm, Dave Saville thus wrote :
On Tue, 03 Jul 2007 14:05:38 -0400, Lewis G Rosenthal wrote:

  
Unfortunately, these were 643's, and less flexible than the 660's (which are indeed nice units). It's either all or nothing, and in this case, it wouldn't have helped as there is only one public IP (though thankfully, static). ;-)

SNAT does indeed work for the setup you have, Dave. Do you have any services running which require NAT traversal? I'm wondering whether the 660 does this better than the 643.
    

Not sure exactly what you mean by NAT traversal. I run web and email servers, have run FTP and also VOIP. Now the latter gave me some fun.
VoIP requires NAT-T, just as IPSec VPNs do. IOW, we need to get the end points behind the routers to see the opposite side's real address, and not the private one.
In the first place, as I said, I was running real IP's through the 660 so my ATA just had the real world address - no need for STUN or anything. Then, when I changed to the NAT solution I thought I ought to change something on the ATA - but I could not get it to work and basically returned to what it had been set to - and the damn thing worked. I later found out that the 660 has a built in and enabled SIP alu?   
That's interesting to note...
But, Zyxel have got a real bad bug in it which I fell over. If, for whatever reason, the modem drops the line and restarts, not a reboot, then the SIP code in the 660 will no longer talk to the code in the ATA. The fix is to reboot, wait for it, the ATA! I spent many hours tracing packets and talking with Zyxel support - luckily both units were theirs so I avoided the "pointing finger" syndrome :-) After a few weeks with several modified firmwares on both boxes they were getting no nearer a fix so I had a look at the ATA options and found one whereby you could give it the real-world IP address which it would embed in the VOIP packets - so NAT only had to deal with the addressing as any "normal" NAT stuff. I then turned off the SIP code in the 660 - been rock solid ever since and still does not need any additional stuff like STUN servers or proxies.

  
Yes. In your case, you needed to preserve the public IP and not the NATed one. This was the situation I ran into with the IPSec VPN, and worked around it in similar fashion, telling the Astaro Security Gateway to expect an ID of 192.168.1.xxx, which satisfied its requirement.
You can also define a "server" in the NAT setup but using this one to one stuff it is not required. The only downside is that one to one does not work like normal NAT in terms of protecting the LAN address - it passes everything. Someone elsewhere posted that the dodge there if you *need* the protection of NAT is to specify it as one to many - but only give it one inside address - He must be almost as sneaky as me :-)

HTH

  
Great tips, Dave, thanks!

--
Lewis
------------------------------------------------------------
Lewis G Rosenthal, CNA, CLP, CLE
Rosenthal & Rosenthal, LLC
Accountants / Network Consultants
 New York / Northern Virginia           www.2rosenthals.com
eComStation Consultants                  www.ecomstation.com
Novell Users Int'l       www.novell.com/openenterpriseserver
Need a managed Wi-Fi hotspot?               www.hautspot.com
------------------------------------------------------------


=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
This message is sent to you because you are subscribed to
 the mailing list <os2-wireless_users@2rosenthals.com>.
To unsubscribe, E-mail to: <os2-wireless_users-off@2rosenthals.com>
To switch to the DIGEST mode, E-mail to <os2-wireless_users-digest@2rosenthals.com>
To switch to the INDEX mode, E-mail to <os2-wireless_users-index@2rosenthals.com>
Send administrative queries to  <os2-wireless_users-request@2rosenthals.com>
To subscribe (new addresses), E-mail to: <os2-wireless_users-on@2rosenthals.com> and reply to the confirmation email.
Web archives are publicly available at: http://lists.2rosenthals.com

This list is hosted by Rosenthal & Rosenthal, LLC
P.O. Box 281, Deer Park, NY 11729-0281. Non-
electronic communications related to content
contained in these messages should be directed
to the above address. (CAN-SPAM Act of 2003)

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
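
Added example, not part of the original message or of any Zyxel code: a Python sketch of the point discussed in the thread, that a SIP message carries the sender's address inside its headers and SDP body, where NAT that rewrites only the IP header leaves the private address in place. The sample INVITE, all addresses and the function names are constructed for illustration; `embed_public` mimics the ATA option described above.

```python
import ipaddress
import re

# Constructed sample: a SIP INVITE as an ATA behind NAT might send it.
# Addresses, user names and Call-ID are made up for illustration.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:bob@example.net SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK776asdhds",
    "From: <sip:alice@example.org>;tag=1928301774",
    "To: <sip:bob@example.net>",
    "Call-ID: a84b4c76e66710@192.168.1.50",
    "CSeq: 1 INVITE",
    "Contact: <sip:alice@192.168.1.50:5060>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=alice 2890844526 2890844526 IN IP4 192.168.1.50",
    "s=-",
    "c=IN IP4 192.168.1.50",
    "t=0 0",
    "m=audio 49170 RTP/AVP 0",
])

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Lines whose address the far end uses to send replies and media.
ROUTING = re.compile(r"^(Via:|Contact:|c=)", re.I)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def embedded_private_addrs(msg):
    """Return (line_no, line, addr) for private addresses in routing lines."""
    hits = []
    for n, line in enumerate(msg.split("\r\n"), 1):
        if ROUTING.match(line):
            hits += [(n, line, a) for a in IPV4.findall(line) if is_rfc1918(a)]
    return hits

def embed_public(msg, public_ip):
    """Write the public address into routing lines, as the ATA option does.
    A Content-Length header, if present, would also need recalculating."""
    swap = lambda m: public_ip if is_rfc1918(m.group()) else m.group()
    return "\r\n".join(IPV4.sub(swap, l) if ROUTING.match(l) else l
                       for l in msg.split("\r\n"))
```

Running `embedded_private_addrs` over a packet capture of your own ATA's traffic on the WAN side shows whether private addresses are still leaking into the signalling after NAT.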


