NAT32 Version 2 uses a Packet Classifier to gather additional information about packets prior to routing. Its IP Router then uses this information to make complex routing decisions that allow many different network configurations to be implemented. Several of those configurations are described below.
One Network, One or Two Gateways
The above configuration consists of a private network (192.168.178.0) behind two external routers, each of which has its own connection to the Internet. For example, each router might use a DSL, Cable or 4G/LTE Internet connection, and each such connection will generally have different connection characteristics. The two routers are directly connected and have the IP addresses 192.168.178.1 and 192.168.178.2.
NAT32 can run on any (or all) of the private machines on the 192.168.178.0 network.
Configuration consists of selecting the computer's network interface and then specifying that it is an Internet-connected interface. In the subsequent Interface Configuration dialog box, the two gateway addresses (192.168.178.1 and 192.168.178.2) should be entered. When NAT32 then runs, all Windows traffic will be intercepted and routed to either Gateway 1 or Gateway 2 in accordance with the selected Gateway Selection Algorithm. In addition, all DNS requests will be intercepted by NAT32's DNS Resolver to protect your users from unwanted content.
It is also possible to specify that only specific machines are to use a particular gateway. This is done via the route alt command.
If NAT32 is to run on only a single machine, and if the other machines are to forward traffic via NAT32, then the following points should be noted:
- Configure the Windows TCP/IP protocol on the NAT32 machine to use a fixed IP address on the 192.168.178.0 network, and then set both the default gateway address and the DNS address to 192.168.178.1.
- Turn off the DHCP Server functionality in each external router and then enable the NAT32 DHCP Server functionality on the NAT32 Internet interface (see DHCPD for details).
- Reconfigure each of the other private machines either by rebooting them or running the commands ipconfig /release followed by ipconfig /renew in a Windows Console.
Two Networks, One or Two Gateways
The above configuration consists of a private network (192.168.178.0) behind two external routers, and just the NAT32 machine (192.168.178.32) on that network. The other private machines connect to a second private network (192.168.1.0) to which the NAT32 machine connects via a second network adapter. That adapter should be configured under Windows to use a fixed IP address on the 192.168.1.0 network. No gateway or DNS address need be specified. When NAT32 runs, its DHCP Server will be enabled by default, and all of the private 192.168.1.x machines will be configured correctly.
This configuration has the advantage that the private machines on the 192.168.1.0 network are isolated from the Internet and protected by two external firewalls: the external router(s) and the NAT32 router. All private machines then enjoy enhanced performance and protection that only external firewalls can offer.
Per default, NAT32 performs address translation for traffic to/from private networks. This means that two levels of network address translation are being done: first by NAT32 and then again by the external router(s). This "double-NAT" issue can cause problems for some applications running on the computers connected to the private networks.
The issue can be avoided if the external router has the following capabilities:
Many DSL routers (such as all FritzBox models from AVM in Germany) have the required capabilities and the command rmode p on will set a "routing only" mode that turns off NAT32's network address translation feature.
- It is able to map/unmap traffic from any IP source address (i.e. from computers on another network).
- It allows a network-specific route to be added that specifies NAT32's IP address as the gateway to another network.
Download, ReadMe, Configuration, Reconfiguration, Routing Mode