Solution Disable NAT on Omada Router
This Article Applies to:
Certain Omada models.
Issue Description/Phenomenon:
In certain situations, especially, ISP provides a modem-router and intends to disable the NAT to eliminate the double-NAT problem.
Available Workarounds/Solutions:
Our team has developed an early firmware version to address the issue mentioned above.
Disable NAT function is developed on the recent firmware release:
For ER706W V1 based on 1.0.4, download here;
ER7206 V2 based on 2.1.2, download here.
More to come this month:
ER605 V2 based on 2.2.6, download here.
ER7206 V1 based on 1.4.2, download here.
ER8411 V1 based on 1.2.2, download here.
Note:
1. The firmware above only applies to the standalone mode.
2. Please be advised that if there are any delays or cancellations in the development progress, we will not provide notifications or explanations. Additionally, we do not offer any guarantees to their release before the actual development of firmware has been finished. For information on the final outcome, please refer to future updates on this thread.
3. For other models, the official fix/solution will be included in the upcoming V5.15.X Omada Controller and its associated firmware. We cannot provide a specific release date at this time.
Thank you for your attention!
Update Log:
Sep 20th, 2024:
Add ER605 V2 2.2.6.
Sep 14th, 2024:
Release of this article.
Feedback:
If this was helpful, welcome to give us Kudos by clicking the thumbs-up button below.
If the solution doesn't work for you, your case is probably different from what is described here.
In that case, please feel free to click Start a New Thread and elaborate on the problem so that we can try to help you further.
Thank you for your great cooperation and patience!
TP-Link Support Team
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
This link don't work for me.
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
could you share any timeline when Controller Software 5.15 Early Access will be released?
- Copy Link
- Report Inappropriate Content
@Clive_A Is this applicable on controller mode or only ins standalone mode?
- Copy Link
- Report Inappropriate Content
@ceejaybassist actually only in standalone. in controller mode with 5.15
- Copy Link
- Report Inappropriate Content
@mainkowitsch So many features planned for 5.15. I just hope all the lined up features will really be added in that version.
- Copy Link
- Report Inappropriate Content
Hi @mainkowitsch @ceejaybassist
Thanks for posting in our business forum.
mainkowitsch wrote
could you share any timeline when Controller Software 5.15 Early Access will be released?
As explained in the note. Please do not iterate a question that has been answered in the note. If there is a beta, the forum will first send it out for public tests. We always keep the latest news on the forum so that you can take part in the tests.
For the controller query, please consult this matter on the Controller page. So far I have not noticed any new V5.15 released yet.
I am offering this article to put together the very early beta firmware so it can help some people with their needs. Please understand you only have what's been offered as this is early access. At this moment, we do not take customized requirements. This beta solely aims and addresses the disable NAT function.
I once thought it was not necessary to release this to the public to avoid any unnecessary concerns or requests before V5.15.X was officially posted on the forum for public tests. If this thread continues to cause unnecessary discussions and concerns, I will pull off this thread.
Please note that this will involve an adapted firmware, not just a controller update. Firmware development is a complex process, and timelines may change. Therefore, we cannot provide a specific release date at this time. Please stay tuned to future firmware release notes for updates.
When introducing a feature like this, we typically apply it uniformly across all models to ensure consistency and a seamless user experience.
However, it's essential to acknowledge that hardware limitations may exist, which might prevent us from adding the feature to certain models. In such cases, we cannot provide individual notifications explaining the reason. Please note that we cannot guarantee the fulfillment of all requests, and we must set clear expectations upfront.
- Copy Link
- Report Inappropriate Content
Thanks for this feature.
Even with this feature, I'm not sure the ER605 does what I think it does; I'm unsure if it's the wrong equipment or configuration.
I'm trying to use the little ER605 router to route between the Internet and a public IP subnet.
{ INTERNET } [ ISP 10.0.0.1/30 ] - [ ER605 WAN 10.0.0.2/30 LAN 10.0.1.1/29 ] ...
Obscured private IPs, but accurate representative subnets.
I've got a public IP subnet routed through a static public IP provided by my ISP. The static IP is provided in a 2-node /30 (technically 4, but definition and broadcast eat 2), and my subnet is an 8-node (six usable...) /29, like demonstrated in the little map above. They've confirmed my subnet is routed via my static IP, so nodes on the Internet should be able to reach devices on my LAN, if my router behaves.
To make this happen, I set the WAN address and gateway to match the /30, similar to the diagram, and I changed the IP addresses in the LAN configuration to match the /29, choosing the first IP for the LAN address, similar to what's in the diagram, and disabled DHCP. I manually configured a device with a different address from the /29 and set its gateway to the LAN address. Out of the box, this seemed to work, as the node could reach the Internet, but I could not reach the node from the Internet.
From the Internet, I can reach (via ping or the web UI, when allowed) the ER605 WAN port, but I cannot reach any service on the LAN node. It took me too long to realize the ER605 is a strong "NAT only" device, and was disappointed when I couldn't find a way to disable it or configure around it.
I was tickled to find this thread. i thought the "disable NAT" would encourage the router to route between the WAN and LAN, but it does not seem to be doing this. Again, hopeful this is a problem with configuration, and maybe I missed something.
With the NAT disabled, from the router UI, I can use the test tool and ping to the Internet and a node on the LAN, but I cannot reach the Internet from the node on the LAN although configured correctly (e.g., 10.0.1.2/29 with gateway 10.0.1.1). Also, I still cannot reach a LAN node from the Internet.
When the NAT is enabled, it works so that nodes on the LAN can reach the Internet, of course, but the public subnet is treated as a private network, where the presented IP is the WAN IP of the ER605, and access from the Internet to the subnet is still not available.
I don't see any changes to the routing table when changing the disable NAT feature, but it always looked "right" for "Internet this way, subnet that way" rules. I can't see where a forward or NAT configuration is added, ala iptables NAT forwarding rules in LINUX. I've also not poked at anything via SSH, hoping the configuration necessary would be exposed via the UI.
The the only documentation I could find is in the beta firmware UI, in the pop-up help, that seem to indicate that when NAT is disabled, it seems the LAN traffic will be simply bridged to the WAN, and not routed between. This doesn't seem like I'd expect a router to behave, and since the IPs involved want routing and not bridging, it would give the result I'm experiencing.
Is there a configuration item I've missed to ensure that traffic from the LAN subnet is routed to the Internet, and vice versa, when the NAT is disabled?
Or is that pure routing not a feature of this router?
Please advise or redirect. I've searched and cannot find any other articles that suggest a solution, except for a couple older items looking for this kind of "disable NAT" solution, but clearly those were before this was offered, and any subnet routing discussion was stopped with "no can do" pretty quickly.
Thanks for reading this far.
- Copy Link
- Report Inappropriate Content
Hi @JeKeWa
Thanks for posting in our business forum.
JeKeWa wrote
Thanks for this feature.
Even with this feature, I'm not sure the ER605 does what I think it does; I'm unsure if it's the wrong equipment or configuration.
I'm trying to use the little ER605 router to route between the Internet and a public IP subnet.
{ INTERNET } [ ISP 10.0.0.1/30 ] - [ ER605 WAN 10.0.0.2/30 LAN 10.0.1.1/29 ] ...Obscured private IPs, but accurate representative subnets.
I've got a public IP subnet routed through a static public IP provided by my ISP. The static IP is provided in a 2-node /30 (technically 4, but definition and broadcast eat 2), and my subnet is an 8-node (six usable...) /29, like demonstrated in the little map above. They've confirmed my subnet is routed via my static IP, so nodes on the Internet should be able to reach devices on my LAN, if my router behaves.
To make this happen, I set the WAN address and gateway to match the /30, similar to the diagram, and I changed the IP addresses in the LAN configuration to match the /29, choosing the first IP for the LAN address, similar to what's in the diagram, and disabled DHCP. I manually configured a device with a different address from the /29 and set its gateway to the LAN address. Out of the box, this seemed to work, as the node could reach the Internet, but I could not reach the node from the Internet.
From the Internet, I can reach (via ping or the web UI, when allowed) the ER605 WAN port, but I cannot reach any service on the LAN node. It took me too long to realize the ER605 is a strong "NAT only" device, and was disappointed when I couldn't find a way to disable it or configure around it.
I was tickled to find this thread. i thought the "disable NAT" would encourage the router to route between the WAN and LAN, but it does not seem to be doing this. Again, hopeful this is a problem with configuration, and maybe I missed something.
With the NAT disabled, from the router UI, I can use the test tool and ping to the Internet and a node on the LAN, but I cannot reach the Internet from the node on the LAN although configured correctly (e.g., 10.0.1.2/29 with gateway 10.0.1.1). Also, I still cannot reach a LAN node from the Internet.
When the NAT is enabled, it works so that nodes on the LAN can reach the Internet, of course, but the public subnet is treated as a private network, where the presented IP is the WAN IP of the ER605, and access from the Internet to the subnet is still not available.
I don't see any changes to the routing table when changing the disable NAT feature, but it always looked "right" for "Internet this way, subnet that way" rules. I can't see where a forward or NAT configuration is added, ala iptables NAT forwarding rules in LINUX. I've also not poked at anything via SSH, hoping the configuration necessary would be exposed via the UI.
The the only documentation I could find is in the beta firmware UI, in the pop-up help, that seem to indicate that when NAT is disabled, it seems the LAN traffic will be simply bridged to the WAN, and not routed between. This doesn't seem like I'd expect a router to behave, and since the IPs involved want routing and not bridging, it would give the result I'm experiencing.
Is there a configuration item I've missed to ensure that traffic from the LAN subnet is routed to the Internet, and vice versa, when the NAT is disabled?
Or is that pure routing not a feature of this router?
Please advise or redirect. I've searched and cannot find any other articles that suggest a solution, except for a couple older items looking for this kind of "disable NAT" solution, but clearly those were before this was offered, and any subnet routing discussion was stopped with "no can do" pretty quickly.
Thanks for reading this far.
Not sure what level of skill you have. No offense. Just find some thoughts strange to have here.
First, we don't support any sort of iptables to change the route. No support to enter the debug mode of the router. Nor do we provide flash firmware to a third-party or add a CURL to the system. The system is not an open platform.
Second, the disable NAT was requested to resolve the double-NAT situation. This is what's been asked on the request page. I don't think this is what you need. You looks like you need port forwarding instead of disabling the NAT.
And think about the direction you travel.
How do you determine the IP address? You tried to access the private IP address from a device that has a public IP?
Not to mention that you should test the NAT status from LAN. You Wireshark on the WAN and you find that the data comes from the local IP.
NAT was meant to share a single public IP to multiple devices. So, disabling it means that the local(private) IPs are no longer being translated.
- Copy Link
- Report Inappropriate Content
@Clive_A Why can this not be enabled for Controller mode? Obviously the hardware supports it!! Please extend the ability to disable NAT to the routers running in controller mode!
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 1054
Replies: 11
Voters 0
No one has voted for it yet.