Hello @Clive_A,

thank you for the quick response to my question.

I know the basic concept for a one-to-one NAT, but I have a special requirement: In an existing network with a Fritz!Box, an ER605 and an OC200, I have to integrate a special device that only has a fixed IP address. So I want to use the NAT functionality to translate this address (10.x.x.x).

The unpleasant alternative would be to give all other devices (over 100) a new IP address in the 10.x.x.x range. This is very time-consuming and error-prone.

What's wrong with setting up a LAN2 with a different IP range "under" a LAN1?

It doesn't work with my infrastructure to assign port-by-port IP ranges to the first ER605, because there are other devices on the string with the special device via a switch.

Yes, if I could redesign it, I would do it differently today...

Best regards

  @Sheep_Dog ,

Isn't the main point of NAT to reduce IP exhaustion and hide the details of the LAN?

And yet you use mappings to give each LAN client an IP on the WAN side?

As is, that's 3 layers of NAT within your network for some of your devices!

So you have different networks and they need to communicate.

Why don't you setup a few VLAN on your top router?

I suspect you might be able to create a network per LAN port but I haven't tried that. That's if you don't have VLAN capable switches.

By default, VLANs will all be able to talk to one another using their actual IP addresses. You can constrain inter-VLAN traffic.

If your existing router can't do this, maybe you put it in bridge mode and move all your devices behind the ER605.

If you insist on keeping your existing top level LAN, you'll have to manage mappings only once at that first layer.

 Hello @EricPerl,

thank you for your information and questions

My main purpose of NAT is not to reduce IP exhaustion. Yes, the IP ranges should be separated.

No, not every device can communicate with every device. Only a few devices have comprehensive access.

Yes, there are 3 IP ranges, with two ranges having special features:

- The first IP range is specified by the Fritz!box, which will probably be discontinued after some time.

- The third IP range is only for one (!) device, as it cannot be changed in terms of IP.

(The second IP range is my main area)

Yes, I have three different network ranges and they must communicate. I have moved away from the VLAN approach on the top router because I cannot assign the ranges to individual ports on the ER605 or 1:1 VLANs. Unfortunately, the in-house cabling does not allow this. I can't move all my devices behind the ER605-1 either, because the cabling doesn't allow it, and I can't use WiFi for some devices.

Yes, I would like to keep the existing top-level LAN, which would then have three LAN levels:

LAN1 (top), LAN2 (middle), LAN3 (bottom).

I have successfully stored NATs in the ER605-1 for LAN1 and LAN2, but not for access from LAN1 to LAN3.

My levels are:

- Fritz!Box -> ER605-1 -> ER605-2 -> Dedicated mini-computer

- WAN____-> LAN1____-> LAN2___-> LAN3

Perhaps I'm making a mistake in my thinking.

  @Sheep_Dog ,

IP v4 exhaustion is definitely a concern at the global level and NAT is a critical part of addressing it.

From the WAN side, the details of the LAN are unknown. Range, number of clients... All traffic appears to be coming from the GW's WAN address.

Exposing 1:1 mappings defeats the purpose. It's not a concern globally because you're doing it within the confines of your LAN...

And it explains why you can't access LAN3 from LAN1. With the method that you use, you'd need to do another mapping from LAN1 to the LAN2 mapping of the LAN3 machine you want to access. I guess that technically it means that instead of doing NAT with port mappings (GW-WAN-IP:X to Machine-LAN-IP:Y) you end up with IP mappings (Machine-WAN-IP:Y to Machine-LAN-IP:Y). You can't jump directly from 1 to 3 because you have to traverse each layer one by one.

This will end up being unmanageable really quickly. It's also quite unnatural and inefficient.

I'm also in a situation where my house wiring is constraining my internal physical network.

I made a post about it a few months ago.

But as long as you can physically get to all the devices, the beauty of VLANs is that you can build a logical/virtual network on top of that physical network to fulfil your needs.

By doing assignment of physical switch ports to VLAN profiles, you indicate which wired client(s) belongs to which VLAN.

By creating a SSID per VLAN, you bind wireless clients to the VLAN based on the SSID they connect to.

This is actually quite easy with Omada (and Omada compatible switches and APs). There's a guide for that.

All clients can communicate using their native IPs out of the box.

For your fixed IP machine, you create a VLAN with a compatible IP range.

And again, you can curtail inter-VLAN traffic.

HTH 

  @Sheep_Dog 

You absolutely can assign an entire VLAN, all by itself to each ER605 port, in both standalone and controller mode.

I dont understand why you dont just have as many vlans as you need, with their own IP ranges, and assign individually to each router port, then use ACLs to control inter vlan communication, all from one router.  Adding a basic omada switch will allow you better control of the VLANs splitting off the ER605 from each port, and allow more granular switch ACLs.

Granted, this is actually a bit easier to achieve in standalone, but absolutely doable in controller.

And Switch VLAN distribution:

And Switch based inter-vlan control ACLs