SD WAN router conversion

SD WAN equipment can be managed using business-aligned policies written by a network engineer.

For network connection quality and security, it is advised that the WAN to router conversion be done as per the following approach:

Pre-conversion, the ISP’s router is to be converted to an ISP gateway (Ethernet 1) which will support private IP addresses or “trunking” where possible. Pre-conversion, the ISP’s LAN connection to the actual gateway is to be upgraded. NAT from the LAN connection to the ISP’s router is done via a port forwarding rule with a small number of IPs as potential private addresses.

Typically, a LAN gateway has several interfaces which must be identified by the network administrator to get everything working correctly. In a residential environment the LAN interface must be identified as either an IP address or DNS nameserver. These addresses can be used to forward traffic.

A common NAT method is to have an individual IP address assigned to each device. The wireless LAN gateway provides for the management of connections between devices and the management of DNS servers. In most cases, if there is a valid DHCP server configured on the WAN interface, the WAN interface will show up as a DHCP server with no need for port forwarding or another NAT method. There is also information about this at sites such as https://www.fortinet.com/resources/cyberglossary/sd-wan-explained, which have the best explanation of WAN definitions.

Frequently in situations when there is only one NAT interface on a switch, it is advantageous to configure a “nat” rule, such as the following one, to allow IPv4 and IPv6 traffic to flow over the NAT gateway:

The router is configured to use the network interface for static IPs and to forward NAT to IPv4. A DHCP server is configured on the LAN interface. The NAT gateway is configured to forward the ARP packets and DNS replies that enter this switch to the NAT source network address. The DHCP server and NAT gateway are turned on for a static IP and to forward NAT to the source IP on the network. The network interfaces are configured to use the network MAC addresses. This will prevent rogue DHCP clients from assigning static MAC addresses. An IP address from the LAN and the NAT source network addresses are assigned to devices.

Depending on the way the MAC address is assigned, there may be some delay before the NAT is recognized. If the MAC address is assigned to a device, then the connection will probably work, but if the MAC address is assigned to a device as an address (vendor specific), then it will be very difficult to get this connection working. The additional MAC address can be assigned to a DHCP server to prevent rogue DHCP clients from assigning private IP addresses.

Port forwarding rules, when used correctly, are very useful in making a connection to a WAN port. Port forwarding can also help bridge connections between devices where both have IP addresses and/or have a private IP address and a MAC address for their devices.

Using the same NAT method as above (IP addresses or DNS nameserver), the WAN switch will show up as an IP server, although the WAN port will only be accessible to LAN clients who use the DHCP server to assign static IPs. The DHCP server will only see a DHCP request; the port forwarding rule will not forward the request to the WAN switch for broadcast packets.

If it is necessary to use port forwarding on a WAN switch, the NIC’s port forwarding must be configured to do a static NAT (port forwarding rule on the NAT switch). This requires additional NICs for the NAT switch and the port forwarding rule must be configured on the NAT switch. For this, you can use Treasure Valley IT to improve your IT hardware procurement in Boise, ID.