NAT or no NAT

Guest

Hello,

A client has two XP Home PCs. They acquired two static public ip addresses
and were given an extra three from their ISP. They were apparently obtained I
was informed, in order for me to log in remotely through remote desktop
(should issues occur), to the two PCs.

The ISP provided instructions to set these up on the wireless ADSL router
and stated to disable NAT and to disable DHCP on the router.

All went well and then I noticed that XP Home does not allow anything other
than remote logins through remote assistance. Anyway, this isn't too much of
a problem as we use a third-party remote login software. I would just like to
clarify that XP Home is limited in this sense?

Anyway, the customer then advised that they wanted the public also, to bring
in their laptops to access the wireless router and obtain Internet
connectivity at their premises. I advised that as the wireless ADSL router
has DHCP disabled as per instructions from ISP, that it would not be
possible, unless I enable NAT and provided private ip addresses via DHCP to
the laptops, and I also advised, that only 3 more static ip addresses were
now available anyway, as two had been assigned to the PCs.

I did end up setting the router to using NAT and getting its ip address
dynamically from the ISP, and providing DHCP to clients. This worked fine.

However, I would like to clearly differentiate the difference or benefits of
NAT or no NAT.

Before deciding to use private ip addresses instead internally, I tried to
enable DHCP on the router whilst using the static ip addresses but it
wouldn't allow it anyway.

Does all this seem correct?

Many kind regards,
Jeff
 
Lanwench [MVP - Exchange]

jeffuk123 said:
> Hello,
>
> A client has two XP Home PCs. They acquired two static public ip
> addresses and were given an extra three from their ISP. They were
> apparently obtained I was informed, in order for me to log in
> remotely through remote desktop (should issues occur), to the two PCs.

My goodness, this all seems overkill for such a small network!

> The ISP provided instructions to set these up on the wireless ADSL
> router and stated to disable NAT and to disable DHCP on the router.

Yuck. They shouldn't disable NAT - they're opening up the network to huge
security risks by doing all of this. I don't know what kind of
router/firewall/AP this is, but if it can't handle more than one public IP
or do one-to-one NATting, replace it with something better. [OR - in
addition to NAT, set up each machine to listen for connection on a
different port from the other, so you can connect using a single public IP
and the appropriate port.] Use private IP addresses on the internal
computers - not public ones. The router/firewall should be doing NAT and
take care of the rest via access rules/forwarding to the private addresses.

Re DHCP - I'd leave it enabled, but set up DHCP reservations to the two
workstations, or set them to use statics. That way, other internal users
can connect to the network/internet easily, but the machines you want to
manage will be easily "findable"

Since they're using wireless, I sure hope they're at least using WPA....

> All went well and then I noticed that XP Home does not allow anything
> other than remote logins through remote assistance. Anyway, this
> isn't too much of a problem as we use a third-party remote login
> software. I would just like to clarify that XP Home is limited in
> this sense?

Yes; there's no remote desktop (host) in Home.

> Anyway, the customer then advised that they wanted the public also,
> to bring in their laptops to access the wireless router and obtain
> Internet connectivity at their premises. I advised that as the
> wireless ADSL router has DHCP disabled as per instructions from ISP,
> that it would not be possible, unless I enable NAT and provided
> private ip addresses via DHCP to the laptops, and I also advised,
> that only 3 more static ip addresses were now available anyway, as
> two had been assigned to the PCs.
>
> I did end up setting the router to using NAT and getting its ip
> address dynamically from the ISP, and providing DHCP to clients. This
> worked fine.

Except if your remote management software can't find the computer it wants
to, because it isn't using the IP address it expects. Dunno what you're
using; perhaps this isn't a problem.

> However, I would like to clearly differentiate the difference or
> benefits of NAT or no NAT.

Security, for one thing....

> Before deciding to use private ip addresses instead internally, I
> tried to enable DHCP on the router whilst using the static ip
> addresses but it wouldn't allow it anyway.

You can't use NAT if your external & internal addresses are on the same
subnet.
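
An added example, not part of either post: a small Python check of an address and port-forward plan against the points raised in the reply above (private addresses inside, WAN and LAN on different subnets, one external port per machine, forward targets pinned by reservation or static). The function name, addresses and port numbers are constructed for illustration.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def audit_nat_plan(wan_ip, lan_cidr, fixed_hosts, forwards):
    """Return findings for a small NAT + port-forward plan (empty list = OK).

    fixed_hosts: internal IPs pinned by a DHCP reservation or static config.
    forwards:    (external_port, internal_ip, internal_port) tuples.
    """
    findings = []
    wan = ipaddress.ip_address(wan_ip)
    lan = ipaddress.ip_network(lan_cidr)
    fixed = {ipaddress.ip_address(h) for h in fixed_hosts}

    # Internal machines belong on private space behind the router.
    if not any(lan.subnet_of(net) for net in RFC1918):
        findings.append(f"LAN {lan} is not RFC 1918 private space")
    # NAT needs the outside address to be off the inside subnet.
    if wan in lan:
        findings.append(f"WAN {wan} is on the same subnet as LAN {lan}")

    used = {}
    for ext_port, host, int_port in forwards:
        target = ipaddress.ip_address(host)
        # With a single public IP, each machine needs its own external port.
        if ext_port in used:
            findings.append(
                f"external port {ext_port} already forwards to {used[ext_port]}")
        used.setdefault(ext_port, target)
        if target not in lan:
            findings.append(f"forward target {target} is outside LAN {lan}")
        # An unpinned target can change address, so the forward may end up
        # pointing at whichever visiting laptop leased that address next.
        elif target not in fixed:
            findings.append(f"forward target {target} has no reservation or static")
    return findings

if __name__ == "__main__":
    # Constructed plans: documentation/private ranges and made-up ports.
    flat = audit_nat_plan("203.0.113.1", "203.0.113.0/29",
                          ["203.0.113.2", "203.0.113.3"],
                          [(5900, "203.0.113.2", 5900), (5900, "203.0.113.3", 5900)])
    natted = audit_nat_plan("203.0.113.1", "192.168.1.0/24",
                            ["192.168.1.10", "192.168.1.11"],
                            [(5901, "192.168.1.10", 5900), (5902, "192.168.1.11", 5900)])
    print("public addresses on PCs:", *flat, sep="\n  ")
    print("NAT with forwards:", natted or "no findings")
```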
 
