Network Routing Proving Difficult
While there’s nuance to it, and some attention to detail necessary, IP routing isn’t supposed to be as hard as it’s proving to be this week.
I finally got my new block of IPs from my new ISP. Now I’m trying to get the network set up to use it, and it’s proving to be a bit obnoxious.
To recap and set the scene, I’m trying to move from my current DSL+fiber Internet access to a new fiber provider. I use the DSL to have a block of static IPs to serve some junk, like this website, but it’s capped at 100Mb/s, with asynchronous outbound closer to 20Mb/s. I got their upscale fiber service to get closer to synchronous 1Gb/s speeds, and while it is that, they don’t offer static IPs, despite being “basically the same company” according to the sales peeps who set me up.
I got a new fiber provider that delivers closer to 1Gb/s speeds in both directions, and did offer static IPs. I asked about getting an IP block, and they do that, but only for business customers, so I said “let’s do that!”
Finally, after a few weeks and a curious equipment swap, I’ve been given a block of 8 IPs, just like I had before. One difference is that I need to route the IPs through the IP that they gave me before. Obscured, it should look a little like this:
{ INTERNET } - [ ISP 10.0.0.133/30 ] - [ ME 10.0.0.134/30 : 10.0.1.128/29 ]
So the small, 2-node network gives them a .133 address and my router a .134 address. My LAN side of the router, labeled “ME” in the diagram, should be a 6-node network, with 1 address used by the router and 5 available for my servers.
Add to this a WiFi router I want connected to the “ME” LAN, and a portable computer I’m using to test the things.
I had purchased a TP-Link ER605 GB VPN router for the task. It seemed capable of being configured for making this go. Once the allocation was shared with me, I configured and installed the ER605 on the network, and reconfigured the WiFi router I had installed as a node on that LAN, and it all seemed to work!
Except that while I could get to the Internet from a node connected to the WiFi router, I couldn’t reach the WiFi router (which is doing NAT, but has a port pass-through for testing) from the Internet. I scratched my head a lot, as the router test tools could ping everything just fine. I just couldn’t connect from my otherwise Internet-connected device through to the test node, as I could before I installed the TP-Link in between.
It took a whole day before I realized that the TP-Link wasn’t truly routing, but was instead doing NAT to the LAN. It respected the address range just fine, but it was treating it like the private IP network it had originally, 192.168.1.1/24.
I found there’s a beta version of their firmware that allows disabling the NAT, but that then treats the LAN traffic like it’s on the WAN interface, which isn’t how routers work, but more like switches. Turning on the disable NAT rule severed the LAN nodes from the Internet.
I groaned and searched some more. I found a bit about how what I’m trying to do should be possible with my WiFi router, but that would sacrifice its ability to NAT, which is useful for the other things on my network, like the iPad I’m using to tap this out.
Then I remembered that I have a previous-gen of my WiFi router that I was using as a mesh node for a bit. I plugged it in, removed it from the mesh, reconfigured it with the new network IPs, disabled the NAT and firewall (I figured I’d eliminate firewall as a potential problem and turn it on later if I need to), and replaced the TP-Link.
It connected immediately to the Internet, and from the “ME” WAN configuration interface, I could tell it could see the WiFi router plugged into it, and the little Windows handheld I’m using to configure things. However, neither the Windows node nor the WiFi router, nor nodes connected to the WiFi router, seem to see the Internet through the other router.
From the “ME” WAN router, I can ping nodes on the Internet and the LAN, tested using the web interface and ping (and traceroute) from an SSH session. From the WiFi router, I can ping and SSH to the “ME” WAN router, and nodes on its LAN.
The block still seems to be in the “ME” WAN router. Because nodes connected directly to the router can’t reach the Internet, but they can reach other nodes on the LAN, it seems that there’s something amiss with the routing in the router. It knows to send traffic to the correct network, but is missing the bit to move across the network.
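As an added illustration (not from the post, and not tied to any of the routers named above), here is the layout of the /30 link plus routed /29 from the diagram worked out in Python, along with the plain routed (no-NAT) configuration a Linux router would need and a checker that maps the two failure modes described above onto their likely causes. It assumes a Linux router with iproute2, interface names “wan” and “lan” are placeholders, and the symptom-to-cause mapping is my reading of the post, not something it confirms.

```python
import ipaddress

def plan_routed_block(isp_link, my_link, lan_block, wan_if="wan", lan_if="lan"):
    """Validate the ISP point-to-point /30 plus the /29 routed to my side of it,
    and return the addresses and the no-NAT router config for that layout."""
    isp = ipaddress.ip_interface(isp_link)
    me = ipaddress.ip_interface(my_link)
    lan = ipaddress.ip_network(lan_block, strict=True)
    if isp.network != me.network:
        raise ValueError("ISP and router link addresses are not on the same network")
    if me.ip not in list(isp.network.hosts()) or me.ip == isp.ip:
        raise ValueError("router link address is not a free usable host on the link")
    if lan.overlaps(isp.network):
        raise ValueError("routed block overlaps the link network")
    hosts = list(lan.hosts())
    gateway = hosts[0]  # first usable address of the /29 goes to the router's LAN side
    return {
        "wan_addr": str(me),
        "default_via": str(isp.ip),
        "lan_addr": f"{gateway}/{lan.prefixlen}",
        "server_addrs": [str(h) for h in hosts[1:]],   # what is left for servers
        "upstream_route": f"{lan} via {me.ip}",         # route the ISP side must carry
        "commands": [                                   # assumed Linux/iproute2 router
            f"ip addr add {me} dev {wan_if}",
            f"ip addr add {gateway}/{lan.prefixlen} dev {lan_if}",
            f"ip route add default via {isp.ip} dev {wan_if}",
            "sysctl -w net.ipv4.ip_forward=1",          # forward, do not just terminate
            # deliberately no MASQUERADE/SNAT rule: the /29 is public and routed
        ],
    }

def diagnose(ip_forward, nat_on, host_gateway, lan_gateway):
    """Map a router's state onto the symptoms in the post (my reading, constructed)."""
    findings = []
    if nat_on:  # LAN can reach out, but public addresses are hidden behind the router
        findings.append("NAT enabled: inbound to the /29 fails, outbound works")
    if not ip_forward:  # LAN hosts reach the router and each other, nothing beyond it
        findings.append("IP forwarding off: LAN reaches router only")
    if ipaddress.ip_address(host_gateway) != ipaddress.ip_address(lan_gateway):
        findings.append("host default gateway is not the router's LAN address")
    return findings or ["routed configuration looks consistent"]
```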
It’s been a bit, but I’ve done this a lot in the past. It’ll come back to me, and I’ll face-palm myself, and on recovering, remind myself of the solution here.