Netopia CLI 874 manual Stateful Inspection Commands, Restriction

Motorola Netopia® Router Connection Profile Commands 3-21

Beginning with Firmware Version 8.3.3, IP Passthrough allows a first come first serve mode, which defaults to an all-zeroes MAC address.

If you leave the default all-zeroes MAC address, the Router will select the next DHCP client that initiates a DHCP lease request or renewal to be the IP passthrough host. When the WAN comes up, or if it is already up, the Router will serve this client the IP passthrough/WAN address. When this client's lease ends, the IP passthrough address becomes available for the next client to initiate a DHCP transaction. The next client will get the IP passthrough address. Note that there is no way to control which PC has the IP passthrough address without releasing all other DHCP leases on the LAN.

Note: If you specify a non-zeroes MAC address, the DHCP Client Identifier must be in the format specified above. Macintosh computers allow the DHCP Client Identifier to be entered as a name or text, however Motorola Netopia® routers accept only strict (binary/hex) MAC address format. Macintosh computers display their strict MAC addresses in the TCP/IP Control Panel (Classic MacOS) or the Network Preference Pane of System Preferences (Mac OS X).

Once configured, the passthrough host's DHCP leases will be shortened to two minutes. This allows for timely updates of the host's IP address, which will be a private IP address before the WAN connection is established. After the WAN connection is established and has an address, the passthrough host can renew its DHCP address binding to acquire the WAN IP address.

A restriction

Since both the router and the passthrough host will use same IP address, new sessions that conflict with existing sessions will be rejected by the router. For example, suppose you are a teleworker using an IPSec tunnel from the router and from the passthrough host. Both tunnels go to the same remote endpoint, such as the VPN access concentrator at your employer’s office. In this case, the first one to start the IPSec traffic will be allowed; the second one – since, from the WAN it's indistinguishable – will fail.

Stateful Inspection Commands

See also:

■“Stateful Inspection Commands” on page 2-85 for Global Stateful Inspection commands.

■“Stateful Inspection Configuration Commands” on page 2-32 for Ethernet interface commands.

Note: The commands in this section are supported beginning with Firmware Version 8.2.

cp { name index } ip state-insp enable { yes no on off } no cp { name index } ip state-insp enable

show cp { name index } ip state-insp enable

These commands allow you to set, disable, or show the status of stateful inspection for the specified Connection Profile. This option is disabled by default. Stateful inspection prevents unsolicited inbound access when NAT is disabled.