Cisco Router – Slow Performance with Comcast Business Static IP

cisco;nat;router

I have a server with a static IP address connected to a Comcast Business router (Cisco DPC3941B).

I also have a second machine directly connected to the same router. It gets assigned a NAT address 10.x.x.x.

When the second machine connects to the server (or vice versa) I get very slow performance. For example, if I do an RDP connection from the second machine to the server, the screen draw is unbearably slow. Similarly, an HTTP connection from the second machine to the server (via a browser) is noticeably slow.

However, when connecting to the server from an outside network, everything seems fine. No unusual delays or performance problems.

The exact same setup with a different router (a Motorola one) did not have this problem.

Is this a problem/limitation with this router? Why? Is it the translation over the NAT? Why is that so slow?

Or is it something about my setup? Could I have misconfigured something on the server or router?

Any suggestions for debugging/diagnosing?


EDIT 27 May 2018: Added config settings

ROUTER CONFIG
Router is set to defaults/factory settings except for what Comcast 
did to set up the static IP address, etc. Settings as follows:

Bridge Mode: Disabled
WiFi: Enabled (but not used)
DOCSIS Software Version: dpc3941b-v303r20421762-180419a-CMCST
Model: DPC3941B
Vendor: Cisco
Hardware Revision: 1.0
Processor Speed: 447.28 MHz
DRAM: 1048576 MB
Flash: 128 MB

Firewall
Disable Firewall for True Static IP Subnet Only: OFF
Disable Gateway Smart Packet Detection: ON
Disable Ping on WAN Interface: OFF

Firewall Security Level: Minimum
LAN-to-WAN: Allow all
WAN-to-LAN: Block IDENT (port 113)

Local IP Network
IP Address (IPv4): 10.1.10.1
Subnet mask: 255.255.255.0
DHCPv4 Server: Enabled
DHCPv4 Lease Time: 7d:0h:0m
Link Local Gateway Address (IPv6): fe80::481d:70ff:fede:dcc8
Global Gateway Address (IPv6): 2603:3024:1705:3c00:481d:70ff:fede:dcc8
Delegated prefix: 2603:3024:1705:3c00::/56
DHCPv6 Lease Time: 7d:0h:0m
IPV6 DNS: 2001:558:feed::1

WAN Network
Internet:Active
Local time:2018-05-26 14:11:06
System Uptime: 4 days 16h: 56m: 42s
WAN IP Address (IPv4): 50.242.89.126
WAN Default Gateway Address (IPv4): 24.5.176.1
WAN IP Address (IPv6): 2001:558:6045:bf:31e4:2d63:9158:8238
WAN Default Gateway Address (IPv6): fe80::201:5cff:fe65:4c46
Delegated prefix (IPv6): 2603:3024:1705:3c00::/56
Primary DNS Server (IPv4): 75.75.75.75
Secondary DNS Server (IPv4):75.75.76.76
Primary DNS Server (IPv6):2001:558:feed::1
Secondary DNS Server (IPv6):2001:558:feed::2
WAN Link Local Address (IPv6): fe80::4a1d:70ff:fede:dcc7
DHCP Client (IPv4):Enabled
DHCP Client (IPv6): Enabled
DHCP Lease Expire Time (IPv4): 2d:10h:53m
DHCP Lease Expire Time (IPv6): 2d:17h:59m

Managed Sites: Disabled
Managed Services: Disabled
Managed Devices: Disabled
Port Forwarding: Disabled
Port Triggering: Disabled
True Static IP Port Management: Disable all rules and allow all
   inbound traffic through
Remote Management: Disabled
DMZ: Disabled
NAT: Disable All
Static Routing: None
Dynamic DNS: Disabled
Device Discovery: Disabled

EDIT 27 May 2018
This might be relevant: Email not delivered over local wifi, delivered all other times

Perhaps the Cisco router does not support Hairpinning? But wouldn't that result in NO connection as opposed to a slow connection?

Best Answer

Assuming the "server" is located in your network, accessing the router by the public address requires hairpinning: a client's packet is first source NATed, then destination NATed by port forwarding/reverse NAT. That can be slow on some routers, doesn't work at all on others, and it's generally very inefficient.

When both client and server are located on the same private network, NAT is only a burden. A better solution is to access the server by its private address directly.

The easiest way to do that is to set up split-brain DNS: on your DNS server, you set up an A record with the server FQDN, pointing to the private address (instead of the public DNS which points to the public = the router's address). That way, clients in your local network use the private IP address while anyone outside uses the public IP.
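
The split-brain behaviour described in the answer, modelled as an added Python example (not part of the original question or answer): it picks the DNS view for a client by first match, as view-based servers such as BIND do, and flags LAN clients that are still sent to the public address as well as outside clients that are handed a private one. Only the 10.1.10.0/24 LAN prefix comes from the posted router config; the host name, 10.1.10.50, 203.0.113.10 and the client addresses are constructed placeholders.

```python
import ipaddress

# Constructed sample data, not taken from the page except the LAN prefix
# (10.1.10.0/24 in the posted router config). Name and addresses are placeholders.
LAN = ipaddress.ip_network("10.1.10.0/24")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
NAME = "server.example.com"

# Views are tried top to bottom and the first match wins.
VIEWS = [
    {"name": "internal", "match": ["10.1.10.0/24"],
     "records": {NAME: "10.1.10.50"}},
    {"name": "external", "match": ["0.0.0.0/0"],
     "records": {NAME: "203.0.113.10"}},
]

def resolve(client, qname, views=VIEWS):
    """Return (view name, A record) for the first view matching the client."""
    src = ipaddress.ip_address(client)
    for view in views:
        if any(src in ipaddress.ip_network(net) for net in view["match"]):
            return view["name"], view["records"].get(qname)
    return None, None

def audit(client, qname, views=VIEWS, lan=LAN):
    """Classify the answer a client receives: ok, hairpin, leak or no-answer."""
    _, answer = resolve(client, qname, views)
    if answer is None:
        return "no-answer"
    inside = ipaddress.ip_address(client) in lan
    addr = ipaddress.ip_address(answer)
    if inside and addr not in lan:
        return "hairpin"  # LAN client is sent to the public address via the router
    if not inside and any(addr in net for net in RFC1918):
        return "leak"     # private address handed to a client outside the LAN
    return "ok"

if __name__ == "__main__":
    for who in ("10.1.10.23", "198.51.100.7"):
        print(who, resolve(who, NAME), audit(who, NAME))
    # Misordered views: the catch-all view shadows the internal one.
    print("misordered:", audit("10.1.10.23", NAME, views=VIEWS[::-1]))
```

Listing the catch-all view first is the ordering mistake the last line exercises: the LAN client then matches the external view and ends up on the hairpin path again.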