Double-nat

Discussion in 'hardware' started by Meriadoc, Nov 29, 2009.

Thread Status:
Not open for further replies.
  1. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    I never hear of anyone here who uses double-NAT or 'multi NAT' on their network. I do on one network, for 2 reasons.

    1. Improve overall LAN security - which basically covers both reasons.
    2. Separate/isolate part of the network from my computers, for example the kids' machines, server, DMZ.

    The idea is to use a second NAT router in series to secure your LAN. Traffic would first go through the internal NAT in front of your LAN and then out through the WAN-facing NAT to the internet.

    As long as the configuration is correct the routers will do their job perfectly.

    If you have a spare router and can justify doing it, give it a go. What do you think?
     
    Last edited: Nov 29, 2009
  2. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    GRC makes an interesting point that you could leave an older WEP wifi application in place by adding a second NAT.

    grc
     
  3. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    It's fine for basic users. Yes it's a crude way of isolating 2 (or more) parts of your network. However, realize a few things.

    *If your network is the one behind the second router, you end up getting screwed by the double NAT. For basic use of the web and stuff...that's generally OK. But from a performance point of view, you get the short end of the stick. You get slightly less performance, you have an extra hop, and some applications aren't friendly to double NAT. I've had some remote access software and VPN software and online games that flat out don't like it. This also depends on the quality of the router(s) that you're using...some better ones or more business grade ones handle the job better, while some el cheapo models can give you more problems.

    *If the untrusted network is put behind the 2nd router...technically they can't "browse" the first network through network places...but a slightly network-savvy person can still find and access resources on the outside network via IP address. And...a computer infected with a worm or other malware can still spread that to computers on the outside network...as quite a bit of it is coded to spread across local networks via common IP address ranges, so it can travel from the inside network to the outside network.

    If I'm doing a network setup where I need to separate networks, I take the port-based VLAN approach. With the low cost of basic managed switches these days, it's not beyond the means of most people who need to build a network. Or you can do this with many of the common home-grade routers available today by flashing them with 3rd party firmware like DD or Tomato, and get the port-based VLAN features.
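    The one-way nature of the isolation described in this post (the inner network can still reach outer-network hosts by IP address, while the outer network cannot open connections inward) can be checked with a small reachability model. This is an added example written for this thread, not code from the poster or from any router firmware; the addresses, the `NatRouter` class and the port-forward dictionary are constructed assumptions that mirror the "1st router / 2nd router" layout discussed here.

```python
"""Model of which new connections a two-router (double NAT) layout lets through.

Constructed example for this thread (not any vendor's code): an outer router
NATs 192.168.0.0/24 toward the Internet, and an inner router whose WAN port sits
on 192.168.0.0/24 NATs a second network, 192.168.1.0/24, behind it.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

IPv4 = ipaddress.IPv4Address


@dataclass
class NatRouter:
    name: str
    lan: ipaddress.IPv4Network                 # network served by the LAN ports
    wan_ip: IPv4                               # address of the WAN port
    port_forwards: Dict[int, IPv4] = field(default_factory=dict)  # wan port -> LAN host


# Constructed topology: Internet ==> 1st router ==> 192.168.0.0/24 ==> 2nd router ==> 192.168.1.0/24
OUTER = NatRouter("1st router", ipaddress.ip_network("192.168.0.0/24"),
                  IPv4("203.0.113.10"))        # documentation address stands in for the ISP one
INNER = NatRouter("2nd router", ipaddress.ip_network("192.168.1.0/24"),
                  IPv4("192.168.0.50"))        # its WAN port is just a host on the outer LAN

# Routers listed from the Internet inward; a packet leaving the inner LAN
# crosses them in reverse order.
CHAIN = [OUTER, INNER]


def depth(ip: IPv4) -> int:
    """0 = Internet, 1 = outer LAN, 2 = inner LAN (deepest LAN that contains ip)."""
    d = 0
    for i, router in enumerate(CHAIN, start=1):
        if ip in router.lan:
            d = i
    return d


def can_initiate(src: IPv4, dst: IPv4, dst_port: Optional[int] = None) -> Tuple[bool, str]:
    """Can a host at src open a new TCP/UDP flow to dst?

    Stateful NAT rule: flows leaving a router's LAN side through its WAN side
    are allowed (and source-translated); unsolicited flows arriving on the WAN
    side are dropped unless a port forward exists for dst_port.
    """
    s, d = depth(src), depth(dst)
    if s > d:
        # Outbound: every router between the two segments is crossed LAN -> WAN.
        hops = [router.name for router in CHAIN[d:s]]
        return True, "outbound through " + ", ".join(reversed(hops)) + " (source NAT applied)"
    if s < d:
        # A private address behind a NAT is not reachable from the outer side at all.
        return False, f"{dst} sits behind {CHAIN[s].name}; unsolicited inbound is dropped"
    # Same segment: either a plain peer, or the WAN port of the next router inward.
    guard = CHAIN[s] if s < len(CHAIN) else None
    if guard is not None and dst == guard.wan_ip:
        if dst_port in guard.port_forwards:
            return True, f"port {dst_port} forwarded by {guard.name} to {guard.port_forwards[dst_port]}"
        return False, f"unsolicited inbound dropped at {guard.name} WAN port"
    return True, "same segment, no NAT in the path"


# Constructed sample host per segment, used to build the matrix below.
SAMPLE_HOSTS = {
    "internet": IPv4("198.51.100.7"),
    "outer LAN": IPv4("192.168.0.20"),
    "inner LAN": IPv4("192.168.1.20"),
}


def reachability_matrix() -> Dict[Tuple[str, str], bool]:
    """(source segment, destination segment) -> whether a new flow can be opened."""
    return {(a, b): can_initiate(SAMPLE_HOSTS[a], SAMPLE_HOSTS[b])[0]
            for a in SAMPLE_HOSTS for b in SAMPLE_HOSTS if a != b}


if __name__ == "__main__":
    for (a, b), ok in reachability_matrix().items():
        print(f"{a:>9} -> {b:<9} {'allowed' if ok else 'blocked':8}",
              can_initiate(SAMPLE_HOSTS[a], SAMPLE_HOSTS[b])[1])
```

The matrix reproduces the post's point: the inner LAN reaches the outer LAN and the Internet, the outer LAN and the Internet cannot initiate anything into the inner LAN, and a port forward on the 2nd router reopens that one port. Port-based VLANs with an inter-VLAN filter are what you would reach for when the inner-to-outer direction also has to be blocked.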
     
  4. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Mmm, I don't see any noticeable problems with performance, but agree that's probably because of the hardware - in fact no performance hit at all. I think basic as in easy, but not that crude really, as in my case anyway it works well. I like to experiment and put hardware to use instead of letting it languish, but yes, not at the cost of use and performance. BTW, I haven't found anything that baulks at this setup.

    Browsing other machines isn't a problem here but I can see it could be to some.

    With you on virtual LAN; I use this on another network and it does everything, such as separation, that the multi-NAT does.

    YOS, thought you'd post a comment ;)
     
    Last edited: Nov 29, 2009
  5. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    2,271
    Location:
    Nebraska, USA
    I would not expect to see a performance hit because the local network/networks should be running at 100Mbps - so any bottleneck should still be on the Internet side of the first router, but local networking should be unaffected. The 2nd router would basically be acting as a switch.
     
  6. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    He's talking about double NATing...that 2nd router is actually routing 2x different networks, one on each side of it...the LAN interface for the secondary internal network, and the WAN interface for the outside, which is just the inside network of the first router.

    Internet==>Modem==>1st Router==>192.168.0.xxx and its network ==>2nd router==>192.168.1.xxx and its network

    Having the 2nd router act as just a switch would require uplinking it to the first router's LAN using a LAN port on each, and naturally...ensuring no IP conflicts if it's the same make/model routers on default settings, and most likely disabling DHCP on the 2nd router since you usually don't want 2x conflicting DHCP services on the same network. The WAN interface of the 2nd inside router is not used at all. In this case...it's basically just used as a switch...or commonly, a wireless router reconfigured as an access point.
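    The three things this post says to get right when a second router is used as a switch or access point (LAN-to-LAN uplink, no duplicate IP, one DHCP server) are easy to turn into a checklist that runs over the settings before the cable goes in. This is an added example written for this thread, not the poster's code or any firmware's configuration export; the dictionaries, their keys and the "static address outside the DHCP pool" rule are constructed assumptions.

```python
"""Checks for running a second consumer router as a plain switch / access point
(the LAN-to-LAN uplink layout described in the post above).

Constructed example for this thread, not any vendor's tool. Router settings are
plain dicts; the field names are assumptions, not a real firmware's keys.
"""
import ipaddress
from typing import List


def check_switch_mode(primary: dict, secondary: dict) -> List[str]:
    """Return the configuration problems that would break 'router as switch' use."""
    findings = []
    net = ipaddress.ip_network(primary["lan_network"])
    p_ip = ipaddress.ip_address(primary["lan_ip"])
    s_ip = ipaddress.ip_address(secondary["lan_ip"])

    # 1. The uplink must go LAN port to LAN port. Cabling into the 2nd router's
    #    WAN port puts it back into routing/NAT mode and creates a second network.
    if secondary["uplink_port"] != "lan":
        findings.append("uplink uses the 2nd router's WAN port: it will NAT a second "
                        "network instead of switching")

    # 2. Same make/model on factory defaults means identical management IPs.
    if s_ip == p_ip:
        findings.append(f"IP conflict: both routers use {p_ip}")
    elif s_ip not in net:
        findings.append(f"2nd router's LAN IP {s_ip} is not in {net}; its admin page "
                        "will be unreachable from the LAN")
    else:
        # Assumption (common practice, not from the post): keep the 2nd router's
        # static address outside the pool the 1st router hands out, so a lease
        # can never collide with it.
        lo, hi = (ipaddress.ip_address(a) for a in primary["dhcp_pool"])
        if lo <= s_ip <= hi:
            findings.append(f"2nd router's LAN IP {s_ip} lies inside the 1st router's "
                            f"DHCP pool {lo}-{hi}")

    # 3. Only one DHCP server per broadcast domain.
    if secondary["dhcp_enabled"]:
        findings.append("DHCP is still enabled on the 2nd router: two DHCP servers "
                        "would answer on one network")

    return findings


# Constructed settings: two routers of the same model, the 1st on defaults.
PRIMARY = {"lan_ip": "192.168.1.1", "lan_network": "192.168.1.0/24",
           "dhcp_pool": ("192.168.1.100", "192.168.1.199")}
# 2nd router straight out of the box, cabled by its WAN port: three problems.
DEFAULT_SECOND = {"lan_ip": "192.168.1.1", "dhcp_enabled": True, "uplink_port": "wan"}
# 2nd router reconfigured as the post describes: clean.
FIXED_SECOND = {"lan_ip": "192.168.1.2", "dhcp_enabled": False, "uplink_port": "lan"}


if __name__ == "__main__":
    for label, cfg in (("defaults", DEFAULT_SECOND), ("fixed", FIXED_SECOND)):
        problems = check_switch_mode(PRIMARY, cfg)
        print(f"{label}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

Run it as-is and the factory-default case reports all three problems while the reconfigured case reports none; swap in your own addresses to check a real pair of routers before cabling them.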
     