Avoiding Double NAT with multiple routers
If you installed RouterOS just now, and don't know where to start - ask here!

17 posts   •   Page 1 of 1
kaptain1
Frequent Visitor
Posts: 66
Joined: Sun Jul 18, 2010 3:47 am

Avoiding Double NAT with multiple routers

by kaptain1 » Tue Sep 06, 2011 11:08 pm

Hi Everyone,

I need to split up the network according to the buildings' physical locations, and need to add 4 x RB450G routers to do that. However, the only way I know to achieve that would create double NAT for the hosts/servers, and I would like to avoid that. I only have 1 public IP to work with.

How would I add 4 routers to the mix without creating Double NAT? What are my options and what's the most straight-forward way?

Please advise. Network topology picture is attached.

Thank you in advance!
nat.JPG (attached network topology diagram)

fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: Avoiding Double NAT with multiple routers

by fewi » Tue Sep 06, 2011 11:12 pm

What are my options and what's the most straight-forward way?

Just straight up routing. Either add static routes, or run a routing protocol.

In this case static routes on the main router would do:
/ip route
add dst-address=192.168.210.0/24 gateway=192.168.200.5
add dst-address=192.168.220.0/24 gateway=192.168.200.4
add dst-address=192.168.230.0/24 gateway=192.168.200.3
add dst-address=192.168.240.0/24 gateway=192.168.200.2


On the other RB450Gs use 192.168.200.1 as the default route for 0.0.0.0/0.

You may want to read up on basic TCP/IP routing first, though. This is an extremely basic question.
Specific answers require specific questions. When in doubt, post the output of "/ip address print detail", "/ip route print detail", "/interface print detail", "/ip firewall export", and an accurate network diagram.

kaptain1
Frequent Visitor
Posts: 66
Joined: Sun Jul 18, 2010 3:47 am

Re: Avoiding Double NAT with multiple routers

by kaptain1 » Wed Sep 07, 2011 12:56 am

Thanks Fewi,

I believe that I understand this concept well enough, but I'm just not clear how to avoid double NAT.

With your proposal, wouldn't I need to set up NAT on the main router AND set up NAT on the secondary routers? That would create a double NAT scenario, which I'm trying to avoid?

Thank You

fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: Avoiding Double NAT with multiple routers

by fewi » Wed Sep 07, 2011 1:03 am

No. You'd only set up NAT on the main router. Why would you need NAT on the secondary routers if the main router has routes to the IP space behind them? You only need to NAT when you can't route, because NAT changes the source IP address of the packet to a directly connected one as seen by the connected router. This is necessary on WAN interfaces because you can't route private IP addressing space across a WAN. Within your autonomous system you can route without changing IP addresses via NAT as long as you have valid routes between all the networks involved. Hence no NAT on the secondary routers.
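As an added example (not code from the thread), here is what fewi's two answers amount to on RouterOS: static routes and a single masquerade rule on the main router, and a plain default route with no NAT at all on each RB450G. The addresses are the ones fewi used; the interface names (ether1 = WAN, ether2 = transit LAN on the main router and building LAN on the branch) and the one inter-building filter rule are assumptions.

```routeros
# ---- main router (the only device that translates) ----
# Assumption: ether1 carries the single public IP, ether2 is the
# 192.168.200.0/24 transit network shared with the four RB450Gs.
/ip address
add address=192.168.200.1/24 interface=ether2 comment="transit to branch routers"

# One static route per building subnet, next hop = that building's RB450G
/ip route
add dst-address=192.168.210.0/24 gateway=192.168.200.5 comment="building A"
add dst-address=192.168.220.0/24 gateway=192.168.200.4 comment="building B"
add dst-address=192.168.230.0/24 gateway=192.168.200.3 comment="building C"
add dst-address=192.168.240.0/24 gateway=192.168.200.2 comment="building D"

# NAT exactly once, and only for packets leaving on the WAN interface.
# Matching out-interface (not just src-address) keeps building-to-building
# traffic untranslated, so every path has at most one NAT in it.
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade comment="single NAT at the edge"

# Minimal forward filter. Because the branch networks are routed rather than
# hidden behind a second NAT, any host is reachable from any building by IP;
# if buildings must be isolated from each other, say so here explicitly.
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=ether1 connection-state=new action=drop comment="no unsolicited inbound from WAN"
add chain=forward src-address=192.168.210.0/24 dst-address=192.168.240.0/24 action=drop comment="assumed policy: building A may not reach building D"

# ---- one branch RB450G (building A); the other three differ only in addresses ----
# Assumption: ether1 faces the transit network, ether2 is the building LAN.
/ip address
add address=192.168.200.5/24 interface=ether1 comment="transit, towards main router"
add address=192.168.210.1/24 interface=ether2 comment="building A LAN"
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.200.1
# Deliberately NO /ip firewall nat rules here: the main router has a route back
# to 192.168.210.0/24, so return traffic is delivered without any translation.
```

To confirm there really is only one NAT in the path, run `/ip firewall connection print` on the main router while a host in building A browses: the `src-address` column should show the host's own 192.168.210.x address. If it shows 192.168.200.5 instead, the branch router is still translating.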

kaptain1
Frequent Visitor
Posts: 66
Joined: Sun Jul 18, 2010 3:47 am

Re: Avoiding Double NAT with multiple routers

by kaptain1 » Wed Sep 07, 2011 1:05 am

Got it! thank you :)

I'll give it a try today.

WirelessRudy
Forum Guru
Posts: 2246
Joined: Tue Aug 08, 2006 5:54 pm
Location: Spain

Re: Avoiding Double NAT with multiple routers

by WirelessRudy » Wed Sep 07, 2011 1:34 am

fewi is completely right.
On the other hand, double or even triple NAT ain't such a problem. If it made building the network easier, I would not see it as a problem.

What happens if one of your users connects a wifi router to your network? Most of these can only be used with NAT anyway.
You have double NAT in such an instance, but performance hardly degrades.
In my network NAT takes place in the main router to the internet, in each CPE device (because I don't want to bother about how many devices clients want to connect to their connection), and most users have a simple wifi router attached that also performs NAT.
I could put the CPE in bridge mode, but then I need twice as many IP addresses: one for the CPE for management purposes and one for the next client device.
Any performance degradation that could result from two or three NATs is hardly noticeable and is completely outweighed by the many other issues a network can have, like too many firewall/mangle/filter/routing rules, a poorly designed QoS system, or a congested network.

So please follow fewi's advice, but if that's not possible there is no need to really bother about some double or triple NAT..... :o

Rudy R. Puister

WISP operator based on MT routerboard & ROS.

kaptain1
Frequent Visitor
Posts: 66
Joined: Sun Jul 18, 2010 3:47 am

Re: Avoiding Double NAT with multiple routers

by kaptain1 » Wed Sep 07, 2011 2:20 am

Thank You.

I try to stay away from double NAT because VPN can have issues, port forwarding may be more challenging, and VoIP may not work well.

I'll try Fewi's method and will report back!

WirelessRudy
Forum Guru
Posts: 2246
Joined: Tue Aug 08, 2006 5:54 pm
Location: Spain

Re: Avoiding Double NAT with multiple routers

by WirelessRudy » Wed Sep 07, 2011 2:35 am

kaptain1 wrote: VoIP may not work well.
I have many users with Skype phones that are behind 3 NAT firewalls and still they claim to have perfect communications. Better at times than the national PSTN provider and certainly better than cell phones!
About VPN I don't know, but VoIP hardly suffers from more than one NAT.

This remark is just for the general readers' info. There is nothing wrong with the road you are going to take. 8)

I make these remarks since it is a widespread 'story' that many NATs are not a good thing, while reality proves otherwise. And why should it be anyway? A NAT router only replaces the source address and translates it back for return traffic.
With today's CPU speeds this is hardly what you could call 'a task'....
But OK, 10 or more NATs would probably become noticeable. :)

MCT
Member Candidate
Posts: 157
Joined: Wed Mar 03, 2010 6:53 pm

Re: Avoiding Double NAT with multiple routers

by MCT » Wed Sep 07, 2011 8:12 pm

I'd personally never pay for a connection that doesn't have a public IP. I'll NAT (PAT actually) at the edge of my network, but only because I have to.

I wish they'd get on the ball with IPv6. The only downside of that is a lot of people relied on NAT (PAT) to protect their network. I've done testing on two companies with IPv6 connectivity, and they were proud of having that capability. Well, they were proud until I took over their network because they'd neglected to put their carefully crafted firewall rules on the IPv6 side. They had a combo of a NAT/PAT pool and a firewall on the IPv4 side, leaving IPv6 wide open.

FYI for those unfamiliar with 'PAT':

PAT, which stands for Port Address Translation, is actually what you're doing with multiple computers behind a single IP.

NAT is technically mapping a single external address to a single internal address.

They generally both get referred to as simply 'NAT'.
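MCT's point about the IPv6 side being left open deserves a concrete counterpart, so here is an added example (not from the post and not MikroTik's default configuration) of an `/ipv6 firewall filter` that states explicitly what the IPv4 NAT/PAT-plus-firewall combination gave implicitly. ether1 as WAN, ether2 as LAN, and a prefix obtained by DHCPv6-PD from the provider are assumptions; the thread does not say how the tested networks got their IPv6.

```routeros
# Assumption: ether1 = WAN, ether2 = LAN, provider prefix delegated via DHCPv6-PD.
/ipv6 firewall filter
# --- input: protect the router itself ---
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
# Neighbour discovery, router advertisements and path-MTU discovery all ride on
# ICMPv6; dropping it "for safety" breaks IPv6 rather than securing it.
add chain=input protocol=icmpv6 action=accept comment="ND/RA/PMTUD"
add chain=input in-interface=ether2 action=accept comment="management from the LAN side only"
# Only needed when the prefix arrives via DHCPv6-PD (assumption): the client on
# this router listens on UDP/546 and the server answers from link-local.
add chain=input protocol=udp dst-port=546 src-address=fe80::/10 in-interface=ether1 action=accept comment="DHCPv6-PD reply"
add chain=input action=drop comment="everything else aimed at the router"

# --- forward: the policy IPv4 NAT/PAT implied, written down ---
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward protocol=icmpv6 action=accept
add chain=forward in-interface=ether2 out-interface=ether1 action=accept comment="LAN hosts may initiate outbound"
# With globally routable addresses on every LAN host there is no translation to
# hide behind: unsolicited inbound must be dropped here or it reaches the host.
add chain=forward in-interface=ether1 connection-state=new action=drop comment="no unsolicited inbound; put explicit accepts for published hosts above this line"
```

A quick self-check after applying it: `/ipv6 firewall filter print` should end each of the input and forward chains with a drop, mirroring the IPv4 policy in `/ip firewall filter export`. If the IPv4 side has a rule the IPv6 side lacks, that gap is exactly the one MCT walked through.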

changeip
Forum Guru
Posts: 3730
Joined: Fri May 28, 2004 5:22 pm

Re: Avoiding Double NAT with multiple routers

by changeip » Thu Sep 08, 2011 6:52 am

Double NAT is bad, it fills up conntrack tables and locks up cheap resi routers. If you are properly using established / related / invalid rules, the first incoming router closes the connection and then the ones behind it never get the close and therefore sit there filling up conntrack tables until they lock up. Seen it many times... design your network properly and you will be in a better position down the road.
Colo and Wholesale Bandwidth Available! Sales at SanDiegoBroadband dot com

WirelessRudy
Forum Guru
Posts: 2246
Joined: Tue Aug 08, 2006 5:54 pm
Location: Spain

Re: Avoiding Double NAT with multiple routers

by WirelessRudy » Thu Sep 08, 2011 3:37 pm

changeip wrote: Double NAT is bad, it fills up conntrack tables and locks up cheap resi routers. If you are properly using established / related / invalid rules, the first incoming router closes the connection and then the ones behind it never get the close and therefore sit there filling up conntrack tables until they lock up. Seen it many times... design your network properly and you will be in a better position down the road.
OK, interesting info. Although I've been doing it for 5 years and haven't noticed any problems as of yet (maybe I just don't recognize the problems if they are there...?) in my network. But that doesn't make your statement invalid.
I would like a bit more explanation if you don't mind. What "established / related / invalid rules" are you talking about? The standard firewall rules to protect the router and LAN network?
And why should the residential routers lock up? I don't seem to understand what the reason for that is.
"design your network properly and you will be in a better position down the road." What is considered proper? I see so many different ways of setting up a network. But it is hard to distil what exactly is the best way to do it. Maybe you can give some directions?

changeip
Forum Guru
Posts: 3730
Joined: Fri May 28, 2004 5:22 pm

Re: Avoiding Double NAT with multiple routers

by changeip » Fri Sep 09, 2011 12:44 am

The cheapie routers like D-Link, Netgear, Linksys, etc. only have 2-4 MB of RAM in them, of which only a few KB is used for the connection tracking table. In MikroTik you can see the conntrack table can handle a few thousand or tens of thousands of connections, yet these off-the-shelf routers can handle maybe 200-400 connections in their table before they fill up. If the TCP connections don't get closed properly, they stay open and take up slots in the conntrack table, so when I say lock up, I mean you can't get new connections to open. This is why when people run P2P on their cheapie router they notice problems with other connections: the router can't track all the connections. And then they 'power cycle' their router to get it back online again (clearing the table). The Asus routers now market 'high P2P connections' because they have more RAM in them and have a larger conntrack table.

Will elaborate more on the established / related piece in a bit, got a few more installs to do today and gotta get out of here : )

Sam
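changeip's two posts describe the established/related/invalid rules and a tracking table that fills with connections whose close was never seen. As an added example (not changeip's configuration and not a MikroTik default), this is how the same hygiene looks on a RouterOS gateway that does the NAT: state rules first, a per-host cap on new connections, and shorter timeouts so abandoned entries age out instead of accumulating. ether1 = WAN, ether2 = LAN, and every numeric limit here are assumptions chosen for illustration.

```routeros
# Assumption: ether1 = WAN, ether2 = LAN. Limits and timeouts are illustrative.
/ip firewall filter
# The three state rules changeip refers to, in the order they must appear:
# packets belonging to a tracked flow are accepted cheaply, packets that fit no
# tracked flow (a late FIN/RST after the entry expired, a stray ACK) are dropped
# and never create a new tracking entry.
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop comment="out-of-state packets never get a tracking slot"
# Cap how many tracked TCP connections a single inside host may hold open, so one
# P2P client cannot consume the whole table (connection-limit=count,prefix-length).
add chain=forward in-interface=ether2 protocol=tcp connection-state=new connection-limit=200,32 action=drop comment="assumed cap: 200 TCP connections per /32"
add chain=forward in-interface=ether2 connection-state=new action=accept
add chain=forward in-interface=ether1 connection-state=new action=drop comment="no unsolicited inbound"

# Bound how long half-closed or idle entries linger. A TCP session whose FIN or
# RST was absorbed by a router in front of this one sits in CLOSE_WAIT/FIN_WAIT
# here only until these timers expire, instead of for the full established timeout.
/ip firewall connection tracking
set tcp-established-timeout=2h tcp-close-wait-timeout=10s tcp-fin-wait-timeout=10s \
    tcp-time-wait-timeout=10s tcp-close-timeout=10s udp-timeout=10s udp-stream-timeout=3m

# Watch the table: current entry count against its ceiling, and who holds the most.
/ip firewall connection tracking print
/ip firewall connection print count-only
```

If `connection print count-only` creeps towards the ceiling shown by `connection tracking print` while traffic is steady, entries are not being released, which is the symptom changeip describes; the per-host cap then tells you which inside address is responsible rather than letting the whole gateway stop accepting new flows.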

WirelessRudy
Forum Guru
Posts: 2246
Joined: Tue Aug 08, 2006 5:54 pm
Location: Spain

Re: Avoiding Double NAT with multiple routers

by WirelessRudy » Fri Sep 09, 2011 2:04 am

changeip wrote: The cheapie routers like D-Link, Netgear, Linksys, etc. only have 2-4 MB of RAM in them, of which only a few KB is used for the connection tracking table. In MikroTik you can see the conntrack table can handle a few thousand or tens of thousands of connections, yet these off-the-shelf routers can handle maybe 200-400 connections in their table before they fill up. If the TCP connections don't get closed properly, they stay open and take up slots in the conntrack table, so when I say lock up, I mean you can't get new connections to open. This is why when people run P2P on their cheapie router they notice problems with other connections: the router can't track all the connections. And then they 'power cycle' their router to get it back online again (clearing the table). The Asus routers now market 'high P2P connections' because they have more RAM in them and have a larger conntrack table.

Will elaborate more on the established / related piece in a bit, got a few more installs to do today and gotta get out of here : )

Sam
OK, that all makes sense to me. Maybe indeed some issues reported to us are of the nature you describe. I always looked into my own network to see if things could be improved/solved, and I must say I already limit the number of connections a user can make in my main gateway.

I have a /24 network I own (well, I pay for the use of it, but the network is mine to use, not shared) and now the NAT takes place in this main gateway.
So NAT will always take place here, and since 99% of domestic routers have the limitation you show (memory) and the one I mentioned (no NAT bypass or disable), I am wondering how others are doing this.
Or is there a way we can directly pass the public IP to the client's domestic router? This way avoiding the NAT in my main gateway?
I am anxious to see what you come up with.

I have always had this itch that my network should be set up differently in the authentication and routing etc. But so far it works, and it works fine, and like you, I always have a full agenda.....

fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: Avoiding Double NAT with multiple routers

by fewi » Fri Sep 09, 2011 2:16 am

Or is there a way we can directly pass the public IP to the client's domestic router? This way avoiding the NAT in my main gateway?

Of course. Instead of using the /24 on your WAN border interface directly, have it routed to you via a separate /30. Then you can do with the /24 of public IPs whatever the hell you please. Your provider just routes those IPs to you, and you route them within your network.

WirelessRudy
Forum Guru
Posts: 2246
Joined: Tue Aug 08, 2006 5:54 pm
Location: Spain

Re: Avoiding Double NAT with multiple routers

by WirelessRudy » Fri Sep 09, 2011 11:06 am

fewi wrote:
Or is there a way we can directly pass the public IP to the client's domestic router? This way avoiding the NAT in my main gateway?

Of course. Instead of using the /24 on your WAN border interface directly, have it routed to you via a separate /30. Then you can do with the /24 of public IPs whatever the hell you please. Your provider just routes those IPs to you, and you route them within your network.
OK. Let me think out loud: now my ISP routes that /24 range to my main router, where they are indeed all to be found on the WAN interface, and then that main router takes care of NAT and receives/routes traffic from/to clients using the info in its routing tables. Because I have some 20 APs, all with their own DHCP server in their own network (/24 to /28 ranges), I have nearly the same number of routes (fewer, because I can combine some which are split up later in the network). My network is in places 6 levels deep and each node is a router.

Now, to distribute the /24 network over my clients I have to find a way that they are all assigned by one and the same DHCP server. So each client requests an IP from the server, and that same server also handles authentication and does QoS and limiting for each client. (Use MT User Manager? Or an auth. server program? I think User Manager on an RB1000 can do roughly 300 clients plus QoS and routing and queuing?)
But how do I now tell the main gateway where this public client IP is to be found on my network? Do I leave the original networks with their routes in place and make a route in the main gateway to each single public IP?
I mean, in this topology IP .4 can be assigned to a completely different AP client than IP .5. So they both need their own route. And since the DHCP server in the main GW only answers requests by clients randomly, it spreads the IPs all over my network without any order. So on top of the existing 20 routes I build another 250 or so? And can they all be done automatically? Or by hand? (pffff)

So, how is this done? I think different, but it would be nice if someone could give me a sort of framework to start with. This could become a good tutorial for others then also. :)

fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: Avoiding Double NAT with multiple routers

by fewi » Fri Sep 09, 2011 4:33 pm

You split up (subnet) whatever public IPs you have to route around your network into smaller pools (networks) in different parts of your autonomous system. You implement one of them as the gateway, and hand the rest out via DHCP. Alternatively you could look into using PPPoE instead, where you can use /32s directly.
If you don't want to route statically and insert routes to the pools all over the place look into a dynamic routing protocol such as OSPF.
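fewi's last two answers (have the /24 routed to you over a /30, subnet it into per-AP pools, hand out the rest by DHCP, and let OSPF carry the pool routes instead of maintaining 20-plus static ones) as an added example; this is not the thread's or anyone's production configuration. The prefixes are stand-ins: 203.0.113.0/24 for the customer block and 198.51.100.0/30 for the provider transit are documentation ranges, 10.0.0.0/30 is a private backhaul link. Interface names, the OSPF key and the client-side policy are assumptions, and the syntax is RouterOS v5/v6.

```routeros
# Assumptions: provider hands 203.0.113.0/24 to us by routing it to 198.51.100.2;
# main gateway <-> AP1 backhaul is 10.0.0.0/30; AP1 serves clients on wlan1.

# ---- main gateway ----
/ip address
add address=198.51.100.2/30 interface=ether1 comment="transit: provider routes 203.0.113.0/24 to .2"
add address=10.0.0.1/30 interface=ether2 comment="backhaul to AP1; private, consumes no public space"
/ip route
add dst-address=0.0.0.0/0 gateway=198.51.100.1
# Static alternative to OSPF, one line per AP pool, maintained by hand:
# add dst-address=203.0.113.0/27 gateway=10.0.0.2 comment="AP1 pool"
# The public pools are routable, so they are never masqueraded. Only the
# private management/backhaul space is translated at the edge.
/ip firewall nat
add chain=srcnat src-address=10.0.0.0/8 out-interface=ether1 action=masquerade comment="backhaul/management only"
# OSPF on the backhaul link only, authenticated so nothing on that link can inject routes
/routing ospf instance
set [ find default=yes ] router-id=198.51.100.2
/routing ospf interface
add interface=ether2 network-type=point-to-point authentication=md5 authentication-key=CHANGE-ME
/routing ospf network
add network=10.0.0.0/30 area=backbone

# ---- AP1 router ----
/ip address
add address=10.0.0.2/30 interface=ether1 comment="backhaul to main gateway"
add address=203.0.113.1/27 interface=wlan1 comment="AP1's /27 slice of the /24; .1 is the clients' gateway"
/ip pool
add name=ap1-public ranges=203.0.113.2-203.0.113.30
/ip dhcp-server
add name=ap1 interface=wlan1 address-pool=ap1-public lease-time=1h disabled=no
/ip dhcp-server network
add address=203.0.113.0/27 gateway=203.0.113.1
/ip route
add dst-address=0.0.0.0/0 gateway=10.0.0.1
# Advertise the connected /27 upstream via redistribution rather than running
# OSPF on wlan1, so clients never become OSPF neighbours.
/routing ospf instance
set [ find default=yes ] router-id=10.0.0.2 redistribute-connected=as-type-1
/routing ospf interface
add interface=ether1 network-type=point-to-point authentication=md5 authentication-key=CHANGE-ME
/routing ospf network
add network=10.0.0.0/30 area=backbone
# Clients now sit on public addresses with no NAT in front of them, so what may
# reach them has to be decided explicitly (assumed policy: nothing unsolicited).
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=ether1 dst-address=203.0.113.0/27 connection-state=new action=drop comment="no unsolicited inbound to clients"
```

Adding a second AP means carving it its own /27 (203.0.113.32/27 and so on) and repeating the AP1 block with its own backhaul /30; the main gateway needs no change because OSPF learns the new pool. `/ip route print` on the gateway should then list each /27 with the backhaul address of the AP that owns it, and `/routing ospf neighbor print` should show every backhaul peer in state Full.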

tombee79
Member Candidate
Posts: 234
Joined: Sun May 09, 2010 2:28 am

Re: Avoiding Double NAT with multiple routers

by tombee79 » Wed Jun 27, 2012 7:29 am

Hi Fewi

First, thanks for your help regarding the NATing on the main router.

OK, my question is: do you also enable UPnP on the main router so that, let's say, VoIP and VPN work plug-and-play style, so you don't have to do any special port forwarding, opening ports etc.?

Do I have to have UPnP enabled on the main router to have VoIP and VPN working properly? Or doesn't it matter? Or does it?

Need your opinion.

P.S. Do you know any online tool to test VoIP and VPN behind NAT?

Thanks
