I need to split up the network according to the buildings’ physical locations, and need to add 4 x RB450G routers to do that. However, the only way I know how to achieve that would create Double NAT for the hosts/servers, and I would like to avoid that. I only have 1 Public IP to work with.
How would I add 4 routers to the mix without creating Double NAT? What are my options and what’s the most straightforward way?
Please advise. Network topology picture is attached.
I believe that I understand this concept well enough, but just not clear how to avoid Double NAT.
With your proposition, wouldn’t I need to set up NAT on the Main router, AND will need to set up NATs on the secondary routers? That would create a double NAT scenario which I’m trying to avoid?
No. You’d only set up NAT on the main router. Why would you need NAT on the secondary routers if the main router has routes to the IP space behind them? You only need to NAT when you can’t route, because NAT changes the source IP address of the packet to a directly connected one as seen by the connected router. This is necessary on WAN interfaces because you can’t route private IP addressing space across a WAN. Within your autonomous system you can route without changing IP addresses via NAT as long as you have valid routes between all the networks involved. Hence no NAT on the secondary routers.
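As an added example (not from the thread), here is what fewi’s layout looks like in RouterOS v6 CLI for the main router and one of the RB450G secondaries. The interface names, the 10.255.1.0/30 link network, the 203.0.113.2/30 WAN address and the 192.168.210.0/24 building LAN are assumed values chosen for the example.

```routeros
# --- Main router: the only place NAT happens ---
# WAN with the single public IP (203.0.113.2/30 is an assumed example value)
/ip address add address=203.0.113.2/30 interface=ether1 comment="WAN"
/ip route add dst-address=0.0.0.0/0 gateway=203.0.113.1
# Point-to-point link to the secondary router in building A (assumed /30)
/ip address add address=10.255.1.1/30 interface=ether2 comment="link to RB450G-A"
# Static route: the LAN behind building A is reachable via that link
/ip route add dst-address=192.168.210.0/24 gateway=10.255.1.2 comment="building A LAN"
# One srcnat rule for everything leaving the WAN, whichever building it came from
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade
# Stateful filter: replies come back in, unsolicited traffic from the WAN is dropped
/ip firewall filter add chain=forward connection-state=established,related action=accept
/ip firewall filter add chain=forward connection-state=invalid action=drop
/ip firewall filter add chain=forward in-interface=ether1 connection-state=new action=drop \
    comment="drop new from WAN"

# --- Secondary router (RB450G in building A): routes only, no NAT rules ---
/ip address add address=10.255.1.2/30 interface=ether1 comment="link to main"
/ip address add address=192.168.210.1/24 interface=ether2 comment="building A LAN"
# Default route back to the main router; it already knows how to reach this LAN
/ip route add dst-address=0.0.0.0/0 gateway=10.255.1.1
# Local DHCP for the building
/ip pool add name=bldgA ranges=192.168.210.100-192.168.210.200
/ip dhcp-server network add address=192.168.210.0/24 gateway=192.168.210.1
/ip dhcp-server add name=dhcpA interface=ether2 address-pool=bldgA disabled=no
# Deliberately no /ip firewall nat entry here: hosts keep their 192.168.210.x source
# address all the way to the main router, so connection state is tracked once, not twice.
# Repeat the secondary block (new /30 link and new /24) for the other three RB450Gs
# and add one /ip route per building on the main router.
```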
fewi is completely right.
On the other hand, double or even triple NAT ain’t such a problem. If it would make building the network easier I would not see it as a problem.
What happens if one of your users connects a wifi router to your network? Most of these can only be used in NAT anyway.
You have double nat in such instance but performance hardly degrades.
My network has NAT take place in the main router to the internet, in each CPE device (because I don’t want to bother about how many devices clients want to connect to their connection) and most users have a simple wifi router attached that also performs NAT.
I could put the CPE in bridge mode but then I need twice as many IP addresses. One for the CPE for management purposes and one for the next client device.
Any performance degradation that could be a result of two or three NATs is hardly noticeable and is completely outweighed by the many other issues a network can have. Like too many firewall/mangle/filter/routing rules or a poorly designed QoS system or a congested network.
So please follow fewi’s advice but if not possible no need to really bother about some double or triple NAT…
I have many users with Skype phones that are behind 3 nat firewalls and still they claim to have perfect communications. Better at times than the national pstn provider and certainly better than the cell phones!
About VPN I don’t know but VoIP hardly suffers from more than one NAT.
This remark is just for the general readers’ info. There is nothing wrong with the road you are going down.
I make these remarks since it is a widespread ‘story’ that many NATs are not a good thing. While the reality proves otherwise. And why should it anyway? A NAT router only replaces the source address and translates it back for return traffic.
With nowadays’ CPU speeds this is hardly what you could call ‘a task’…
But ok, 10 or more NAT’s would probably become noticeable.
I’d personally never pay for a connection that doesn’t have a public IP. I’ll NAT (PAT actually) at the edge of my network but only because I have to.
I wish they’d get on the ball with IPv6. The only downside of that is a lot of people relied on NAT(PAT) to protect their network. I’ve done testing on two companies with IPv6 connectivity, and they were proud of having that capability. Well, they were proud until I took over their network because they’d neglected to put their carefully crafted firewall rules on the IPv6 side. They had a combo of a NAT/PAT pool and a firewall on the IPv4 side, leaving IPv6 wide open.
FYI for those unfamiliar with the ‘PAT’
PAT, which stands for Port Address Translation, is actually what you’re doing with multiple computers behind a single IP.
NAT is technically mapping a single address external to an internal address.
They generally both get referred to as simply ‘NAT’
Double NAT is bad, it fills up conntrack tables and locks up cheap resi routers. If you are properly using established / related / invalid rules, the first incoming router closes the connection and then the ones behind it never get the close and therefore sit there filling up conntrack tables until they lock up. Seen it many times … design your network properly and you will be in a better position down the road.
OK, interesting info. Although I’ve done it for 5 years and haven’t noticed any problems as of yet (maybe I just don’t recognize the problems if they are there…?) in my network. But that doesn’t make your statement invalid.
I would like to get a bit more explanation if you don’t mind. What “established / related / invalid rules” are you talking about? The standard firewall rules to protect the router and LAN network?
And why should the residential routers lock up? I don’t seem to understand what the reason is for that?
“design your network properly and you will be in a better position down the road.” What is considered as being properly? I see so many different ways of setting up a network. But it is hard to distil what is exactly the best way to do it. Maybe you give some directions?
The cheapie routers like D-Link, Netgear, Linksys, etc. only have 2-4 MB of RAM in them, of which only a few KB is used for the connection tracking table. In MikroTik you can see the conntrack table can handle a few thousand or tens of thousands of connections, yet in these off-the-shelf routers they can handle maybe 200-400 connections in their table before they fill up. If the TCP connections don’t get closed properly, they stay open and take up slots in the conntrack table, so when I say lock up, I mean you can’t get new connections to open. This is why when people run P2P on their cheapie router they notice problems with other connections - the router can’t track all the connections. And then they ‘power cycle’ their router to get it back online again (clearing the table). The Asus routers now market using ‘high P2P connections’ because they have more RAM in them and have a larger conntrack table.
Will elaborate more on the established / related piece in a bit, got a few more installs to do today and gotta get out of here : )
OK, that all makes sense to me. Maybe indeed some issues reported to us are of the nature you describe. I always looked into my own network to see if things could be improved/solved and I must say I already limit the amount of connections a user can make in my main gateway.
I have a /24 network I own (well, I pay for the use of it, but the network is mine to use, no share) and now the nat takes place in this main gateway.
So here NAT will always take place and since 99% of domestic routers have the limitation you show (memory) and I mentioned (no NAT bypass or disable) I am wondering how others are doing this.
Or is there a way we can directly pass the public IP to the client’s domestic router? This way avoiding the NAT in my main gateway?
I am anxious to see with what you come up.
I always have had this itch that my network should be set up differently in the authentication and routing etc. But so far it works, it works fine and like you, always a full agenda…
Or is there a way we can directly pass the public IP to the client’s domestic router? This way avoiding the NAT in my main gateway?
Of course. Instead of using the /24 on your WAN border interface directly have it routed to you via a separate /30. Then you can do with the /24 of public IPs whatever the hell you please. Your provider just routes those IPs to you, and you route them within your network.
OK. Let me think out loud: Now my ISP routes that /24 range to my main router, where they are indeed all to be found on the WAN interface and then that main router takes care of NAT and receives/routes traffic from/to clients by the info in its routing tables. Because I have some 20 APs all with their own DHCP server in their own network (/24 to /28 ranges) I have nearly the same amount of routing tables (less because I can combine some which are split up later in the network). My network is at places 6 levels deep and each node is a router.
Now, to distribute the /24 network over my clients I have to find a way that they are all assigned by one and the same DHCP server. So each client requests an IP from the server and that same server also assigns authentication and does QoS and limiting for each client. (Use MT user manager? Or an auth. server program? I think user manager on RB1000 can do for roughly 300 clients and QoS and routing and queuing?)
But how to tell now the main gateway where this public client IP is to be found on my network? I leave the original networks with their routes in place and make a route table in the main gateway to each single public IP?
I mean, in this topology IP .4 can be assigned to a completely different AP client than IP .5. So they both need their own route. And since the DHCP server in the main GW only answers requests by clients randomly, it spreads the IPs all over my network without any order. So with the existing 20 routes I build another 250 or so routes? And can they all be done automatically? Or by hand? (pffff)
So, how is this done? I think differently but it would be nice if someone can give me a sort of framework to start with. This can become a good tutorial for others then also.
You split up (subnet) whatever public IPs you have to route around your network, into smaller pools (networks) in different parts of your autonomous system. You implement one of them as the gateway, and hand the rest out via DHCP. Alternatively you could look into using PPPoE instead, where you can use /32s directly.
If you don’t want to route statically and insert routes to the pools all over the place look into a dynamic routing protocol such as OSPF.
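An added example (not from the thread) of fewi’s suggestion in RouterOS v6 CLI: the ISP routes an assumed 198.51.100.0/24 to the main gateway over an assumed 203.0.113.0/30 transit link, the /24 is split into /26 pools, one kept at the main gateway and one routed to a secondary router that hands it out by DHCP, and OSPF is shown as the alternative to the static route. All addresses and interface names are constructed for the example.

```routeros
# --- Main gateway: the ISP's /30 is on the WAN, the /24 is routed to us, not configured there ---
/ip address add address=203.0.113.2/30 interface=ether1 comment="ISP transit /30"
/ip route add dst-address=0.0.0.0/0 gateway=203.0.113.1
# Pool 1 (198.51.100.0/26) stays on the main gateway's LAN and is handed out here
/ip address add address=198.51.100.1/26 interface=ether2 comment="public pool 1"
/ip pool add name=pub1 ranges=198.51.100.2-198.51.100.62
/ip dhcp-server network add address=198.51.100.0/26 gateway=198.51.100.1
/ip dhcp-server add name=dhcp-pub1 interface=ether2 address-pool=pub1 disabled=no
# Pool 2 (198.51.100.64/26) lives behind a secondary router over a private /30 link
/ip address add address=10.255.2.1/30 interface=ether3 comment="link to secondary B"
/ip route add dst-address=198.51.100.64/26 gateway=10.255.2.2 comment="pool 2 (static option)"
# No srcnat rule at all: hosts already carry routable addresses, so nothing is translated.
# Per-host limits still belong on the gateway, e.g. a TCP connection cap per public /32:
/ip firewall filter add chain=forward src-address=198.51.100.0/24 protocol=tcp \
    connection-limit=200,32 action=drop comment="cap TCP connections per public host"

# --- Secondary router B: owns pool 2, hands it out by DHCP, no NAT ---
/ip address add address=10.255.2.2/30 interface=ether1 comment="link to main"
/ip address add address=198.51.100.65/26 interface=ether2 comment="public pool 2"
/ip pool add name=pub2 ranges=198.51.100.66-198.51.100.126
/ip dhcp-server network add address=198.51.100.64/26 gateway=198.51.100.65
/ip dhcp-server add name=dhcp-pub2 interface=ether2 address-pool=pub2 disabled=no
/ip route add dst-address=0.0.0.0/0 gateway=10.255.2.1

# --- Dynamic alternative: drop the static pool route above and let OSPF carry it ---
# Main gateway: advertise the link network so it forms an adjacency with B
/routing ospf network add network=10.255.2.0/30 area=backbone
# Secondary B: advertise its link and its pool, so the gateway learns 198.51.100.64/26
/routing ospf network add network=10.255.2.0/30 area=backbone
/routing ospf network add network=198.51.100.64/26 area=backbone
# Check on the main gateway that the pool arrived as an OSPF ("Do") route:
/ip route print where dst-address=198.51.100.64/26
```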
First, thanks for your help regarding the NATing on the main router.
OK, my question is: do you also enable UPnP on the main router so that, let’s say, VoIP and VPN work plug-n-play style, so you don’t have to do any special port forwarding, opening ports etc.?
Do I have to have UPnP enabled on the main router to have VoIP and VPN working properly? Or doesn’t it matter? Or does it?
Need your opinion.
P.S. Do you know any online tool to test VoIP and VPN behind NAT?
I was searching for help and I found this post. I have a similar setup in my network and I’m using NAT and routing as suggested above to avoid double NAT.
In your network topology, if you want to port forward e.g. port 3389 from outside to a PC in network 192.168.210.0/24 for remote desktop, what NAT rules must I use?
Set up a rule for traffic (udp/tcp/icmp) that has the destination (IP) of the router and mention the port number (dst-port) and then under ‘action’ set up where you want that traffic to leave to (dst-to). Hence the IP of the host behind that firewall. That’s it.
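As an added example (not the replier’s own configuration), the rule described above written out in RouterOS v6 CLI syntax, where the ‘dst-to’ field is spelt to-addresses/to-ports. It goes on the main router (the one that NATs); the secondary router serving 192.168.210.0/24 needs nothing, as long as its default route points back at the main router. The WAN interface ether1, the target PC 192.168.210.50 and the admin source address 203.0.113.77 are assumed values.

```routeros
# Main router: redirect RDP arriving on the WAN to the PC behind the building router.
# Matching on in-interface rather than a fixed dst-address keeps the rule valid if the
# public IP changes; src-address limits who may reach RDP at all (assumed admin IP).
/ip firewall nat add chain=dstnat in-interface=ether1 protocol=tcp dst-port=3389 \
    src-address=203.0.113.77 action=dst-nat to-addresses=192.168.210.50 to-ports=3389 \
    comment="RDP to office PC (admin IP only)"

# dst-nat only rewrites the packet; the forward chain still has to let it through.
# A typical chain that drops unsolicited WAN traffic needs an explicit accept for
# dst-natted connections, placed before that drop.
/ip firewall filter add chain=forward connection-state=established,related action=accept
/ip firewall filter add chain=forward connection-state=invalid action=drop
/ip firewall filter add chain=forward in-interface=ether1 connection-state=new action=drop \
    comment="drop new from WAN"
/ip firewall filter add chain=forward in-interface=ether1 connection-nat-state=dstnat \
    protocol=tcp dst-address=192.168.210.50 dst-port=3389 action=accept \
    comment="allow forwarded RDP" place-before=[find comment="drop new from WAN"]

# Verify: the NAT rule's counters move when the admin connects, and the connection
# shows up once in conntrack with the translated destination (if the reply came back
# via a different path than this router, the entry would stay in a half-open state).
/ip firewall nat print stats where comment~"RDP"
/ip firewall connection print where dst-address~"192.168.210.50:3389"
```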