WirelessRudy
Forum Guru
Topic Author
Posts: 3119
Joined: Tue Aug 08, 2006 5:54 pm
Location: Spain

double or triple NAT is bad?

Fri Dec 10, 2010 12:02 pm

I have seen several topics where it was advised that it is better not to have two, three or more NAT firewalls between client and internet.

My clients have for years had a wifi router performing NAT, which connects to a CPE antenna performing NAT; then the border router performed NAT towards the ADSL modem, which yet again performed NAT.

Although I also would think less NAT is better, and am in the process of bringing it back to a maximum of two NATs for the client-to-internet traffic, in reality I see no difference in speed or latency.

Ping times from even the darkest corners of my network (7 hops away) are still only 3-5 ms to the last pingable device on my network.
I see a jump in latency to the first pingable router on the ISP's network, but that is still only 40 ms on average, and even my symmetric line has a jump over the ISP's Cisco box.

Why should NAT be bad anyway? All that happens is that the router replaces the IP address in the packet header. But most routers perform many more operations and filters on packets anyway. MT routers are so fast that a simple NAT is not delaying traffic, is it?
 
nissandata
newbie
Posts: 37
Joined: Fri Dec 03, 2010 7:20 pm

Re: double or triple NAT is bad?

Fri Dec 10, 2010 1:00 pm

I think the main reason is that some services have problems with this, FTP and SIP for example. And it is a pain to forward services to them if needed.
Couldn't you separate them with VLANs or tunnels so you only NAT them at the gateway router?

I have a few wireless customers myself that are double NATed due to restrictions on hardware and the fact that my ISP delivers this specific connection already NATed.
 
WirelessRudy
Forum Guru
Topic Author
Posts: 3119
Joined: Tue Aug 08, 2006 5:54 pm
Location: Spain

Re: double or triple NAT is bad?

Fri Dec 10, 2010 1:17 pm

Some clients of mine use VoIP service behind two or three layers of NAT without problems. FTP traffic is rare on my network, so I don't know.

The creation of tunnels is planned, but I am a bit afraid to start that and don't know what kind of tunnels to use. VLAN over wireless has been advised against as bad, so I don't want to use it.

Any tunnel needs a concentrator that I just haven't found the time to explore and set up (RADIUS etc. / User Manager...).

I have my ADSL routers converted into modems so my border router can do the PPPoE and thus the NATing, but now I run into other problems.
I'm thinking of setting the modems back into ADSL-router mode so NATing will take place in these ADSL modems. But to make it work I have to set up static routing in these ADSL routers, and they need to have their connection tracking running for NAT, which with the many hundreds of connections at a time is eating their CPU time...

I am a bit in a situation where whatever I choose, I'll get problems.
 
cata02
Member Candidate
Posts: 116
Joined: Fri Mar 05, 2010 8:58 am

Re: double or triple NAT is bad?

Fri Dec 10, 2010 3:50 pm

I have a network with double NAT (Linux front end and ISA Server back end).
It worked fine for 5 years, with 100+ web users (browser, Flash, FTP (heavy), SIP, mail, PPTP, etc.).

I've only encountered one problem using double NAT: the Linux NAT editor, which doesn't handle PPTP call IDs very well, and that upsets ISA.
Some distros fixed the bug, but some still have it.


Other than that, I have not found a reason why double NAT is a bad layout. Everything I tried worked.
 
changeip
Forum Guru
Posts: 3830
Joined: Fri May 28, 2004 5:22 pm

Re: double or triple NAT is bad?

Fri Dec 10, 2010 6:51 pm

It's the same as patching two Cat5 cables together because you don't want to run a new long one. It will work, it's just not ideal. There is nothing written that says it won't work; people just shy away from it because it's 'not the right way to do it.'
 
azg
Frequent Visitor
Posts: 57
Joined: Thu Jun 17, 2010 1:40 pm

Re: double or triple NAT is bad?

Sun Dec 12, 2010 3:40 pm

The reason ISPs try to stay away from NAT is that NAT does not mix well with redundant links and redundant routers. For example, if your network is "flat" (without NAT), you can add additional links between your POPs and let OSPF manage the routing. You can add additional capacity like that, and if a link fails, OSPF can route the traffic around the problem.
If NAT is done within this network, OSPF (and any other routing protocol) stops working. As a result, with NAT you force yourself into non-redundant links, and whenever something fails you lose service and have to run and fix it immediately.
Similarly, with NAT it is hard to manage and test the network from a single place. You probably have to log in from one router to the next router, and from there log in to the next router, and so on.

If you design it right, you can still, for example, do NAT at your border router to the internet and then run OSPF within your network. The key is to not do any NAT *within* your network.

andy
 
Beccara
Long time Member
Posts: 606
Joined: Fri Apr 08, 2005 3:13 am

Re: double or triple NAT is bad?

Tue Dec 14, 2010 4:47 am

The reason against double NATing at the ISP level is the number of connections and limited forwarding. If I have 100 clients behind 1 real IP, I can only let 1 client run a mail server, another a SIP gateway. Outbound connections get limited by the number of dynamic ports, and inbound is limited by the number of service ports, along with tunneling.

Double NAT might work OK in your home network, but you run into some very interesting issues at an ISP level.
 
azg
Frequent Visitor
Posts: 57
Joined: Thu Jun 17, 2010 1:40 pm

Re: double or triple NAT is bad?

Tue Dec 14, 2010 11:43 am

Yes, I think unfortunately we are all soon going to explore those 'very interesting issues at the ISP level'...
IPv6 is still useless --
 
Beccara
Long time Member
Posts: 606
Joined: Fri Apr 08, 2005 3:13 am

Re: double or triple NAT is bad?

Tue Dec 14, 2010 11:50 am

Useless in what sense?
 
azg
Frequent Visitor
Posts: 57
Joined: Thu Jun 17, 2010 1:40 pm

Re: double or triple NAT is bad?

Tue Dec 14, 2010 2:18 pm

Useless from the perspective of what an end customer can do with it. It feels like the IPv4 'web' clearly before 1994.

Technically IPv6 is fine, say, except for the sort of things like OSPF requiring IPsec, IPsec not being implemented in lots of places, etc. Here too, the state of development gives me that 'early-90s' impression.

We'll have to use NAT at the ISP level to stretch IPv4...
 
Caci99
Forum Guru
Posts: 1075
Joined: Wed Feb 21, 2007 2:26 pm
Location: Tirane

Re: double or triple NAT is bad?

Tue Dec 14, 2010 2:25 pm

I have seen an increase in bandwidth capacity of the link by disabling NAT, and also better latency.
Like you said previously, I had an end client behind 5 NATs and was getting a maximum of 3 MB through the wireless link.
Later I changed the configuration to use a VPN from the client to the first router, and I saw an increase in bandwidth to nearly 3.5 (sometimes 4 MB) and a better ping to the internet.
 
Deantwo
Member
Posts: 331
Joined: Tue Sep 30, 2014 4:07 pm

Re: double or triple NAT is bad?

Tue Jan 09, 2018 12:15 pm

Old thread, but first Google result on the topic.

Another thing that makes many NAT routers a bad idea is the fact that each router performing NAT will have to keep a NAT table. It will take your router time to check the NAT table every time it has to forward a packet. Not to mention that in theory your router could run out of port numbers when NATing many (MANY) connections.

As long as you have the SIP helper active, RouterOS should keep VoIP traffic OK. I assume the FTP helper is the same.
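Why SIP (and, for the same reason, active FTP) needs a NAT helper, as raised in nissandata's reply and in the post above: the SDP body of an INVITE carries the phone's own private address and RTP port, and plain header NAT never looks inside the payload, so the far end is told to send media to an unroutable address. The Python model below is an added example, not code from the original thread or from RouterOS; the INVITE, the addresses (192.168.1.10, 172.16.0.2, 203.0.113.1), the port numbers and the `RtpMap` helper are all constructed for the illustration. It shows what a minimal ALG has to rewrite, that it must reserve a media port on the NAT so the return RTP can be mapped back, that it must recompute Content-Length because the body shrinks, and that with two NATs in the path each box has to run its own helper.

```python
"""Why SIP needs a NAT helper (ALG): the SDP body of an INVITE carries the
phone's private address and RTP port, which plain header NAT never rewrites.
The INVITE, addresses and port numbers below are constructed for this example."""

import re

# Constructed INVITE from a phone at 192.168.1.10 behind NAT; Content-Length
# is computed so the message starts out consistent.
_SDP = ("v=0\r\n"
        "o=alice 2890844526 2890844526 IN IP4 192.168.1.10\r\n"
        "c=IN IP4 192.168.1.10\r\n"
        "m=audio 4000 RTP/AVP 0\r\n")
INVITE = ("INVITE sip:bob@example.net SIP/2.0\r\n"
          "Via: SIP/2.0/UDP 192.168.1.10:5060;branch=z9hG4bK776\r\n"
          "Contact: <sip:alice@192.168.1.10:5060>\r\n"
          "Content-Type: application/sdp\r\n"
          f"Content-Length: {len(_SDP)}\r\n"
          "\r\n" + _SDP)


class RtpMap:
    """Per-NAT-box media mappings: public RTP port -> (inside ip, inside port).
    Ports are handed out in even/odd pairs so RTCP (port+1) maps alongside."""

    def __init__(self, public_ip, first_port=10000):
        self.public_ip, self.next_port, self.table = public_ip, first_port, {}

    def allocate(self, inside_ip, inside_port):
        port, self.next_port = self.next_port, self.next_port + 2
        self.table[port] = (inside_ip, inside_port)
        return port


def media_destination(message):
    """Where the far end will send RTP: the c= address and m= port in the SDP."""
    body = message.split("\r\n\r\n", 1)[1]
    ip = re.search(r"^c=IN IP4 (\S+)", body, re.M).group(1)
    port = int(re.search(r"^m=audio (\d+)", body, re.M).group(1))
    return ip, port


def content_length_ok(message):
    """The ALG changes the body length, so the header must be recomputed."""
    head, body = message.split("\r\n\r\n", 1)
    declared = int(re.search(r"^Content-Length: (\d+)", head, re.M).group(1))
    return declared == len(body)


def sip_alg(message, private_ip, nat):
    """Rewrite Via/Contact/SDP from private_ip to the box's public address,
    reserve a public RTP port for the m= line, and fix Content-Length.
    Simplified: the signalling port itself is left untouched."""
    head, body = message.split("\r\n\r\n", 1)
    rtp_private = int(re.search(r"^m=audio (\d+)", body, re.M).group(1))
    rtp_public = nat.allocate(private_ip, rtp_private)
    body = body.replace(private_ip, nat.public_ip)
    body = re.sub(r"^m=audio \d+", f"m=audio {rtp_public}", body, flags=re.M)
    head = head.replace(private_ip, nat.public_ip)
    head = re.sub(r"^Content-Length: \d+", f"Content-Length: {len(body)}",
                  head, flags=re.M)
    return head + "\r\n\r\n" + body


if __name__ == "__main__":
    print("plain NAT, far end sends RTP to:", media_destination(INVITE))
    cpe, border = RtpMap("172.16.0.2"), RtpMap("203.0.113.1", 20000)
    hop1 = sip_alg(INVITE, "192.168.1.10", cpe)       # CPE's helper
    hop2 = sip_alg(hop1, "172.16.0.2", border)        # border's helper
    print("after both helpers:", media_destination(hop2), content_length_ok(hop2))
```

Run it as is and the first line shows the far end being told to send audio to 192.168.1.10:4000, which is exactly the one-way-audio symptom a missing helper produces; the second line shows the address after both boxes have rewritten it, each holding a mapping back to the hop behind it. If any NAT in the chain lacks the helper (or a box runs it twice), the chain breaks at that hop.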
 
jp
Long time Member
Posts: 609
Joined: Wed Mar 02, 2005 5:06 am
Location: Maine

Re: double or triple NAT is bad?

Tue Jan 09, 2018 10:45 pm

It may work fine for a hundred users, but if you had thousands of users, chances are a certain number of them would have some sort of infection and use up all sorts of ports/connections, creating intermittent problems or overloading a weak router.
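Three of the objections in this thread (azg's point that NAT state on one box breaks redundant paths, Beccara's and the post above about the shared port pool and a runaway host, and nissandata's point about forwarding through stacked NATs) come down to the fact that a NAT box keeps a per-box translation table. The model below is an added example, not code from the original thread or from RouterOS; the addresses (10.0.0.0/8, 172.16.0.2, 203.0.113.1, 198.51.100.9), the port range and the traffic figures are constructed, and the `NatBox` class is a deliberately simplified masquerade (one global port pool, no timeouts, no protocol distinction). It shows a reply being dropped by the redundant router that has no state for it, one host consuming the pool so that a normal client's next connection fails, and an inbound service that needs a forward on both boxes.

```python
"""Stateful port-translating NAT box, constructed to show that NAT state lives
on one box (replies via another router are dropped), that one public address
has only ~64k source ports to share, and that a service behind two NATs needs
a forward on each.  All addresses, ports and hosts are made up."""

from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatBox:
    """Masquerade-style source NAT plus static destination NAT (port forwards).
    Simplified: one global port pool, no timeouts, no protocol distinction."""

    def __init__(self, public_ip, port_range=(1024, 65535)):
        self.public_ip = public_ip
        self.free_ports = deque(range(port_range[0], port_range[1] + 1))
        self.out = {}   # (src_ip, src_port, dst_ip, dst_port) -> public port
        self.back = {}  # (public port, remote_ip, remote_port) -> (src_ip, src_port)
        self.dnat = {}  # public port -> (inside_ip, inside_port)

    def outbound(self, p):
        """Translate a packet leaving the inside; None once ports run out."""
        key = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        if key not in self.out:
            if not self.free_ports:
                return None
            port = self.free_ports.popleft()
            self.out[key] = port
            self.back[(port, p.dst_ip, p.dst_port)] = (p.src_ip, p.src_port)
        return Packet(self.public_ip, self.out[key], p.dst_ip, p.dst_port)

    def inbound(self, p):
        """Translate a packet from outside; None when nothing matches it."""
        if p.dst_ip != self.public_ip:
            return None
        inside = self.back.get((p.dst_port, p.src_ip, p.src_port))
        if inside is None:
            inside = self.dnat.get(p.dst_port)   # static port forward
        if inside is None:
            return None                          # unsolicited: dropped
        return Packet(p.src_ip, p.src_port, inside[0], inside[1])

    def add_forward(self, public_port, inside_ip, inside_port):
        self.dnat[public_port] = (inside_ip, inside_port)


def reply_to(p):
    """The far end's answer to p: source and destination swapped."""
    return Packet(p.dst_ip, p.dst_port, p.src_ip, p.src_port)


def asymmetric_return_is_dropped():
    """NAT inside a redundant network: the flow leaves via router A, the reply
    is routed back via router B (same address, VRRP-style), which has no state."""
    a, b = NatBox("203.0.113.1"), NatBox("203.0.113.1")
    reply = reply_to(a.outbound(Packet("10.0.0.5", 40000, "198.51.100.9", 443)))
    return a.inbound(reply) is not None and b.inbound(reply) is None


def one_host_starves_the_rest(clients=100, flows_per_client=50, bad_flows=60000):
    """Returns (ports the runaway host got, whether a normal client's next
    flow still gets a port)."""
    nat = NatBox("203.0.113.1")
    for c in range(clients):
        for f in range(flows_per_client):
            nat.outbound(Packet(f"10.0.1.{c}", 10000 + f, "198.51.100.9", 80))
    bad = sum(nat.outbound(Packet("10.0.1.200", 50000, "198.51.100.9", 1 + f))
              is not None for f in range(bad_flows))
    fresh = nat.outbound(Packet("10.0.1.7", 30000, "198.51.100.9", 443))
    return bad, fresh is not None


def service_behind_two_nats():
    """A server on 192.168.1.10 behind a CPE NAT behind the border NAT: a forward
    on the border alone delivers the packet to the CPE's WAN side and stops."""
    border, cpe = NatBox("203.0.113.1"), NatBox("172.16.0.2")
    border.add_forward(5060, "172.16.0.2", 5060)
    at_cpe = border.inbound(Packet("198.51.100.9", 55555, "203.0.113.1", 5060))
    border_only = cpe.inbound(at_cpe)           # None: CPE has no forward
    cpe.add_forward(5060, "192.168.1.10", 5060)
    both = cpe.inbound(at_cpe)
    return border_only is None and both.dst_ip == "192.168.1.10"


if __name__ == "__main__":
    print("reply via other router dropped:", asymmetric_return_is_dropped())
    print("(ports grabbed, next client ok):", one_host_starves_the_rest())
    print("forward on both boxes needed:", service_behind_two_nats())
```

With the constructed figures, 100 clients with 50 flows each use 5,000 of the 64,512 ports, the runaway host takes the remaining 59,512, and the next ordinary connection gets nothing; on a real box the same pressure shows up as a full connection-tracking table rather than a clean refusal. The dropped-reply case is why azg's advice is to NAT only at the border: the only box whose state the return path is guaranteed to cross.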
 
Lukasz032
just joined
Posts: 6
Joined: Tue Apr 29, 2014 4:31 pm

Re: double or triple NAT is bad?

Mon Jul 15, 2019 3:26 am

And one more thing. Don't forget the Internet is more than TCP, UDP and ICMP. With double NATing, things like IPsec, custom IP-based protocols and L2TP tunneling would cease to work.
