Setting up a Double Nat Network

High Priority
72 Views
Last Modified: 2020-05-26
I currently have a home network with a router that contains parental controls but does not support a dual WAN configuration.  All my local devices are in a 192.168.1.xx subnet as is the LAN on the existing router.  The gateway on all devices is the IP address of the LAN on the router (192.168.1.243). The WAN on that router is currently connected to my ISP. In addition, I have several "virtual servers" set up on this router to forward incoming requests (VOIP, remote access requests, etc.) to various devices on the LAN network.

I want to implement dual WAN functionality by placing a router that supports that function (but NOT parental controls) between that existing router and the internet.  I plan to run a cable between the WAN port of the existing router and the LAN port of the "edge" router (router connected to the internet), setting the WAN on the existing router to 192.168.100.1 and the LAN address of the Edge Router to 192.168.100.243, setting the WAN gateway on the existing router to 192.168.100.243. The new Edge Router will be connected to 2 ISPs and draw WAN IPs dynamically from them.

My questions are:
1.  I believe I will not have any problems with outgoing requests the devices make to the internet or responses finding their way to the requesting devices.  Is that correct?
2.  How do I make sure all incoming requests (such as incoming SIP calls or other requests originating from the internet) make their way first to the original router so that they can be forwarded by that router to the proper device using the port forwarding information set up on that router?  Will that happen automatically or do I need to somehow forward all incoming traffic on all ports to the original router?

Thank you, in advance, for your help and insight!

Fred Marshall, Principal
CERTIFIED EXPERT

Commented:
Dual WAN or Dual NAT per the title of the question?
How about a diagram just to be clear?
CERTIFIED EXPERT

Commented:
It should work as you described.  The one complication is if you ever need to set up port forwarding to any device on the second router.  You'll have to do the forwarding on both routers.
CERTIFIED EXPERT

Commented:
Fred's question is very appropriate.  You are describing dual NAT (two routers in series) as opposed to dual WAN (two WAN connections on a single router).

Adon Raxin, Manager

Author

Commented:
I need both!  Dual NAT because my router that supports parental controls does NOT support dual WAN so I want to add a router in front of it between it and the internet.

I don't understand what CompProbSolve says about port forwarding on both.  If I forward all ports on the EdgeRouter to the original router and it port forwards to the appropriate device, isn't that sufficient?

One of my questions was: Do I need to port forward ALL ports from the Edge Router connected to the internet to the original router and let it handle all the device forwarding?
Adon Raxin, Manager

Author

Commented:
Or will all incoming automatically go to the original router, which is the only connection on the Edge Router lan?

Adon Raxin, Manager

Author

Commented:
Or I can put the original router in the DMZ of the Edge router so that all incoming traffic goes there?

What do you guys suggest?
Adon Raxin, Manager

Author

Commented:
CompProbSolve, maybe I do understand?  Are you saying to port forward all the ports for which I have set up port forwarding on the original router with a destination of the original router, as opposed to the specific device? In other words, the destinations would all be the same 192.168.100.1?
CERTIFIED EXPERT

Commented:
I don't think you're talking about dual WAN, but we can set that discussion aside.

If you forward all ports to the second router, then devices on the first router won't receive any packets.

Assume for the moment that you want TCP port 443 forwarded to a device with a static IP of 192.168.1.200 on the second router.  You would forward TCP 443 on the first router to 192.168.100.1.  The existing rule you set up on the second router should already be forwarding TCP 443 to 192.168.1.200 (assuming it is forwarding now).

Keep in mind that you shouldn't need any forwarding set up for incoming SIP calls.  Your phone will set up NAT in the firewall to handle that.  Where you need port forwarding is if you have devices on your LAN that need access to them from devices on the internet where the internet device is initiating the connection.  An email or web server or remote access (RD, VNC, etc.) would be typical examples of this.

Two suggestions that don't relate to your exact questions.  First, I'd try to move away from a common subnet such as 192.168.1.x.  If you ever want to do a VPN elsewhere, there may be a subnet conflict to complicate matters.  I'd avoid 192.168.0.x, 192.168.1.x, 10.0.x.x, 10.1.x.x, or any other common "default" subnet.

Secondly.... consider a different approach with a single firewall that can do what you want.  I've become a fan of the pfSense software (others on EE like Untangle) to create a firewall.  It can run on any regular PC and is free.  I buy used i5 computers, add a new (small) SSD, and a used Intel 4-port NIC, typically under $200.  That's likely more expensive than what you are using in hardware (unless you have a used PC lying around), but there is a LOT you can do with it.
Adon Raxin, Manager

Author

Commented:
That's very helpful and I think answers my question. I don't think I need the router connected to the internet to do ANYTHING but forward packets to the current router. Setting aside your recommendation for new hardware, this is what I understand:

1. Duplicate all port forwarding rules implemented on the original router to the Edge Router but with a destination of 192.168.100.1 (original router WAN) instead of the individual devices that should receive the packets; This is preferred to putting 192.168.100.1 in the DMZ of the Edge Router.
2. Leave all other settings as is.

I am talking about dual WAN as I have 2 ISPs (Spectrum and Verizon) that I want to be able to use to load balance as well as for backup.  That is why I need the new Edge Router. Does that make sense?

Can you confirm?
CERTIFIED EXPERT

Commented:
OK.... makes more sense now.  I missed anything about having two ISPs.  I was going to ask why you were bothering with the edge router!

The simple answer to both your questions (other than "This is preferred...") is "yes".  That will work.

The DMZ approach may be easier to maintain.  I've not worked with DMZ configuration much at all, but I would try setting 192.168.100.1 as the DMZ of the edge router, then use specific port forwarding in the second router (should already be set up from your description).  If that works as expected, it will mean that you don't have to do port forwarding changes on both routers in the future.

If that doesn't work (though I think it should), you could duplicate the port forwarding from the existing router to the edge router, except that the IP address in the forwarding on the edge router will always point to 192.168.100.1 as you suggested in 1 above.

With all of that said.... I'd still try to find a single router that does the dual WAN and whatever parental controls you want.  Nevertheless, what you are trying to do should work.
Adon Raxin, Manager

Author

Commented:
I did try and buy something that would serve both purposes.  I ordered an ASUS RT-AC3100 which runs ASAUWRT.  Unfortunately, the dual WAN function is notoriously buggy and doesn't work, although the parental control works great.

Previously, I had been using a Ubiquiti EdgeRouter X to manage my dual WAN (before I realized my kids were on the net at all hours and needed to be limited).  So, now, I am trying to combine both functions and it appears my best alternative is to separate the functions: use the ASUS to limit access and use the Ubiquiti for dual WAN.

Probably TMI, but this is the genesis of my request.

Adon Raxin, Manager

Author

Commented:
*ASUSWRT, which is the ASUS version of DD-WRT.
CERTIFIED EXPERT

Commented:
I've used other Ubiquiti products and have been very impressed.  I'd give a strong consideration to trying to make it the only router/firewall.

Take a look at this thread (and search for others) on the issue of parental controls on the Ubiquiti:
https://community.ui.com/questions/Parental-controls-time-of-day-routing-content-filtering/b0667f8c-309c-43fc-a24f-ab9c95895993 

Fred Marshall, Principal
CERTIFIED EXPERT

Commented:
1. Duplicate all port forwarding rules implemented on the original router to the Edge Router but with a destination of 192.168.100.1 (original router WAN) instead of the individual devices that should receive the packets; This is preferred to putting 192.168.100.1 in the DMZ of the Edge Router.
2. Leave all other settings as is.
I'm not sure this really works.
Example: Original router has port forwarding for port 333 to IP 192.168.1.45 Port 222, and other incoming ports on the WAN side are similarly forwarded to IP:Port.  Note that the incoming ports need not match the ports that they are forwarded to on the LAN IP:port.
Now, you intend to set the original WAN port address to 192.168.100.1 and have it looking upstream to the new router at 192.168.100.243.  OK. (Actually, to me that's "backwards" but it can be whatever you like).
You could, but need not, use the same ports (ports are just address extensions after all).
But, you likely want the incoming ports to remain the same as they have been.
So using the same example:
WAN IP:port where port=333 is still destined for 192.168.1.45 Port 222.
So you could do this:
WAN IP:port where port=333 is forwarded to LAN1 192.168.100.1 Port XXX and Port XXX is forwarded to 192.168.1.45 Port 222.
Other ports are similarly done.
Now, there's nothing to stop you from using XXX=333 or XXX=222 or XXX=999 unless the devices won't do it that way -but most do.
What about WAN IP:port where port=333 is forwarded to LAN1 192.168.100.1 Port 222 and LAN1 192.168.100.1 Port 333 is forwarded to 192.168.1.45 Port 222?  That doesn't work because the original router doesn't understand incoming on Port 222, does it?  No, it only understands incoming on Port 333.  So the port forwarding can't be "the same".  But it's not a big deal to do it consistently and correctly.

CERTIFIED EXPERT

Commented:
@Fred: My comment was incorrect as I made the assumption that the existing port forwarding had the same ports on both sides.  As you stated, that need not be the case.

I would revise my comments by saying: duplicate the port forwarding from the existing router to the edge router, except that the IP address in the forwarding on the edge router will always point to 192.168.100.1 AND the inside port should be the same as the outside port.

For example, if the existing router forwards TCP 1234 to 192.168.1.200 on TCP port 4567, the forwarding on the edge router should be TCP port 1234 to 192.168.100.1 on TCP port 1234.  This should allow you to avoid changes to the existing router.

CERTIFIED EXPERT

Commented:
1. as mentioned above, yes that will work out of the box for outgoing ip traffic. i would not recommend the unnecessary double-NAT if the existing router can work as a regular router without NAT

2. the edge router can be configured to send all traffic on all ports to the existing router which should save you the hassle of duplicating every port redirection rule with a limited security impact
Adon Raxin, Manager

Author

Commented:
Skullnobrains, how would I configure all ports forwarded without putting, in my example, 192.168.100.1 in the DMZ of the Edge Router?
Adon Raxin, Manager

Author

Commented:
Fred: I was planning on the Edge Router to always forward the incoming port to the same incoming port on the original router.  That way the original router will be getting requests on the same port that it would if it were connected directly to the internet and it can decide which device and port to forward to.

Does that work?
Adon Raxin, Manager

Author

Commented:
A related question:  Will I be able to get to the Edge Router GUI interface by going to 192.168.100.243 on one of my devices in the original router subnet of 192.168.1.x?
Fred Marshall, Principal
CERTIFIED EXPERT

Commented:
I was planning on the Edge Router to always forward the incoming port to the same incoming port on the original router. 
Yes, that should work.
Will I be able to get to the Edge Router GUI interface by going to 192.168.100.243 on one of my devices in the original router subnet of 192.168.1.x?
Yes.
Adon Raxin, Manager

Author

Commented:
Great.  Thanks Fred.
Adon Raxin, Manager

Author

Commented:
Skullnobrains, how would I configure all ports forwarded without putting, in my example, 192.168.100.1 in the DMZ of the Edge Router?
CERTIFIED EXPERT

Commented:
Skullnobrains, how would I configure all ports forwarded without putting, in my example, 192.168.100.1 in the DMZ of the Edge Router? 

if the router has such a "DMZ" concept, that's how you would do it and i see no point to do it otherwise. it should be feasible to set up port translation of range 1:65535 to the same range as well, though. the DMZ setting preserves incoming ports. most likely it will preserve outgoing ports as well, but you had better check if that matters to you.
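Fred's port-numbering point (an edge rule must not rewrite the outside port before the original router sees it) and the DMZ-host variant discussed just above, as an added example that is not from anyone in this thread: a small Python model of two chained destination-NAT stages. The rules are constructed; the 192.168.100.1 hop and the 192.168.1.45:222 and 192.168.1.200:4567 targets follow the examples given earlier.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    proto: str          # "tcp" or "udp"
    ext_port: int       # port as it arrives on this router's WAN side
    inside_ip: str      # where the packet is sent next
    inside_port: int    # port it is rewritten to


class NatRouter:
    """One destination-NAT stage. Inbound packets are matched on (proto, port);
    an optional DMZ host catches everything unmatched and keeps the port."""

    def __init__(self, name: str, rules: List[Rule], dmz_host: Optional[str] = None):
        self.name = name
        self.rules = {(r.proto, r.ext_port): r for r in rules}
        self.dmz_host = dmz_host

    def forward(self, proto: str, port: int) -> Optional[Tuple[str, int]]:
        rule = self.rules.get((proto, port))
        if rule is not None:
            return rule.inside_ip, rule.inside_port
        if self.dmz_host is not None:
            return self.dmz_host, port          # DMZ host: incoming port preserved
        return None                             # no rule: packet stops at this router


def trace(stages: List[NatRouter], proto: str, port: int) -> Optional[Tuple[str, int]]:
    """Walk one inbound packet through chained NAT stages. Returns the final
    (ip, port), or None when a stage has no matching rule, i.e. the packet hits
    that router's own closed port instead of a LAN device."""
    dest, current = None, port
    for stage in stages:
        hop = stage.forward(proto, current)
        if hop is None:
            return None
        dest, current = hop
    return dest, current


def mirror_rules(original_rules: List[Rule], original_wan_ip: str) -> List[Rule]:
    """Edge-router rules derived from the original router's rules: keep the
    outside port on both sides and point at the original router's WAN address."""
    return [Rule(r.proto, r.ext_port, original_wan_ip, r.ext_port) for r in original_rules]


# Constructed sample: the original (192.168.1.x) router's forwarding table.
ORIGINAL_WAN = "192.168.100.1"
ORIGINAL_RULES = [
    Rule("tcp", 333, "192.168.1.45", 222),      # inside port differs from outside
    Rule("tcp", 1234, "192.168.1.200", 4567),
]
ORIGINAL = NatRouter("original", ORIGINAL_RULES)


def chain_with_mirrored_rules() -> Dict[int, Optional[Tuple[str, int]]]:
    edge = NatRouter("edge", mirror_rules(ORIGINAL_RULES, ORIGINAL_WAN))
    return {p: trace([edge, ORIGINAL], "tcp", p) for p in (333, 1234, 80)}


def chain_with_rewritten_port() -> Optional[Tuple[str, int]]:
    # The failing case: edge rewrites 333 -> 222, original has no rule for 222.
    edge = NatRouter("edge", [Rule("tcp", 333, ORIGINAL_WAN, 222)])
    return trace([edge, ORIGINAL], "tcp", 333)


def chain_with_dmz_host() -> Dict[int, Optional[Tuple[str, int]]]:
    # Edge hands every port to 192.168.100.1; the original router's rules still
    # decide, so an unlisted port (80) reaches nothing behind it.
    edge = NatRouter("edge", [], dmz_host=ORIGINAL_WAN)
    return {p: trace([edge, ORIGINAL], "tcp", p) for p in (333, 1234, 80)}
```

Running the three chains shows that mirrored rules and a DMZ host deliver the same ports to the same devices, while the rewritten-port rule drops the packet at the original router.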
Adon Raxin, Manager

Author

Commented:
Is setting up a DNAT rule for incoming traffic more secure than DMZ?
CERTIFIED EXPERT

Commented:
probably not. ( actually just no )

in itself DMZ does not mean much : in best practices that date back to the 90s, it used to be the intermediate zone between your lan and the WAN where your proxies and reverse proxies would sit.

some firewalls create a DMZ zone that does no specific mapping but just allows simple management through 3 preconfigured zones : WAN, DMZ, LAN

many home routers allow setting a DMZ host that basically receives all internet traffic and is strictly equivalent to setting network translations for all ports in both directions. i assume you are in that latter case which would make things equivalent.

in any case, as long as you only have one up and one down link, and do not expect the edge router to filter traffic, the way it is set up does not matter much as long as it works. plug the router in one zone, call it DMZ, LAN, or whatever you want and do not bother. just check you can access the edge router properly which might be automagically disabled from the DMZ zone

Adon Raxin, Manager

Author

Commented:
The dual WAN router I am using as the "Edge Router" is actually a Ubiquiti ER-X running EdgeOS, which has pretty granular destination NAT and firewall rule flexibility. It definitely handles port range forwarding with a DNAT rule that can forward ports 0-65535 to analogous ports on the target LAN IP address. I think I'd have to do this separately on both WAN interfaces, but it should work. Thoughts on doing it that way?

I'm assuming that will not interfere with any outbound traffic originating on the original router's LAN or responses to that outbound traffic coming back into the edge router?
CERTIFIED EXPERT

Commented:
it will work as expected for the inbound part

original outbound ports may not be preserved but the connections WILL work. it is likely your existing router does not preserve ports in the first place and few applications actually require that ( active FTP and peer to peer networks mostly ) so that may or may not need something to check.

if the ubiquiti router has a setting that allows to declare one host as "the" dmz host, using that feature will produce the same results with much less hassle.

again, the double NAT setup will work but a single layer would be better if possible. your existing router may or may not allow that. the edge router handles the wan addresses so you need NAT on that router. obviously, if the existing nat rules are used as a basic firewall layer, there will be an issue.

on the other hand, there is a point in using the dns of the edge router as it will likely react better when a link fails. again, that may or may not be worth the hassle. my vote would be no unless experience proves otherwise which is highly dependent on how the forwarder of the existing router is configured.
Adon Raxin, Manager

Author

Commented:
On second thought, I only have about 12 port forwarding rules and I'd prefer for security purposes not to open all ports on the Edge Router, so I think I'll just set up those ports.
CERTIFIED EXPERT

Commented:
i would advise against that.

maintaining 2 sets of firewall rules does not add security. that will only make the setup more messy.
remember that you would need to use the IP of the existing router rather than actual server IPs.

if your existing router supports it, removing that nat layer is a little bit of work, but makes copying 12 rules worth the effort.

even better, if that's only 12 rules, it might be much simpler to replace your existing router with the new one for a cleaner setup. or keep it for dhcp only.
Adon Raxin, Manager

Author

Commented:
Problem is the basic reason I am doing this.  I want to use the parental control capability on the original router.  The Edge Router is very messy to implement vs. the GUI on the existing router.  That's why I want to route all traffic through the original but implement dual WAN through the ER-X.

My impression - and correct me if I am incorrect - is that anytime I forward a port on the ER-X I open it.  If I forward all ports, I have opened all ports - which is less secure than only opening the 12 ports I really need to open.  Do I misunderstand this?
CERTIFIED EXPERT

Commented:
hmm... chances are the router does parental control through dns so it may not require to actually route traffic to work. but i get your issue, now.

My impression - and correct me if I am incorrect - is that anytime I forward a port on the ER-X I open it.  If I forward all ports, I have opened all ports - which is less secure than only opening the 12 ports I really need to open.  Do I misunderstand this?

not entirely, but mostly. allowing everything in your first firewall will merely allow traffic to bounce on the closed ports of the second one. there is no DOS issue since the internet link will be saturated before the local link anyway.

there are a few specifically crafted attacks that could mostly allow to disrupt established traffic by sending special packets optimistically trying to hit open ports. either or both routers probably prevent that traffic from reaching the inside hosts and i do not believe much of these would succeed more significantly either way.

given the new information, i would suggest you plug in any computer that can be reached from the outside directly to the edge router, remove the ports redirections from the home router, and isolate the domestic network behind your existing router. if that can be achieved in routing/bridging mode, all the better. the edge router would likely use static addressing.

another way might be to put all hosts on the same network, including both routers. the existing router can provide dhcp and dns services but issue the edge's ip as the gateway so it does not actually route traffic. this provides no network isolation but best performance.

what you have in mind will also work. i'd pick either of the above, though. i can help with the setup whatever solution you pick.
Adon Raxin, Manager

Author

Commented:
"another way might be to put all hosts on the same network, including both routers. the existing router can provide dhcp and dns services but issue the edge's ip as the gateway so it does not actually route trafic. this provides no network isolation but best performance."

But if traffic does not go through the existing router, how can it stop outgoing internet requests from my kids' devices to certain sites and at certain times?  It does this by MAC address?
Adon Raxin, Manager

Author

Commented:
"It does this by MAC address" is not a question.  That and associated IP is what it uses to decide to drop packets in both directions.
CERTIFIED EXPERT

Commented:
nope.

either it applies some kind of proxy or level 4 filtering which is unlikely on a home router and would require it actually handles the traffic, or it simply redirects DNS queries to a dummy location which is much more likely.

dns based filtering will work as long as the computers use the appliance's dns. if it handles dhcp, it will normally provide its own address as the dns server, the gateway, perhaps the time server... just make sure there is no other dns server on your home network if you suspect the users will try to break through somehow.
Adon Raxin, Manager

Author

Commented:
I think it simply drops packets by MAC address during the prescribed times to the prescribed destinations.  but regardless, I think I need to use that router as a gateway for those devices, no?  And then have it pass traffic to the Edge router that it doesn't drop, no?

Not sure why you seem to think that's bad?
CERTIFIED EXPERT

Commented:
not a chance. destination mac is always the upstream router's which does not allow any kind of actual filtering.

you can easily check how it behaves by running dns queries against the router. my bet is the router merely redirects said queries to itself and features a small web server that responds with a page notifying the user he was blocked.

i think double nat is suboptimal. more setup, more error prone, more added latency. 2 routers may not be strictly required but look like a decent solution whether they are chained or not. but ultimately, you are the one to decide how you want your network designed.
Adon Raxin, Manager

Author

Commented:
I would prefer one with a dual WAN capability that is reliable and works and an easy parental control interface to set access schedules by mac address.  Any suggestions?
Adon Raxin, Manager

Author

Commented:
I don't need wireless at all.  I have access points where needed and wired connections everywhere else.
CERTIFIED EXPERT
Commented:
Adon Raxin, Manager

Author

Commented:
Thanks.