Author Topic: Double NAT  (Read 3554 times)

aesmith

  • Kitizen
  • ****
  • Posts: 1216
Double NAT
« on: July 11, 2019, 10:39:44 AM »

Hi,

I've been thinking about this and I think I have convinced myself that even if one subscribes to the "NAT is evil" viewpoint, the "damage" if any is done the first time the original source address is changed.  Unless some sort of payload re-write is also carried out, I can't see that there is any further effect from the traffic passing through a second or even a third NAT.   There are a few systems I'm aware of that use double NAT as a matter of course, Meraki guest wireless being one example.

Any comments or anything I'm missing?  I'm assuming that the kit at each stage is capable of NAT at the required throughput.
Logged

d2d4j

  • Kitizen
  • ****
  • Posts: 1103
Re: Double NAT
« Reply #1 on: July 11, 2019, 10:54:13 AM »

Hi

We use double NAT and treble NAT for some devices at home, such as Xbox, streaming terminal, WAP etc, and each NAT also has firewalls.

We experience no issues and I play a racing game (with all helps turned off) and rated in top 1% of players even though Xbox is double nat and ping times around 22ms.

Many thanks

John
Logged

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: Double NAT
« Reply #2 on: July 11, 2019, 01:03:45 PM »

I think one of the main problems with double NAT arises when setting up port forwarding rules for incoming traffic, or allowing it to be set up automatically, with UPnP.   There would, I think (?) need to be a separate set of forwarding rules set up, at each level of NAT.   Of course, for those of us who simply refuse to allow any port forwarding rules, and disable UPnP, that is not an issue.

Personally I have always wondered whether double NAT might actually be a reasonably safe way of setting up a guest network, isolated from my own private LAN.    The first NAT, closest to the internet, would have a WiFi AP, and allow visitors to access the internet, and to access one another.    But my own LAN, buried behind a second NAT, whilst still having access to Internet and all my own devices, would not be easily accessible from the guest LAN.

Most routers do offer guest LAN facilities, but it can be tricky to configure, and easy to mis-configure, and you are dependent upon the router manufacturer’s code working.   A second NAT seems to me, a more convincing alternative.  I suspect there are good reasons against that suggestion, but don’t know what they are, happy to be educated. :)
Logged

aesmith

  • Kitizen
  • ****
  • Posts: 1216
Re: Double NAT
« Reply #3 on: July 11, 2019, 01:18:12 PM »

> Personally I have always wondered whether double NAT might actually be a reasonably safe way of setting up a guest network, isolated from my own private LAN.    The first NAT, closest to the internet, would have a WiFi AP, and allow visitors to access the internet, and to access one another.    But my own LAN, buried behind a second NAT, whilst still having access to Internet and all my own devices, would not be easily accessible from the guest LAN.

Interestingly that's pretty much the opposite of the way that Meraki (and I think OpenMesh) implement guest access with double NAT.  What they do is issue DHCP from the wireless AP to the guest devices, then that gets translated onto the AP's own address on the normal LAN.  That's coupled with access control preventing the devices from talking to anything on the LAN other than the default router.  So in effect where your design hides your LAN from the guests, their design hides the guests.

I can't see why your design wouldn't work.  From the point of view of your private network, you've put the guests effectively outside your firewall where normally you'd find the wholly untrusted Internet.  It has the disadvantage of needing a separate physical access point for guests, except by using some VLAN jiggery.
Logged

dee.jay

  • ISP Rep
  • Reg Member
  • *
  • Posts: 952
Re: Double NAT
« Reply #4 on: July 19, 2019, 09:22:49 AM »

NAT is evil, and the reason why IPv6 adoption has been very slow.

However, NAT is admittedly also very bloody useful and can be used for good. Carrier grade NAT truly is evil though.
Logged
Starlink and AAISP L2TP combo routed by opnSense on proxmox

aesmith

  • Kitizen
  • ****
  • Posts: 1216
Re: Double NAT
« Reply #5 on: July 19, 2019, 11:45:50 AM »

> NAT is evil, and the reason why IPv6 adoption has been very slow.

I'd turn that around and say that NAT is making IPv6 unnecessary in the real world.  Or putting off the day when it will become necessary. 

In any case I can't see IPv6 removing the need for NAT, except for organisations each with only one Internet connection and who are prepared to readdress their network if they change provider.  Accepted that it's not called NAT, and that Prefix Translation may be superior to typical IPv4 address sharing port translation. 

What's the particular beef with CGNAT, is it because it prevents inbound connections, or do you have other reasons?
Logged

jelv

  • Helpful
  • Kitizen
  • *
  • Posts: 2054
Re: Double NAT
« Reply #6 on: July 19, 2019, 03:35:10 PM »

One example: you end up on the same IP as loads of other users. One of them gets their IP banned on some forum(s) - you are banned as well.
Logged
Broadband and Line rental: Zen Unlimited Fibre 2, Mobile: Vodaphone
Router: Fritz!Box 7530

dee.jay

  • ISP Rep
  • Reg Member
  • *
  • Posts: 952
Re: Double NAT
« Reply #7 on: July 19, 2019, 03:59:12 PM »

> I'd turn that around and say that NAT is making IPv6 unnecessary in the real world.  Or putting off the day when it will become necessary. 

And therein lies the problem! We need to move away from IPv4, and NAT. It is simply not fit for purpose in today's internet.
Logged
Starlink and AAISP L2TP combo routed by opnSense on proxmox

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: Double NAT
« Reply #8 on: July 26, 2019, 04:30:10 AM »

> I suspect there are good reasons against that suggestion, but don’t know what they are, happy to be educated.

It’s all down to either having or not having enough IPv4 addresses. Let’s say your ISP gives you a modest sized but adequate address block - eg AA now gives out address blocks of whatever size you need, within reason, and they are free. Then you simply don’t need NAT to do the guest LAN thing. You either use a VLAN or you put another firewall router in place and then jail your guests behind that device. It’s the firewalling that you need for the guest restrictions, not NAT.

I didn’t have to do that, because I had another mechanism. My ZyXEL WAPs have an L2 firewall facility called ‘isolation’ where you can prevent devices talking to anything else on the LAN as you wish - all at L2. This can be set up to be different for each one of multiple SSIDs, so the guests on wireless log in to the ‘guest’ SSID and are then subjected to these L2 firewalling restrictions.

But at work I did once do exactly your plan, sort-of: putting a subset of users behind a NAT translator, where I had a few IPv4 addresses available to me but couldn’t be sure to always be able to get enough additional ones in future.
Logged

aesmith

  • Kitizen
  • ****
  • Posts: 1216
Re: Double NAT
« Reply #9 on: July 28, 2019, 06:13:31 PM »

I don't think address availability is really the issue, or solution.  Nobody has made any comment about how using native Internet reachable addresses can be made to work when an organisation has multiple Internet providers, or for an organisation with only one connection having to renumber their entire network if they change provider.   

As a matter of fact I worked with two organisations that used their own official Class A network to number their internal networks worldwide, but I wasn't involved with their firewalls or Internet provision so although I think it highly unlikely that they accessed the Internet using their internal addresses, I don't actually know for sure.  If they did then at least one of them will have had to change, as they've sold their Class A to Amazon.  (I wonder if they've renumbered internally since then, that would be a major job).  It looks like the other has sold a quarter of theirs to Google and a quarter to Amazon.

Anyway since we're diverging from the original question, I'd be interested to hear from those who subscribe to "NAT Is Evil" some examples of actual end user applications or protocols that don't work.  In the early days some IPsec VPN clients wouldn't work but that was pretty quickly resolved.  The only disadvantage that I've seen in the real world has been traceability, correlating external activity with the internal user.
Logged
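To illustrate two points raised in this thread, the Reply #2 observation that port forwarding needs a rule at each level of NAT, and the traceability concern just above (correlating external activity with the internal user), here is a toy two-hop NAPT model. It is an added example, not code from any poster or from Meraki, OpenMesh or any router; the addresses, ports and the 40000 starting port are constructed, and real routers also track protocol and timeouts that this model omits.

```python
from collections import namedtuple
from dataclasses import dataclass, field

Packet = namedtuple("Packet", "src sport dst dport")
@dataclass
class Nat:                                        # one NAPT hop: rewrites src to its outside address
    outside: str                                  # address this hop presents towards the internet
    forwards: dict = field(default_factory=dict)  # static rules: outside port -> (inside ip, port)
    flows: dict = field(default_factory=dict)     # (src, sport, dst, dport) -> outside port
    back: dict = field(default_factory=dict)      # outside port -> (inside ip, inside port)
    next_port: int = 40000
    def outbound(self, p):
        key = (p.src, p.sport, p.dst, p.dport)
        if key not in self.flows:                 # new flow: allocate a port and remember it
            self.flows[key], self.back[self.next_port] = self.next_port, (p.src, p.sport)
            self.next_port += 1
        return Packet(self.outside, self.flows[key], p.dst, p.dport)
    def inbound(self, p):
        inside = self.back.get(p.dport) or self.forwards.get(p.dport)
        if p.dst != self.outside or inside is None:
            return None                           # no state and no rule at this hop: dropped
        return Packet(p.src, p.sport, *inside)

def send_out(hops, p):                            # innermost NAT first
    for nat in hops:
        p = nat.outbound(p)
    return p

def send_in(hops, p):                             # outermost NAT first; any hop may drop it
    for nat in reversed(hops):
        p = p and nat.inbound(p)
    return p

def trace(hops, public_port):                     # correlate a public port with the inside host
    host = None
    for nat in reversed(hops):                    # every hop's table is needed, or the trail ends
        host, public_port = nat.back.get(public_port, (None, None))
        if host is None:
            return None
    return host, public_port

HOPS = [Nat("10.0.0.2"), Nat("203.0.113.5")]      # constructed: home router behind an ISP router

def browse():                                     # ordinary outbound flow and its reply
    wire = send_out(HOPS, Packet("192.168.1.10", 51000, "198.51.100.7", 443))
    return wire, send_in(HOPS, Packet("198.51.100.7", 443, wire.src, wire.sport))

def expose(rule_on_inner):                        # unsolicited inbound to 8080 from the internet
    HOPS[1].forwards[8080] = ("10.0.0.2", 8080)
    HOPS[0].forwards = {8080: ("192.168.1.10", 8080)} if rule_on_inner else {}
    return send_in(HOPS, Packet("198.51.100.7", 55555, "203.0.113.5", 8080))
```

Running `browse()` shows the reply finding its way back through both tables unaided, `expose(False)` shows the outer router's forwarding rule alone getting the packet dropped at the inner hop, and `trace()` shows that correlating a public port with a LAN host needs the state of every NAT in the chain.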

aesmith

  • Kitizen
  • ****
  • Posts: 1216
Re: Double NAT
« Reply #10 on: July 28, 2019, 06:15:08 PM »

> One example: you end up on the same IP as loads of other users. One of them gets their IP banned on some forum(s) - you are banned as well.
Would that not potentially apply to any service with a dynamic IP address?
Logged

jelv

  • Helpful
  • Kitizen
  • *
  • Posts: 2054
Re: Double NAT
« Reply #11 on: July 29, 2019, 09:10:47 AM »

Yes, but it is far, far, far worse with CGNAT because there will be many more other users all using the same IP as you.

As most people leave their routers on 24/7 their dynamic IP addresses won't change that often so there may only have been a handful of previous users of the IP in the last few months.
Logged
Broadband and Line rental: Zen Unlimited Fibre 2, Mobile: Vodaphone
Router: Fritz!Box 7530