Author Topic: Double NAT  (Read 202 times)

aesmith

Double NAT
« on: July 11, 2019, 10:39:44 AM »

Hi,

I've been thinking about this and I think I have convinced myself that even if one subscribes to the "NAT is evil" viewpoint, the "damage", if any, is done the first time the original source address is changed. Unless some sort of payload rewrite is also carried out, I can't see that there is any further effect from the traffic passing through a second or even a third NAT. There are a few systems I'm aware of that use double NAT as a matter of course, Meraki guest wireless being one example.

Any comments or anything I'm missing?  I'm assuming that the kit at each stage is capable of NAT at the required throughput.

d2d4j

Re: Double NAT
« Reply #1 on: July 11, 2019, 10:54:13 AM »

Hi

We use double NAT and treble NAT for some devices at home, such as Xbox, streaming terminal, WAP, etc., and each NAT also has firewalls.

We experience no issues, and I play a racing game (with all helps turned off) and am rated in the top 1% of players even though the Xbox is double NAT and ping times are around 22ms.

Many thanks

John

sevenlayermuddle

Re: Double NAT
« Reply #2 on: July 11, 2019, 01:03:45 PM »

I think one of the main problems with double NAT arises when setting up port forwarding rules for incoming traffic, or allowing them to be set up automatically with UPnP. There would, I think (?), need to be a separate set of forwarding rules set up at each level of NAT. Of course, for those of us who simply refuse to allow any port forwarding rules, and disable UPnP, that is not an issue.

Personally I have always wondered whether double NAT might actually be a reasonably safe way of setting up a guest network, isolated from my own private LAN.    The first NAT, closest to the internet, would have a WiFi AP, and allow visitors to access the internet, and to access one another.    But my own LAN, buried behind a second NAT, whilst still having access to Internet and all my own devices, would not be easily accessible from the guest LAN.

Most routers do offer guest LAN facilities, but it can be tricky to configure, and easy to mis-configure, and you are dependent upon the router manufacturer's code working. A second NAT seems to me a more convincing alternative. I suspect there are good reasons against that suggestion, but don't know what they are; happy to be educated. :)

aesmith

Re: Double NAT
« Reply #3 on: July 11, 2019, 01:18:12 PM »

Quote from: sevenlayermuddle on July 11, 2019, 01:03:45 PM
Personally I have always wondered whether double NAT might actually be a reasonably safe way of setting up a guest network, isolated from my own private LAN. The first NAT, closest to the internet, would have a WiFi AP, and allow visitors to access the internet, and to access one another. But my own LAN, buried behind a second NAT, whilst still having access to Internet and all my own devices, would not be easily accessible from the guest LAN.

Interestingly, that's pretty much the opposite of the way that Meraki (and I think OpenMesh) implement guest access with double NAT. What they do is issue DHCP from the wireless AP to the guest devices, then that gets translated onto the AP's own address on the normal LAN. That's coupled with access control preventing the devices from talking to anything on the LAN other than the default router. So in effect, where your design hides your LAN from the guests, their design hides the guests.

I can't see why your design wouldn't work. From the point of view of your private network, you've put the guests effectively outside your firewall, where normally you'd find the wholly untrusted Internet. It has the disadvantage of needing a separate physical access point for guests, except by using some VLAN jiggery.
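Added example (not written by any poster in this thread): a small Python model of two cascaded NAT routers, using constructed addresses, that illustrates the points made in Reply #2 and Reply #3. It shows that the second NAT merely rewrites an already-translated source address, that a guest on the outer LAN cannot reach hosts behind the inner router without an explicit rule, and that an inbound port forward has to exist at every NAT level before it works from the Internet.

```python
from collections import namedtuple
from dataclasses import dataclass, field

Packet = namedtuple("Packet", "src sport dst dport")

@dataclass
class Nat:
    wan_ip: str                                    # address on the outer-facing side
    forwards: dict = field(default_factory=dict)   # static rules: WAN port -> (ip, port)
    table: dict = field(default_factory=dict)      # dynamic mappings: WAN port -> (ip, port)
    next_port: int = 40000

    def outbound(self, pkt):
        # Reuse this inner socket's WAN port, else allocate the next free one.
        port = next((p for p, s in self.table.items() if s == (pkt.src, pkt.sport)), None)
        if port is None:
            port, self.next_port = self.next_port, self.next_port + 1
            self.table[port] = (pkt.src, pkt.sport)
        return Packet(self.wan_ip, port, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        # Deliver only replies to a known mapping or an explicit forward; otherwise drop.
        inner = self.table.get(pkt.dport) or self.forwards.get(pkt.dport)
        if pkt.dst != self.wan_ip or inner is None:
            return None
        return Packet(pkt.src, pkt.sport, *inner)

def traverse_out(pkt, nats):
    for nat in nats:            # inner router first, then outer
        pkt = nat.outbound(pkt)
    return pkt

def traverse_in(pkt, nats):
    for nat in reversed(nats):  # outer router first, then inner; None once any level drops it
        pkt = pkt and nat.inbound(pkt)
    return pkt

def demo():
    # Constructed topology: private LAN behind an inner router whose WAN side is on the guest LAN.
    inner, outer = Nat("192.168.0.2"), Nat("203.0.113.5")   # outer router faces the Internet
    path = [inner, outer]
    out = traverse_out(Packet("10.0.0.10", 5000, "198.51.100.7", 443), path)
    reply = traverse_in(Packet("198.51.100.7", 443, out.src, out.sport), path)
    # A guest on the outer LAN probing the inner router's WAN address is dropped.
    guest = inner.inbound(Packet("192.168.0.77", 6000, "192.168.0.2", 22))
    # Forwarding port 8080 on the inner router alone is not reachable from the Internet...
    inner.forwards[8080] = ("10.0.0.10", 80)
    one_level = traverse_in(Packet("198.51.100.9", 7000, "203.0.113.5", 8080), path)
    outer.forwards[8080] = ("192.168.0.2", 8080)   # ...a matching rule is needed at the outer level too
    both_levels = traverse_in(Packet("198.51.100.9", 7000, "203.0.113.5", 8080), path)
    return out, reply, guest, one_level, both_levels
```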