Double NAT - is it really that big of a problem?

timeshifter
I understand that your networks shouldn't have more than one router doing NAT. All of the networks that I deal with are home based or very small businesses, and they'll only need one NAT router. BUT, I see it all the time. And I notice it not because I'm working on a networking issue, I just happen to notice while I'm called in for something unrelated.

Typically these days they've got a new cable modem / router with WiFi combo box connected to their old Linksys or Netgear router. In years past I'd see it on DSL connections.

I've asked in other venues about this and the best I've heard that double NAT might interfere with Skype connections. When I ask the customers who have this about any issues they've noticed I get blank looks.

Sometimes I'll remove the extra router and reprogram stuff the right way. Other times I'll leave it alone because I don't want to get a call back with the complaint that it was working fine until I messed with it. Plus I may not have the time or feel like the customer would be happy to pay for the extra time.

Anyway, what's your experience? How do you feel about double NAT?
 
I used to run a wireless system to get broadband to a remote area. Most users were on the end of a chain of routers 8 or 9 deep, all doing NAT. Never had a problem.

I'd be more concerned about channel conflicts where multiple routers are in close proximity. If they really need multiple wifi networks, I'd check on that and correct if necessary.
 
I'd be more concerned about channel conflicts where multiple routers are in close proximity. If they really need multiple wifi networks, I'd check on that and correct if necessary.
Oh, I'm worried about that alright. If both boxes are doing WiFi I will disable one of them. Many times I'll ask "what about the WiFi system called 'WIFIDG12345'?" and they'll say they have no idea what that is. So I turn it off. So yes I agree that multiple WiFi networks is an issue. More concerned about purely Double NAT.
 
I think the Skype reference is possibly because Skype is 'kind of' remote access (i.e. incoming traffic). You probably won't run into too much trouble if a home network is double-natted, but you can get serious problems trying to remote in to, say, an office server because the external and internal networks aren't talking to each other.
 
Double NAT only matters if you are providing an Internet facing service, whether public or private. Such as your own mail server, etc. If it's typical usage, email, web browsing, etc, etc it does not usually matter. Those services tunnel out and build a reverse tunnel back.
 
I've seen small networks with two gateways both performing address translation work ok for a few users. It was usually designed by somebody's cousin "who knows computers" but it is sloppy and unprofessional.

I have seen issues with VoIP and double NATting.
 
You'll have issues with anything that involves incoming traffic like VoIP, remote access, VPN etc. You CAN get around it by building routes carefully but why would you ever end up in the situation where you'd have to? If you want separate subnets just get a decent router that does VLANs well. The answer to most networking issues is good network design and capable equipment.
 
I've always hated it.
Many, many times, seen issues with it. Why put a sloppy lazy poorly implemented design in place...which may/can lead to further trouble calls down the road because things don't work right?

It's inefficient. Each NAT hop adds latency. While sure..doesn't matter for many situations (like home/residential, or casual light office use)...it's...just poor design. The result of someone of "home network skill level" trying to build a larger network and doesn't know how.

NAT molests traffic. Certain types of traffic do not like getting molested by NAT. Adding multiple NATs introduces more molestation. NAT sensitive traffic such as certain VPN, VoIP, remote desktop, conference/video, gaming, certain httpS tunnels...they don't like it.

Not to mention the complexity of documenting/designing a network.
 
One of my least favorite things - installing a Sonicwall where the ISP modem won't go properly into bridge mode (I'm looking at you Comcast). Sometimes it works, sometimes not....or it appears to work but ports won't forward correctly. Always when you're working with home-based businesses and they don't have business service from the ISP. I will absolutely double-NAT if that's the only way to make the damned thing work.
 
One of my least favorite things - installing a Sonicwall where the ISP modem won't go properly into bridge mode (I'm looking at you Comcast). Sometimes it works, sometimes not....or it appears to work but ports won't forward correctly. Always when you're working with home-based businesses and they don't have business service from the ISP. I will absolutely double-NAT if that's the only way to make the damned thing work.

What model Comcast gateways do you face? Comcast is our most common ISP with most of our clients, I always set the gateways to pass the public IP to our own edge router. Generally we have 3x models of the gateways up here...but generally there are 2x firmware versions with them..both pass the pub IP very well.
 
What model Comcast gateways do you face? Comcast is our most common ISP with most of our clients, I always set the gateways to pass the public IP to our own edge router. Generally we have 3x models of the gateways up here...but generally there are 2x firmware versions with them..both pass the pub IP very well.

StoneCat, I think when comcast is giving a dynamic IP, that the gateway mode isn't 100% functional on their equipment. You can turn the firewall off and such, but you still have no choice but to give your downstream router a 10.0.0.0/24 or 192.168.1.0/24 address. It won't pass the public IP down. That's my experience at least, but have not setup a new Comcast modem in at least a year. Dang... I need new clients!!
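A quick check for the situation described in this post, added here as an example and not something posted in the thread: if the address a router obtains on its WAN port is RFC 1918 space (or 100.64.0.0/10 carrier-grade NAT space), another translator sits upstream and inbound port forwards on that router will not reach the Internet. The second function counts translating hops in a traceroute taken from an inside host. All addresses and traces below are constructed; 203.0.113.0/24 (a documentation range) stands in for real public space.

```python
import ipaddress
from typing import Iterable, Tuple

# Address space that only appears behind a translator: RFC 1918 private ranges
# plus the RFC 6598 shared range used for carrier-grade NAT (CGNAT).
# ipaddress's is_private is deliberately not used, because it also flags
# documentation ranges such as 203.0.113.0/24, which this example uses as a
# stand-in for a genuine public address.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
CGNAT = [ipaddress.ip_network("100.64.0.0/10")]


def classify_wan(wan_ip: str) -> str:
    """Classify the address a router obtained on its WAN port.

    'public'  routable address: this router is the only NAT layer.
    'double'  RFC 1918 address: another NAT device (e.g. an ISP gateway that is
              not in bridge mode) sits between this router and the Internet.
    'cgnat'   100.64.0.0/10: the ISP translates upstream; inbound port forwards
              on the customer router cannot work at all.
    """
    ip = ipaddress.ip_address(wan_ip)
    if any(ip in net for net in CGNAT):
        return "cgnat"
    if any(ip in net for net in RFC1918):
        return "double"
    return "public"


def nat_layers_from_trace(hops: Iterable[Tuple[int, str]]) -> int:
    """Count NAT layers implied by a traceroute run from an inside host.

    Each private-space hop before the first public hop is taken to be one
    translating gateway (true for the SOHO setups in this thread, where every
    private-addressed gateway is a NAT router; an internally routed subnet
    without NAT would be over-counted). Non-responding hops ('*') are skipped.
    Counting stops at the first public address so private addresses deeper in
    an ISP core are not mistaken for customer-side NAT.
    """
    layers = 0
    for _ttl, addr in hops:
        if addr == "*":
            continue
        if classify_wan(addr) == "public":
            break
        layers += 1
    return layers


# Constructed sample traces (hop number, responding address).
TRACE_DOUBLE_NAT = [
    (1, "192.168.1.1"),    # LAN side of the old Linksys/Netgear router
    (2, "10.0.0.1"),       # LAN side of the ISP gateway: the second translator
    (3, "203.0.113.1"),    # first ISP hop (documentation range as stand-in)
    (4, "203.0.113.254"),
]
TRACE_SINGLE_NAT = [
    (1, "192.168.1.1"),    # the only NAT router
    (2, "*"),              # ISP hop that does not answer
    (3, "203.0.113.1"),
]


def summary(wan_ip: str, hops) -> str:
    """One-line verdict combining the WAN classification and the trace count."""
    kind = classify_wan(wan_ip)
    layers = nat_layers_from_trace(hops)
    return f"wan={wan_ip} ({kind}), nat_layers={layers}"


if __name__ == "__main__":
    # Router WAN port holding a 10.0.0.0/24 lease from the ISP gateway: double NAT.
    print(summary("10.0.0.5", TRACE_DOUBLE_NAT))
    # Gateway in bridge mode, router holds the public lease: single NAT.
    print(summary("203.0.113.7", TRACE_SINGLE_NAT))
```

On a real site, substitute the WAN address shown on the router's status page and the output of `traceroute` / `tracert` from a LAN host; a result of two or more layers, or a `cgnat` verdict, is the case where VoIP, VPN and remote-access complaints described in this thread should be expected.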
 
StoneCat, I think when comcast is giving a dynamic IP, that the gateway mode isn't 100% functional on their equipment. You can turn the firewall off and such, but you still have no choice but to give your downstream router a 10.0.0.0/24 or 192.168.1.0/24 address. It won't pass the public IP down. That's my experience at least, but have not setup a new Comcast modem in at least a year. Dang... I need new clients!!

The newer XFinity gateways, which is what they use for the dynamic IPs...has a "Bridge mode On/Off" slide switch right on one of the front pages. I just set one up this past Friday with a Unifi system behind it. Slide to the switch to On....the gateway goes through an about 2 or 3 minute reboot...and done, set your edge device to "obtain auto" and it'll have the public IP address within another minute.
 
In the last couple of years or so I've had nothing but problems if I used that bridge mode toggle. According to several Comcast reps just turn off the DHCP server in the modem and you'll get the public IP if it's DHCP or plug in the available static on your router. You can go in and turn off all packet filtering to keep it from mangling traffic.
 
In the last couple of years or so I've had nothing but problems if I used that bridge mode toggle. According to several Comcast reps just turn off the DHCP server in the modem and you'll get the public IP if it's DHCP or plug in the available static on your router. You can go in and turn off all packet filtering to keep it from mangling traffic.

For the statics....you'll have one of the SMC/Netgears (same firmware, just different hardware platform)...I leave the DHCP enabled, doing the 10.1.10.0/24. Up here they don't use the XFinity modems for statics...so bridge mode isn't an option for that, but the other directions I use for the statics on my own edge always work fine. I'll plug the statics in on my edge device...and just put a check in the public subnet passthrough.

Leaving the DHCP enabled does zero harm to your router that has a static plugged in its WAN port, makes it a few seconds easier to manage the gateway via web admin, and gives you the option of uplinking a "guest" wireless to that 10.1.10.0/24 network to separate from the production network behind your own edge.
 
What model Comcast gateways do you face?

For residential service, I see a lot of the Arris models (the older ones with a bullnose front and square back) - those seem to be the most troublesome w/r/t bridge mode. The Xfinity gateways work ok. You can replace the modem and use a better one if they only have internet service, but it they also have the digital voice, then you're stuck with their modem unless you have them split the line.
 
They stopped using those combo Arris MTAs a while ago around here....they split them off now, 2x units. The XFinity modem, and a small..quite a small..err (jeeze and I just had one in my hand last Friday)..little box for the voice/phones.
 
Leaving the DHCP enabled does zero harm to your router that has a static plugged in its WAN port, makes it a few seconds easier to manage the gateway via web admin, and gives you the option of uplinking a "guest" wireless to that 10.1.10.0/24 network to separate from the production network behind your own edge.

This is a good point. I did this a couple of months ago for an el-cheapo chiropractor client who wanted to add wireless for patients but didn't want to buy a WAP.

For FIOS statics, you can eschew the modem altogether and take the ethernet directly from the ONT into your UTM. I've never tried this with residential dynamic service - I've got one or two home businesses with firewalls & FIOS, I should test it out just for kicks.
 