NAT behind NAT not a bad thing?

Written by Airplane777
Thursday, 25 January 2007
"I will be hooking up my first commercial WISP customer Thursday afternoon.
I will be connecting the WAN side of their wireless router to the LAN side of my CPE. Their wireless router does NATing and DHCP.
But my CPE is also set up to do NATing. I will be providing a private static IP address to their wireless router.
This causes me to be doing NAT behind NAT. Am I correct in thinking that this should work ok? That is...NAT behind NAT, isn't necessarily a bad thing?"
robbin: I would be concerned if they use VPN -- I understand double NAT can give it problems. I provide public static IPs so I don't have any first hand knowledge.
Airplane777: Hi robbin:
Thanks for your post.
Since you give public static IPs to your clients, I assume your CPEs are then set to bridging-client mode? I'm trying to get this bridging and client stuff straight in my head...lol.
How do you get those public static IPs through your edge router (since I assume your edge router is NATed)? You do some kind of port forwarding? (Isn't an edge router the one connected directly to the modem that goes to the Internet backbone?) Or do you do bridging of your edge router also?
cmaenginsb: Airplane, robbin uses Trango equipment which only works as a bridge.
As to the edge router, most of us simply don't have the edge router set to NAT.
I haven't seen a problem with double NAT yet but in theory I would think VPNs could be an issue depending on the subnets used for each.
Why not turn NAT off in your CPE?
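As an added illustration (not code from any poster in this thread), the following Python models the two source translations a packet from the customer's LAN goes through on the path Airplane777 describes (customer router, then CPE), and checks whether the private subnets on each side overlap with the network a VPN would reach, which is the "depending on the subnets used" condition cmaenginsb raises. Every address and subnet here is constructed for the example; the 198.51.100.0/24 block is documentation space, not any WISP's real prefix.

```python
"""Model of a double-NAT path and the subnet-overlap check behind the VPN concern."""
from dataclasses import dataclass, field
from itertools import combinations
import ipaddress


@dataclass
class NatHop:
    """One NAT device: rewrites sources inside `lan` to `outside_ip` with a new port."""
    name: str
    lan: ipaddress.IPv4Network
    outside_ip: ipaddress.IPv4Address
    next_port: int = 1024  # first dynamic source port this hop hands out
    table: dict = field(default_factory=dict)  # (inside_ip, inside_port) -> outside_port

    def translate(self, src_ip, src_port):
        """Return the (ip, port) seen on this hop's WAN side, allocating a mapping if new."""
        if src_ip not in self.lan:
            return src_ip, src_port  # not behind this hop; pass through untouched
        key = (src_ip, src_port)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return self.outside_ip, self.table[key]


def translate_chain(src_ip: str, src_port: int, hops):
    """Walk a packet's source through each NAT hop in order; return every (ip, port) stage."""
    ip = ipaddress.ip_address(src_ip)
    port = src_port
    stages = [(str(ip), port)]
    for hop in hops:
        ip, port = hop.translate(ip, port)
        stages.append((str(ip), port))
    return stages


def overlapping_pairs(nets: dict) -> list:
    """Return sorted (name, name) pairs whose CIDR blocks overlap.

    Any overlap between a LAN on the path and the remote network a VPN reaches
    means a destination may match a local route instead of the tunnel.
    """
    parsed = {name: ipaddress.ip_network(cidr) for name, cidr in nets.items()}
    return [
        (a, b)
        for a, b in combinations(sorted(parsed), 2)
        if parsed[a].overlaps(parsed[b])
    ]


# Constructed addressing for the scenario in the thread (assumption, not real values).
CUSTOMER_ROUTER = NatHop(
    "customer wireless router",
    ipaddress.ip_network("192.168.0.0/24"),   # customer's own LAN
    ipaddress.ip_address("192.168.1.2"),      # private static handed out by the CPE
)
CPE = NatHop(
    "WISP CPE",
    ipaddress.ip_network("192.168.1.0/24"),   # CPE's LAN side
    ipaddress.ip_address("198.51.100.7"),     # CPE WAN address (documentation range)
    next_port=2048,
)


def example_path():
    """A host on the customer LAN sending from port 40000, seen at each hop."""
    return translate_chain("192.168.0.50", 40000, [CUSTOMER_ROUTER, CPE])


EXAMPLE_NETS = {
    "customer_lan": "192.168.0.0/24",
    "cpe_lan": "192.168.1.0/24",
    "vpn_remote": "192.168.0.0/16",  # constructed office network reached over the VPN
}


if __name__ == "__main__":
    for ip, port in example_path():
        print(f"{ip}:{port}")
    print("overlapping subnets:", overlapping_pairs(EXAMPLE_NETS))
```

Running it shows the source rewritten twice (once to the CPE-assigned private static, once to the CPE's WAN address), and flags both private LANs as colliding with the constructed 192.168.0.0/16 office network; renumbering either LAN out of that range clears the overlap list.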
robbin: Well, to start with, I use Trango equipment. The AP / SU (CPE) link is a bridge (no choices). It's hard to explain if you are used to WIFI equipment but basically my APs and CPEs do not exist on the client to internet network -- they are totally invisible. So whatever I do with them has no effect on the IP address assignment of the client router.
I am currently 100% bridged. As I get larger, if I decide to grow that much, I will probably do 1 to 1 NAT. Many (perhaps the majority) of my customers use a VPN on a regular basis and there has never been a problem for them. They are extremely grateful as this means that they don't have to drive 75 to 100 miles on the days they work from home!
My edge router is my T1 router -- you don't need a modem for a T1, only for DSL.
superdog: Bob, when you have a T1 or larger to the net, all of us use a router at the edge that basically bridges all of our static IPs right through to the end user, or at least to the CPE. If you are using DSL as a backhaul, you may only have one real-world IP, and that is used in your modem. If that is the case, you would then in all reality be NAT'ing three times: once at your NOC, once at the CPE, and then the third time on your customer's router. This is a really bad idea. While I have seen VPNs work through two NAT boxes, I have also seen some strange things happen to programs like Citrix (allows you to use a local computer to run a remote one across a VPN and special software). I would use that DLB2300 or Highgain CPE as a bridge. That way you are at least only NAT'ing twice: once at the NOC (modem) and then again on the customer's router.