RESET Forums (homeservershow.com)
dvn

Home network config > double-NAT and more...


dvn

I'm checking into someone's home network, set up by people paid to do that sort of stuff. I'll describe what they did, and I really want to hear how you think they did or didn't mess this up, but what I'm mostly wondering is whether there might be good reasons for any of the things they did.

This is what I see: 


  1. Basically, they set up a Time Warner Cable wireless modem/router (Ubee) and came out of the LAN side to feed the WAN port of a Luxul wireless AC router. Both are doing DHCP. Double NAT, right? 

  2. They also 'hid' access to the admin page of the TWC device by assigning the same IP address to each device - 192.168.1.1. That means anyone on the LAN side of the Luxul can never access the TWC device's admin page, unless they first thought to change the Luxul's IP to something else. Let's ignore for the moment that someone could connect to the wireless AP of the TWC device and get in that way, or that they could also grab a cable and stick it in a LAN port on the TWC device, which is in the basement.

  3. They set all SSIDs on the Luxul to the exact same name and password. No way of telling (for the average home user) whether they're connected to 2.4GHz or 5GHz, or whether they're on the guest network. This to me is a complete mistake. No, they weren't trying to set up a remote AP, they simply named and pw'd every wireless connection the same on the Luxul.

  4. Hahah... this one is kind of funny? Both devices 2.4GHz radios were using the same channel - 6. I'll set this to 1 and 11 and that'll be that. I was thinking about turning off TWC device's AP, but I probably won't. Maybe I'll set it to handle guest network w/ wireless isolation and let the Luxul handle the house. Thoughts on that?

So my question is this: Might there be reasons to deliberately set up a network this way? Maybe double-NAT makes the network more resistant to malware/ botnets? Just throwing that out there. Maybe 'hiding' the admin page to the TWC device is good because....? 

We've been doing CrashPlan backups between our servers for a few years. This new network config has borked that. I believe I can properly port forward the devices to allow our machines to see each other again. My thought here is that I would never think to double NAT my own household but now that I've encountered this, I'm wondering if there isn't a security upside to this. Thoughts? Thoughts on any of this? Thanks all!

ikon

I was a little confused by the reference to DHCP and NAT together. They're 2 different things. Having 2 DHCP servers doesn't mean double NAT. However, having the LAN port of the TWC router connect to the WAN port of the Luxul does mean double NAT.

I would not set up a LAN with 2 DHCP servers, so I would suggest shutting it down on the TWC. I don't think having them both enabled is a problem in this case because the Luxul would almost certainly be the one to answer any DHCP requests - it's just more of a cleanliness thing on my part.

I also don't really see a good reason to have double NAT. Perhaps others can offer some good reasons.

I would give the TWC and Luxul boxes their own IPs.

Hiding the TWC admin page just seems silly to me.

I agree with setting the TWC and Luxul APs to different wireless channels.

If you can set different IDs and passwords for each frequency range on the Luxul, I can't see any reason not to. However, if you do keep the wireless enabled on both boxes, I would make sure the IDs and passwords for each frequency range are the same on both. I hope that's clear. That helps with handoffs between APs.

oj88

Short answer: This is typical workmanship of (no offense please) telco folks, IMO.

Long answer:

  1. The double-NAT configuration was unlikely done with security as the reason. The more likely scenario I think is that they just put in the default values just enough to make it work. Double-NAT will definitely improve security but at a cost of having more network latency. But if you already have a good router/firewall, there's little reason to do double-NAT.
  2. I’d say about 90% of all consumer routers have 192.168.1.1 as the default LAN address. Again, they stuck with the defaults for most of the router configs. I don’t think it’s about hiding the TWC router.
  3. Whether or not assigning the same SSID on both the 2.4 and 5 GHz bands is a good thing depends on personal preference. For me, I am not particular about who uses what band and this allows for more seamless hand-offs between the two bands when reception on one band becomes a problem. But if you want to pre-assign wireless clients to a particular band, having unique SSIDs for either band will be necessary. Again, this is left to personal preference. They probably deployed it like that because that’s the simplest way to do it. Non-techie users wouldn’t have to figure out which SSID to connect to, if there's only one.
  4. Again, they likely left everything in their default values.

It’s not unusual for telco people to deploy routers like this… less headaches for them and it’s usually up to the end user to customize the setup. The one you described is pretty much similar to how mine was deployed initially. But instead of having to do double-NAT, I configured the telco’s router to do Bridging (functionally, a DSL modem) and only enabled its WiFi for admin purposes (in a different channel and SSID) so I can check on DSL parameters (such as SNR and transmission speed, etc.) from anywhere in the house.

dvn
I was a little confused by the reference to DHCP and NAT together. They're 2 different things. Having 2 DHCP servers doesn't mean double NAT. However, having the LAN port of the TWC router connect to the WAN port of the Luxul does mean double NAT.

Right. I was confused. Thanks for catching that. So to avoid double NAT, I configure TWC how?

If you can set different IDs and passwords for each frequency range on the Luxul, I can't see any reason not to. However, if you do keep the wireless enabled on both boxes, I would make sure the IDs and Passwords for each frequency range are the same on both. I hope that's clear. That helps with handoffs between APs.

I've heard this. It makes sense. I've also heard that not all mobile devices do handoffs well. But I think I'll add this to my configuration plan and see how it actually works for them.

Whether or not assigning the same SSID on both the 2.4 and 5 GHz bands is a good thing depends on personal preference. For me, I am not particular about who uses what band and this allows for more seamless hand-offs between the two bands when reception on one band becomes a problem. But if you want to pre-assign wireless clients to a particular band, having unique SSIDs for either band will be necessary. Again, this is left to personal preference. They probably deployed it like that because that’s the simplest way to do it. Non-techie users wouldn’t have to figure out which SSID to connect to, if there's only one.

I'm glad I asked you guys. So what it looks like to me is that I should reset the SSIDs and pw's to the way they were initially - all with the same names and pw's. It makes sense for the average home user not to have to worry about what network they're connected to. I'm going to try this at my house to see how this auto-switching between same-named 2.4GHz and 5GHz APs goes. 
That said, I thought that mobile devices were supposed to do 'handoff' between differently-named APs depending on the stronger signal. That's why I set my 2.4GHz and 5GHz SSIDs to different names, and logged into each so that my phone would be able to connect to either.  I've been under the impression that my phone jumps bands as one band's signal strength drops. I'm strictly wireless n in my home. Same name, same pw APs work better?

It’s not unusual for telco people to deploy routers like this… less headaches for them and it’s usually up to the end user to customize the setup. The one you described is pretty much similar to how mine was deployed initially. But instead of having to do double-NAT, I configured the telco’s router to do Bridging (functionally, a DSL modem) and only enabled its WiFi for admin purposes (in a different channel and SSID) so I can check on DSL parameters (such as SNR and transmission speed, etc.) from anywhere in the house.

Ok. How would I go about bridging the routers? I'm only familiar with bridging as it relates to NICs in a PC. Which is doing what?

I'm tempted to leave DHCP on for both routers as it's my impression that it makes the network a little more secure. As long as I can deal with port forwarding on both routers, the trade-off in latency (throughput wouldn't be affected, right?) might not be bad at all. But I don't know. I'm in uncharted waters, for me. Thoughts? Talk me out of it if you think I'm making a mistake?
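
The "port forwarding both routers" problem behind the CrashPlan breakage, and the bridging alternative oj88 describes, as an added example that is not code from anyone in this thread: a small Python simulation of an unsolicited inbound connection walking through each NAT in turn, plus the quick check of whether a router's WAN address is itself private (the tell-tale of double NAT). The addresses (203.0.113.5, 192.168.1.10, 192.168.2.50) and port 4242 are constructed for the example, not the real network.

```python
"""Added example: inbound traffic through a double-NAT chain vs. a bridged modem."""
import ipaddress
from dataclasses import dataclass, field

# WAN address ranges that mean another NAT sits upstream of this router:
# RFC 1918 private space plus CGNAT shared space (RFC 6598).
UPSTREAM_NAT_RANGES = [ipaddress.ip_network(n) for n in
                       ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


def is_behind_another_nat(wan_ip: str) -> bool:
    """Quick double-NAT check: a router whose WAN side holds a private/CGNAT
    address is itself behind a NAT (e.g. the Luxul's WAN fed from the TWC's LAN)."""
    ip = ipaddress.ip_address(wan_ip)
    return any(ip in net for net in UPSTREAM_NAT_RANGES)


@dataclass
class Nat:
    """One NAT router: its WAN address and its inbound port-forward table."""
    name: str
    wan_ip: str
    forwards: dict = field(default_factory=dict)  # dst_port -> (inside_ip, inside_port)


def deliver_inbound(chain, dst_port):
    """Walk an unsolicited inbound packet from the ISP-facing router inward.
    Each NAT only passes it on if it has a forward rule for that port; the
    first hop without one drops it. Returns the final (ip, port) or None."""
    hop = (chain[0].wan_ip, dst_port)
    for nat in chain:
        if hop[0] != nat.wan_ip:
            return None          # the previous hop did not aim it at this router
        rule = nat.forwards.get(hop[1])
        if rule is None:
            return None          # no forward rule on this NAT: dropped here
        hop = rule
    return hop


# Constructed topology: TWC modem/router (public side) feeding the Luxul's WAN port.
TWC = Nat("TWC Ubee", "203.0.113.5", {4242: ("192.168.1.10", 4242)})
LUXUL = Nat("Luxul", "192.168.1.10", {4242: ("192.168.2.50", 4242)})
LUXUL_NO_RULE = Nat("Luxul (no forward rule)", "192.168.1.10")
# Same Luxul once the TWC box is bridged: it now holds the public address itself.
LUXUL_BRIDGED = Nat("Luxul behind bridged modem", "203.0.113.5", {4242: ("192.168.2.50", 4242)})

if __name__ == "__main__":
    print("Luxul behind another NAT?", is_behind_another_nat(LUXUL.wan_ip))          # True
    print("double NAT, rules on both:", deliver_inbound([TWC, LUXUL], 4242))         # ('192.168.2.50', 4242)
    print("double NAT, inner rule missing:", deliver_inbound([TWC, LUXUL_NO_RULE], 4242))  # None
    print("bridged modem, one rule:", deliver_inbound([LUXUL_BRIDGED], 4242))        # ('192.168.2.50', 4242)
```

With the modem bridged, the single forward rule on the Luxul is enough, which is why bridging removes the double-rule maintenance that each port-forwarded service otherwise needs.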

Poppapete

I agree that the best thing to do with that setup is to bridge the ISP modem so that it is just that (only a modem). It shouldn't be too hard to find the model number and get a user manual. You may find that it can't be bridged.

Edit: A quick Google search came up with this.

http://www.dslreports.com/forum/r28428899-How-do-i-put-new-Ubee-modem-in-bridge-mode-

and this

http://www.dslreports.com/forum/r29247502-UBEE-DDW365-Bridge-Mode

ikon

Most ISPs these days will actually tell you how to put their router into Bridge Mode. I would give them a call.

DHCP enabled on both routers will not add to security. The only thing DHCP does is hand out IP addresses and other related info such as DNS servers and Default Gateways. It is not involved in Port Forwarding or NAT.

dvn

Most ISPs these days will actually tell you how to put their router into Bridge Mode. I would give them a call.

DHCP enabled on both routers will not add to security. The only thing DHCP does is hand out IP addresses and other related info such as DNS servers and Default Gateways. It is not involved in Port Forwarding or NAT.

lol.. I did it again. Once I get an idea in my head... I did actually mean to say NAT.  

So putting the wireless modem in bridge mode defeats NAT? Is that how that works? 

Poppapete

So putting the wireless modem in bridge mode defeats NAT? Is that how that works? 

It becomes a bridge just passing the data through to another device, it does nothing with it after it has acted as a modem.

ikon

As Poppapete said, in Bridge Mode it just passes data back and forth. Basically, putting the router into Bridge Mode takes it out of Router Mode. Since it's no longer a router, it can no longer do NAT.

dvn

As Poppapete said, in Bridge Mode it just passes data back and forth. Basically, putting the router into Bridge Mode takes it out of Router Mode. Since it's no longer a router, it can no longer do NAT.

Ok.

Another question: If I come out of the TWC and plug into a LAN port, I've effectively bypassed NAT on the 2nd router, right? If I don't involve the WAN port on the 2nd router, I've solved the double NAT problem. And I can shut off DHCP on one of the devices; it doesn't really matter which, it's only down to preference and perhaps features that one router might have over the other, right?
