Preventing double NAT but keeping devices separate

Chaos · February 12, 2020, 12:55am

Hey everyone,

I’m a bit of a newbie when it comes to networking so excuse my ignorance here. I’m looking at connecting two buildings but I would like to keep each building have their own separate subnet. However in this example, building 2 will be double NAT’d which I’d like to avoid. What is the recommended setup for something like this?

Here’s a picture I made to try and help explain, thanks guys.

I would like the IP subnets to be separated like this, but I do not want to have building 2 double NAT’d which it would be with this wiring. Any suggestions on what the best practice for a type of deployment like this is?

BuckeyeNet · February 12, 2020, 9:03am

If the router in building 1 has 3 full routed (layer 3) interfaces, you can use one for internet with NAT masquerading. Then one for building one LAN (I wouldn’t use 192.168.2.1, use something less used. If you still want to use 192.168, use something high, like 192.168.213.1 and 192.168.214.1 for the two buildings).

To keep broadcast from building 2 from using bandwidth on the P2P radio link, use a second router in building 2 and configure it without NAT.

For example

Building 1 RTR1
eht0 ip dhcp from ISP (configured with NAT masquerade)
eth1 ip 192.168.213.1/24 for building 1 LAN
eth2 ip 192.168.215.1/24 for building to building transit network
static route to 192.168.214.0/24 via 192.168.215.2

Building 2 RTR2
eth0 ip 192.168.215.2/24 (link to building 1)
eth1 ip 192.168.214.1/24 for building 2 LAN
default gateway 192.168.215.1 (RTR1 eth2)

RTR1 and RTR2 dont’ have to be the same, i.e. you could use pfsense in building 1 and ER-X in building 2. (but those depend on # of users, etc.)

But I wouldn’t use a “consumer” router in ether building.

Chaos · February 12, 2020, 4:07pm

Wow, thanks fo the detailed response @BuckeyeNet. I’ll be looking up more information about this configuration over the weekend as well.

Just to clarify, the RTR2 eth1 default gateway is 192.168.215.1, but all devices on the 192.168.214.x should use 192.168.214.1 as their gateway (since the 192.168.214.x devices would not know how to reach 215)?

Example client leaving the network:
192.168.214.3 -> 192.168.214.1 -> 192.168.215.1 -> ISP IP

As well, for RTR1 and RTR2 what IPs would they assign themselves on the 192.168.215.x side? Since you gave the IPs for the transmitters, unless you mean those are the IPs for the router on either end of the transmitter and the transmitters themselves should be assigned 192.168.215.3 for example.

Since RTR2 is not doing any NAT masquerading, is it not just doing what a basic consumer router is doing with a WAN port being eth0 and the LAN being eth1?

Thanks again

BuckeyeNet · February 12, 2020, 10:05pm

Chaos:

Wow, thanks fo the detailed response @BuckeyeNet. I’ll be looking up more information about this configuration over the weekend as well.

Just to clarify, the RTR2 eth1 default gateway is 192.168.215.1, but all devices on the 192.168.214.x should use 192.168.214.1 as their gateway (since the 192.168.214.x devices would not know how to reach 215)?

Yes, if RTR2 has a dhcp server configured, it should send its own 192.168.214.1 address as the default gateway for its clients. The RTR2 router itself should forward packets that are not on any of its connected networks to RTR1’s eth2 (192.168.215.1). Once the packet gets there, RTR1 will route to appropriate network (either 192.168.213.0/24 out RTR1 eth1 or to internet after being NATed)

Example client leaving the network:
192.168.214.3 → 192.168.214.1 → 192.168.215.1 → ISP IP

As well, for RTR1 and RTR2 what IPs would they assign themselves on the 192.168.215.x side? Since you gave the IPs for the transmitters, unless you mean those are the IPs for the router on either end of the transmitter and the transmitters themselves should be assigned 192.168.215.3 for example.

I was just treating the transmitters (P2P wireless) as a wire (this is just a conceptual overview or one possible way to approach the problem). I would configure the P2P radios in bridge mode. For management, you could use a separate vlan on the inter-building link (i.e. you could carry the 192.168.215.0/24 via a tagged vlan and the radios management interface could be on a separate subnet (e.g. 192.168.216.0/24 or you could split the 192.168.215 into two /25 subnets, but private ip address space is “free”). Each radio should have its own management ip address, and best practice is to prevent access to the management interface from the users in the buildings (and the internet) using the firewall in the RTRs.

Since RTR2 is not doing any NAT masquerading, is it not just doing what a basic consumer router is doing with a WAN port being eth0 and the LAN being eth1?

Many consumer routers don’t allow you to disable NAT. They are “hardwired” for the home use case that 99.99% of the users will use, a connection to a single ISP on the WAN interface, and a single LAN (likely connected to an internal 4 port switch and bridged to a Wifi).

A router like the Ubiquiti ER-X does not have any Wifi built in, but for most use cases, having separate Wifi Access points is much better, because where you have the router is probably not the best place for an Access point. So having a router that has a wifi built in is of limited value in most businesses. They may be ok in a small home, but once you use separate access points, you will never want to go back to an all-in-one Modem/Router/wifi device (at least I won’t).

For your use case, (depending on the number of users, which you haven’t mentioned), a device like an ER-X at ~ $60 - $65 is a much better fit. It is much more flexible, supports multiple routed interfaces, vlans, etc. in other words, it is a more general purpose router.

Plan on purchasing some access points. Ubiquiti Unifi is what I would use, but that’s what I have at home, so I am biased. But see Tom’s reviews as to why he likes them.

I haven’t used the SG-1100 pfsense device, and depending on the number of users it may be able to handle the load, but may not. There are larger models, and you can also load pfsense on a PC for more horsepower.

The outline I gave is pretty generic (although I used ER-X terms for the router interfaces).

Thanks again

My comments are bolded inline in the above quoted section.

BTW, if anyone else has comments, feel free to chime in. You may have a better way to accomplish the same goal.

Chaos · February 12, 2020, 10:15pm

Just to clarify @BuckeyeNet this is actually for a home setup, due to a rural situation the plan is to send the internet connection using a pair of Ubiquiti LiteBeam’s .

I understand now why something like an ER-X would be required on the building without internet as well now. I may run a ER-X on that building to a home router I have laying around into one of it’s LAN ports to provide Wifi and act as a dummy switch. Actually, wouldn’t it be possible to just connect from the transmitter on the receiving building to a LAN port of a consumer router? As long as the consumer router provides DHCP over it’s Wifi and the other ports, it would not do NAT in that configuration I believe.

Regarding your earlier comment, yea the LiteBeams each have their own management interface that I would need to be able to access if I VPN’d through the ER-X most likely, but does not need to be accessible outside of that. I’m not sure if I fully understand what you’re saying about the VLAN configuration for that, perhaps it would be easier to follow your second suggestion about splitting 215 into two /25 subnets. Since neither of the ER-X have static routes to get into the 215 subnet I figured they were safe from being accessible by any of the clients.

I appreciate you taking the time to explain some of this to me, I’m learning a lot and really excited to play around with this project

BuckeyeNet · February 12, 2020, 11:59pm

But they will have connected routes (which are like static routes that are automatically added to the routing table for every “up” interface with an IP address). So all the clients using either router as a default gateway will have access to the 192.168.215.0/24 network.

BuckeyeNet · February 13, 2020, 12:03am

If this is a home network being extended to another building, then I am not sure why you are worried about double nat.

What problems do you think it will cause? (It may, but I am just wondering why your have the concern).

You haven’t stated why you want the two locations to have separate subnets. That is normally best practice, but again, without knowing what the goals are, making recommendations is pointless.

Chaos · February 13, 2020, 12:18am

I see. I’m not sure I follow what your way of separating the transmitters from the rest of the networks is then?

The networks should be segregated as the reseller is a small business with some extra bandwidth, I do not want the two networks to be associated at all if possible.
The problem I’m looking to avoid with double NAT is mainly because I want to challenge myself and learn more about networking honestly and do this the “proper” way. Hence my post here. I also want to avoid some double NAT issues when it comes to gaming without special port forwarding rules.

BuckeyeNet · February 13, 2020, 12:30am

A forum isn’t the place to get networking tutorials.

Start with the fundamentals and do some stuff in with some real routers, or if you can’t afford that, you can load up GNS3 (and run real cisco IOS on an emulator). There is a lot of free tutorial type info on the net and youtube.

For some links to some good network fundamentals, see the last half of the links in this post on the Ubiquiti forum.

Chaos · February 13, 2020, 12:32am

I see. I wasn’t looking for a networking tutorial, just an idea on how this would be setup in the real world. Thanks though…

BuckeyeNet · February 13, 2020, 1:09am

So I assume now, that you are in the left building (i.e. your house)?

Anything the left side does is going to be associated with the right building’s connection to the internet. There is nothing you can do to prevent that. All traffic to the left building will show up as traffic on the right building’s interenet.

Chaos · February 13, 2020, 1:11am

That’s correct @BuckeyeNet . I just mean devices in either building should not be able to interact with eachother, that’s all. Which you provided a good description of.
The only thing I wasn’t sure about was how you described running the management network for the transmitters.

BuckeyeNet · February 13, 2020, 4:01am

To keep the two networks from seeing each other, at least the right router would need to have firewall rules to not allow 192.168.213.0/24 from sending to 192.168.214.0/24. And preventing 192.168.214.0/24 from sending to 192.168.213.0/24. Depending on who is controlling the radios, you would also want to limit access to their addresses. For you use case, a separate vlan or even subnet is probably overkill. Do set good passwords on the radios and routers.

And you said
“I understand now why something like an ER-X would be required on the building without internet as well now. I may run a ER-X on that building to a home router I have laying around into one of it’s LAN ports to provide Wifi and act as a dummy switch. Actually, wouldn’t it be possible to just connect from the transmitter on the receiving building to a LAN port of a consumer router? As long as the consumer router provides DHCP over it’s Wifi and the other ports, it would not do NAT in that configuration I believe.”

You could just extend the network from the second router port in the right buildind 1 to the house and not need a router at all in the house, just a switch. But then all broadcast traffic in the left house will traverse the P2P link and take up bandwidth. If you don’t have much broadcast traffic, and the link is short, high speed and low latency, then it probably won’t make much difference. But then you are putting all your trust in the router in building 1 to “do the right thing”.

I but the router in building one needs to be a multiport router with at least three routed interfaces. So something like the ER-X or ER-4, or SG-1100 or SG-3100 etc. i.e. not a Negear Nighthawk.

Chaos · February 13, 2020, 4:09am

Thanks again @BuckeyeNet

Think that’s all the information I need to proceed. Sorry for annoying you today with questions have a good rest of your evening/day!

Going to try and get this setup the next week or so. Excited to play around with a ER-X