Avoiding Double NAT with multiple routers

kaptain1 · Tue Sep 06, 2011 11:08 pm

Hi Everyone,

I need to split-up the network according to their building's physical locations, and need to add 4 x RB450G routers to do that. However, the only way I know how to achieve that, would create Double NAT for the hosts/servers, and I would like to avoid that. I only have 1 Public IP to work with.

How would I add 4 routers to the mix without creating Double NAT? What are my options and what's the most straight-forward way?

Please advise. Network topology picture is attached.

Thank you in advance!

nat.JPG

fewi · Tue Sep 06, 2011 11:12 pm

What are my options and what's the most straight-forward way?

Just straight up routing. Either add static routes, or run a routing protocol.

In this case static routes on the main router would do:

/ip route
add dst-address=192.168.210.0/24 gateway=192.168.200.5
add dst-address=192.168.220.0/24 gateway=192.168.200.4
add dst-address=192.168.230.0/24 gateway=192.168.200.3
add dst-address=192.168.240.0/24 gateway=192.168.200.2

On the other RB450Gs use 192.168.200.1 as the default route for 0.0.0.0/0.

You may want to read up on basic TCP/IP routing first, though. This is an extremely basic question.

kaptain1 · Wed Sep 07, 2011 12:56 am

Thanks Fewi,

I believe that I understand this concept well enough, but just not clear how to avoid Double NAT.

With your proposition, wouldn't I need to set-up NAT on the Main router, AND will need to set-up NAT's on the secondary routers? That would create a double NAT scenario which I'm trying to avoid?

Thank You

fewi · Wed Sep 07, 2011 1:03 am

No. You'd only set up NAT on the main router. Why would you need NAT on the secondary routers if the main router has routes to the IP space behind them? You only need to NAT when you can't route, because NAT changes the source IP address of the packet to a directly connected one as seen by the connected router. This is necessary on WAN interfaces because you can't route private IP addressing space across a WAN. Within your autonomous system you can route without changing IP addresses via NAT as long as you have valid routes between all the networks involved. Hence no NAT on the secondary routers.

kaptain1 · Wed Sep 07, 2011 1:05 am

Got it! thank you

I'll give it a try today.

WirelessRudy · Wed Sep 07, 2011 1:34 am

fewi is completely right.
On the other hand, double or even triple nat ain't such a problem. If it would make building the network more easy I would not see it as a problem.

What happens if one of your users connect a wifi router to your network? Most of these can only be used in nat anyway.
You have double nat in such instance but performance hardly degrades.
My network has nat take place in the main router to the internet, in each CPE device (because I don't want to bother about how many devices client want to connect to their connection) and most users have a simple wifi router attached that also performs nat.
I could put the CPE in bridge mode but than I need double as much IP addresses. One for the CPE for management purposes and one for the next client device.
Any performance degrading that could be a result of two or three nat's is hardly noticeable and is completely out weight by the many other issues a network can have. Like too many firewall/mangle/filter/routing rules or a poor designed QoS system or congested network.

So please follow fewi's advice but if not possible no need for real bothering about some double or triple nat.....

kaptain1 · Wed Sep 07, 2011 2:20 am

Thank You.

I try to stay away from Double NAT because VPN can have issues, forward ports may be more challenging, and VoIP may not work well.

I'll try Fewi's method and will report back!

WirelessRudy · Wed Sep 07, 2011 2:35 am

VoIP may not work well.

I have many users with Skype phones that are behind 3 nat firewalls and still they claim to have perfect communications. Better at times than the national pstn provider and certainly better than the cell phones!
About VPN I don't know but voip hardly suffers from more than once nat.

This remark is just for the general readers info. With your road to go is nothing wrong.

I make these remarks since it is a wide spread ´story´ that many nat's are not a good thing. While the reality proofs otherwise. And why should it anyway? NAT router only replaces source address and translates it back for return traffic.
With nowadays cpu speeds this is hardly what you could call ´a task´....
But ok, 10 or more NAT's would probably become noticeable.

MCT · Wed Sep 07, 2011 8:12 pm

I'd personally never pay for a connection that doesn't have a public IP. I'll NAT (PAT actually) at the edge of my network but only because I have to.

I wish they'd get on the ball with IPv6. The only downside of that is a lot of people relied on NAT(PAT) to protect their network. I've done testing on two companies with IPv6 connectivity, and they were proud of having that capability. Well, they were proud until I took over their network because they'd neglected to put their carefully crafted firewall rules on the IPv6 side. They had a combo of a NAT/PAT pool and a firewall on the IPv4 side, leaving IPv6 wide open.

FYI for those unfamiliar with the 'PAT'

PAT which stands for Port Address Translation is actually what you're doing with multiple computers behind a single ip.

NAT is technically mapping a single address external to an internal address.

They generally both get referred to as simply 'NAT'

changeip · Thu Sep 08, 2011 6:52 am

double nat is bad, it fills up conntrack tables and locks up cheap resi routers. if you are properly using established / related / invalid rules, the first incoming router closes the connection and then the ones behind it never get the close and therefore sit there filling up conntrack tables until they lock up. Seen it many times ... design your network properly and you will be in a better position down the road.

WirelessRudy · Thu Sep 08, 2011 3:37 pm

double nat is bad, it fills up conntrack tables and locks up cheap resi routers. if you are properly using established / related / invalid rules, the first incoming router closes the connection and then the ones behind it never get the close and therefore sit there filling up conntrack tables until they lock up. Seen it many times ... design your network properly and you will be in a better position down the road.

OK, interesting info. Although I'll do it for 5 years and haven't noticed any problems as of yet (maybe I just don't recognize the problem if they are there...?) in my network. But that doesn't make your statement invalid.
I would like to get a bit more explanation if you don't mind. What "established / related / invalid rules" are you talking about? The standard firewall rules to protect the router and LAN network?
And why should the residential routers lock up? I don't seem to understand what the reason is for that?
"design your network properly and you will be in a better position down the road." What is considered as being properly? I see so many different ways of setting up a network. But it is hard to distil what is exactly the best way to do it. Maybe you give some directions?

changeip · Fri Sep 09, 2011 12:44 am

The cheapie routers like dlink, netgear, linksys, etc only have 2-4mb of ram in them, of which only a few kb is used for the connection tracking table. In mikrotik you can see the conntrack table can handle a few thousand or tens of thousands of connections, yet in these off the shelf routers they can handle maybe 200-400 connections in their table before they fill up. If the tcp connections don't get closed properly, they stay open and take up slots in the conntrack table, so when I say lock up, I mean you cant get new connections to open. This is why when people run p2p on their cheapie router they notice problems with other connections - the router can't track all the connections. And then they 'power cycle' their router to get it back online again (clearing the table). The asus routers now market using 'high p2p connections' because they have more ram in them and have a larger conntrack table.

Will elaborate more on the established / related piece in a bit, got a few more installs to do today and gotta get out of here : )

Sam

WirelessRudy · Fri Sep 09, 2011 2:04 am

The cheapie routers like dlink, netgear, linksys, etc only have 2-4mb of ram in them, of which only a few kb is used for the connection tracking table. In mikrotik you can see the conntrack table can handle a few thousand or tens of thousands of connections, yet in these off the shelf routers they can handle maybe 200-400 connections in their table before they fill up. If the tcp connections don't get closed properly, they stay open and take up slots in the conntrack table, so when I say lock up, I mean you cant get new connections to open. This is why when people run p2p on their cheapie router they notice problems with other connections - the router can't track all the connections. And then they 'power cycle' their router to get it back online again (clearing the table). The asus routers now market using 'high p2p connections' because they have more ram in them and have a larger conntrack table.

Will elaborate more on the established / related piece in a bit, got a few more installs to do today and gotta get out of here : )

Sam

OK, that all makes sense to me. Maybe indeed some issues reported to us are of the nature you prescribe. I always looked into my own network to see if things could be improved/solved and I must say I already limit the amount of connections a user can make in my main gateway.

I have a /24 network I own (well, I pay for the use of it, but the network is mine to use, no share) and now the nat takes place in this main gateway.
So here always nat will take place and since 99% of domestic routers have the limitation you show (memory) and I mentioned (no nat bypass or disable) I am wondering how others are doing this.
Or is there a way we can directy pass the public IP to the clients domestic router? This way avoiding the nat in my main gateway?
I am anxious to see with what you come up.

I always have had this itch that my network should be different set-up in the authentication and routing ect. But so far they it works, it works fine and like you, always a full agenda.....

fewi · Fri Sep 09, 2011 2:16 am

Or is there a way we can directy pass the public IP to the clients domestic router? This way avoiding the nat in my main gateway?

Of course. Instead of using the /24 on your WAN border interface directly have it routed to you via a separate /30. Then you can do with the /24 of public IPs whatever the hell you please. Your provider just routes those IPs to you, and you route them within your network.

WirelessRudy · Fri Sep 09, 2011 11:06 am

Or is there a way we can directy pass the public IP to the clients domestic router? This way avoiding the nat in my main gateway?
Of course. Instead of using the /24 on your WAN border interface directly have it routed to you via a separate /30. Then you can do with the /24 of public IPs whatever the hell you please. Your provider just routes those IPs to you, and you route them within your network.

OK. Let me think out loud: Now my ISP routes that /24 range to my main router, where they are indeed all to be found on the WAN interface and than that main router takes care of NAT and receives/routes traffic from/to client by the info in its routing tables. Because I have some 20 AP's all with their own dhcp server in their own network (/24 to /28 ranges) I have nearly the same amount of routing tables (less because I can combine some which are split up later in the network. My network is at places 6 levels deep and each node is a router.

Now, to distribute the /24 network over my clients I have to find a way that they all are assigned by one and the same dhcp-server. So each client request IP by server and that same server also assigns authentication and do QoS and limiting for each client. (Use MT user manager? Or auth. server program? I think user manager on rb1000 can do for roughly 300 clients and QoS and routing and queuing?)
But how to tell now the main gateway where this public client IP is to be found on my network? I leave the original networks with their routes in place and make a route table in the main gateway to each single public IP?
I mean, in this topology IP .4 can be assigned to a complete different AP-client than IP .5. So they both need their own route. And since dhcp-server in main gw only answers requests by clients randomly, it spreads the IP all over my network without any order. So with the existing 20 routes I build another 250 or so routes? And can they all be done automatically? Or by hand? (pffff)

So, how is this done? I think different but it would be nice if someone can give me a sort of framework to start with. This can become a good tutorial for others than also.

fewi · Fri Sep 09, 2011 4:33 pm

You split up (subnet) whatever public IPs you have to route around your network, into smaller pools (networks) in different parts of your autonomous system. You implement one of them as the gateway, and hand the rest out via DHCP. Alternatively you could look into using PPPoE instead, where you can use /32s directly.
If you don't want to route statically and insert routes to the pools all over the place look into a dynamic routing protocol such as OSPF.

tombee79 · Wed Jun 27, 2012 7:29 am

Hi Few

1st thx, for your help, regarding the Nating on main router.

Ok, My question is do you also enable UPNP on the main router so the let say VOIP and VPN works plug-n-play style? so you don't have to do any special port forwarding, opening port etc.

Do i have to have the UPnP enable on the main router? to have VOIP and VPN working properly.? Or it doesn't matter? or it does?

Need your opinion.

P.S Do you know any online tool to test VOIP and VPN behind NAT?

Thanks

Arxondas · Wed Jul 26, 2017 4:08 pm

Hello,

I was searching for help and I found this post. I have similar setup in a
my network and Im using nat and routing as suggested above to avoid double nat.

In your network topology if you want to port forward e.g. port 3389
from outside to a pc in network 192.168.210.0/24 for remote desktop
what nat rules I must use.

Thanks

WirelessRudy · Wed Jul 26, 2017 4:56 pm

Use dst-nat in IP / firewall / nat

Setup a rule for traffic (udp/tcp/icmp) that has the destination (IP) of the router and mention de port number (dst-port) and then under 'action' setup where you want that traffic to leave to (dst-to). Hence the IP of the host behind that firewall. that's it.

Arxondas · Thu Jul 27, 2017 8:28 am

Hello,

Thanks for your post.

I'm not so good in Router OS. So you mean I need to make
3 rules in main router that with the config you suggested or I need
on both routers

Thanks

WirelessRudy · Thu Jul 27, 2017 12:05 pm

You need to setup the dst-nat rule (or also called "port-forwarding") in each router that functions as NAT-router and is not bridging networks. If your network has a gateway router functioning to masquerade all your users behind one IP (the public IP of your gateway) then it needs a dst-nat rule in here.
If you also have your client behind a Mikrotik router (like an antena that funcions as router with LAN for the client, and thus a NAT firewall) you have to do the same in this router.
And if the client then has a Wifi router you'd also have to setup portforwarding in this wifi router to allow to have server on the clients LAN to be reachable from the internet.

Arxondas · Thu Jul 27, 2017 3:08 pm

Hello,

I have only one masquerade nat rule in my main router.
chain=srcnat action=masquerade out-interface=ether1
on second mikrotik I dont have any nat rule.

On main router I ceated the nat rule
chain=dstnat action=dst-nat to-addresses=10.10.10.2 (ip of 2cd mikrotik) to-ports=3389 protocol=tcp
in-interface=ether dst-port=3389

On second mikrotik I created the nat rule
chain=dstnat action=dst-nat to-addresses=192.168.1.2 (pc ip) to-ports=3389
protocol=tcp in-interface=ether1 dst-port=3389

I can't find what is wrong because is not working.

I attached a picrure of my network to get a better idea.

thanks

RodrigoBrito · Wed Apr 17, 2019 2:02 pm

Good morning everyone.

I do not understand NOTHING of Mikrotik and I am looking for help about a specific situation where I did not find help on the internet. I apologize for the lack of technical terms.

The situation is as follows: I live in a condominium and hired a company to do the following installation: we signed 4 internet links 100/30 MB, which "enter" the Mikrotik (model RouterBOARD 750G r3 - lan ports) at the concierge, and a cable "exits" Mikrotik (PoE in port), going to a switch right there at the gate. This switch, sends 4 or 5 network cables to the condominium posts, and we have another 4 or 5 switches on the posts, from which network cables go straight to the houses. Inside the house, I use a router (TP-LINK TL-WR849N) where it is necessary to put a user and password to authenticate (PPPoE).

Regarding usage, everything works very well: navigation, downloads, streaming, apps and etc, all in a satisfactory way.

The only drawback would be in relation to video games, more specifically online games:

- PS4: downloads are ok, rare connection errors with other users and allows online game in a satisfactory way;

- Xbox One: downloads ok, some connection errors, and shows the NAT as "strict", in addition to "double NAT detected"

- Nintendo Switch: here is the main problem ... downloads are ok, but it is practically impossible to play online ... I mention Mario Kart 8 Deluxe as an example. The game establishes a connection, but in match search it returns an error: "Could not connect to other consoles. There was a transverse NAT error."

I am absolutely sure that the error occur due to our internet "scheme", since before, when each resident had his own ADSL internet, none of this happened.

Anyway, I strongly encourage you all to help me solve this problem, and I will asap provide any clarification. Thank you.

I think the answer is right here, but I need a pass to pass solution. Please help.

anav · Wed Apr 17, 2019 5:19 pm

@Arxondas if the second router is not changing public to private IPs (as you stated no NAT). Then you only need the DSTNAT rule on the first router. it should point to the correct PC being used not the IP of the second unit for too address. Also you will need a firewall rule in the first(main router) allowing dstnat.
add action=accept chain=forward comment=\
"Allow Port Forwarding - DSTNAT" connection-nat-state=dstnat in-interface=eth1

@RodrigoBrito suggest you start a new (your own) thread...........

RodrigoBrito · Sun Apr 21, 2019 5:07 pm

@Arxondas if the second router is not changing public to private IPs (as you stated no NAT). Then you only need the DSTNAT rule on the first router. it should point to the correct PC being used not the IP of the second unit for too address. Also you will need a firewall rule in the first(main router) allowing dstnat.
add action=accept chain=forward comment=\
"Allow Port Forwarding - DSTNAT" connection-nat-state=dstnat in-interface=eth1

@RodrigoBrito suggest you start a new (your own) thread...........

@anav I already did it (viewtopic.php?f=13&t=145144), but I got no answers... l don’t know what to do.

CZFan · Sun Apr 21, 2019 6:02 pm

@anav I already did it (viewtopic.php?f=13&t=145144), but I got no answers... l don’t know what to do.

You now have an answer...

Avoiding Double NAT with multiple routers

Avoiding Double NAT with multiple routers

Re: Avoiding Double NAT with multiple routers

Re: Avoiding Double NAT with multiple routers

Re: Avoiding Double NAT with multiple routers

Re: Avoiding Double NAT with multiple routers

Re: Avoiding Double NAT with multiple routers

Re: Avoiding Double NAT with multiple routers

Re: Avoiding Double NAT with multiple routers

Re: Avoiding Double NAT with multiple routers

Re: Avoiding Double NAT with multiple routers

Re: Avoiding Double NAT with multiple routers

Re: Avoiding Double NAT with multiple routers

Re: Avoiding Double NAT with multiple routers

Re: Avoiding Double NAT with multiple routers

Re: Avoiding Double NAT with multiple routers

Re: Avoiding Double NAT with multiple routers

Re: Avoiding Double NAT with multiple routers

Re: Avoiding Double NAT with multiple routers

Re: Avoiding Double NAT with multiple routers

Re: Avoiding Double NAT with multiple routers

Re: Avoiding Double NAT with multiple routers

Re: Avoiding Double NAT with multiple routers

Re: Avoiding Double NAT with multiple routers

Re: Avoiding Double NAT with multiple routers

Re: Avoiding Double NAT with multiple routers

Re: Avoiding Double NAT with multiple routers

Who is online