Is double NAT bad?
-
And how do the devices communicate in your LAN if they all have an IP from your ISP?
Every IPv6 capable device, including cell phone & tablet get an IPv6 that's part of the /56 block I get from my ISP. That's 2^72 addresses available for me to use. I haven't used them all yet though. ;-)
How do you translate from subnet 10 to subnet 192 without NAT?
You have to use NAT for that. But bear in mind NAT is a hack to get around the IPv4 address shortage. It also breaks several protocols and gets in the way when you want remote access to your network.
-
NAT by itself is not bad.
It breaks some protocols and violates the Internet principle that every device has a unique and unambiguous address.
As I mentioned, with IPv4 it's a necessary evil that we can get rid of with the move to IPv6.
-
^ exactly..
Any sort of protocol that would have the IP of the device in the message it's sending to the other device can be broken with a NAT.. For example.. FTP is a prime example where NAT can break it.. The IP of either the client or the server will be in the control message, be it you're using active or passive. If either of those hands out its RFC1918 address, the other end is not going to be able to connect for the data channel.
This is why you need a helper/proxy that will convert that RFC1918 address to the public IP for the other end. Or you need to use a client and/or server that hands out its actual public IP in use when doing active or passive vs its local RFC1918 address. Or you need something on the NAT device that can fix it for the client. This can be a real problem if you're using FTPS and the control channel is encrypted.
Now personally FTP should have died off a long time ago - so to be honest it's a bad example. If you're using FTP, shame on you - wake up and smell the freaking century.. But it was a prime example of how NAT can break protocols. And is brought up a LOT here..
While you can work around these issues.. All in all the internet is not really meant to work with NATs, and I would avoid them whenever possible. Especially when talking RFC1918 to RFC1918 since there should really never be a reason you should have to do that..
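An added example, not code from the thread, of the FTP problem described above: both the client's active-mode PORT command and the server's passive-mode 227 reply carry an address as `h1,h2,h3,h4,p1,p2`, and if that address is RFC1918 while the peer reached you over a public address, the data channel cannot be opened. The rewrite function shows what an FTP helper on the NAT device does; the sample lines and the 203.0.113.5 public address are constructed.

```python
# Added example (not from the thread): how FTP puts an endpoint address inside
# its control messages, why an RFC1918 address there breaks through NAT, and the
# rewrite an FTP NAT helper/proxy performs. Sample lines and addresses are constructed.
import ipaddress
import re

# Both the client's active-mode PORT command and the server's passive-mode 227
# reply carry the address as h1,h2,h3,h4,p1,p2 (port = p1*256 + p2).
HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_hostport(line):
    """Return (ip, port) advertised in a PORT command or a 227 PASV reply."""
    m = HOSTPORT_RE.search(line)
    if not m:
        raise ValueError("no host,port tuple in %r" % line)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def is_rfc1918(ip):
    """True for 10/8, 172.16/12 and 192.168/16 only (not every 'private' range)."""
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


def data_channel_reachable(line, control_peer_ip):
    """Can the other end open the data channel to the address advertised in `line`?
    If a private address is advertised to a peer that reached us over a public
    address, there is a NAT in between and the data connection will fail."""
    adv_ip, _ = parse_hostport(line)
    return not (is_rfc1918(adv_ip) and not is_rfc1918(control_peer_ip))


def rewrite_hostport(line, public_ip):
    """What an FTP helper on the NAT device does: replace the private address in the
    control message with the public one. Only possible on a cleartext control
    channel, which is why FTPS through NAT is the hard case."""
    _, port = parse_hostport(line)
    new = "%s,%d,%d" % (public_ip.replace(".", ","), port // 256, port % 256)
    return HOSTPORT_RE.sub(new, line, count=1)
```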
-
^^^^
No problem with FTP for anonymous downloads. However, NAT still messes up more modern things such as VoIP and peer-to-peer gaming or simply having remote access to multiple devices with the same protocol. What's really evil is some ISPs are using NAT to provide access to customers, which means a lot of things that work OK through a customer's NAT are flat out broken with carrier NAT.
-
However, NAT still messes up more modern things such as VoIP and peer to peer gaming
This is highly debatable. If the designers of those protocols just had some common sense and hadn't designed a protocol that requires encoding of the peer IPs or port numbers into the data packets there would be no problem NAT'ing the traffic.
-
I don't have much experience with gaming, but with SIP, the end points have to exchange IP addresses via the SIP server. Once that's done they're supposed to operate peer-to-peer, without using the server. This means some mechanism (read: another hack) is required to get past NAT. With SIP, and some other apps, that mechanism is STUN, which allows the SIP apps to discover the other end's real address. So, as long as we have NAT, we'll have hacks on a hack, to make things work around it.
-
@johnpoz, thanks for the explanation.
All the DMZ explanations I saw on the web make it look like the NAT is what makes the DMZ secure.
All the diagrams have different subnets and I thought going from 10.1.x.x/16 to 192.168.0.x/24 needs NAT? If you don't need NAT, how do the devices talk? If I put two devices with these different addresses on a switch, they can't see each other?
I don't need NAT on pfSense because only the router from my ISP needs to do it?
If you don't need NAT then my pfSense was set up wrong the whole time? Or is it that I can't disable NAT in pfSense because it's mainly a router and a lot of people (like me) abuse it as a firewall?
-
^^^^
The only reason for NAT is a lack of IPv4 addresses. There is nothing else it does that can't be provided by a properly configured firewall.
-
"If you don't need NAT, how to the devices talk? If i put two different devices to a switch with this different addresses they can't see each other?"
That is what a router is for.. pfSense is a firewall/router..
pfSense does not NAT between your local segments.. So for example I have multiple local networks: 192.168.9/24 is my LAN, 192.168.3/24 is my DMZ if you will.. See below
Out of the box pfSense is only going to NAT when you go to the internet, ie out your WAN interface.. When it sees a gateway set on an interface it sees that as a WAN connection and will create an automatic outbound NAT for any of your other networks: LAN, opt1, opt2, etc.
So see it has outbound NAT for my WAN and all my local networks.. If you look at a state table entry, for example the 3rd attachment, you will see my 192.168.9.100 box talking to the internet on 443.. You see that a NAT has been done to my public IP.. But then right below that you see my 192.168.9.100 box talking to an httpd running on a box in my DMZ on 192.168.3.10 - you notice there is no NAT there for that state.
So my 192.168.9.100 wanted to talk to 162.222.43.129 (CrashPlan IP) on port 443, so you see it created a connection from port 49314.. So pfSense created a connection from its WAN, the 24.13.x.x address, but in this case it used source port 1094.. So when that 162 box sends back traffic to my public IP on port 1094, pfSense knows to send that traffic to my 192.168.9.100 box on port 49314.. This is called NAPT (network address port translation). This is your typical NAT for every wifi router you get at the computer store, etc.
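An added example, not code from the thread or from pfSense, that models the state table behaviour described above: an outbound flow to the internet gets a NAPT entry (private source port mapped to a WAN port), the reply is matched against that entry and sent back to the local host, an unsolicited packet with no state is dropped, and LAN-to-DMZ traffic is routed with no translation at all. The addresses are the ones quoted in the post; the WAN address 24.13.0.1 is a placeholder for the elided 24.13.x.x.

```python
# Added example (not pfSense code): a toy NAPT state table in the spirit of the
# state entries described in the post. 24.13.0.1 is a placeholder for the elided
# 24.13.x.x WAN address; the other addresses and ports are the ones quoted above.
import ipaddress


class Napt:
    def __init__(self, wan_ip, local_nets, first_port=1024):
        self.wan_ip = wan_ip
        self.local_nets = [ipaddress.ip_network(n) for n in local_nets]
        self.next_port = first_port
        self.states = {}   # wan_port -> (src_ip, src_port, dst_ip, dst_port)
        self.by_flow = {}  # (src_ip, src_port, dst_ip, dst_port) -> wan_port

    def is_local(self, ip):
        return any(ipaddress.ip_address(ip) in n for n in self.local_nets)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Packet leaving a local host. Returns the (ip, port) actually put on the
        wire as source, and whether a translation was applied."""
        if self.is_local(dst_ip):
            # LAN -> DMZ (or any local segment): plain routing, no NAT.
            return (src_ip, src_port), False
        flow = (src_ip, src_port, dst_ip, dst_port)
        if flow not in self.by_flow:
            # First packet of the flow: allocate a WAN source port and record
            # the state, like the 49314 -> 1094 mapping in the post.
            port = self.next_port
            self.next_port += 1
            self.by_flow[flow] = port
            self.states[port] = flow
        return (self.wan_ip, self.by_flow[flow]), True

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Packet arriving on WAN. Returns the local (ip, port) it is forwarded
        to, or None when no state matches (the packet is dropped)."""
        if dst_ip != self.wan_ip or dst_port not in self.states:
            return None
        l_ip, l_port, r_ip, r_port = self.states[dst_port]
        if (src_ip, src_port) != (r_ip, r_port):
            return None  # some other host hitting port 1094 has no state
        return (l_ip, l_port)
```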
-
"If you don't need NAT, how to the devices talk?"
NAT is a hack to allow sharing a single address or, in some cases, for combining networks that happen to have the same address range.
I have IPv6 available with a /56 prefix. That means I have 2^72 addresses available in 256 blocks of 2^64 addresses. The main purpose of NAT was to stretch the IPv4 address space, breaking a few specs in the process. All my IPv6 capable devices have their own global IPv6 address, with no need for NAT to share a single address.
How do my devices talk? Every one that's IPv6 capable, including all computers, tablet & smart phone, has its own IPv6 address that's reachable from outside my network, as I allow with my firewall configuration.
NAT is a hack, which is used to get around the IPv4 address shortage. Even with it, there are simply not enough IPv4 addresses to go around. Those 2^72 IPv6 addresses I have are 2^40 times the entire IPv4 address space. That's about a million, million addresses, so there's no need to use hacks like NAT to extend the life of the IPv4 address space.
As I said, NAT is a hack and it breaks some things. Using it has blinded people to how the 'net is supposed to work.