Why does this actually work? 2 LANs with 2 DHCP servers



  • I was using a D-Link router, but there are more vulnerabilities than options in those things… so I thought I'd search for better solutions and ended up discovering pfSense. However, I'm a total network newbie. So far I managed to set up a "testlab" by running pfSense on an old laptop, with one WAN and one LAN connection :-)

    My setup:

    WAN to internet
              |
    [ISP cable modem/router incl. wifi] <--> [IP camera via wifi due to no cable]
    LAN 1: 192.168.0.x
              |
              |
          [pfSense]
          LAN 2: 192.168.1.x
          Gateway set to 192.168.0.1, ISP router
              |
              |
              | (one UTP cable to living room available only)
              |
        [unmanaged switch]
              |
              |
              |--> [2nd router set as wifi access point only] <---> [wireless clients]
              |
              |--> [wired clients]

    • I don't have any control over the ISP router. Only port forwarding is possible, but DHCP/NAT is always on and cannot be turned off.
    • That's why I want to have pfSense right after the ISP router with DHCP/NAT, to have more control… I know, I know, double NAT is not great, but I have no option on the ISP side.
    • The wifi camera needs to be connected to the ISP router, because the other wifi AP is too far away.

    I'm not 100% sure why the following works:
    When I go from a wireless client on the 2nd LAN, I'm able to log in to the wifi camera which is on LAN 1 and also receive the stream from it.

    Does this work, because they all have 192.168.0.1 as the gateway? Is my setup ok?



  • Double-NAT is bad.

    Your scenario works because LAN2 clients are part of LAN1 via LAN2's NAT.

    The opposite (LAN1 accessing LAN2 clients) requires port-forwarding.



  • I know, double NAT is not a perfect thing, but I cannot turn off DHCP/NAT on the ISP router and I want more control in my own LAN.

    I have no port forwarding from LAN1 to LAN2, but still the video stream can be viewed… Could this perhaps be the UPnP feature that is enabled on the wifi camera?



  • @Wim:

    I know, double NAT is not a perfect thing, but I cannot turn off DHCP/NAT on the ISP router and I want more control in my own LAN.

    I have no port forwarding from LAN1 to LAN2, but still the video stream can be viewed… Could this perhaps be the UPnP feature that is enabled on the wifi camera?

    I'm kinda unclear about your topology but with NAT all downstream clients can access upstream clients.

    Isn't your wifi camera upstream?



  • Sorry for not being fully clear on the topology. The wifi camera is connected to the ISP router (LAN1) and has an IP in the range 192.168.0.x.

    The client that I use is connected to LAN2 and has an IP in the range 192.168.1.x.

    I can understand that I can connect from LAN2 to LAN1, but I actually expected not to be able to get a video stream from the camera, since that travels from LAN1 to LAN2.


  • LAYER 8 Global Moderator

    "but I actually expected not to be able to get a video stream from the camera, since that travels from LAN1 to LAN2."

    But your client that is viewing the video stream created the connection. The client said "hey camera, send me your stream". It sends the SYN, and that starts the conversation; since you're behind a double NAT, to the camera you look like you came from 192.168.1.x.

    Why would you not do it this way? If you're forced to use NAT on your ISP device and cannot disable it and actually get a public address on the pfSense WAN?

    Or better yet, actually isolate your IoT devices like cameras from the rest of your network using pfSense, and then firewall the traffic you want/need to allow between your VLANs/network segments.
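The point made in this thread (a LAN2 client's SYN creates NAT state, the camera's reply matches that state, and anything the LAN1 side starts on its own needs a port forward) as an added toy model, not code from the thread or from pfSense. It assumes pfSense's address on LAN1 is 192.168.0.2, the camera is 192.168.0.20 streaming on port 554, and a hypothetical forward of WAN port 8080 to a LAN2 host; all addresses and ports are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class StatefulNat:
    """Toy model of the NAT between LAN2 (downstream) and LAN1 (upstream)."""
    wan_ip: str                                   # pfSense address on LAN1 (assumed 192.168.0.2)
    lan_prefix: str                               # downstream LAN2 prefix
    forwards: dict = field(default_factory=dict)  # wan_port -> (lan_ip, lan_port), constructed
    states: dict = field(default_factory=dict)    # (lan_ip, lan_port, dst_ip, dst_port) -> nat_port
    next_port: int = 40000                        # first translated source port handed out

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """LAN2 client opens a connection (the SYN): record state, rewrite the source."""
        if not src_ip.startswith(self.lan_prefix):
            raise ValueError("source is not on LAN2")
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.states:
            self.states[key] = self.next_port
            self.next_port += 1
        return (self.wan_ip, self.states[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Packet from LAN1 arriving at the WAN address: pass only if it matches state or a forward."""
        if dst_ip != self.wan_ip:
            return None
        for (lan_ip, lan_port, rem_ip, rem_port), nat_port in self.states.items():
            if (rem_ip, rem_port, nat_port) == (src_ip, src_port, dst_port):
                return (src_ip, src_port, lan_ip, lan_port)  # reply to a flow LAN2 started
        if dst_port in self.forwards:
            lan_ip, lan_port = self.forwards[dst_port]
            return (src_ip, src_port, lan_ip, lan_port)      # explicit port forward
        return None                                           # unsolicited from LAN1: dropped


def demo():
    """Client 192.168.1.50 pulls the camera stream; camera cannot start its own flow into LAN2."""
    nat = StatefulNat("192.168.0.2", "192.168.1.", forwards={8080: ("192.168.1.60", 80)})
    client, camera = ("192.168.1.50", 51000), ("192.168.0.20", 554)
    syn = nat.outbound(*client, *camera)                          # what the camera sees
    reply = nat.inbound(*camera, syn[0], syn[1])                  # stream packets come back
    unsolicited = nat.inbound("192.168.0.20", 40001, "192.168.0.2", 51000)
    forwarded = nat.inbound("192.168.0.20", 40001, "192.168.0.2", 8080)
    return {"syn": syn, "reply": reply, "unsolicited": unsolicited, "forwarded": forwarded}
```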






  • Ok that makes sense to me. Makes me think it would be a good exercise to try and find this kind of communication back in the logs.

    Thanks for the topology picture. This would be even better, but the one camera is closest to the ISP wifi access point. I haven't tested whether it can reach my own 2nd wireless access point. If it can handle it, I can definitely switch it over and pull everything behind pfSense :)


  • LAYER 8 Global Moderator

    I forgot to add the even better way. I just added it to the previous post.

    Using APs with VLAN support, properly placed for best coverage (you may need more than one), and a smart switch gives you the most flexibility in your network.

