Is double NAT bad?

  • If you search the internet the suggestion is to avoid double NAT.
    On the other side there are DMZ's for more security.

    Isn't a DMZ not always a double NAT?
    ISP <-> Router/Firewall <-DMZ-> Router/Firewall

  • NAT is always bad, as it breaks things.  Beyond that, there's little problem with double NAT, except it can break more things.

    This is why it's essential the world moves fully to IPv6, where NAT is no longer a necessary evil.

  • Galactic Empire


    Isn't a DMZ not always a double NAT?
    ISP <-> Router/Firewall <-DMZ-> Router/Firewall

    lol a double negative.

    Single Firewall :-

    Dual Firewall :-

    With a single firewall setup you NAT Internet - LAN & Internet - DMZ but from LAN to DMZ you wouldn't need NAT.

    With a dual firewall setup you'd only NAT on the internet facing firewall.

  • IPv6 directly to the web for every device? I guess until this will happen I'm dead.
    And how do the devices communicate in your LAN if they all have a IP from your ISP?

    How do you translate from subnet 10 to subnet 192 without NAT?

  • NAT by itself is not bad.  Double-NAT is a pain when you need to configure inbound services, as you have to work on forwarding traffic on two routers.

  • @MrGlasspoole:

    How do you translate from subnet 10 to subnet 192 without NAT?

    By using static routes that tell one of the routers how to reach the other subnet. Chained routers like you have are suboptimal though if not using NAT because you have asymmetric routing for first subnet ( in your case). Ideally you would always have all the different subnets that are used connected to a single router that has multiple interfaces or if you must have multiple routers you use transit networks which again requires more interfaces on the main router.

  • The problem is that you can have only bridged modems/router here in Germany if you pay for a expensive business contract.

    Its just some month ago that they changed the law that you can have your own router/modem.
    Before that you had to use what the ISPs dictate/send you.
    Still the problem is that there is no selection. There are just 2 cable routers available you can buy and they come from the same company that every ISP here is using.
    If you buy the old model from eBay you had before, they don't activate them because this models where never available for private people.
    Also you don't get firmware updates because for this models the manufacturer does not have them on there side.
    Updates are only delivered through the ISPs.

    I changed to another speed and they did send me another router and i have to send back they 9 years old box i have.
    The old box had a "exposed host" function and doing this to pfSense worked without problems for 2.5 years now.
    The new router has a DMZ function but activating that seems to do nothing. I still have to do port forwarding on that new device.

    With that "exposed host" function i still had double NAT - didn't I?
    VoIP was working without problems the whole time…
    Also reaching the server at home with the public IP was no problem...

  • Keep the double NAT, it's not worth fixing something that isn't broke. The only issue for you is if you have to do multiple port forwards to the innermost network where you have to do them twice, once on the outermost router and then also on the inner one.

  • So not really drawbacks except that i have mow the work to open the ports on 2 devices?
    It's not really much work because just ~6 ports i have to open.

    What was work was to change my LAN behind pfSense from 192… to 10....
    It was the other way around and on that new box you can't even change the subnet *lol

  • LAYER 8 Global Moderator

    "subnet 10 to subnet 192 without NAT?"

    Do you mean from 10.x.x.x to 192.168.x.x ??  Why would you need to nat those?  The really only time you need to NAT is when when you go from rfc1918 space to public space.  Now if your on a large corp network with bad planning or different customers/locations that need to talk to each other and they are using overlapping rfc1918 space then you might have to be nat if you can not reip one of them, etc.

    But yeah in general Im with JKnott, nat is normally something that should be avoided..  Until such time as everyone is using ipv6 for all their devices its a necessary evil needed to get your multiple devices on the public internet when your ISP only gives you 1 public IP to use.

    Double nat can work, triple nat can work - shoot even quad and higher nats can work - but sure the more nats you put in the more likely you will run into some sort of problem. Keep in mind that every nat is also a performance hit, some device has to do work to nat and keep track off all the nats.  You might not actually really notice this hit.. but its going to be here - so if your purest your going to want to minimize such things.

    If possible public IP should be on your pfsense wan, and then you can use all the rfc1918 you want behind that and there is no reason to nat between those networks.  But if your behind some isp device that does not allow you to turn off their nat and or edit it to allow for multiple networks behind it will also nat, etc.  And you want to have a segmented network behind say pfsense for example - then sure you can double nat.  And if you put your pfsense wan rfc1918 IP into the "dmz" function of that isp device you will be as close as your going to get to not having to worry about it.  And all your port forwards if needed can be handled on pfsense.

    "Isn't a DMZ not always a double NAT?
    ISP <-> Router/Firewall <-DMZ-> Router/Firewall"

    Not sure where you got idea that is a the only dmz.. Yes sure you can have multiple firewall dmz, but doesn't have to be natted.  As long as that router/firewall connected to the public internet will nat that 192.168.0/? network along with any other segments you would not nat there.

    You can also have a "dmz" hanging of that first router/firewall in your setup.  All a dmz actually is a firewalled segment.  There is not saying that it has to use dual firewalls or nat..  I have a segment hanging off my pfsense that is my "dmz"  other than the firewall blocking it from talking to my other segments other than the pinholes I have allowed its no different any other segment on my network.  You can allow public traffic into that segment, but it can not from their freely go to any other segment in your network.. Ie a demilitarized zone or DMZ..

    "In computer security, a DMZ or demilitarized zone (sometimes referred to as a perimeter network) is a physical or logical subnetwork that contains and exposes an organization's external-facing services to a usually larger and untrusted network, usually the Internet. The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN); an external network node can access only what is exposed in the DMZ, while the rest of the organization's network is firewalled. "

  • And how do the devices communicate in your LAN if they all have a IP from your ISP?

    Every IPv6 capable device, including cell phone & tablet get an IPv6 that's part of the /56 block I get from my ISP.  That's 2^72 addresses available for me to use.  I haven't used them all yet though.  ;-)

    How do you translate from subnet 10 to subnet 192 without NAT?

    You have to use NAT for that.  But bear in mind NAT is a hack to get around the IPv4 address shortage.  It also breaks several protocols and gets in the way when you want remote access to your network.

  • NAT by itself is not bad.

    It breaks some protocols and violates the Internet principle that every device has a unique and unambiguous address.

    As I mentioned, with IPv4 it's a necessary evil that we can get rid of with the move to IPv6.

  • LAYER 8 Global Moderator

    ^ exactly..

    Any sort of protocol that would have the ip of the device in the message its sending to the other device can be broken with a nat..  For example.. FTP is a prime example where nat can break it.. The IP of either the client or the server will be in the control message be it your using active or passive.  If either of those hand out its rfc1918 address the other end is not going to be able to connect for the data channel.

    This is why you need helper/proxy that will convert that rfc1918 to the public IP for the other end.  Or you need to use a client and or server that hand out its actual public IP in use when doing active or passive vs its local rfc1918 address.  Or you need something on the nat device that can fix it for the client.  This can be a real problem if your using ftps and the control channel is encrypted.

    Now personally ftp should of died off long time ago - so to be honest its a bad example.  If your using ftp, shame on you - wake up and smell the freaking century.. But it was a prime example of how nat can break protocols.  And is brought up a LOT here..

    While you can work around these issues.. All and All the internet not really meant to work with nats, and I would avoid them whenever possible.  Especially when talking rfc1918 to rfc1918 since there should really never be a reason you should have to do that..

  • ^^^^
    No problem with FTP for anonymous downloads.  However, NAT still messes up more modern things such as VoIP and peer to peer gaming or simply having remote access to multiple devices with the same protocol.  What's really evil is some ISPs are using NAT to provide access to customers, which means a lot of things that work OK through a customer's NAT are flat out broken with carrier NAT.

  • @JKnott:

    However, NAT still messes up more modern things such as VoIP and peer to peer gaming

    This is highly debatable. If the designers of those protocols just had some common sense and hadn't designed a protocol that requires encoding of the peer IPs or port numbers into the data packets there would be no problem NAT'ing the traffic.

  • I don't have much experience with gaming, but with SIP, the end points have to exchange IP addresses via the SIP server.  Once that's done they're supposed to operate peer - peer, without using the server.  This means some mechanism (read another hack) is required to get past NAT.  With SIP, and some other apps, that mechanism is STUN, which allows the SIP apps to discover the other end's real address.  So, as long as we have NAT, we'll have hacks on a hack, to make things work around it.

  • @johnpoz, thanks for the explanation.
    All the DMZ explanation in the www i saw look like the NAT is what makes the DMZ secure.
    All the diagrams have different subnets and i thought going from 10.1.x.x/16 to 192.168.0.x/24 needs NAT?

    If you don't need NAT, how to the devices talk? If i put two different devices to a switch with this different addresses they can't see each other?
    I don't need NAT on pfSense because only the router from my ISP needs to do it?
    If you don't need NAT then my pfSense was setup wrong the whole time?

    Or is it that i can't disable NAT in pfSense because it's mainly a router and a lot of people (like me) abuse it as firewall?

  • ^^^^
    The only reason for NAT is a lack of IPv4 addresses.  There is nothing else it does that can't be provided by a properly configured firewall.

  • LAYER 8 Global Moderator

    "If you don't need NAT, how to the devices talk? If i put two different devices to a switch with this different addresses they can't see each other?"

    That is what a router is for.. Pfsense a firewall/router..

    Pfsense does not nat between your local segments.. So for example I have multiple local network 192.168.9/24 is my lan, 192.168.3/24 is my dmz if you will.. See below

    Out of the box pfsense is only going to nat when you go to the internet, ie out your wan interface.. When it sees a gateway set on an interface it sees that as a WAN connection and will create an automatic outbound nat for any of your other networks lan, opt1, opt2, etc.

    So see it has outbound nat for my wan and all my local networks..  If you look at a state table entry for example 3rd attach you will see my box talking to internet on 443.. You see that a nat has been done to my public IP.. To get to the public IP.  But then right below that you see my box talking to a httpd running on a box in my dmz on - you notice there is no nat there for that state

    So my wanted to talk to (crashplan IP) on port 443, so you see it created a connection from port 49314.. So pfsense created a connection from its WAN the 24.13.x.x address but in this case it used source port 1094.. So when that 162 box sends back traffic to my public IP to port 1094, pfsense says knows to send that traffic to my box on port 49314..  This is called NAPT (network address port translation)  This is your typical nat for every wifi router you get at the computer store, etc.

  • "If you don't need NAT, how to the devices talk?

    NAT is a hack to allow sharing a single address or, in some cases, for combining networks that happen to have the same address range.

    I have IPv6 available with a /56 prefix.  That means I have 2^72 addresses available in 256 blocks of 2^64 addresses.  The main purpose of NAT was to stretch the IPv4 address space, breaking a few specs in the process.  All my IPv6 capable devices have their own global IPv6 address, with no need for NAT to share a single address.

    How do my devices talk?  Every one, that's IPv6 capable, including all computers, tablet & smart phone have their own IPv6 address that's reachable from outside my network, as I allow with my firewall configuration.

    NAT is a hack, which is used to get around the IPv4 address shortage.  Even with it, there are simply not enough IPv4 addresses to go around.  Those 2^72 IPv6 addresses I have are  2^40 times the entire IPv4 address space.  That's about a million, million addresses, so there's no need to use hacks like NAT to extend the life of the IPv4 address space.

    As I said, NAT is a hack and it breaks some things.  Using it has blinded people to how the 'net is supposed to work.

Log in to reply