Avoiding double-NAT when using a locked down ISP modem/router



  • We have Vodafone Fibre broadband, with a VF Connect VDSL/router/wifi all-in-one, currently set up to provide two SSIDs: one for "normal" usage and a separate "guest" one (which gives internet access but doesn't provide access to the wired or wireless devices on the main wifi/LAN, and doesn't allow access to the VF Connect admin/status webui).

    This basic setup appears to work fine as far as it goes – guest wifi users connect on a different subnet (192.168.5.* for guest, 192.168.1.* for main network). However, the VF Connect wifi is nowhere near strong enough to reach the whole house and garden (it's a 5-bed house, so quite big, but the bigger issue is the 2 foot thick internal solid stone walls, which effectively separate the house into 3 separate "zones" that it's hard to get wifi signals to reach between).

    To address this I've bought 3 Access Points (Unifi UAP-AC-LRs) -- these are ceiling mounted and PoE powered, which means I can get them where needed to provide wifi coverage. The UAP-AC-LRs support multiple SSIDs (up to 4 each) and 802.1q VLAN tagging. I've also got a VLAN-capable managed switch (an old Dell Powerconnect 2716).

    What I want to know is how I can set up the Unifi APs so that they expose both the main and guest networks, while maintaining the separation between those networks that I have now.

    So far the possible solutions I've come up with are:

    1. Configure the VF Connect so that one of its LAN ports is associated with the 192.168.5.* VLAN, then set up the switch so that traffic from the APs on the guest SSID/VLAN is directed to that specific LAN port on the VF Connect. However, I can't find any VLAN configuration in the VF Connect webui (and it's locked down so that there is no telnet/ssh access available, AFAIK).

    2. Put the VF Connect modem into PPPoE/bridge mode, then use another router as the gateway to the internet (either using the switch to separate the guest VLANs onto distinct physical cables into the gateway, or using 802.1q VLAN tagging on the gateway if it supports that). However, I have been told that the VF Connect modem doesn't support bridge/modem-only mode.

    3. As for (2), but using a separate modem-only VDSL2 device, together with another router as the gateway. Does VF allow equipment other than their own to be used to access their network? Unfortunately, it appears that Vodafone are unwilling to provide their customers with their own username/password details to allow a third-party modem to be used to connect to the VF network.

    4. Implement a "double NAT" solution, attaching all the "main" network devices (wired and wireless) to a second router on a different subnet (e.g. 192.168.2.*), with NAT between that and the 192.168.1.* LAN network provided by the VF Connect. This has the standard double-NAT disadvantages (e.g. peer-to-peer connections for gaming etc. are more likely to fail). It also allows the guest network users to attempt to access the VF Connect admin screens (though they would still have to guess the admin password).

    5. Implement a more complex routing solution using a second router, configured to bridge (most of) the 192.168.1.* subnet provided by the VF Connect router to a 192.168.1.* on the "other side" of the second router. It feels like this might be possible -- it sounds similar to the way that a gateway router would need to be configured where an ISP provides a /29 or larger IP range (with the connection being via PPPoE/external xDSL modem) and the available public routable IP addresses are assigned to hosts within the local network. All internet traffic would go via both the second router and the VF Connect. Does anyone know whether such a configuration is possible?

    I don't currently have a second router box (though I do have a couple of other VLAN-capable routers -- an Archer C5 v1, and an Archer C50 v1 -- which I believe could be flashed to run OpenWRT/LEDE/similar). But I don't mind buying an additional more powerful device if necessary (e.g. to provide sufficient CPU, memory and ethernet ports to run pfSense with a more complex routing configuration).

    Any help gratefully appreciated!

    Misha



  • UniFi APs support filtering based on SSID.

    For this you'll need to deploy the UniFi controller either on Linux/Windows or in the cloud. Whichever you choose, you'd set a guest SSID, and tell it that the guest SSID cannot access your private IP networks, which would force traffic out of your WAN.

    You can also support this with VLAN tagging if you wanted separate broadcast domains. Personally I use VLAN tags in conjunction with separate subnets, which isn't technically needed but allows me to identify at a glance which network belongs to which VLAN (e.g. vlan 100 being 10.0.100.0/24 etc).

    For a VLAN setup, you'll want to push each subnet's VLAN to the UniFi AP, and tag each SSID with the corresponding VLAN.
    Example:

    vlan 10 - 10.0.10.0/24
    vlan 100 - 10.0.100.0/24

    Switch -> vlan trunk (allowed vlans 10,100) -> unifi AP
    On the unifi AP controller:
    SSID: home-wifi (vlan 10)
    SSID: guest-wifi (vlan 100)

    If you need further information, I can set up a screen share through Skype and show you the setup I currently have with my UniFi APs, VLAN setup, etc. I'm currently not running a guest network, but I can show you where to access the settings in the UniFi Controller WebGUI.
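    The "guest SSID cannot access your private IP networks" rule above is a first-match firewall policy, and its correctness depends on rule order. The following is an added example (not code from the post, from UniFi or from pfSense) that evaluates such a policy against the VLAN plan given in the reply (vlan 10 -> 10.0.10.0/24, vlan 100 -> 10.0.100.0/24); the RFC 1918 list, the rule names and the sample flows are constructed here, and the deliberately mis-ordered policy shows what happens when the deny-private rule sits below the catch-all allow.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example: first-match policy evaluator for the guest-isolation rule.
# VLAN ids and subnets are the ones from the reply; everything else is
# constructed for illustration.

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# VLAN plan from the reply: vlan id -> subnet
VLAN_PLAN = {
    10: ipaddress.ip_network("10.0.10.0/24"),    # home-wifi
    100: ipaddress.ip_network("10.0.100.0/24"),  # guest-wifi
}
GUEST_VLAN = 100


@dataclass
class Rule:
    name: str
    src_vlan: Optional[int]                 # None = any VLAN
    dst_nets: List[ipaddress.IPv4Network]   # empty = any destination
    action: str                             # "allow" or "deny"

    def matches(self, src_vlan, dst):
        if self.src_vlan is not None and src_vlan != self.src_vlan:
            return False
        return not self.dst_nets or any(dst in n for n in self.dst_nets)


# Correct order: the private-network deny sits above the catch-all allow,
# so guests reach the internet but not the LAN or the router's admin UI.
GUEST_POLICY = [
    Rule("guest-deny-private", GUEST_VLAN, RFC1918, "deny"),
    Rule("allow-any", None, [], "allow"),
]

# Constructed mistake: same two rules, reversed. The catch-all matches
# first, so the deny rule is never reached and guests can reach the LAN.
BROKEN_POLICY = list(reversed(GUEST_POLICY))


def evaluate(policy, src_vlan, dst_ip) -> Tuple[str, str]:
    """Return (action, rule name) for the first rule that matches."""
    dst = ipaddress.ip_address(dst_ip)
    for rule in policy:
        if rule.matches(src_vlan, dst):
            return rule.action, rule.name
    return "deny", "implicit-deny"


def vlan_of(src_ip) -> Optional[int]:
    """Map a source address to its VLAN via the plan; None if not in the plan."""
    addr = ipaddress.ip_address(src_ip)
    for vid, net in VLAN_PLAN.items():
        if addr in net:
            return vid
    return None


def run_samples(policy):
    """Evaluate a set of constructed sample flows (src ip, dst ip)."""
    flows = [
        ("10.0.100.23", "192.168.1.1"),  # guest -> ISP router admin UI
        ("10.0.100.23", "10.0.10.5"),    # guest -> trusted wifi client
        ("10.0.100.23", "8.8.8.8"),      # guest -> internet (well-known public address as sample)
        ("10.0.10.5", "10.0.100.23"),    # trusted -> guest
        ("10.0.10.5", "8.8.8.8"),        # trusted -> internet
    ]
    return {f: evaluate(policy, vlan_of(f[0]), f[1]) for f in flows}


if __name__ == "__main__":
    for name, policy in (("correct", GUEST_POLICY), ("mis-ordered", BROKEN_POLICY)):
        print(f"--- {name} policy ---")
        for (src, dst), (action, rule) in run_samples(policy).items():
            print(f"{src:>13} -> {dst:<13} {action:<5} ({rule})")
```

    Run it and compare the two tables: only the ordering differs, yet the mis-ordered policy lets the guest VLAN reach 192.168.1.1 and 10.0.10.5. The same check is worth repeating whenever a new allow rule is added above the deny.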



  • Thanks – I think I get the association of SSID to VLANs in the Unifi APs.

    Which DHCP server(s) would hand out the 10.0.10.0/24 and 10.0.100.0/24 IP addresses (in your example)? Is that done by a DHCP server on the APs? Is it part of the Unifi controller?

    And how would I set up the LAN side of the VF Connect modem/router? i.e. what subnet/mask would I use? 10.0.10.0/24? 10.0.100.0/24? 10.0.0.0/16?

    (I realise this doesn't relate to pfSense -- I asked here because I thought that by adding a pfSense box between the VF Connect modem/router and the internal networks I might be able to workaround the apparent restrictions of the VF Connect firmware. But if the solution doesn't actually involve pfSense and can be achieved with just the Unifi APs' configuration then happy to take offline/to PM.)



  • @mishad:

    Thanks – I think I get the association of SSID to VLANs in the Unifi APs.

    Which DHCP server(s) would hand out the 10.0.10.0/24 and 10.0.100.0/24 IP addresses (in your example)? Is that done by a DHCP server on the APs? Is it part of the Unifi controller?

    And how would I set up the LAN side of the VF Connect modem/router? i.e. what subnet/mask would I use? 10.0.10.0/24? 10.0.100.0/24? 10.0.0.0/16?

    (I realise this doesn't relate to pfSense -- I asked here because I thought that by adding a pfSense box between the VF Connect modem/router and the internal networks I might be able to workaround the apparent restrictions of the VF Connect firmware. But if the solution doesn't actually involve pfSense and can be achieved with just the Unifi APs' configuration then happy to take offline/to PM.)

    Which DHCP server would hand out addresses?
    Depends on how you want to set this up. pfSense can handle this if you'd like, or if your VF Connect modem/router supports VLANs and DHCP you can do it there. UniFi does support running a DHCP server (settings -> network -> edit -> enable DHCP server).

    LAN Side of the VF Connect:
    This setup depends on the capability of the modem/router. I'm unfamiliar with this specific device, but typically you can set these modem/router devices in a router mode or bridged mode. Either way can be used with pfSense, but setting the VF Connect (if it supports this) in bridged mode would be the simplest solution. The way to tell what mode it's in is by the IP that pfSense picks up on its WAN interface (or whatever interface is plugged into the VF Connect). If it receives a public IP, you're in bridged mode.

    Subnetting:
    This depends on your setup. If your VF Connect doesn't support bridged mode, it would be preferable to have a separate subnet between the VF Connect and pfSense, so that pfSense becomes the default gateway for the internal subnets.

    As far as wifi/LAN subnets, I've seen it done many ways, and that's really up to you to pick which way you want. The two most common ways I see it implemented are:
    - 3 subnets: Wired, Trusted Wifi, Guest Wifi.
    - 2 subnets: Wired/Trusted Wifi clients on the same subnet, separate subnet for guest wifi.

    If you have a PS4 or XB1 on your home wifi, you'd probably want to go with the 2 subnet approach if you use the associated phone apps for their extended functionality. Otherwise having the gaming consoles on a separate subnet from the wifi causes the phone apps to fail when trying to discover/connect to the console.

    You mentioned wanting to avoid a pfSense install, and with the equipment you have this is possible. Unfortunately if this is the route you want to take you'd have to head over to the UniFi forums for assistance in setup, but I think with the info you have now you should be able to accomplish what you're trying to do.



  • Oh no, I don't have any issue with installing pfSense (on a new node if necessary) to make this work - that's why I asked here! I just misunderstood first reply as meaning that pfSense wasn't required and it could all be done with just the built-in functionality of the Unifi APs.

    Unfortunately the VF Connect doesn't appear to support bridged mode. Nor does it support multiple subnets on the LAN side, except for the special case of a separate subnet for its guest wifi. It's a frustratingly restricted box!

    So if pfSense is going to be the default gateway for the internal subnets, does that mean that the internal devices (wired and wireless) will be double-NATted? Is there any way to avoid that?



  • @mishad:

    Oh no, I don't have any issue with installing pfSense (on a new node if necessary) to make this work - that's why I asked here! I just misunderstood first reply as meaning that pfSense wasn't required and it could all be done with just the built-in functionality of the Unifi APs.

    Unfortunately the VF Connect doesn't appear to support bridged mode. Nor does it support multiple subnets on the LAN side, except for the special case of a separate subnet for its guest wifi. It's a frustratingly restricted box!

    So if pfSense is going to be the default gateway for the internal subnets, does that mean that the internal devices (wired and wireless) will be double-NATted? Is there any way to avoid that?

    You can accomplish the setup without pfSense. The UniFi controller can host DHCP out to your wireless clients, or you can leave the DHCP server on the VF Connect. The exact setup depends heavily on your equipment's capabilities (VLAN support on the VF Connect, whether you have a managed switch, etc).

    As for deploying the setup with pfSense, you will need it to be the default gateway for your subnets. Double NAT would be happening. There are a couple of ways to prevent this from happening, depending on the VF Connect's capabilities.

    Scenario 1: VF Connect supports 1:1 NAT, in which case you would 1:1 NAT pfSense, effectively preventing double NAT. Double NAT would still be happening, but due to the 1:1 NAT you wouldn't have the VF Connect alter the source:dest ports.

    Scenario 2: VF Connect supports port forwarding, in which case you port forward all ports to pfSense. Inbound double NAT would effectively be stopped, but outbound double NAT could still happen.

    Scenario 3: VF Connect supports static NAT + one of the above scenarios. In this case you tell the VF Connect to never alter the source:destination ports when NATing. Double NAT still technically happens, but wouldn't affect anything. This would make pfSense the 'effective' NAT.



  • Thank you! Very helpful indeed.



  • What country is this?

    3rd party VDSL2 modems are quite common, especially in Europe.

    Getting the pppoe credentials is another battle entirely. Your only options really are

    a) Trying to socially engineer support staff.
    b) Use exploits of the modem to extract the pppoe credentials



  • Vodafone fibre broadband in UK. Apparently their policy is to not give out the PPPoE credentials (despite there being nothing in their T&Cs saying that only their provided equipment can be used) - though a few customers do seem to have managed it (probably via the magical powers of the "retention" team).

    I've not been able to find any info on an exploit (unlike, say, the Sky UK boxes which leak PPPoE creds on the LAN ports).

    So currently I'm resigned to using the VF Connect box and working around its limitations as far as possible.



  • @mishad:

    Vodafone fibre broadband in UK. Apparently their policy is to not give out the PPPoE credentials (despite there being nothing in their T&Cs saying that only their provided equipment can be used) - though a few customers do seem to have managed it (probably via the magical powers of the "retention" team).

    Very unfortunate. I know in the UK you have lots of broadband options assuming you have access to BT or TalkTalk backhaul.