On SoHo (small office/home office) networks, a common configuration error is double NAT. What usually happens is that the ISP, for whatever reason, supplies its own pre-configured ADSL router/modem. The ISP router/modem is required because the ISP must configure its end of the Internet WAN link on its own device. The ISP also does not give out passwords or allow access to the device, which is again reasonable: after all, they do not want people altering the configuration of ADSL links.
The problem with ISP configurations is that they usually leave the customer with only one Ethernet port to work with, and this causes problems when you want to build a small home network.
This setup causes issues as soon as you need Wi-Fi access for portable devices and wired access for desktops. You might, like many SoHo customers, have an iPad, a Kindle and a Wi-Fi notebook along with an Ethernet laptop and a desktop PC. To accommodate all these Wi-Fi-only devices as well as the two Ethernet devices, you trot off to your local store and buy your own Wi-Fi access point and a small eight-port Ethernet switch, thinking that these purchases will solve the connectivity issue. You would be correct if you had in fact bought a Wi-Fi access point, but what you most likely buy is a Wi-Fi router.
Why does buying a router instead of an access point cause a problem? At first it does not seem to be one. The router is plugged in, and after a while everything appears to work: you and the other connected devices can reach the Internet. If you pay attention, though, you will notice that the new router causes duplicate IP addresses.
What has happened is that by plugging a new router into the back of the ISP’s modem/gateway, the network has been segmented and double NAT has been introduced.
The result is a layer of unnecessary equipment and complexity added to the network. You should have bought a layer-2 Wi-Fi access point, which is a local area network device. Had a Wi-Fi access point been connected to the newly acquired Ethernet switch, and the switch connected to the ISP router’s LAN port, all the Wi-Fi devices would have been transparently connected to the LAN and from there to the Internet.
Instead, by attaching a router, you place an unwanted lump between yourself and the Internet. To compound the problem, both routers are now competing to hand out DHCP IP addresses, causing occasional IP conflicts due to duplicate IP addresses.
Consider the table below to visualize the problem.
**The Ideal Topology & Configuration (this was what was envisaged)**

| Internet | ISP Router | Home LAN with Ethernet Switch / Access Point |
|---|---|---|
| <---- | (1) NAT, (1) DHCP ----> | ----> |

**The Actual Topology with Double NAT Introduced**

| Internet | ISP Router | New Wi-Fi Router | Home LAN with Ethernet Switch / Access Point |
|---|---|---|---|
| <-> | (1) NAT, (1) DHCP -->, (1) F/W <-> | <--> (2) NAT, (2) DHCP -->, (2) F/W <-> | --> double NAT breaks remote access; 2 x DHCP address servers, 2 pools; 2 x layers of firewall |
| Internet | Public IP | Private NAT address for router | NAT done again for private address / private address for LAN, plus DHCP conflicts |
The table above shows the second Wi-Fi router plugged into the LAN port of the ISP router. The result is that the new router is given the private address 192.168.1.1 from the ISP router’s DHCP address range. Because it is a router and configured as one, it offers DHCP IP leases to the hosts connected to its own LAN, and it performs a private-to-private NAT translation that is entirely unnecessary.
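One way to confirm the topology above from any host on the LAN is to look at the first hops of a traceroute: with a single NAT the first gateway is private and the next hop is already the ISP’s network, whereas with double NAT two private gateways appear in a row. The script below is an added example, not part of the original article; the traceroute output it parses is constructed to match the article’s topology, with the documentation ranges 198.51.100.0/24 and 203.0.113.0/24 standing in for public addresses.

```python
import ipaddress
import re

# Address space that only ever appears on the inside of a NAT: RFC 1918 plus
# the RFC 6598 shared range used by carrier-grade NAT (CGNAT).
NAT_SIDE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

# Constructed traceroute output modelling the article's double-NAT topology:
# hop 1 is the new Wi-Fi router, hop 2 the ISP router, hop 3 the ISP's network.
SAMPLE_DOUBLE_NAT = """\
traceroute to example.net (203.0.113.10), 30 hops max, 60 byte packets
 1  192.168.0.1 (192.168.0.1)  0.412 ms  0.371 ms  0.350 ms
 2  192.168.1.1 (192.168.1.1)  1.902 ms  1.850 ms  1.812 ms
 3  198.51.100.1 (198.51.100.1)  14.330 ms  14.102 ms  14.011 ms
"""

# Constructed output after the fix: the access point is layer 2, so it is invisible.
SAMPLE_SINGLE_NAT = """\
traceroute to example.net (203.0.113.10), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  0.912 ms  0.871 ms  0.850 ms
 2  * * *
 3  198.51.100.1 (198.51.100.1)  14.330 ms  14.102 ms  14.011 ms
"""

# Hop number, host name, then the dotted-quad address in parentheses.
HOP_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\((\d{1,3}(?:\.\d{1,3}){3})\)")

def parse_hops(output):
    """Return the responding hop addresses in order; timeout lines (* * *) are skipped."""
    return [ipaddress.ip_address(m.group(2))
            for m in (HOP_RE.match(line) for line in output.splitlines()) if m]

def is_nat_side(addr):
    """True when the address (string or ipaddress object) can only be inside a NAT."""
    addr = ipaddress.ip_address(addr)
    return any(addr in net for net in NAT_SIDE_NETS)

def count_nat_layers(output):
    """Length of the leading run of NAT-side gateways before the first public hop."""
    layers = 0
    for hop in parse_hops(output):
        if not is_nat_side(hop):
            break
        layers += 1
    return layers

def has_double_nat(output):
    """Two or more NAT-side gateways in a row is the signature of double NAT."""
    return count_nat_layers(output) >= 2
```

A gateway that does not answer traceroute shows up as `* * *` and is skipped, so a silent second router would be undercounted; in that case compare the WAN address shown on each router’s status page with your real public address instead.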
Before considering any potential solution, there are certain restrictions:
- The ISP router password is unknown
- The ISP router cannot be switched out, as the configuration for the ADSL WAN link is unknown
- Similarly, the DHCP server on the ISP router cannot be changed, as there is no access to the router
Potential Solution No 1
Then consider the following steps:
1) Unplug the new Wi-Fi router from the LAN port on the ISP gateway/ADSL modem
2) Connect the Ethernet switch by an RJ45 cable to the ISP router’s LAN port
3) Connect the desktop, laptop, etc. and check DHCP and Internet access
4) Connect a laptop directly to the Wi-Fi router and open its admin interface at 192.168.1.1
5) Enter the login password for the new Wi-Fi router
6) Switch off DHCP and the firewall
The next stage is to reduce the new Wi-Fi router to a simple layer-2 device by switching off NAT and DHCP and configuring layer-2 bridging.
7) Switch off layer-3 routing
8) Configure layer-2 bridging (pass-through) mode
9) Connect the Wi-Fi router (now an access point) to the Ethernet switch and power it up
10) Connect the Wi-Fi devices to the new beacon (SSID)
11) Check Internet access through a browser
**The Proposed Solution with Double NAT, DHCP & F/W Removed**

| Internet | ISP Router | New Wi-Fi Router & Home LAN with Ethernet Switch |
|---|---|---|
| 220.127.116.11 | 18.104.22.168 | ----> L-2 bridge, switch off NAT, F/W & DHCP; 192.168.1.0/24 ----> private LAN |
| <------ | (1) NAT, (1) DHCP -->, (1) F/W | |
The final test is to try to connect through the ISP router/modem using the remote access application, now that the double NAT is gone, along with the double DHCP and the twin firewalls.