Double nat only a problem for devices behind the second nat?

In the config I envisage:

a) OpenWrt wireless AP (wlan) handing out a separate 192.168.xxx range; devices in this network use NAT for access to the LAN side, and the LAN then NATs the LAN side's DHCP address on its own 192.168.yyy range. Devices on this WAP will have no general access to the LAN: accept, reject, reject, plus some firewall rules to allow forwarding.

b) LAN side of OpenWrt is a DHCP client of the DHCP router, with full access to the wlan side: accept, accept, accept.

So any device off the main WAN-connected router should still function OK, viz. games and DMZ etc., but a device behind the OpenWrt second NAT wireless will not be accessible?

In general, yes. This is how NAT works.

Rather than having double NAT, have you considered just configuring 2 networks / VLANs on the same router? Much easier to manage and the firewall rules will be pretty straight forward (by default, OpenWrt doesn't route between subnets)

The question of convenience vs. security and overall topology is a tricky one. I have only been messing with OpenWrt on 1-WiFi, 1-LAN-port devices like the Raspberry Pi to familiarise myself with it. There's a whole world of multiple-radio, multiple-switch routers I cannot afford, but I reckon I am now confident enough to upgrade my old WiFi router, which probably does not even support VLANs.

And I needed an alternative hotspot to shift all my nodes onto while I upgrade the router.

Essentially my reasoning is a WiFi hotspot to segregate IoT devices, so if the WiFi key is cracked it does not get them anywhere except inside that segment, where devices should still be reasonably hard to crack anyway as they are kept up to date.

What OpenWrt router are you using now? Many (but not all) routers supported by OpenWrt can handle VLANs without any issues -- you just have to configure accordingly.

If you do double NAT, you must keep in mind that the innermost layer (double NAT) is inherently more secure than the outer layer, assuming proper firewall and NAT configurations.

For example:
Internet > Router A > Router B (both routers with NAT; each must have a different LAN network/subnet from the other)

Router B devices will be double-NAT'd but will be able to access the internet AND the clients on Router A*. Clients connected to router A, on the other hand, will only be able to get to the internet and will not be able to access clients on Router B.

EDIT: Adding that you can create firewall rules to prevent access to devices on Router A from Router B, but without explicitly creating such rules (i.e. the default configuration), B devices can reach A clients.

You’re probably better off with a single, well-configured firewall and subnets/VLANs. Most multi-port routers support both with OpenWrt.

(Security is not a reason to use NAT, as NAT is not a firewall, nor is a double layer of unthinking security any better than one)

I am running OpenWrt on an Arduino Yun and a Raspberry Pi. The reason being, when using an ESP8266, hard-coding the WiFi password in the program is simplest, and once it is set running, remotely upgrading the password on an 8266 requires extra coding and/or manual intervention, so a separate segregated "untrusted" network is ideal for the purpose, and the Yun and Raspberry are a useful place to deploy an MQTT broker, as they are always on anyway and are a useful, powerful IoT node in themselves.

I was going to upgrade my antique WNR main router to OpenWrt but just discovered only the RUS version with 16 MB flash is supported, and I probably have the 8 MB version, which I assume could be built using the openwrt-builder package, which I will look at if I get time.

Looks like it is time to buy a new router, or stick IPFire on as the main router (which seems more intuitive to configure) and use the old WNR as another segregated WiFi on orange if required.

I noticed the real problem with double NAT from the network I have behind IPFire on a router not being able to connect to the network behind OpenWrt on a router, obviously because any node behind IPFire is already masqueraded, so the net on OpenWrt does not know how to return that, as it is not the actual IP it needs to be returned to. (I think)

Now I am having problems following the routed client example

https://openwrt.org/docs/guide-user/network/routedclient

I will post another topic on this once I make sure that the reason it was not working is not because OpenWrt needed a reboot to apply the static route.

But I think that page is not as detailed as I would like; it does not describe the setup of the static route in LuCI, and the terms used do not match. Plus, what I want to do is the inverse of the example: connect LAN one way to WLAN.

The solution was to set up the correct static route on the internet-facing router, and to understand what values you need:

so to forward an entire network 192.168.99.0 you need netmask 255.255.255.0

It was helpful to install tcpdump and run

tcpdump -i eth1 -n 'not (port 22 or 80)'

to see if the rule was getting ping traffic to openwrt.

though that appears to introduce its own problems, in that now there is no concept of forwarding between the networks with accept, accept, reject: ping gets through both ways, even with no zone forwarding in either direction,

though WLAN cannot ping the internet, i.e. google.com, but does get DNS lookup (because the DNS port is open).

It's a whole complex area when you want to step outside the simple, LOL.
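The single-router alternative suggested earlier in the thread (two networks in separate firewall zones, no second NAT) together with the static route described in the last post, written out as an added example; this is not configuration from the thread or from the OpenWrt project, and every name and address in it is an assumption: OpenWrt 21.02 or later, an upstream router at 192.168.1.1, the OpenWrt device fixed at 192.168.1.2 on eth0 (the upstream static route points at it, so it must not wander with DHCP), wlan0 as the IoT access point on 192.168.99.0/24, and an MQTT broker listening on the OpenWrt device itself. Interface names follow the OpenWrt default, so the upstream-facing side is called 'wan' here, not 'lan' as in the posts above.

```uci
# /etc/config/network  (added example; all addresses are assumptions)
config interface 'wan'
	option device 'eth0'
	option proto 'static'
	option ipaddr '192.168.1.2'        # fixed: the upstream static route points here
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'
	list dns '192.168.1.1'

config interface 'iot'
	option proto 'static'              # wlan0 is attached through /etc/config/wireless
	option ipaddr '192.168.99.1'
	option netmask '255.255.255.0'

# /etc/config/wireless  (AP stanza only; keep the generated radio0 section)
config wifi-iface 'iot_ap'
	option device 'radio0'
	option mode 'ap'
	option network 'iot'
	option ssid 'iot-segment'
	option encryption 'psk2'
	option key 'CHANGE-ME'
	option isolate '1'                 # IoT clients cannot talk to each other over the AP

# /etc/config/dhcp
config dhcp 'iot'
	option interface 'iot'
	option start '100'
	option limit '150'
	option leasetime '12h'

# /etc/config/firewall
config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option forward 'REJECT'
	option output 'ACCEPT'
	option masq '0'                    # routed, not NATed: the upstream router routes 192.168.99.0/24 back here

config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'
	option forward 'REJECT'
	option output 'ACCEPT'

# Services IoT clients may use on the router itself: DHCP, DNS and the (assumed) MQTT broker.
config rule
	option name 'Allow-DHCP-DNS-iot'
	option src 'iot'
	option proto 'udp'
	option dest_port '53 67'
	option target 'ACCEPT'

config rule
	option name 'Allow-MQTT-DNS-tcp-iot'
	option src 'iot'
	option proto 'tcp'
	option dest_port '53 1883'
	option target 'ACCEPT'

# Management of this device from the upstream LAN (SSH and LuCI); input is REJECT otherwise.
config rule
	option name 'Allow-Admin-from-upstream'
	option src 'wan'
	option proto 'tcp'
	option dest_port '22 80'
	option target 'ACCEPT'

# IoT clients reach the internet through wan but not the upstream LAN itself.
# Rules are evaluated before the zone forwardings below, so this REJECT wins.
config rule
	option name 'Block-iot-to-upstream-lan'
	option src 'iot'
	option dest 'wan'
	option dest_ip '192.168.1.0/24'
	option proto 'all'
	option target 'REJECT'

config forwarding
	option src 'iot'
	option dest 'wan'

# One-way access from the upstream LAN into the IoT segment; conntrack passes the replies.
config forwarding
	option src 'wan'
	option dest 'iot'

# On the upstream router, if it is also OpenWrt (in its own /etc/config/network).
# On IPFire the same route goes in via its static routes page.
config route
	option interface 'lan'
	option target '192.168.99.0'
	option netmask '255.255.255.0'
	option gateway '192.168.1.2'
```

Apply with `/etc/init.d/network restart` followed by `/etc/init.d/firewall restart`. Two checks are worth doing: from a host on the upstream LAN, ping a 192.168.99.x lease while running the tcpdump command from the post on the OpenWrt device's eth0 to confirm the upstream route actually delivers the packets, then from an IoT client confirm that google.com resolves and is reachable while 192.168.1.1 is not. If traffic crosses in a direction you did not allow, print the effective zones with `fw4 print` (22.03 and later) or `fw3 print`: the zone forward policy governs forwarding between networks inside one zone, so an interface that has landed in a zone with forward ACCEPT passes traffic regardless of the forwarding sections.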
