How to access routers in a double NAT setup

Greetings

Looking at setting up a double NAT setup.

  1. ISP signal coming in
  2. router #1
  3. router #2 wired to #1
    (router #2 serves wired computers)
  4. router #3 wired to #1
    (router #3 serves wireless computer connections, TV streaming etc)

How do I access router #1 from a system connected to router #2?
(For operational control access or whatever.)

Do you know the IP address of the downlink port of router 1?

The "LAN" side of router 1 and its IP address should be available by way of router 2 for hosts that have a default route through router 2. (Exceptions for the degenerate case where the IP address is on two of your routers' subnets.)


Haven't set things up yet but I will know that IP address.

Then where is the problem? SSH to it.

Is there a reason why you're using double NAT?

Isolation of the two subnets is perhaps easier to configure and more robust through use of VLANs and subnets.


I think the OP has shown us a cropped version of the topology; router 1 and router 2 may have switches between them and be connected to some other LANs too,

so he has opted for dual NAT. Let's see what he replies.

There are a number of reasons why I'm looking to use double NAT.

  1. A while ago my ISP went down (I'm on a wireless internet connection and this happens often enough in this environment) and when this happened not only did I not have WAN access (the internet) I also lost my internal LAN. I am working toward where I have control/monitoring equipment that is on 24/7 and I really don't want downtime so want an internal LAN that at least has the potential to have very little down time.

  2. I really want higher levels of security on/for my equipment here. I think I would like to reduce the likelihood of software tag along or where site scripts are pulling any of my information and then sending it back for their delectation (sale and/or whatever).

  3. To date all I have is a single router running DD-WRT (not that that's bad but OpenWrt has been recommended as perhaps a larger router 'universe' per se). Looking for some way to achieve the aforementioned goals the responses (on various LUGs) have been few but consistently saying - - - some form of double NAT (a 3 router setup). When I have asked how to set up such a beast I have been told that the reason there is no information to be found is that it's just too easy/normal so no one has written it up. So when I found some guides on how to achieve what I'm wanting to do - - - well I'm trying to implement them. I have been working through any potential problems BEFORE implementation and it didn't seem straightforward as to how to access router #1 when my system is also behind router #2. As a networking noob (and finding very little information out there except for just using one router (very simple needs) or highly complex commercial systems (complex needs accompanied by very high costs)) I am walking through things one step at a time. There is much to know and very little of it that I do know so there very likely could be better ways to achieve what I'm trying to do but how can I know ahead of time what other options there are?


People often confuse NAT and firewalls. They are not the same thing. It's perfectly possible to have a firewall on router 2 without it doing NAT. What NAT does is it makes the whole network behind router 2 look like one host. I don't see any advantage to that really.


Your objectives are all very reasonable. Isolating various client classes on their own subnets with appropriate firewalls between them is a prudent plan, as is having a management subnet with very limited access to manage the various "sensitive" parts of your infrastructure.

Where I, and I would expect security/networking experts would disagree is in the use of NAT as a firewall. NAT is not a firewall, though it does provide some restrictions on connections. One can make an argument that a NAT is significantly less secure than a proper firewall, not only due to the lack of control, the fact that clients can open any outgoing connection, and further that, as far as I know, declined connections can't be logged with Linux NAT.

NAT also does absolutely nothing to manage IPv6 (and, for any home user, [Edit: IPv6 NAT of any flavor] should probably never be used).

NAT also breaks certain security features of TCP/IP transport, such as ESP (The encapsulated packet contains the "inside" address, though the packet has the "outside" address, so that it looks to be "forged".)

Multiple subnets, each with their own DHCP (if used at all) and DNS, and a proper firewall should allow you to:

  • Keep your networks running locally even without connection to the public Internet (though you'll be unable to resolve or connect to public services without connectivity)
  • Control traffic between subnets as you see fit with firewall rules

Very often VLANs are used to "trunk" multiple subnets over a single Ethernet cable. A "smart switch" (VLAN-aware) is able to filter out VLANs to specific ports, if additional isolation is required. OpenWrt, for most devices, can configure the device's switch as a smart switch.

For devices that have fewer Ethernet interfaces than subnets in use, VLANs are used within the device.

Edit: The subtlety that @dlakelan brings up is important, the use of NAT on Router 2 "hides" the identity of all the devices behind Router 2 -- You won't be able to either define rules around specific IP addresses, nor be able to log "interesting" behavior of those clients.
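The point jeff and @dlakelan make above (NAT hides every host behind router 2 behind one address, and the only thing it blocks is unsolicited inbound traffic) can be seen in a small model. The following Python is an added example written for this thread; it is not code from any poster or from the OpenWrt project. All addresses are assumed: router 1's LAN is 192.168.1.0/24 with router 1 at 192.168.1.1 and router 2's WAN side at 192.168.1.2, router 2's LAN is 192.168.2.0/24, and 203.0.113.10 (a documentation-range address) stands in for a public web server. The sample flows are constructed.

```python
from dataclasses import dataclass, replace
from typing import List, Optional, Dict

# Constructed addressing, assumed for this example only (not taken from the thread):
#   router 1 LAN 192.168.1.0/24: router 1 is 192.168.1.1, router 2's WAN side is 192.168.1.2
#   router 2 LAN 192.168.2.0/24: clients .10, .11, .12
#   203.0.113.10 is a documentation-range address standing in for a public web server.


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


# Constructed sample traffic originating behind router 2.
CLIENT_FLOWS = [
    Flow("192.168.2.10", 51000, "203.0.113.10", 443),  # browsing
    Flow("192.168.2.11", 51001, "203.0.113.10", 443),  # browsing
    Flow("192.168.2.12", 40000, "192.168.1.1", 22),    # the admin PC managing router 1
    Flow("192.168.2.10", 40001, "192.168.1.1", 22),    # a non-admin host trying the same
]


class SourceNat:
    """Masquerading the way router 2 would do it: each outbound flow is rewritten to the
    router's WAN address and a fresh port, and the mapping is remembered so replies can be
    translated back. Inbound packets with no matching entry are dropped, which is the only
    'restriction on connections' NAT provides."""

    def __init__(self, wan_ip: str, first_port: int = 1024):
        self.wan_ip = wan_ip
        self.next_port = first_port
        # (nat src, nat sport, dst, dport, proto) -> original Flow
        self.conntrack: Dict[tuple, Flow] = {}

    def outbound(self, f: Flow) -> Flow:
        translated = replace(f, src=self.wan_ip, sport=self.next_port)
        self.next_port += 1
        self.conntrack[(translated.src, translated.sport, f.dst, f.dport, f.proto)] = f
        return translated

    def inbound(self, to_ip: str, to_port: int, from_ip: str, from_port: int,
                proto: str = "tcp") -> Optional[Flow]:
        """A packet arriving on the WAN side: return the client flow it belongs to,
        or None when there is no state for it (unsolicited, so dropped)."""
        return self.conntrack.get((to_ip, to_port, from_ip, from_port, proto))


def sources_seen_by_router1(flows: List[Flow], nat: Optional[SourceNat] = None) -> List[str]:
    """Source addresses router 1's firewall (and its log) can actually see."""
    if nat is not None:
        flows = [nat.outbound(f) for f in flows]
    return sorted({f.src for f in flows})


def ssh_verdicts(flows: List[Flow], allowed_src: str) -> Dict[str, bool]:
    """A per-host rule on router 1: allow SSH to it only from one trusted source.
    Returns {source address: allowed?} for the SSH attempts it sees."""
    return {f.src: f.src == allowed_src for f in flows if f.dport == 22}


if __name__ == "__main__":
    # Routed, no NAT on router 2: router 1 sees each client and the per-host rule works.
    print(sources_seen_by_router1(CLIENT_FLOWS))
    print(ssh_verdicts(CLIENT_FLOWS, allowed_src="192.168.2.12"))
    # Double NAT: every client arrives as 192.168.1.2, so the rule cannot tell them apart.
    nat = SourceNat("192.168.1.2")
    translated = [nat.outbound(f) for f in CLIENT_FLOWS]
    print(sources_seen_by_router1(translated))
    print(ssh_verdicts(translated, allowed_src="192.168.1.2"))
    # Replies: the response to the first flow maps back to .10; an unsolicited probe does not.
    print(nat.inbound("192.168.1.2", 1024, "203.0.113.10", 443))
    print(nat.inbound("192.168.1.2", 2222, "203.0.113.10", 443))
```

Without NAT the rule on router 1 admits the admin PC and refuses the other host; with NAT both SSH attempts carry source 192.168.1.2, so the rule either admits both or neither, and the log shows one address for the whole subnet. That is exactly the loss of per-client control and logging described in the post.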

Just to point out the obvious, unless you've done something wrong (weird configuration) or unless your router firmware is [imagine some expletives], there is no reason why your LAN would be affected by WAN going down - and no, OpenWrt deals with this well.

@jeff @ajoeiam, thanks for giving such a wonderful topic.

Yes, even I know a few guys. But there are guys who know the difference but don't go beyond just knowing this :stuck_out_tongue:

Yes, they very well are, but you can see a lot of firewall policies refer to this non-utilization of NAT as transparent NAT only :stuck_out_tongue:
Moreover, if the purpose is solved just by disguising the devices behind one IP, what's the purpose of using a firewall then?

Yes, correct that hosts behind router 2 seem to be a single host, but they still do serve as different at the application level (like they will have different application-level protocol headers, like different HTTP client headers).

I can still give at least a lot of reasons to believe this topology is better and a few more why it shouldn't be used.

But I prefer to make another useful thread for our debate; let's do what this guy demanded from the community.
Will get back to @jeff's points later.

Your objectives are all very reasonable. Isolating various client classes on their own subnets with appropriate firewalls between them is a prudent plan, as is having a management subnet with very limited access to manage the various "sensitive" parts of your infrastructure.

Where do I find some information on setting up subnets? (I can't see the topic in the documentation list and a search on subnets and subnet setup doesn't really return anything that I'm finding easy to understand.)

Where I, and I would expect security/networking experts would disagree is in the use of NAT as a firewall. NAT is not a firewall, though it does provide some restrictions on connections. One can make an argument that a NAT is significantly less secure than a proper firewall, not only due to the lack of control, the fact that clients can open any outgoing connection, and further that, as far as I know, declined connections can't be logged with Linux NAT.

NAT also does absolutely nothing to manage IPv6 (and, for any home user, [Edit: IPv6 NAT of any flavor] should probably never be used).

My suspicion is that IPv6 will be considered quite standard before this part of the world is using it.

NAT also breaks certain security features of TCP/IP transport, such as ESP (The encapsulated packet contains the "inside" address, though the packet has the "outside" address, so that it looks to be "forged".)

Multiple subnets, each with their own DHCP (if used at all) and DNS, and a proper firewall should allow you to:

  • Keep your networks running locally even without connection to the public Internet (though you'll be unable to resolve or connect to public services without connectivity)
  • Control traffic between subnets as you see fit with firewall rules

Very often VLANs are used "trunk" multiple subnets over a single Ethernet cable. A "smart switch" (VLAN-aware) is able to filter out VLANs to specific ports, if additional isolation is required. OpenWrt, for most devices, can configure the device's switch as a smart switch.

For devices that have fewer Ethernet interfaces than subnets in use, VLANs are used within the device.

Edit: The subtlety that @dlakelan brings up is important, the use of NAT on Router 2 "hides" the identity of all the devices behind Router 2 -- You won't be able to either define rules around specific IP addresses, nor be able to log "interesting" behavior of those clients.

I spent some time reading anything I can find in the openwrt docs re: VLANs and subnets. Most of what I have found is not really applicable. VLANs are recommended with managed switches which, AIUI I could do on the router but other than that I have only unmanaged switches. Subnets sound intriguing but I can't find any setup guide so other than the idea - - - well I'm still quite lost.

I understand the double NAT idea and get that there would be difficulties in putting a server behind both routers but if I wish to do that I could use something like WireGuard to set up a private VPN so I think I understand that particular limitation and have a solution.

Sorry - - - until I have some data and hopefully even a setup guide I'm quite lost with the ideas of both VLANs and/or subnets.

Thank you for the ideas that you pointed out. I have looked for good information on how to setup networking but I haven't found much besides something like 'plug in a router and then plug your systems into the back end' and not really much more.

So that people here can give you some specific advice, would you lay out your goals?

From what I read, you would like to:

  • Have one set of devices that have Internet access ("wired computers")
  • Have another set of devices that also have Internet access ("wireless" and "TV streaming")

I am guessing that you would like to:

  • Restrict access from the "wireless" clients to the "wired" clients
  • Have a reasonably secure way of managing your routers and firewall from one or more of your "trusted", "wired" computers

A clear set of goals as to what the various "classes" of clients you want to serve and which can (and can't) connect to each other will help others to give you good guidance.

Edit: This can all be accomplished without a "smart switch" past what you likely already have in your router, assuming it is running OpenWrt. You can even have more than one wired subnet where "wired 1" can be kept from "talking to" "wired 2" or the like (assuming your router has more than one "LAN" port).

I suspect everyone will be very surprised at how rapidly the IPv6 transition occurs once it really gets going. Already in the US in the last couple of years it's grown by a factor of about 10 and constitutes something like 35 percent of US traffic to Google's servers.

Once 50% of the US has IPv6 I expect a dramatic increase in the commercial availability; business accounts so far have lagged behind, but when lots of customers are on IPv6... there is reason for people to want to connect to them.

The basic idea of a subnet is that it's a network that doesn't share a broadcast and has a different range of IP values.... So imagine you have 2 VLANs, if you broadcast a packet to one VLAN it doesn't also wind up on the other...

192.168.1.0/24 vs 192.168.2.0/24 are two subnets, the /24 means that the network is identified by the first 24 bits (first 3 numbers) and all the devices in the subnet have to have a "host part" that fits in the final number.

Just set up separate ranges for IP addresses on your separate VLANs and you've got separate subnets. There is no need to NAT these networks.
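To make the /24 arithmetic above concrete, and to show why the earlier answer ("router 1's LAN address is reachable for hosts that have a default route through router 2") holds, here is an added Python example using only the standard ipaddress module. It is not code from any post in this thread or from OpenWrt, and every address in it is assumed: the wired PC is 192.168.2.50/24 behind router 2 (LAN 192.168.2.1/24, WAN 192.168.1.2/24), and router 1's LAN address is 192.168.1.1. The route lookup is the general longest-prefix match every IP stack performs, so it also reproduces the degenerate case mentioned earlier, where router 1's address falls inside the host's own subnet and the host never hands the packet to router 2.

```python
import ipaddress
from typing import List, Optional, Tuple

# (prefix, gateway) where gateway None means "directly connected, deliver on the link".
Route = Tuple[ipaddress.IPv4Network, Optional[str]]


def describe(cidr: str) -> dict:
    """Split an address written as a.b.c.d/len into the pieces the post talks about."""
    iface = ipaddress.ip_interface(cidr)
    net = iface.network
    return {
        "network": str(net.network_address),            # the first 24 bits for a /24
        "prefixlen": net.prefixlen,
        "netmask": str(net.netmask),
        "host_part": int(iface.ip) & int(net.hostmask),  # must fit in the final number
        "usable_hosts": net.num_addresses - 2,           # minus network and broadcast
    }


def same_subnet(a: str, b: str, prefixlen: int) -> bool:
    """True when two addresses share the network part, i.e. one broadcast domain."""
    return (ipaddress.ip_network(f"{a}/{prefixlen}", strict=False)
            == ipaddress.ip_network(f"{b}/{prefixlen}", strict=False))


def host_routes(host_cidr: str, default_gw: str) -> List[Route]:
    """An ordinary client's table: its own subnet plus a default route via its router."""
    return [(ipaddress.ip_interface(host_cidr).network, None),
            (ipaddress.ip_network("0.0.0.0/0"), default_gw)]


def router_routes(lan_cidr: str, wan_cidr: str, upstream_gw: str) -> List[Route]:
    """Router 2's table: both attached subnets are connected, everything else goes upstream."""
    return [(ipaddress.ip_interface(lan_cidr).network, None),
            (ipaddress.ip_interface(wan_cidr).network, None),
            (ipaddress.ip_network("0.0.0.0/0"), upstream_gw)]


def lookup(routes: List[Route], dst: str) -> Route:
    """Longest-prefix match; the default route guarantees at least one match."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen)


def path_to_router1(host_cidr: str, r2_lan_cidr: str, r2_wan_cidr: str,
                    r1_lan_ip: str) -> Tuple[List[str], bool]:
    """Hops a packet from a host behind router 2 takes toward router 1's LAN address.
    Returns (hops, reachable)."""
    r2_lan_ip = str(ipaddress.ip_interface(r2_lan_cidr).ip)
    _, gw = lookup(host_routes(host_cidr, r2_lan_ip), r1_lan_ip)
    if gw is None:
        # Degenerate case: router 1's address lies inside the host's own subnet, so the
        # host ARPs for it on router 2's LAN and never sends the packet to router 2.
        return [], False
    hops = [gw]
    _, gw2 = lookup(router_routes(r2_lan_cidr, r2_wan_cidr, r1_lan_ip), r1_lan_ip)
    if gw2 is None:
        hops.append(r1_lan_ip)   # router 1 sits on router 2's WAN subnet: delivered directly
        return hops, True
    hops.append(gw2)
    return hops, False           # would need further routing; not the thread's topology


if __name__ == "__main__":
    print(describe("192.168.1.50/24"))
    print(same_subnet("192.168.1.10", "192.168.2.10", 24))
    # Thread topology (constructed addresses): PC -> router 2 -> router 1, reachable.
    print(path_to_router1("192.168.2.50/24", "192.168.2.1/24", "192.168.1.2/24", "192.168.1.1"))
    # Degenerate case: router 2's LAN reuses 192.168.1.0/24, so the PC never leaves its link.
    print(path_to_router1("192.168.1.50/24", "192.168.1.254/24", "192.168.1.2/24", "192.168.1.1"))
```

The second call is the reason to give router 2's LAN a range different from router 1's: with overlapping ranges the longest-prefix match on the PC selects the directly connected route, and the default route through router 2 is never consulted.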

Just to point out the obvious, unless you've done something wrong (weird configuration) or unless your router firmware is [imagine some expletives], there is no reason why your LAN would be affected by WAN going down - and no, OpenWrt deals with this well.

Well - - - at this point what I have on my router is a fairly vanilla DD-WRT setup.
It may be true that my LAN should not be affected by the ISP connection but I do know that the connection was lost while I was working on some things here and I got notice that I was losing my LAN connections (x2go dying and giving notice of such) between my various machines, all of which were plugged into the same 4 port unmanaged switch.

As the last time the ISP went down the LAN died I want to make sure that it doesn't happen again.

Given how much effort my ISP puts into convincing me that a 9 Mbit/sec connection is not only fast but fully capable of handling multiple users easily for the last 2+ years tells me that they really aren't in any hurry to embrace any changes that might force them to change equipment. I asked about a possible ETA on IPv6 about 6 months ago and the response I got informed me that although they had some idea of what it was - - - - it wasn't on their radar at all. My guess is that if I see it in 30 months that would be quick. Rural ISPs tend to be very much on the far back side of any adoption curve here in all of North America.

That is not normal and shouldn't happen with OpenWrt - and I do have to deal with unexpected downtimes (30-60 minutes, "unscheduled maintenance windows") too often for my liking - while WAN is (obviously) down, LAN and local DNS resolution remain unaffected.

From what I read, you would like to:

  • Have one set of devices that have Internet access ("wired computers")
  • Have another set of devices that also have Internet access ("wireless" and "TV streaming")

I am guessing that you would like to:

  • Restrict access from the "wireless" clients to the "wired" clients
  • Have a reasonably secure way of managing your routers and firewall from one or more of your "trusted", "wired" computers

What you are describing is my initial target (at least).
I don't know what can or can't be easily done and there are lots of other questions.

Reading through the docs I am intrigued with the idea of mesh wireless connections for my location. As there could be a number of different control points with each needing at least some connection to 'mother ship' I am not sure at this point if I want wired or wireless. I had thought so far of using wired connections - - - perhaps more expensive but security is higher than with wireless (far easier to eavesdrop on wireless from outside).

I may want to create a separate unconnected lan for these systems but one potential problem I see is how to update any parts (software) on these systems and then also how to oversee the various activities.

I would very much like to have a well defined action plan but as I really don't have enough background in networking technologies and their possibilities and/or capabilities I think that I am just shooting with one eye covered and the other badly occluded by a partially skewed patch - - - this means that I'm not sure even what questions to ask.
I understand that my lack of understanding makes responding much more difficult for anyone but hopefully there will be some intrepid souls willing to try to guide one more noob toward not only greater understanding but also to an effective network.

Yeah but any ISP equipment purchased in the last 10 years is already IPv6 ready, and once they realize they can ditch a lot of costly IPv4 hassle that's costing them money to support they may change their tune.