Router cascade and double NAT problem

My ISP offers internet access with one static public IP, plus a standard internet access with a public IP that could change.
The ISP router has a function that allows bridge mode for the static public IP only.

I want to isolate any internal network from this router/modem provided by ISP. The ISP router will only be used for telephone communication service provided by ISP.
Therefore I have added another router to my network that will be deployed with OpenWRT.
However this router cascade would typically result in a double NAT scenario.

I found this OpenWRT documentation that explains the problem and discusses different solutions.

In my case at least 2 solutions apply, as the ISP router supports the “exposed host” feature:

Considering the pros & cons I would prefer the solution with additional rules.

My question is:
Can this solution be applied on an OpenWRT router with multi WAN?

This means WAN1 is connected to the ISP router port in bridge mode and configured with the static public IP, and WAN2 is connected to another ISP router port.
NAT must be enabled for WAN1, but disabled for WAN2.
Can this work?

Thanks for your advice.


IPv4 double NAT isn't villain-evil, it just has some technical limits. Do you have software that is affected? Do you use inbound traffic or peer-to-peer games?
Gaming might also depend a bit on how well your ISP router handles port mapping during UDP hole punching. Cable CGN usually does this quite decently.

You might also want to check if your ISP router supports a delegated IPv6 prefix at all; otherwise you will not have internet-routable IPv6 in your inner network, except in an exposed host scenario (and that would no longer extra-isolate your inner net).

IPv6 is not an option.
That means if I asked my ISP to switch to IPv6, I would lose the static public IP and would need to switch the contract.

I'm aware of the disadvantages (peer-to-peer, inbound traffic) related to double NAT, and currently this would not impact the users.
A VPN server for inbound traffic could be set up on the static public IP anyway.

However, these topics are not why I opened this posting.
I need to understand if additional routing rules would work with multi WAN.

It might be quite some manual config work, as there is no out-of-the-box wizard GUI for this.

I have not tried your scenario, but network-wise it does not matter if one of the WANs would use NAT or even nested double NAT.
The NAT config is specific to the affected WAN interface's software-side config, not to the overall routing. The policy-based routing would not care about NAT activities later in the chain.

Although I would start by setting up mwan3 temporarily without any NAT config, so you can be sure that your mwan3 config is working first, before adding all the remaining network parts you want. Otherwise debugging config issues might be difficult.
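As an added illustration of the per-WAN NAT split asked about in the opening post (NAT on WAN1, no NAT on WAN2), here is a UCI configuration that does exactly that. It is an editorial example, not a config posted in this thread and not from the OpenWrt project's documentation. Interface names (`wan1`, `wan2`, `eth1`, `eth2`), the addresses and the `option device` syntax (OpenWrt 21.02 or newer) are assumptions; the public addresses are documentation-range placeholders. Masquerading is a per-zone setting in the firewall config, which is why the reply above can say that NAT does not interfere with the routing decision. The mwan3 policy config is deliberately left out, matching the advice to get mwan3 working before adding NAT.

```uci
# /etc/config/network (added example; addresses are placeholders)

config interface 'wan1'
	option device 'eth1'
	option proto 'static'
	# Placeholder for the ISP-assigned static public IP on the bridge-mode port
	option ipaddr '203.0.113.10'
	option netmask '255.255.255.248'
	option gateway '203.0.113.9'
	option metric '10'

config interface 'wan2'
	option device 'eth2'
	# Address comes from the ISP router's LAN side
	option proto 'dhcp'
	option metric '20'

# /etc/config/firewall (added example)

config zone
	option name 'wan1'
	list network 'wan1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	# NAT on: LAN traffic leaves with the static public IP
	option masq '1'
	option mtu_fix '1'

config zone
	option name 'wan2'
	list network 'wan2'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	# NAT off: LAN source addresses are forwarded unchanged to the ISP router.
	# Return traffic only arrives if the ISP router has a route for the LAN
	# subnet pointing at this router's wan2 address (the "additional rules"
	# approach); otherwise the ISP router NATs it a second time anyway.
	option masq '0'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan1'

config forwarding
	option src 'lan'
	option dest 'wan2'
```

Keeping `input 'REJECT'` on both zones preserves the isolation goal from the opening post: the ISP router can reach nothing on the inner network unless a rule explicitly allows it, regardless of which WAN carries NAT. After editing, `/etc/init.d/firewall restart` and `/etc/init.d/network restart` apply the change; `cat /proc/net/nf_conntrack` (or `conntrack -L` if installed) then shows which connections are actually being translated on each path, which is the quickest way to confirm that only the wan1 path is masquerading.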
