NAT-behind-NAT

Forums › New Zealand Broadband › NAT-behind-NAT

lyall

36 posts

Geek

#20669 2-Apr-2008 16:14

I've recently come across a couple of ADSL modems with NAT enabled. In both cases there are wireless routers involved too so the computers are effectively "double-NATted". I'm surprised the modems are using NAT - I thought the usual scenario was that the ISP allows for one IP, and if you have more than one device get a router. That's what TCL does. Quite what the need for NAT is in the modem I don't know.

Anyway, my question is: does anyone know if this is normal in NZ? How about with ADSL (or other) connections overseas?

Some background: I've developed a couple of products that make services available on the net; they're targeted at your average home or small office user. I use UPnP and NAT-PMP to open a port in the router for incoming connections. Great, usually, but this won't get through two layers of NAT of course.

Obviously there are ways around this with a bit of configuration - make the modem DMZ to the router, or put the router in bridge mode (the first being more useful because the modems seem not to do UPnP) - but I'm trying to take the burden of configuration away from the user. This NAT-behind-NAT scenario has me a little worried, so any advice as to how common it is would be great.

Adrian

bcourtney

652 posts

Ultimate Geek

Trusted

#120524 2-Apr-2008 16:20

You'd be damn lucky to find an ADSL modem out there that isn't also a router - hence the ability for NAT...

I haven't seen a standalone ADSL modem in a long time. I'm not saying that you can't buy them (well maybe I am - can you still buy them??), it's just that i haven't physically handled one in a long time. And I deal with my fair share of ADSL routers

lyall

36 posts

Geek

#120531 2-Apr-2008 16:45

Right. So I guess what I'm really interested in is whether the router functionality is turned on in your standard home ADSL installation.

It seems odd to act as a router when you can only have one device attached. Is it all about the firewall? Or perhaps there's something I'm missing about the way ADSL works?

bcourtney

652 posts

Ultimate Geek

Trusted

#120538 2-Apr-2008 16:57

With some of the ADSL routers that have only a single RJ45 (LAN) port, then it's just simply a matter of sticking a simple network switch behind it and then you can connect PCs till your heart's content.

Other than the ridiculous basic, single-port ADSL routers that many ISPs hand out for free with new connections, I'd hazard a guess that the majority of all other ADSL routers have 4 LAN ports. But increasing the number of PCs that can connect to the router (regardless of whether it's only got 1 LAN port or 4) is simply a matter of connecting a network switch (or several!).

Fraktul

836 posts

Ultimate Geek

Trusted

#120542 2-Apr-2008 17:19

You can setup your ADSL router as a half bridge if it supports it and then have it connected to your wireless router to prevent double NAT.

lyall

36 posts

Geek

#120556 2-Apr-2008 18:08

bcourtney:
Other than the ridiculous basic, single-port ADSL routers that many ISPs hand out for free with new connections...

Ah, it's exactly these that I'm interested in - the experience of the average punter.

I was playing with a Telecom-provided one today. It was using NAT - my fear is that this is what they do for the standard installation.

cyril7

9058 posts

Uber Geek

ID Verified

Trusted

Subscriber

#120558 2-Apr-2008 18:11

Unforturnately not many ADSL modem/routers support half bridge, so I find normally its easier to just not use the router in the WiFi router, ie dont use the WAN port of the WiFi router and just connect a LAN port of that router to the ADSL modem, and turn the WiFi routers DHCP server off.

I have noted double nating is quite common, it seem more from ignorance than anything else. Bottom line is that for normal browsing and apps where LAN clients create connections with servers out on the Internet/Wan most users see no problems. As soon as you introduce anything more complex like SIP then the wheels fall off.

I was playing with a Telecom-provided one today. It was using NAT - my fear is that this is what they do for the standard installation.

Dont forget that NAT is the core of a basic Firewall for simple routers, so naturally its desired even in a single port modem/router.

Cyril

hpj2007

117 posts

Master Geek
Inactive user

#120559 2-Apr-2008 18:15

Half bridge it mate

Quic Broadband

Move to New Zealand's best fibre broadband service (affiliate link). Free setup code: R587125ERQ6VE. Note that to use Quic Broadband you must be comfortable with configuring your own router.

coffeebaron

6234 posts

Uber Geek

Trusted

Lifetime subscriber

#120566 2-Apr-2008 18:46

Dynalink RTA1320 or Linksys AM300 are two common routers here that do half-bridge mode. (NB: the Linksys requires the lastest firmware to work correctly).

Rural IT and Broadband support.

Broadband troubleshooting and master filter installs.
Starlink installer - one month free: https://www.starlink.com/?referral=RC-32845-88860-71
Wi-Fi and networking
Cel-Fi supply and installer - boost your mobile phone coverage legally

Need help in Auckland, Waikato or BoP? Click my email button, or email me direct: [my user name] at geekzonemail dot com

PenultimateHop

637 posts

Ultimate Geek

Trusted

#120573 2-Apr-2008 19:06

lyall:
I've recently come across a couple of ADSL modems with NAT enabled. In both cases there are wireless routers involved too so the computers are effectively "double-NATted". I'm surprised the modems are using NAT - I thought the usual scenario was that the ISP allows for one IP, and if you have more than one device get a router. That's what TCL does. Quite what the need for NAT is in the modem I don't know.

Anyway, my question is: does anyone know if this is normal in NZ? How about with ADSL (or other) connections overseas?

A NATing DSL gateway is common, given the PPPoA nature of the TNZ network. Half-bridge is a kludgey work-around and not common.

The NATing wireless gateway sounds like the problem to me - this is obviously user error in using the wrong device (or wrong device config) for their topology.

You can expect to see about 99% of the DSL population in NZ sitting behind NAT, on the DSL device.

lyall

36 posts

Geek

#120577 2-Apr-2008 19:25

Thanks a lot everyone. It sounds like the answer is yes, I definitely need to be aware of this situation.

A bummer, but better than not knowing about it!

PenultimateHop

637 posts

Ultimate Geek

Trusted

#120588 2-Apr-2008 20:01

lyall: Thanks a lot everyone. It sounds like the answer is yes, I definitely need to be aware of this situation.

Yes, it's definitely worth knowing about. It sounds like you've followed good development so far, but it's always worth it to keep on top of what the IETF BEHAVE working group is developing for NAT/multi NAT best practices.

There's been discussions inside IETF and other industry bodies about extending uPNP/NAT-PMP to support cross boundary port requests, which would resolve the issue you have raised.

richms

28187 posts

Uber Geek

Trusted

Lifetime subscriber

#122828 11-Apr-2008 12:52

This is because places are still telling people that they have a dsl modem.

There is no dsl modem that will operate on a pppoa network and present it on a ethernet interface currently available. The m1122 had its pptp to pppoa relay, which worked except there are stuff all routers that will do pptp on the wan interface.

The half bridge (ab)uses dhcp to hand out the wan address to a PC, it uses another valid internet IP as the gateway IP and that makes neighboring ips on the internet inaccessable since they are misused as the broadcast and network address on the lan segment.

There is internal and usb modems that will get the real ip onto the pc properly by running ppp on the computer, but they arent common, and are useless in your example since they wont connect to a standalone router that people buy anyway.

UDP and stun seems to be sweet as thru multiple nats, perhaps look into using that?

Richard rich.ms

PenultimateHop

637 posts

Ultimate Geek

Trusted

#122900 11-Apr-2008 17:22

richms: The half bridge (ab)uses dhcp to hand out the wan address to a PC, it uses another valid internet IP as the gateway IP and that makes neighboring ips on the internet inaccessable since they are misused as the broadcast and network address on the lan segment.

Anything that implements the half-bridge "workaround" should also implement local-proxy-arp to make the neighboring IPs available.

Any device that doesn't is flawed.