Doing NAT in two routers is undesirable because it tends to break some software such as VPN and online games. By purchasing the correct equipment you can eliminate double NAT.
Router one must support NAT for IP addresses that are not on the same subnet as the router, and it must support static routes. If router one is providing wireless access, it needs to support WPA to be secure. Router one should also have an SPI firewall for security. You could also use a wired router and a separate wireless access point. For testing this I used a Netgear WGR614 version 5 wireless router ($20 after rebate). As far as I know, all the Zyxel routers, firewalls, and DSL modem/routers support all of these requirements except wireless/WPA, and some of them do support WPA. Router one will support the DMZ/wireless subnet.
The second router must support an SPI firewall with NAT disabled to secure the protected LAN. To use DHCP on the protected LAN, the second router must support manually assigning DNS servers (which will be given to the DHCP clients). I used a Zyxel P334WT for the second router (less than $62 shipped). As far as I know, all the Zyxel routers and firewalls currently in production support these requirements. Router two will provide Internet access to the secure LAN through router one.
You must use two subnets. For this example I use 172.30.100.0 for the DMZ and 192.168.8.0 for the LAN, both with masks of 255.255.255.0 (172.30 is a class B block under the now obsolete IP class rules, and the normal mask for a class B is 255.255.0.0, but you can always subnet a class B). You can use your existing subnet for the LAN as long as you use a different subnet for the DMZ.
• Create a static route in Router one with a destination of 192.168.8.0, mask 255.255.255.0, gateway 172.30.100.2
• Set the DHCP server -start- address to 172.30.100.100 and -end- address to 172.30.100.149 (or any range you want as long as it doesn't include .1 and .2 and is part of the same subnet)
• Optionally, set the default DMZ server to 172.30.100.2 if you want to see port probes in the P334WT's logs.
• If you are going to be using wireless, set up and enable Router one's wireless LAN
• Connect the WAN port of Router one to your DSL or cable modem.
• Disable Router Two's wireless LAN if it has one.
• Assign Router two a LAN IP address of 192.168.8.1, mask 255.255.255.0
• Set the DHCP -start- address to 192.168.8.100 and -end- address to 192.168.8.149 (or any range you want as long as it doesn't include .1 and is part of the same subnet)
• Set the first DNS server to the IP address assigned by your ISP as first choice (you can get these from Router one's status page)
• Set the second DNS server to the IP address assigned by your ISP as second choice (you can get these from Router one's status page)
• Set the third DNS server to 172.30.100.1 (the LAN IP of Router one)
• Set Windows networking Netbios over TCP/IP to allow between LAN and WAN (on the LAN setup page)
• Assign Router two a WAN IP address of 172.30.100.2, mask 255.255.255.0, gateway 172.30.100.1
• Set address translation to NONE on a Zyxel P334WT (uncheck -enable NAT- on a Zywall 5)
• Set Windows networking (Netbios over TCP/IP) to allow between LAN and WAN (on the WAN setup page)
• Connect the WAN port of Router two to a LAN port of Router one.
You should install a software firewall on all the wireless and DMZ PCs. I use the free version of Zone Alarm and set it to trust the LAN subnet.
• Connect any wired DMZ PCs to LAN ports on Router one (use a switch if you need more ports).
• Connect your secure LAN PCs to LAN ports on Router two (use a switch if you need more ports).
If you need to access shares on a PC that connects to the DMZ subnet (wired or wireless), go to that PC and at a cmd prompt enter:
route add 192.168.8.0 mask 255.255.255.0 172.30.100.2
or, if you want the route to be semi-permanent (you can still delete it later):
route -p add 192.168.8.0 mask 255.255.255.0 172.30.100.2
(The Windows route command takes the gateway address directly after the mask; there is no "gateway" keyword.)
Then use Find Computer to find the DMZ PC. If you share a folder read/write on the PC, you can transfer files in both directions.
If you need to access shares on the LAN from a DMZ PC, the cheap way is to temporarily disconnect the PC from the DMZ and connect it to the LAN.
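As an added illustration (not part of janderso1's post), here is a small Python model of the packet paths the layout above produces: Router two forwards without NAT but its SPI firewall only lets back in flows the LAN opened, Router one NATs the off-subnet LAN source and uses the static route for replies, and the optional host route on a DMZ PC only changes which path its replies take. The public and Internet addresses (203.0.113.7, 198.51.100.9) are constructed; the NAT table is simplified to one mapping per remote host.

```python
import ipaddress as ipa

DMZ, LAN = ipa.ip_network("172.30.100.0/24"), ipa.ip_network("192.168.8.0/24")
ANY = ipa.ip_network("0.0.0.0/0")
R1, R2_WAN, R2_LAN = "172.30.100.1", "172.30.100.2", "192.168.8.1"
PUBLIC, INTERNET = "203.0.113.7", "198.51.100.9"   # constructed, not from the post

# Per-device routing tables: network -> next-hop IP, "direct", or "internet".
tables = {
    "lan_pc":   {LAN: "direct", ANY: R2_LAN},
    "r2":       {LAN: "direct", DMZ: "direct", ANY: R1},       # NAT disabled
    "r1":       {DMZ: "direct", LAN: R2_WAN, ANY: "internet"},  # the static route
    "dmz_pc":   {DMZ: "direct", ANY: R1},
    "internet": {ANY: PUBLIC},
}
owner = {"192.168.8.100": "lan_pc", R2_LAN: "r2", R2_WAN: "r2", R1: "r1",
         PUBLIC: "r1", "172.30.100.100": "dmz_pc", INTERNET: "internet"}
spi = set()   # router two's SPI table: (src, dst) flows opened from the LAN side
nat = {}      # router one's NAT table (simplified: remote host -> private source)

def next_hop(dev, dst):
    """Longest-prefix match in the device's routing table."""
    routes = tables[dev]
    return routes[max((n for n in routes if ipa.ip_address(dst) in n), key=lambda n: n.prefixlen)]

def add_dmz_host_route():
    """Effect of 'route -p add 192.168.8.0 mask 255.255.255.0 172.30.100.2' on a DMZ PC."""
    tables["dmz_pc"][LAN] = R2_WAN

def send(dev, src, dst):
    """Trace one packet from device dev; returns (verdict, devices traversed)."""
    path = [dev]
    while True:
        if dev == "r2" and len(path) > 1:           # packet arrived at router two
            if path[-2] == "lan_pc":                # came in on the LAN interface
                spi.add((src, dst))
            elif (dst, src) not in spi:             # WAN side: only known replies
                return "dropped by router two SPI", path
        if dev == "r1" and dst == PUBLIC:           # inbound from ISP: undo NAT
            if src not in nat:
                return "dropped by router one", path
            dst = nat.pop(src)
        if dev == owner.get(dst):
            return f"delivered to {dst} from {src}", path
        hop = next_hop(dev, dst)
        if hop == "internet":                       # outbound: NAT any private source
            nat[dst], src, dev = src, PUBLIC, "internet"
        else:
            dev = owner[dst if hop == "direct" else hop]
        path.append(dev)
```

Run the traces in the order LAN-initiated first, then the DMZ reply, since the model keeps SPI state between calls just as the router does.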
Since the P334WT has a limited VPN server, the other option to access the LAN from the DMZ is to set up a VPN rule on the P334WT and install VPN client software on the DMZ PC(s). I use this method to access a shared printer from my wireless notebook PC. You can download a free (but old) VPN client here:
This link is from the top of the VPN forum here.
If you are using P2P software, you may want to consider a more robust router than the Netgear WGR614 such as a second P334WT for Router One. I did a second successful test using my P334T as Router one and my Zywall 5 as Router Two.
This entry is from a post by janderso1
»Using two routers for security without double NAT
Although this method can be used to isolate any two network segments, a wireless network is the most frequent reason for a home user to want to isolate a network segment.