Airplane777 join:2004-06-20 | NAT behind NAT not a bad thing?
I will be hooking up my first commercial WISP customer Thursday afternoon.
I will be connecting the WAN side of their wireless router to the LAN side of my CPE. Their wireless router does NATing and DHCP.
But my CPE is also set up to do NATing. I will be providing a private static IP address to their wireless router.
This causes me to be doing NAT behind NAT. Am I correct in thinking that this should work OK? That is... NAT behind NAT isn't necessarily a bad thing?

robbin join:2000-09-21 Leander, TX | I would be concerned if they use VPN -- I understand double NAT can give it problems. I provide public static IPs, so I don't have any first-hand knowledge.

Airplane777 join:2004-06-20 | Hi robbin:
Thanks for your post.
Since you give public static IPs to your clients, I assume your CPEs are then set to bridging-client mode? I'm trying to get this bridging and client stuff straight in my head... lol.
How do you get those public static IPs through your edge router (since I assume your edge router is NATed)? Do you do some kind of port forwarding? (Isn't an edge router the one connected directly to the modem that goes to the Internet backbone?) Or do you do bridging on your edge router also?

cmaenginsb join:2001-03-19 Palmdale, CA | reply to Airplane777
Airplane, robbin uses Trango equipment, which only works as a bridge.
As to the edge router, most of us simply don't have the edge router set to NAT.
I haven't seen a problem with double NAT yet, but in theory I would think VPNs could be an issue depending on the subnets used for each.
Why not turn NAT off in your CPE? -- CCNA, Comtrain Certified Tower Climber

robbin join:2000-09-21 Leander, TX | reply to Airplane777
Well, to start with, I use Trango equipment. The AP / SU (CPE) link is a bridge (no choices). It's hard to explain if you are used to WiFi equipment, but basically my APs and CPEs do not exist on the client-to-Internet network -- they are totally invisible. So whatever I do with them has no effect on the IP address assignment of the client router.
I am currently 100% bridged. As I get larger, if I decide to grow that much, I will probably do 1-to-1 NAT. Many (perhaps the majority) of my customers use a VPN on a regular basis, and there has never been a problem for them. They are extremely grateful, as this means that they don't have to drive 75 to 100 miles on the days they work from home!
My edge router is my T1 router -- you don't need a modem for a T1, only for DSL.

superdog join:2001-07-13 Lebanon, PA | reply to Airplane777
said by Airplane777: "How do you get those public static IPs through your edge router (since I assume your edge router is NATed)? You do some kind of port forwarding? (Isn't an edge router the one connected directly to the modem that goes to the Internet backbone?) Or do you do bridging of your edge router also?"
Bob, when you have a T1 or larger to the net, all of us use a router at the edge that basically bridges all of our static IPs right through to the end user, or at least to the CPE. If you are using DSL as a backhaul, you may only have one real-world IP, and that is used in your modem. If that is the case, you would then in all reality be NATing three times: once at your NOC, once at the CPE, and then the third time on your customer's router. This is a really bad idea. While I have seen VPNs work through two NAT boxes, I have also seen some strange things happen to programs like Citrix (allows you to use a local computer to run a remote one across a VPN and special software). I would use that DLB2300 or Highgain CPE as a bridge. That way you are at least only NATing twice: once at the NOC (modem) and then again on the customer's router. -- www.wavecrazy.net Join WISPA today! www.wispa.org/

Airplane777 join:2004-06-20 | Thank you superdog, robbin, & cmaenginsb:
Bridging it is.
I had to do some thinking, since this commercial establishment had their own wireless router. Your ideas on me doing bridging make sense. So I just got done setting up a test DLB 2300 in bridge mode (just to make sure I can do it quickly on the client's CPE).
I finally got the CAT5 run yesterday. I'm using NPRM with my tripod tapconned to some concrete patio blocks, which are sitting on 3 rubber mats. Seems to work pretty well. I still may go up and put a sand bag on each concrete block. I'm hoping it will take a lot of wind without blowing over... lol.
This stuff is fun... especially when I was crawling around on the roof setting up the tripod when it was snowing a few days ago.
To make it even more fun, I'm doing MAC authentication, hidden SSID, and WPA2... lol.

Wisp join:2005-09-07 Bryn Athyn, PA | reply to Airplane777
We do it like Superdog says: NAT at the NOC, all APs are bridged, and then NAT again at the CPE. So far it's been OK.

lutful join:2005-06-16 Ottawa, ON | reply to Airplane777
said by Airplane777: "This causes me to be doing NAT behind NAT. Am I correct in thinking that this should work ok? That is...NAT behind NAT, isn't necessarily a bad thing?"
I set up a few tiny rural networks this way - to the best of my recollection - in 2004/5:
A DSL home's NAT router (10.1.1.1) to wireless backhaul to a rural home's NAT router (10.2.1.1) to broadcast AP to multiple CPEs and NAT routers (10.3.1.1).
Each NAT router has at least one local customer PC served by DHCP. The WISP radios are on static IPs for easier management.
We usually hardcode good DNS server addresses at the NAT routers, but leaving them as 10.x.1.1 also works, as most NAT routers implement DNS caching.
It works for all common Internet apps, including most VoIP and some VPN. GoToMyPC and VNC also work.

cmaenginsb join:2001-03-19 Palmdale, CA | reply to Airplane777
By double or more NATing, you increase the possibility of overlapping your NAT scheme with that used by the VPN user's company network.
I.e., if your house is on 192.168.1.x and the LAN you VPN into is on 192.168.1.x, you can and will have routing problems. By increasing the number of NATed networks you increase the odds of winning the funky VPN traffic lottery. -- CCNA, Comtrain Certified Tower Climber

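To make cmaenginsb's overlap point concrete, and to check a chain like the three-tier one lutful describes before a customer reports a broken VPN, here is an added Python example; it is not code from the thread or from any of the vendors mentioned. The three 10.x.1.1 gateways come from lutful's post; the /24 masks, the hop names and the VPN subnets are assumptions for illustration.

```python
"""Flag address overlaps in a chain of NATed LANs, and between those LANs and a VPN's remote subnets.

Added example; the hop names, /24 masks and VPN subnets below are assumptions for illustration.
"""
from ipaddress import ip_network
from itertools import combinations

# Constructed topology modelled on the three-tier chain in lutful's post:
# DSL-side NAT router (10.1.1.1) -> rural NAT router (10.2.1.1) -> customer NAT router (10.3.1.1).
# Each hop's LAN is assumed to be a /24 around that gateway address.
NAT_CHAIN = {
    "dsl_router": "10.1.1.0/24",
    "rural_router": "10.2.1.0/24",
    "customer_router": "10.3.1.0/24",
}


def find_vpn_overlaps(nat_chain, vpn_subnets):
    """Return (hop, local_net, remote_net) for every local LAN that overlaps a VPN remote subnet.

    A host behind such a hop typically has a connected route for local_net that wins over
    the tunnel route for the same prefix, so packets for the overlapping remote addresses
    never enter the VPN. Every extra NAT layer adds one more LAN that can collide this way.
    """
    hits = []
    for hop, local in nat_chain.items():
        local_net = ip_network(local, strict=False)
        for remote in vpn_subnets:
            remote_net = ip_network(remote, strict=False)
            if local_net.overlaps(remote_net):
                hits.append((hop, str(local_net), str(remote_net)))
    return hits


def find_chain_conflicts(nat_chain):
    """Return pairs of hops whose own LANs overlap each other.

    The outer hop hands the inner hop a WAN address out of the outer LAN; if the inner LAN
    reuses that range, the inner router cannot tell its upstream from its own clients.
    """
    nets = {hop: ip_network(net, strict=False) for hop, net in nat_chain.items()}
    return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]


def report(nat_chain, vpn_subnets):
    """Human-readable summary of both checks for a given chain and VPN."""
    lines = []
    for a, b in find_chain_conflicts(nat_chain):
        lines.append(f"chain conflict: {a} and {b} use overlapping LAN ranges")
    for hop, local, remote in find_vpn_overlaps(nat_chain, vpn_subnets):
        lines.append(f"vpn conflict: {hop} LAN {local} overlaps remote subnet {remote}")
    return lines or ["no overlaps found"]


if __name__ == "__main__":
    # Assumed corporate VPN that pushes a route for 10.2.0.0/16: collides with the rural router's LAN.
    for line in report(NAT_CHAIN, ["10.2.0.0/16", "172.16.0.0/12"]):
        print(line)
```

Run it with the subnets your customer's VPN actually pushes (the client's routing table after connecting shows them) in place of the assumed list; a hit on any hop in the chain is the "funky VPN traffic lottery" the post describes, and bridging the CPE removes one entry from that chain.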
Airplane777 join:2004-06-20 | Hello all:
Thanks for your info on NATing. I set my CPE to bridge.
I had minimal problems in setting up the CPE in bridging mode and using MAC authentication, WPA2, and hidden SSID. I hooked it to my laptop and got on the Internet right away.
After that I had to set up the customer's wireless router. Even though I spell out in my TOS that my liability ends at the RJ45 plug coming from my CPE, I still took the time to set up the customer's wireless router. They had no idea how to do it. It wasn't too bad.
I tested the wireless router using a PC card in my laptop, and it worked really well.
The next thing: the customer didn't know how to set up WEP in the wireless client device in their desktop computer. I set that up. I got lucky... lol. It worked.
She had me set up WEP so her business neighbors can no longer steal her WiFi signal. I showed her how to change the WEP code, so she can change it frequently, so her neighbors can't get on.
Only one problem... tonight I tried to log into the CPE from my NOC. I couldn't do it. I can't even see the CPE at all on my AP GUI. Now I'm worried. Did the wind blow over my NPRM?
So I drove there about 30 minutes ago to see if the tripod is still standing. It was still there. Looked OK.
I'm hoping the customer just turned off the power to the CPE... maybe to save power. I hope the cold weather didn't kill my DLB2300... lol. I'd hate to think I had a case of "infant mortality" on the CPE.
Gee... this is fun. I want more customers... lol.

superdog join:2001-07-13 Lebanon, PA
said by Airplane777: "Only one problem...tonight I tried to log into the CPE from my NOC. I couldn't do it. I can't even see the CPE at all on my AP GUI. Now I'm worried. Did the wind blow over my NPRM? So I drove there about 30 minutes ago, to see if the tripod is still standing. It was still there. Looked ok."
Bob, the DLB2300s will sometimes lose their web interface on port 8080. I was told it is because so many idiots are scanning the web looking for open holes that the DLB just quits responding. What I would do is change the port number (it allows you to do this), and then your issues will go away. There is also no need to drive all the way over there. If this happens, just ping the radio and see if it replies. If it does, then ping the customer's router (if it is set up to answer a ping; most newer routers will not answer, as a security feature). If it replies too, then you know that everything is OK. -- www.wavecrazy.net Join WISPA today! www.wispa.org/

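superdog's check (ping the radio first, then the customer's router) is a short hop-by-hop walk that tells you which segment failed without driving out. Here it is scripted as an added Python example, not code from the thread or from the radio vendor. The hop names and management addresses are constructed, the ping flags assume Linux iputils, and the probe is injectable so the decision logic can be exercised without a live link.

```python
"""Walk NOC -> AP -> CPE radio -> customer router and report the first hop that stops answering.

Added example. Hop names and management addresses are constructed for illustration;
ping() assumes the Linux iputils syntax (-c count, -W timeout-in-seconds).
"""
import subprocess

# Assumed management path, probed in order from the NOC outward.
PATH = [
    ("ap", "10.0.0.2"),
    ("cpe_radio", "10.0.0.50"),
    ("customer_router", "10.0.0.51"),
]


def ping(host, timeout_s=2):
    """True if one ICMP echo request gets a reply within timeout_s seconds."""
    try:
        done = subprocess.run(
            ["ping", "-c", "1", "-W", str(timeout_s), host],
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
            check=False,
        )
    except FileNotFoundError:  # no ping binary on this box
        return False
    return done.returncode == 0


def first_dead_hop(path, probe=ping):
    """Probe hops in order; return (name, host) of the first silent one, or None if all answer.

    Stopping at the first failure matters: a silent hop further out tells you nothing
    while an earlier hop is already down.
    """
    for name, host in path:
        if not probe(host):
            return (name, host)
    return None


def diagnose(path, probe=ping):
    """One-line verdict following the thread's logic: radio answers, router answers -> link is fine."""
    dead = first_dead_hop(path, probe)
    if dead is None:
        return "ok: every hop answers, the link and the customer router are up"
    name, host = dead
    if name == path[-1][0]:
        # Everything up to the customer's router answered, so the radio link itself is fine.
        # Many routers drop ICMP by default, so a silent last hop is not proof it is off.
        return f"{name} ({host}) silent but the radio answers: device off or it drops ICMP; radio link is fine"
    return f"{name} ({host}) is the first hop not answering; look there before anything downstream"


if __name__ == "__main__":
    print(diagnose(PATH))
```

The verdict for a silent last hop is deliberately hedged: as the post notes, a router that drops ICMP looks the same as one that is powered off, so only the radio's reply is conclusive about the link.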
Airplane777 join:2004-06-20 | Thanks for that good info, Tim.
I heard that the owner turns off her wireless router at night. I'm hoping the CPE was also turned off (since it is on the same power strip).
In this cold weather, wouldn't it be best to keep the CPE powered all the time, so the CPE keeps warm? If so, I'll tell the customer to keep it on.

superdog join:2001-07-13 Lebanon, PA
Bob, in the winter months I would push the customer to keep the radio on at all times. The radio itself only uses a few cents of electricity every month, so turning it off isn't really saving them a lot, maybe $1 a year if you are lucky. I personally have not tried to fire up a DLB in our climate when it is cold out, so I have no clue what would happen. I guess we will find out very soon, huh? -- www.wavecrazy.net Join WISPA today! www.wispa.org/

Airplane777 join:2004-06-20 | I got the customer to leave the CPE turned on. That should keep it a little warmer now.
Where do I go in the CPE GUI to change the port number you were talking about?
When I do try to log into this customer's CPE, the window for the user name and password doesn't come up for login, like it does for my other customer. Not sure why.

Semaphore join:2003-11-18 Arnprior, ON | reply to Airplane777
For reasons that are not explainable (e.g. I still don't understand why they wanted it like that), I've done quadruple bi-directional 1:1 (static) NAT before with almost any protocol/application you care to think of running across that link. Everything works, but if there is a problem, troubleshooting is WAY beyond difficult. Bridge if you can. NAT if you must.