The secret route through an ISP router
There are numerous reasons to install your own wireless router, but it’s not always possible. Geoff Meads talks through the process of using a ‘Double NAT’.
About a year ago now the subject of my column was the debate around replacing an ISP supplied router with a more professional one. There are a few key reasons to swap out an ISP supplied router, mainly centred around the need for extra features, reliability or simply to ‘own’ the network.
But what if you can’t replace the ISP router? What if the ISP’s service contract forbids it, or their service simply won’t work without it? Furthermore, what if, as has happened with my ISP recently, the landline phone becomes tied to the presence of the ISP’s router? Is there an alternative strategy that can deliver what we need?
There is an answer. It’s called ‘Double NAT’ and it really is rather simple…
What is NAT?
NAT or ‘Network Address Translation’ is the process that happens when data packets are passed between two different networks. This is most common when you send a request to the Internet (the Wide Area Network or ‘WAN’) from inside your Local Area Network or ‘LAN’.
Routers need to know which direction to send messages, either inside the LAN or outside to the WAN. The router makes this decision based on two things: the destination IP for the message and the Subnet Mask of the network. The Subnet Mask tells the router the scope of LAN IP addresses and with this the router knows if the destination IP is inside the LAN or outside on the WAN. It then sends the message toward the right destination as appropriate.
One of the guiding principles of IP networks is that two separate but adjacent connected networks must have a different IP address scope. Thus, you cannot have a LAN network with an IP range of 192.168.1.x/24 on one side of a router and a WAN network with the same range on the other side. It’s for this reason that the IP protocol keeps three ranges of IP addresses back for LAN only use (10.x.x.x, 172.16.x.x to 172.32.x.x and 192.168.x.x).
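To show the two rules above in working form, here is a small added Python example (my own, not code from the article): the LAN-or-WAN decision a router makes from a destination IP and its LAN scope, a check against the RFC 1918 LAN-only ranges (the middle block is 172.16.0.0/12, i.e. 172.16.0.0 through 172.31.255.255), and the overlap check that two adjacent networks must pass before they can be stacked. The function names and the 192.168.1.0/24 scope are assumptions for illustration.

```python
import ipaddress

# Constructed example: the router's LAN scope, written as network address plus
# subnet mask (CIDR). Everything inside this range is "LAN", everything else "WAN".
LAN_SCOPE = ipaddress.ip_network("192.168.1.0/24")

# The three RFC 1918 ranges reserved for LAN-only use. Note that 172.16.0.0/12
# ends at 172.31.255.255; 172.32.0.0 onward is outside the private block.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def route_direction(dest_ip: str, lan_scope: ipaddress.IPv4Network = LAN_SCOPE) -> str:
    """Return "LAN" if dest_ip lies inside the router's LAN scope, otherwise "WAN".

    This is the decision described in the article: the destination IP compared
    against the LAN network and subnet mask, nothing else.
    """
    return "LAN" if ipaddress.ip_address(dest_ip) in lan_scope else "WAN"


def is_private(ip: str) -> bool:
    """True if ip belongs to one of the RFC 1918 LAN-only ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_RANGES)


def scopes_can_be_stacked(inner_lan: str, outer_lan: str) -> bool:
    """Check the rule that two adjacent networks must have different scopes.

    For a double NAT setup, inner_lan is the secondary router's LAN and
    outer_lan is the main router's LAN (which is the secondary router's 'WAN').
    They may not overlap at all, or the router cannot tell inside from outside.
    """
    inner = ipaddress.ip_network(inner_lan)
    outer = ipaddress.ip_network(outer_lan)
    return not inner.overlaps(outer)


if __name__ == "__main__":
    for ip in ("192.168.1.20", "8.8.8.8"):
        print(ip, "->", route_direction(ip))
    print("172.31.255.254 private:", is_private("172.31.255.254"))
    print("172.32.0.1 private:", is_private("172.32.0.1"))
    print("192.168.2.0/24 behind 192.168.1.0/24:",
          scopes_can_be_stacked("192.168.2.0/24", "192.168.1.0/24"))
    print("192.168.1.0/24 behind 192.168.1.0/24:",
          scopes_can_be_stacked("192.168.1.0/24", "192.168.1.0/24"))
```

The overlap check is stricter than "different third octet": it also rejects a 10.1.0.0/16 LAN placed behind a 10.0.0.0/8 LAN, which is the same mistake in a less obvious form.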
NAT vs. Double NAT
While that arrangement suits most LAN networks you could also need two LAN networks connected, especially in a corporate network. This is fine as long as they have separate IP scopes. To achieve this, we use two ‘stacked’ routers and change the third octet of the IP address range for the second LAN so they work happily together. We call this ‘Double NAT’.
Here’s an example:
- Main Router has a LAN range of 192.168.1.x/24 and is connected to the WAN
- Secondary Router has a LAN range of 192.168.2.x/24 and is connected to the Main router as its ‘WAN’
The secondary router’s WAN port is connected to a LAN port on the Main router and they simply route messages automatically between them. Internet bound traffic in the secondary network is routed to the main router via the secondary network’s router and then the main network router sends it forward on to the Internet.
This is also how the wider Internet works, as a series of smaller connected networks.
Why Not Simply Replace the Router?
At first glance the Double NAT solution looks like adding extra complexity for no gain. However, there are plenty of occasions where this delivers a huge advantage in that it keeps the ISP supplied router as the one that ‘faces’ the WAN.
The first reason to do this is one of service and support. If (or when) Internet service to the house fails, the supplying ISP’s service department will expect their router to be the one connected before they will provide support.
Next, reliability. ISP supplied routers are made down to a very low cost. They do not have many of the advanced features we might want and fail much more regularly due to the low build cost and quality. The next concern is one of security. While ISP supplied routers are good to a point, there are far better solutions out there. The final reason is features. Remote access using VPNs and network segmentation using VLANs are not easily possible using just an ISP router.
Adding a router of your own ‘behind’ the ISP router in a double NAT configuration allows you to overcome many of the above issues. VLANs can be set up using more advanced routers to allow more control, traffic management or security between segments of a LAN. More advanced firewalls can be configured in a better router for greater protection from network intruders and improved control of traffic. In addition, using some extra configuration on the ISP router, VPN connections can be made to the secondary router so that it can offer a safe way ‘inside’ the LAN to configure host devices, monitor performance and even perform software updates without visiting the site.
The disadvantages of such a scheme lie mainly in the advanced levels of configuration. A double NAT system, by definition, uses two routers and that is more complex to understand for service personnel. In addition, if either router should fail then it becomes super important that the config files were already downloaded such that a replacement router can be up and running as quickly as possible. Finally, the ISP router is still being used, albeit for just Internet bound traffic and that may be a reliability concern.
The Work Arounds
If you wish to use VPN to securely access the remote LAN then a workaround is needed since the ISP router is the one connected to the Internet but the secondary router is probably the one containing the VPN server. This means we need to provide an onward transfer for VPN traffic through the ISP router and on to the outward (WAN) connection of the secondary router and, subsequently, the VPN server.
Fortunately a simple Port Forward (available on all routers, ISP supplied or not) configured to pass VPN traffic straight through to the secondary router will do the job.
An example configuration for an L2TP VPN might look like this:
- Public port nos: 1701, 500, 4500
- Private IP: 192.168.1.100 (replace this with the WAN IP of the secondary router)
- Private port nos: 1701, 500, 4500
Note that most routers will need you to set three forwarding rules, one for each of the port numbers here (1701, 500, 4500).
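To make the two translations and the port forward workaround concrete, here is an added Python model (my own example, not code from the article or from any router vendor) that traces packets through the stacked routers described earlier and through the three L2TP VPN port forwards. The class and function names are hypothetical; 192.168.1.100 is the secondary router’s WAN address from the example above, while 203.0.113.10 and 198.51.100.x are constructed addresses from the documentation ranges. The three forwarded ports are UDP, which is what a real forwarding rule will ask you to specify.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """A simplified IP packet: just the 5-tuple the NAT logic cares about."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "udp"


@dataclass
class NatRouter:
    """Hypothetical model of a SOHO router: source NAT for LAN-to-WAN traffic,
    a connection-tracking table so replies find their way back, and optional
    port forwards (destination NAT) for unsolicited inbound traffic."""
    name: str
    lan: ipaddress.IPv4Network
    wan_ip: str
    # (proto, public port) -> (private IP, private port)
    port_forwards: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)
    # (proto, WAN-side port) -> (original LAN source IP, original source port)
    conntrack: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)
    next_port: int = 40000  # constructed starting point for translated source ports

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> WAN: rewrite the source to this router's WAN address."""
        if ipaddress.ip_address(pkt.src_ip) not in self.lan:
            raise ValueError(f"{self.name}: {pkt.src_ip} is not on LAN {self.lan}")
        if ipaddress.ip_address(pkt.dst_ip) in self.lan:
            return pkt  # destination is inside the LAN, no translation needed
        wan_port = self.next_port
        self.next_port += 1
        self.conntrack[(pkt.proto, wan_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.wan_ip, wan_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN: a reply to a tracked flow or a configured port forward is
        translated and passed on; anything else is dropped (returns None)."""
        if pkt.dst_ip != self.wan_ip:
            return None
        key = (pkt.proto, pkt.dst_port)
        target = self.conntrack.get(key) or self.port_forwards.get(key)
        if target is None:
            return None  # unsolicited and not forwarded: blocked at the WAN side
        ip, port = target
        return Packet(pkt.src_ip, pkt.src_port, ip, port, pkt.proto)


def build_double_nat() -> Tuple[NatRouter, NatRouter]:
    """Wire up the article's topology with constructed addresses."""
    # 203.0.113.10 is a constructed public address (RFC 5737 documentation range).
    isp = NatRouter("ISP router", ipaddress.ip_network("192.168.1.0/24"),
                    wan_ip="203.0.113.10")
    # Secondary router: LAN 192.168.2.0/24, its 'WAN' port on the ISP LAN at 192.168.1.100.
    secondary = NatRouter("Secondary router", ipaddress.ip_network("192.168.2.0/24"),
                          wan_ip="192.168.1.100")
    # The three port forwards from the article, all UDP: 1701 (L2TP), 500 (IKE),
    # 4500 (IPsec NAT traversal), each sent on to the secondary router's WAN address.
    for port in (1701, 500, 4500):
        isp.port_forwards[("udp", port)] = (secondary.wan_ip, port)
    return isp, secondary


def trace_outbound(isp: NatRouter, secondary: NatRouter, pkt: Packet) -> Tuple[Packet, Packet]:
    """Packet from the secondary LAN to the Internet: translated twice on the way out."""
    after_secondary = secondary.outbound(pkt)
    after_isp = isp.outbound(after_secondary)
    return after_secondary, after_isp


def trace_reply(isp: NatRouter, secondary: NatRouter, reply: Packet) -> Optional[Packet]:
    """Reply from the Internet: each router undoes its own translation in turn."""
    on_isp_lan = isp.inbound(reply)
    return None if on_isp_lan is None else secondary.inbound(on_isp_lan)


def trace_inbound_vpn(isp: NatRouter, secondary: NatRouter, pkt: Packet) -> Optional[Packet]:
    """Unsolicited packet from the Internet to the ISP router's public address.
    Only the forwarded ports reach the secondary router's WAN interface, where
    the VPN server would be listening; everything else is dropped."""
    forwarded = isp.inbound(pkt)
    if forwarded is None or forwarded.dst_ip != secondary.wan_ip:
        return None
    return forwarded


if __name__ == "__main__":
    isp, secondary = build_double_nat()
    hop1, hop2 = trace_outbound(isp, secondary, Packet("192.168.2.50", 51000, "198.51.100.7", 443, "tcp"))
    print("after secondary:", hop1)
    print("after ISP router:", hop2)
    print("reply delivered to:", trace_reply(isp, secondary, Packet("198.51.100.7", 443, "203.0.113.10", hop2.src_port, "tcp")))
    print("VPN on 1701/udp:", trace_inbound_vpn(isp, secondary, Packet("198.51.100.9", 50000, "203.0.113.10", 1701)))
    print("stray 8080/udp:", trace_inbound_vpn(isp, secondary, Packet("198.51.100.9", 50000, "203.0.113.10", 8080)))
```

The last two traces are the security point of the workaround: the ISP router only passes the three forwarded UDP ports through to the secondary router, and any other unsolicited packet aimed at the public address is dropped before it reaches the inner network. The VPN server on the secondary router, and that router's own firewall, still sit behind that first filter.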
So, what have we achieved with a double NAT system? Well, the ISP will be happy because their router is still in place, and they will provide front line support should their service go down. The customer is happy because you can provide them with better service, remote support, and a more stable and secure network. Finally, the installer is happy as they get a more flexible network with better equipment and features.
What’s not to like about that?