Attempting to design an ASUS Mesh Network purposely using a double NAT? Good or bad idea?

charose1745

New Around Here
Hello,

I’m looking for any advice, comments or positive/negative criticisms regarding my setup intentions described below:

-I have Xfinity Gig+ service

-I am using my own Arris S33 cable modem first in line attached to the incoming coaxial cable

-Next in line I have a Firewalla Gold Plus (it has one WAN port and four 2.5G ports) that is a firewall/router device that can be run in a handful of different modes. However, it is recommended to be run in “Router Mode” as that is when the device is using all its protective features properly and most usefully. (Side note: it does also have a WiFi antenna port but that isn’t going to be part of this setup).

-Then comes the setup for the ASUS mesh network. I have the AXE16000 using Merlin firmware and two ASUS Zen ET12 units running official ASUS stock firmware. All firmware is up to date.

So here is where the situation starts to get complicated for me. No way am I putting the AXE16000 in AP mode. As it has Merlin’s firmware there is a whole host of reasons like control, security and speed that I don’t want to give up. The two ET12’s are Ethernet backhauled to the AXE16000. So essentially the AXE16000 is in the center of my house, one ET12 is 2.5G Ethernet backhauled to one end of the house and the other the same to the opposite end of the house. This makes for an incredible “wired” WiFi mesh network.

Now, I have multiple options on how to set up and include the Firewalla Gold Plus unit but after reading all about how bad double network setups can be, it just didn’t always seem to make sense. The FWG+ unit when run in Router Mode essentially allows you to create four separate private local networks. My thinking was wouldn’t the Firewalla protect the mesh network even further using the Double NAT?

Let’s say I set up the mesh network as one would normally do. DongKnowsTech has great guides and info on how to achieve this correctly. I use a private IP address like 172.16.16.1 assigned internally to the AXE16000, which then assigns any devices that connect wirelessly addresses from that private IP range. Once the mesh network is set up completely and correctly I would create a local network using one of the FWG+ ports. I would assign this LAN something very different like 10.20.20.1. In fact, given the AXE16000 will be the only device assigned a private IP from FWG+ on this LAN, I can probably just make the gateway assignment like 10.20.20.15 and then make the DHCP start/end also 10.20.20.15.

Any additional LANs created on the FWG+ will have no communication with this LAN (in theory). Any separate wireless networks I create within the mesh network won’t even be seen from the internet let alone the devices themselves connected wirelessly.

Furthermore I have been considering setting up a Raspberry Pi as my own DNS server, for which I can create its own LAN on one of the FWG+ ports and direct all local DNS queries (even from the mesh network) to it.

The public IP originally assigned to the AXE16000 when setting up the mesh network is now replaced with the new private IP, in this case 10.20.20.15. So my wireless mesh network will first be protected by the Firewalla and any rules I put in place for its LAN. The private IP will pass along the internet connection to the AXE16000 and from there the AXE16000 will control any wirelessly connected devices through its own DHCP assignments and the Merlin firmware based security scripts I implement. Plus any additional security settings I use within the AXE16000 itself. This is why I desperately do not want to change it to AP mode and lose a ton of control and security abilities and options.

Ok so I’m sorry for the long post but I was hoping to be clear and concise on any understandings or misunderstandings I have about the setup. I am currently in mid-process of setting all this up so if anyone has any questions, comments, advice, criticisms or ideas please don’t hesitate to post. I am looking for as much info as I can and if this setup doesn’t work then perhaps someone will post something that will achieve the same results.

Thank you in advance for taking the time to read my post and possibly share any feedback, experience or help you can think of. Happy new year.

-John
 
What you're proposing (one router behind another router) will work and is quite a common setup.

The supposed problems with double NAT are largely a myth perpetuated by gamer kiddies. It only becomes a problem when you want to allow unsolicited incoming connections from the internet. In that case it requires an additional step of manually forwarding ports on the primary router, or putting the secondary router's WAN IP in the DMZ of the first router.
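The "unsolicited inbound only" point above, as an added example that is not from the thread or any of the products discussed: a small Python model of the two NAT hops in John's plan (FWG+ LAN 10.20.20.0/24 handing 10.20.20.15 to the AXE16000 WAN, AXE16000 LAN 172.16.16.0/24). It checks the subnets do not overlap and traces what happens to an inbound connection with a forward on both routers, with a DMZ entry on the first router, or with no rule at all. The public WAN address, the port numbers and the inner host are constructed for the example.

```python
import ipaddress

class NatHop:
    """One NAT router in the chain: WAN address, LAN subnet, port forwards, optional DMZ host."""
    def __init__(self, name, wan_ip, lan_net, forwards=None, dmz=None):
        self.name = name
        self.wan_ip = ipaddress.ip_address(wan_ip)
        self.lan_net = ipaddress.ip_network(lan_net)
        self.forwards = dict(forwards or {})   # inbound dst port -> (inner ip, inner port)
        self.dmz = dmz                         # host that receives every unmatched port

    def inbound(self, dst_port):
        """Where this hop sends an unsolicited inbound packet, or None if it is dropped."""
        if dst_port in self.forwards:
            return self.forwards[dst_port]
        if self.dmz is not None:
            return (self.dmz, dst_port)
        return None

def validate_plan(hops):
    """Addressing checks for router-behind-router; an empty list means the chain is consistent."""
    problems = []
    for i, hop in enumerate(hops):
        for other in hops[i + 1:]:
            if hop.lan_net.overlaps(other.lan_net):      # overlapping LANs break routing
                problems.append(f"{hop.name} and {other.name} LAN subnets overlap")
        if i + 1 < len(hops) and hops[i + 1].wan_ip not in hop.lan_net:
            problems.append(f"{hops[i + 1].name} WAN is not inside {hop.name} LAN")
    return problems

def trace_inbound(hops, dst_port):
    """Follow an unsolicited inbound connection outermost hop first; (ip, port) or None if dropped."""
    port = dst_port
    for i, hop in enumerate(hops):
        fwd = hop.inbound(port)
        if fwd is None:
            return None                          # no forward/DMZ on this hop: dropped here
        target, port = ipaddress.ip_address(fwd[0]), fwd[1]
        nxt = hops[i + 1] if i + 1 < len(hops) else None
        if nxt is None or target != nxt.wan_ip:
            return (str(target), port)           # delivered to a host on this hop's LAN

# Constructed plan following the thread: FWG+ hands 10.20.20.15 to the AXE16000 WAN,
# the AXE16000 LAN is 172.16.16.0/24. WAN address, ports and the NAS host are made up.
FWG = NatHop("Firewalla Gold Plus", "203.0.113.10", "10.20.20.0/24",
             forwards={8443: ("10.20.20.15", 8443)})
AXE = NatHop("GT-AXE16000", "10.20.20.15", "172.16.16.0/24",
             forwards={8443: ("172.16.16.50", 443)})
PLAN = [FWG, AXE]
```

Run `validate_plan(PLAN)` and `trace_inbound(PLAN, 8443)` to see the rule pair reach the inner host; drop the forward on the outer hop and the same port is dropped at the Firewalla, which is the one case the double NAT actually changes.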
 
Colin is spot on. Double NAT's only problem is as he states in trying to run a server on the second network.

Be prepared that if you call for tech support for network problems first line support individuals will immediately claim your double NAT is the root of your issues.
 
So here is where the situation starts to get complicated for me.

You don't need the Firewalla in front of your Asus setup. Use your GT-AXE16000 as main router.
 
What you're proposing (one router behind another router) will work and is quite a common setup.

The supposed problems with double NAT are largely a myth perpetuated by gamer kiddies. It only becomes a problem when you want to allow unsolicited incoming connections from the internet. In that case it requires an additional step of manually forwarding ports on the primary router, or putting the secondary router's WAN IP in the DMZ of the first router.
Yes I have read that gaming in particular could be affected with a setup like this, however gaming isn’t something I would be using the mesh network for even if it is only a myth. And creating a DMZ for the second router using the first would of course defeat all purposes of the setup. Thank you for your response. I am interested to see if any conflicts occur as I am nearly finished.
 
Colin is spot on. Double NAT's only problem is as he states in trying to run a server on the second network.

Be prepared that if you call for tech support for network problems first line support individuals will immediately claim your double NAT is the root of your issues.
Lol. Very true. Of course Xfinity tech support would hardly help me at all anyway without first renting and using their equipment. And since the mesh network setup I described doesn’t have a need for a server then I don’t have to worry about different LANs and private IPs not being able to access a device like a server or NAS. This is more for testing to see if any other conflicts occur and if not then does it ultimately increase security. Thank you for your input.
 
You don't need the Firewalla in front of your Asus setup. Use your GT-AXE16000 as main router.
Thank you and yes I don’t “need it”. The FWG+ can actually be run as a security add-on of sorts without using it in router mode. As I mentioned it does have other modes that can be used without having the double NAT issue. For example I can disable the DHCP abilities of the AXE16000 and put the FWG in what is called DHCP mode where it will control the private IPs of the LAN mesh network. It also has another mode called “Simple” that can work in this setup without it being a “router”. The point really, as I mentioned earlier, is that the FWG device was designed and is documented to work best in its “Router” mode. Therefore if no real conflicts or negative outcomes occur, I believe the FWG coming first and operating in Router mode AND purposely using a Double NAT would further increase the security of the wireless mesh network by actively being protected by the FWG’s capabilities first and directly after the cable modem, in addition to Merlin’s firmware additional security capabilities within the AXE16000. I appreciate your input. Ty.
 
For example I can disable the DHCP abilities of the AXE16000

And you'll break your AiMesh by doing so. Experiment with your Asus GUI and watch the pop-up message when disabling DHCP server. This Firewalla is the extra complication in your setup and with your hardware choices you lose either Firewalla features or Asuswrt features.

I believe the FWG coming first and operating in Router mode AND purposely using a Double NAT would increase the security further of the wireless mesh network

Not really. It won't see anything encrypted and this is most of the traffic. If you need extra security with true IDS/IPS inside SSL none of your devices can do it. You need something like a pfSense appliance running Snort/Suricata and an SSL proxy. What you have is just an extra device passing traffic. It will be mostly blind to what your Asus router and the clients attached to it are doing. It won't even see your DNS queries if you set DoT on the Asus.
 