Double nat what problems could one get?

[JoeBee]

Hi I have my isp supplied Router in Router mode currently connected to my pfsense box, I use a VPN provider and also use torrent, normal internet.

I hear the term double nat and its best avoided, you can have issues with port forwarding or websites or programs not loading. I currently prefer to keep my ISP supplied router to defaults while fault testing and allowing the family to still have internet via wifi while I go on with my testing.

Are there any security or privacy or serious issues I could face, ip or dns leaks etc ?

 

[dosborne]

Nothing wrong with double Nat. May mean extra setup steps and understanding, but can make your life easier in the long run. Isolates your internal lan make ISP changes transparent.

 

[Val D.]

Are there any security or privacy or serious issues I could face, ip or dns leaks etc ?

In general Double NAT = Double Work with everything that needs port forwarding. You can set your pfSense box in DMZ on the ISP router, but it depends how it is implemented, there are some variations. You may have issues with game services, VPN servers behind the ISP router, some sites with SSL, a bit added latency. And make sure in pfSense "Block private networks and loopback addresses" on WAN interface is disabled (enabled by default), otherwise you won't have Internet after your ISP router. Then if you need devices connected to the ISP router to see devices connected to pfSense (and vice versa) it's a different game. Double NAT works, but you need to know what are you doing.

 

[JoeBee]

Thanks much appreciated for the advice, I have switched off uPnP all routers and no PF in my pfsense or Asus router, also block private and loop is checked under pfsense wan interface but great to know, will double check in the Asus router.

I only have 1 computer connected to the entire network and rest are via the ISP wifi so quite a simple set up for now, but long term it does sound safer and less headache to not double nat.

 

[Klueless]

In "theory" there's more that "could" go wrong but I've never had a problem. In "theory" there could be a performance hit but I could never measure one.

I never wanted to run double NAT. It just happened that way. Our ISP provided a modem/router combo and wouldn't "bridge" it. Their combo unit wasn't meeting our needs so I had to put in my own and double NAT it was.

We ran that way for years, about 15 users and 30 devices with no problems. Yeah, on the rare occasion, when I had to do a port forward I had to remember to do it for both routers but, really, that wasn't much of a "problem".

There was an unexpected plus. When we had Internet problems, well, ISPs are notorious for blaming customer equipment. In this case I could simply plug a device or two into their equipment and say, "It's all you!"

And, in hindsight, I guess having a "double firewall" wasn't a bad thing.

 

[CaptainSTX]

I have run double NAT for similar reasons as Klueless. Never bothered with any port forwards and I have turned UPnP off on both routers.

I don't currently run a server VPN or other type of server on my second router so port forwards not needed. I do run VPN clients on both routers. Also I have never had to put my second router in the DMZ.

Attached is a copy of the tests I ran comparing speeds with single and double NAT. Judge for yourself if you think it impacted latency or speed. I didn't statistically see any impact.

 

[Klueless]

Attached is a copy of the tests I ran comparing speeds with single and double NAT. Judge for yourself if you think it impacted latency or speed. I didn't statistically see any impact.

I totally agree.

I was also most impressed by the rock solid consistency of your tests.

For a change no one was home so I ran a quick set of tests (fast.com) over an unusually quiescent network (one router, single NAT) over my 100 Mbps x 10 Mbps cable Internet service. As usual, my numbers were all over the place. (Yes, I was lazy and ran over WiFi but I've seen similar variability over Ethernet in the past.)

Downloads; 150, 120, 140, 180, 150, 210, 150, 190, 130 & 200

Mean = 162, Median = 150, Mode = 150 & Std Dev = a whopping 30.84!

(I, for one, would never notice a "hit" from Double NAT ; -)

And, since all tests were greater than my paid for service speed I'm guessing I'm not one to be complaining about variability : -)​

 

[Val D.]

Attached is a copy of the tests I ran comparing speeds with single and double NAT. Judge for yourself if you think it impacted latency or speed. I didn't statistically see any impact.

This is correct. Speed has to be the same, latency a bit higher, but with relatively modern devices not user measurable nor noticeable.

 

[Klueless]

... with relatively modern devices not user measurable nor noticeable

That seems to be a true statement.

... latency a bit higher

Yet his tests "showed" the opposite, but, as you said, not readily measurable : -)

I took particular interest in this thread because some years ago our network at work was a real mess!

The router forum I was on back then convinced me the problem had to be Double NAT. In the midst of that a lightening storm fried my old router and I replaced it with an Asus N66U. The new tools that Asus/Merlin provided convinced me to look elsewhere and we were able to fix the real problems.

Afterwards I ran some tests and, like the Captain, was never able to document a difference between NAT and Double NAT.

 

[Val D.]

Yet his tests "showed" the opposite, but, again, as you said, not readily measurable : -)

It's there, but below 1ms, usually below 0.1ms. You can't see or measure any difference with no equipment. Every router and switch on the way adds something to latency. How much exactly depends on what devices are used. Latency is the least concern in Double NAT. I mentioned it above because it's technically there.

 

[Klueless]

It's there, but below 1ms, usually below 0.1ms. You can't see or measure any difference with no equipment. Every router and switch on the way adds something to latency. How much exactly depends on what devices are used. Latency is the least concern in Double NAT. I mentioned it above because it's technically there.

Yes, I agreed with you. It's so hard to measure his tests actually showed a minor sway to the opposite.

 

[Val D.]

his tests actually showed a minor sway to the opposite.

Yes, ping times, too many variables. Captains are not good in networking, obviously.

 

[Klueless]

Yes, ping times, too many variables. Captains are not good in networking, obviously.

I know you're teasing but, just to be clear, the Captain's contribution to this thread was significant and his tools were representative predictors of the "user experience" (namely speed and responsiveness). I applaud his efforts on our behalf.

Again, I agree. The theoretical hit is there but in day to day life it's just a nit and I think the Captain did a fine job in showing it is just a nit.

(I think a bigger issue is "failure points"; instead of one we have two, if each device has a 0.5% chance of failure we now have a 1% chance of failure, that kind of stuff ; -)

 

[Val D.]

I know you're teasing...

Yes, of course...

I had Double NAT setup too for number of years. Double work was the main issue from time to time. I don't like double work.

 

[dosborne]

In some cases 2xNAT makes life a whole lot easier and more secure.

Your internal network is, theoretically, completely isolated from the "middle" network 1xNAT. This makes it, again theoretically, more secure as a hacker would have to get past 2 routers. For me, the main advantage is that I can use whatever router the ISP (I have 2) gives me. Since I can't control the firmware (ISP controlled) on at least one router , I can still isolate my equipment behind a second router.

By dual homing various devices (2 or more network interfaces) you can also put other devices (such as NAS boxes) on both networks and limit external exposure.

It opens up quite a few options in terms of flexibility and security. But, yes, I can mean some extra work, but the same can be said about many other options. For me, I only setup 1 port forward rule. Not a strenuous task.

Is it for everyone? No.
Can it be beneficial? Perhaps. It all depends on what you need to accomplish.
Is it a big hassle? Definitely not, unless you mess around with your setup every day.

I've run this way for almost 20 years and would NEVER consider removing it.