VLAN, nesting ERX inside another router & avoiding double NAT

This may be easy for the very experienced or those who can readily try-and-revise, but I am neither. Each trial deployment of a configuration entails mountain climbing, 100 mile drives and exposes the risk & complications of foul weather.

With that in mind, I've created a diagram to summarize the situation: see attached VT network diagram.

The path from cloud to house begins with a cable modem+router and traverses a four segment link (radios) to reach the house. A single subnet (192.168.3.X) encompasses the router, radios and the house at present.

This would be fine if the link were highly robust. It is not. The link traverses a mountain and is regularly hammered by winter storms. The storms are severe enough that even when high winds don't damage structures, heavy precipitation disrupts radio links.

The solution that I've settled on is to build an island that functions in a self-contained way when isolated and that connects to the outside world when possible.

The VT network diagram shows a larger, outer ring and a smaller inner ring which constitutes the island.

To make this work, the outer ring is hardwired to the internet and has its own router (Arris SBG7400AC2) that operates subnet 192.168.3.X. The inner ring will use its own router (UBNT ERX) set up in a WAN2LAN2 configuration.

Here's where the questions arise:

1) The ERX WAN2LAN2 wants its WAN feed on interface port eth0. I need to specify the port's type (DHCP, static, or PPPoE). As the feed comes from a switch port on the SBG7400AC2, I need some guidance.

Do I assign a static IP address to eth0 and set that address up as a DMZ port in the SBG7400AC2? It seems to me that this would prevent double NAT. Is this the best way to handle this?

2) Can I cheat on the subnet rules by setting the house (ERX) to use a 192.168.2.0/23 subnet and gain the ability to "reach" into the SBG7400AC2's 192.168.3.0/24 subnet?

3) Finally, can I set up a VPN on the ERX to use the eth0 interface port and reach it from the WAN?


All Replies
New Member

Re: VLAN, nesting ERX inside another router & avoiding double NAT

No one seems in a hurry to discuss this. So, I am very much a beginner, so forgive me. I know it is sacrilege to have a double NAT and someone will likely chastise me for this. Unless you are gaming or doing something special, the double NAT isn't the end of the world. My network has 4 routers and three double NATs. This is by design. I don't game, so it isn't an issue.

Could the NAT be disabled in the ER-X? That is way above my ability to discuss, but I have seen the setting in the Basic Wizard.

Veteran Member

Re: VLAN, nesting ERX inside another router & avoiding double NAT

Getting rid of NAT: remove the masquerade rule.

Assuming ER-X eth0 port is 192.168.3.11:

On the Arris modem, you need to add routes

192.168.1.0/24 -> 192.168.3.11

192.168.2.0/24 -> 192.168.3.11

And of course, the Arris modem has to do NAT for those extra subnets.

Member

Re: VLAN, nesting ERX inside another router & avoiding double NAT

Thank you for your response! It's actually quite brilliant. It's akin to recognizing that I've been looking through the wrong end of a telescope: when the internet's inaccessible, who needs NAT (or Masquerade)?

When I turn off masquerade, there's no need for an eth0 IP address, so DHCP will do for eth0.

What's your thought about 'cheating' with a 192.168.2.0/23 subnet definition so I can access 192.168.3.X devices?

Finally, L2TP VPN should just work if I enable pass-through in the Arris SBG7400AC2 router, right?

Veteran Member

Re: VLAN, nesting ERX inside another router & avoiding double NAT

You still need a static IP on eth0, as static routes are pointing to that address (a dynamic routing protocol could handle an eth0 DHCP address... but I doubt the Arris can handle that; the ER can).

Using 192.168.3.0/23 alongside 192.168.2.0/24 isn't the way they teach you in network books. But it could work, when you enable proxy ARP on the ER eth0 interface.
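As an added example (not code from any poster in this thread), the following Python sanity-checks the no-NAT plan from the two replies above: whether the Arris has a return route for every ER-X LAN once masquerade is gone, which part of the Arris 192.168.3.0/24 the 192.168.2.0/23 "cheat" would make the ER-X treat as on-link, and whether a DHCP pool would hand out leases inside that overlap. All addresses are the constructed values quoted in the thread and the function names are my own.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the design discussed in the thread: ER-X eth0 at
# 192.168.3.11 on the Arris LAN, ER-X LANs 192.168.1.0/24 and 192.168.2.0/24
# (or the /23 cheat). None of this is taken from either router's config.


def missing_return_routes(erx_lans, arris_routes, erx_wan_ip):
    """Return the ER-X LAN prefixes the Arris has no static route back to.

    arris_routes maps prefix -> next hop. Without NAT on the ER-X, packets
    from its LANs keep their real source address, so the Arris must route
    each LAN back via the ER-X eth0 address or the replies are dropped."""
    hop = ip_address(erx_wan_ip)
    missing = []
    for lan in map(ip_network, erx_lans):
        if not any(lan.subnet_of(ip_network(p)) and ip_address(nh) == hop
                   for p, nh in arris_routes.items()):
            missing.append(str(lan))
    return missing


def overlapping_prefix(erx_lan, arris_lan):
    """The part of the Arris LAN the ER-X would also consider on-link, or None.

    With 192.168.2.0/23 on the ER-X LAN and 192.168.3.0/24 on eth0, the
    more specific /24 wins in the routing table, which is why the cheat can
    work at all; the overlap is what proxy ARP has to paper over."""
    a, b = ip_network(erx_lan), ip_network(arris_lan)
    if b.subnet_of(a):
        return str(b)
    if a.subnet_of(b):
        return str(a)
    return None


def dhcp_pool_leaks(pool_start, pool_end, overlap):
    """Pool addresses that fall inside the overlapping prefix.

    Leasing such addresses would collide with real 192.168.3.x hosts, so
    the pool has to stay in the 192.168.2.0-254 half as the poster intends."""
    if overlap is None:
        return []
    net = ip_network(overlap)
    first, last = int(ip_address(pool_start)), int(ip_address(pool_end))
    return [str(ip_address(i)) for i in range(first, last + 1)
            if ip_address(i) in net]
```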

Member

Re: VLAN, nesting ERX inside another router & avoiding double NAT

Thanks for the proxy ARP tip. I know it's a 'dirty' trick (192.168.2.0/23), but I just have a few static 192.168.3.X addresses to check occasionally and I'll keep the DHCP restricted to 192.168.2.0-254.

The only static routes I can think of that point to 192.168.3.1 (when DMZ is dropped) are the default gateway settings in the UBNT radios. If I set them to point at 192.168.2.1 there are none. That solves the problem, right?

Finally, I've never set up a VLAN or tunnel before. If I set the Arris router to passthrough for IPsec, PPTP & L2TP, the ERX can create a tunnel on eth0, right?

Member

Re: VLAN, nesting ERX inside another router & avoiding double NAT

Thanks for the response. My double NAT concern is purely a performance issue.

16again helpfully pointed out that I was looking through 'the wrong end of the telescope'!