Double NAT, but I have no need to access the inner NAT


  • Notification Spam Recipient

    Previously in

    The Official Status Thread...

    @izzion said in The Official Status Thread:

    you can't run them both on the same LAN side segment.

    Honestly I don't need to be able to access my home shit from within the "office" network. It would be totally fine to be double-NAT'd in this case.

    But apparently having the uplink's IP be "inside" the same subnet is fantastically confusing I guess.

    dd-wrt is still confusing so...

    @izzion said in The Official Status Thread:

    feel free to DM me or tag me in a help thread with more details of what you're trying to accomplish and I can help.

    Maybe in a few days, this was just a spot check to see if the recovered equipment even powered on at all.

    Touching things again, and it's still not working as expected so thread I make!

    Summary:

    • I have my house network which occupies the 192.168.1.0/24 subnet.
    • I wish to (hopefully temporarily) run the office network (has its own router and switch, etc), but it is also occupying the 192.168.1.0/24 subnet.
    • I have no intention of being able to access the office network from "outside" in my home network in any way, and expect no routing to take place between the two, except for the office router to talk to the home gateway in order to reach the Internet.

    In theory, the office router should get a "WAN" IP address from the home router and happily pretend its world is all good, but all is not good and it gets confused as fuck, I'm guessing due to iptables not doing things on the interface level? Or something?

    When I plug it in, my home-man's IDS (in the form of a FingBox) immediately goes "Hold the fuck up, someone plugged in a router and it's trying to become the gateway!" and indeed it seems to be doing wacky things, with the end result being office computers that were able to talk to each other are suddenly telling themselves it's impossible to do so.

    I'm going to assume it's because I'm using a dd-wrt router that just wasn't prepared to handle this situation, but what hints should I be taking to get this working?

    Keep in mind I don't care or need to access computers on the other side of the NAT, so all the googles that talk about "hur dur you can't do that" I don't care for.


  • I survived the hour long Uno hand

    @Tsaukpaetra

    You can't have the same network on the WAN and LAN side of the office network. The only functional way to make it work is to have the office network pull a "WAN" address that's not in the same subnet as the office network LAN.

    The easiest way to do it would be to overlay a VLAN on your house network or split off a port that will be the office network's "Internet uplink", and then assign a different LAN (e.g. 192.168.2.0/blah -- minimum of a /30 but larger subnets won't break anything) to the link from your home router to the office router's WAN. I would expect dd-wrt should be able to support a second LAN network and JustWork with the outbound NAT required for that, but I'm not well versed in how to make that happen. The easiest option would be to just designate the physical port the office router is connected to as the separate LAN.

    The other choice would be to re-address one LAN or the other so they don't overlap. From a technical perspective, there just isn't any way to make it work with the overlap -- the office router can't possibly distinguish where traffic needs to go if it has two different networks with overlapping subnets.


  • Notification Spam Recipient

    @izzion said in Double NAT, but I have no need to access the inner NAT:

    the office router can't possibly distinguish where traffic needs to go if it has two different networks with overlapping subnets.

    That's the conception I'm trying to eliminate: There should be no overlap from the perspective of the office router (despite that the "wan" and "lan" sides are technically in the "same" subnet).

    For example, say a computer in the office lan side sends a packet to 192.168.1.199. Since that's in the office lan subnet, it should not care and the packet should go straight through the switch(es) to the destination.
    Say a packet destined for 192.168.1.198 gets sent, and the router knows there is no such active device. It should not attempt to forward that packet out to the home network by any means and should just tell the source computer "Yeah that's not on the network bai".
    Say a packet to 1.1.1.1 gets sent out, the office router knows it doesn't have that in the office subnet so NATs it out, which the home router then NATs out again, and all is hunky-dory.

    Why is this not possible?


  • I survived the hour long Uno hand

    @Tsaukpaetra
    Then you're trying to bridge the two networks, and basically make the office router a dumb switch. At which point you'll only have single NAT and everything can talk to everything.

    Ultimately, routers work by a priority list of available routes. The routing table of your home network will look something like:

    Destination      Via
    ----             ---
    0.0.0.0/0        1.2.3.4 
    192.168.1.0/24   connected - LAN
    

    Where the via for the default route is the gateway of the WAN interface. When the router has traffic to send, it looks up the most specific route that matches the IP and sends it that way. So if it has traffic for 192.168.1.2, that matches the directly connected route for the LAN interface -- the router looks in its ARP table (and sends an ARP request if needed) to find out what device actually has 192.168.1.2, and then uses the MAC address information to forward the packet to the correct device.

    If the router has two interfaces connected with the same network, it won't know where to send the ARP requests to. Most enterprise grade routers will flat out prevent you from configuring overlapping static addresses, though you can obviously get things into a wonky state via DHCP.

    It's just a straight limitation of the network protocol, there flat out isn't a way to do what you want to do while keeping the networks separate - you either just put a switch in instead of the office router (and basically only have the home router as the "router" for your network), or you have to fix the overlap.
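Added example, not code from any poster in this thread: a small longest-prefix-match lookup in Python's standard `ipaddress` module, run over routing tables constructed to mirror the one in the post above. The home table adds an assumed connected WAN route (1.2.3.0/24) that the post's table omits, so that the default route can actually be resolved to an interface. The "office-overlap" table is the thread's situation (LAN and WAN both in 192.168.1.0/24, WAN address 192.168.1.2 from the home router's DHCP); "office-fixed" is the same router with the uplink moved into 192.168.2.0/28. The point it shows is that the tie is not only for LAN destinations: even 1.1.1.1 fails, because the default gateway 192.168.1.1 itself matches both interfaces and the router has nowhere to send the ARP request.

```python
import ipaddress

# Constructed routing tables modelled on the one shown in the post above.
# Each route is (prefix, via); "via" is either a next-hop IP address or a
# directly connected interface, written "connected-<name>".
HOME_ROUTER = [
    ("0.0.0.0/0", "1.2.3.4"),              # default route via the ISP gateway
    ("1.2.3.0/24", "connected-WAN"),       # assumed mask for the WAN link
    ("192.168.1.0/24", "connected-LAN"),
]

# Office router in the situation the thread describes: its LAN is
# 192.168.1.0/24 and its WAN port was handed 192.168.1.2 by the home router.
OFFICE_OVERLAP = [
    ("0.0.0.0/0", "192.168.1.1"),          # home router as default gateway
    ("192.168.1.0/24", "connected-LAN"),
    ("192.168.1.0/24", "connected-WAN"),
]

# Same office router once the uplink lives in its own small subnet.
OFFICE_FIXED = [
    ("0.0.0.0/0", "192.168.2.1"),
    ("192.168.1.0/24", "connected-LAN"),
    ("192.168.2.0/28", "connected-WAN"),
]


def best_routes(table, dst):
    """All (prefix, via) entries matching dst at the longest prefix length."""
    ip = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), via) for p, via in table
               if ip in ipaddress.ip_network(p)]
    if not matches:
        return []
    longest = max(net.prefixlen for net, _ in matches)
    return [(str(net), via) for net, via in matches if net.prefixlen == longest]


def is_ambiguous(table, dst):
    """True when two routes tie for most specific, i.e. the router cannot choose."""
    return len(best_routes(table, dst)) > 1


def egress_interface(table, dst):
    """Follow longest-prefix matches until a connected interface is reached.

    Raises LookupError when there is no route, or when a tie leaves the
    router with no single interface on which to ARP for the next hop.
    """
    hop = dst
    visited = set()
    while True:
        routes = best_routes(table, hop)
        if not routes:
            raise LookupError(f"no route to {hop}")
        if len(routes) > 1:
            raise LookupError(f"{hop} matches {[v for _, v in routes]} equally")
        via = routes[0][1]
        if via.startswith("connected-"):
            return via
        if via in visited:
            raise LookupError("routing loop")
        visited.add(via)
        hop = via


if __name__ == "__main__":
    tables = (("home", HOME_ROUTER), ("office-overlap", OFFICE_OVERLAP),
              ("office-fixed", OFFICE_FIXED))
    for name, table in tables:
        for dst in ("192.168.1.199", "1.1.1.1"):
            try:
                print(f"{name:15} {dst:15} -> {egress_interface(table, dst)}")
            except LookupError as err:
                print(f"{name:15} {dst:15} -> FAIL: {err}")
```

Running it prints a clean interface for every destination on the home and fixed tables, and a FAIL line for both destinations on the overlapping table. A real kernel does not report a tie this way; it silently picks one entry (typically whichever was installed first or has the lower metric), which is the "wacky" behaviour described earlier in the thread.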


  • Trolleybus Mechanic

    Ignoring what hypothetically should or shouldn't work, why do you want to have both networks be 192.168.1/24? I'd think to help with future diagnosis you'd want them separate just so you can immediately tell what's coming from where in a context where you may not have hostnames.


  • Notification Spam Recipient

    @izzion said in Double NAT, but I have no need to access the inner NAT:

    Then you're trying to bridge the two networks, and basically make the office router a dumb switch. At which point you'll only have single NAT and everything can talk to everything.

    The opposite. The office network should have no knowledge or care about the home network; it should assume its WAN port is directly connected to the Internet.

    @izzion said in Double NAT, but I have no need to access the inner NAT:

    So if it has traffic for 192.168.1.2, that matches the directly connected route for the LAN interface -- the router looks in its ARP table (and sends an ARP request if needed) to find out what device actually has 192.168.1.2, and then uses the MAC address information to forward the packet to the correct device.

    Right, operation as normal, it knows what's inside its own network, and should not assume that IPs inside its subnet could be found on the WAN side.

    @izzion said in Double NAT, but I have no need to access the inner NAT:

    If the router has two interfaces connected with the same network, it won't know where to send the ARP requests to.

    :butwhy.png: They're not connected to the same network and aren't configured to pretend to be the same network (except for the fact that they happen to have the same information).

    For all intents and purposes it should have the LAN side be the "authoritative" scope for that interface, and should not have any question "where to send the ARP to" since it should not care what the other interface is doing.

    @izzion said in Double NAT, but I have no need to access the inner NAT:

    you have to fix the overlap.

    That's the main point: I want the office network to be completely ignorant that there might even be overlap. It should not care that the WAN IP is 1.2.3.4, 10.0.245.9, 127.99.121.91, or 192.168.1.2, up to and until it gets sent a packet for routing outside its known scope. And even if it does get a packet destined for the LAN subnet (which so happens to overlap apparently with the WAN subnet) it should always prioritize the LAN interface in all things.

    @ObjectMike said in Double NAT, but I have no need to access the inner NAT:

    Ignoring what hypothetically should or shouldn't work, why do you want to have both networks be 192.168.1/24? I'd think to help with future diagnosis you'd want them separate just so you can immediately tell what's coming from where in a context where you may not have hostnames.

    To avoid having to reconfigure a dozen machines (on either side).

    It's not impossible, just very arduous as lots of things are hardcoded in sundry places.
    If I can just have it work as described, I don't have to touch anything except one device (the router) and move on with fuckery elsewhere.
    And in theory this situation won't be permanent at all (famous last words) so spending significant effort to rejigger the network for this seems... well, where's that chart...


  • Notification Spam Recipient

    Status: Massaging frustration levels.

    So, attempting to go the VLan route to create a bogus hop to obfuscate that there's two networks overlapping (essentially, creating a 192.168.2.1/28 network just for the office WAN port).

    Telling the main router to do this seemed somewhat straightforward, create a new VLan interface, assign it as an interface, give it an IP and tell it to provide DHCPv4, all good so far.

    Go to the office router, tell it the WAN port should be VLan tagged and connect it.... all hell breaks loose.

    Remember when I said the IDS was freaking out that the network's gateway changed? Well now dd-wrt decided the WAN port should be a LAN port (I did NOT check that option) and everything broke.

    So yeah, not super excited.

    What the shit? VLan is supposed to explicitly isolate networks, not force them to become one! :angry:


  • Java Dev

    @Tsaukpaetra If you're assigning the vlan to the port, is the traffic even still vlan-tagged on that cable? If there's no dumb switches between the two routers, there probably doesn't need to be.



  • @Tsaukpaetra I don't think you technically need a VLAN for that even, since the main router will know which port the traffic is coming from. You should just be able to tell that anything on that interface gets DHCP addresses from a different pool (and potentially has some separation between the networks / separate NAT and so on).

    Alternatively, it might even be possible to turn your 192.168.1.0/24 into 192.168.0.0/23 (assuming that /23 is a thing). That should give you the range from 192.168.0.0 -> 192.168.1.255. Tell your outside router to use 192.168.0.X for the inside router (based on MAC or so). That way it'll get an address that isn't in its inner 192.168.1.x network.


  • Discourse touched me in a no-no place

    @cvi said in Double NAT, but I have no need to access the inner NAT:

    @Tsaukpaetra I don't think you technically need a VLAN for that even, since the main router will know which port the traffic is coming from. You should just be able to tell that anything on that interface gets DHCP addresses from a different pool (and potentially has some separation between the networks / separate NAT and so on).

    Alternatively, it might even be possible to turn your 192.168.1.0/24 into 192.168.0.0/23 (assuming that /23 is a thing). That should give you the range from 192.168.0.0 -> 192.168.1.255. Tell your outside router to use 192.168.0.X for the inside router (based on MAC or so). That way it'll get an address that isn't in its inner 192.168.1.x network.

    I can't remember if /23 or /25 would be the right option here for the inner net, but you want outer and inner addresses to be different when the mask is applied so that the routing hardware doesn't get confused. Fancy routers have big CAMs to take complex decisions with, but consumer-grade stuff will have just simple masking.


  • Java Dev

    @cvi said in Double NAT, but I have no need to access the inner NAT:

    Alternatively, it might even be possible to turn your 192.168.1.0/24 into 192.168.0.0/23 (assuming that /23 is a thing). That should give you the range from 192.168.0.0 -> 192.168.1.255. Tell your outside router to use 192.168.0.X for the inside router (based on MAC or so). That way it'll get an address that isn't in its inner 192.168.1.x network.

    That would mean the inner router still sees broadcast traffic on its outer interface which belongs to its inner subnet.



  • @PleegWat said in Double NAT, but I have no need to access the inner NAT:

    That would mean the inner router still sees broadcast traffic on its outer interface which belongs to its inner subnet.

    Yeah, I guess that might cause some confusion, since that broadcast traffic might be for stuff that isn't actually on the inner network. Didn't think of that.
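Added example, not code from any poster in this thread: a check, using Python's `ipaddress` module, of the three uplink-addressing plans floated above (the /23 supernet, the "/23 or /25" alternative, and a separate 192.168.2.0/28 link). For each plan it reports whether the outer and inner networks overlap, whether the outer network's broadcast address is also an inner LAN address (the collision PleegWat describes: with 192.168.0.0/23 outside and 192.168.1.0/24 inside, both broadcast to 192.168.1.255), and which part of the outer range the outer DHCP server could hand to the office WAN port without landing inside the inner LAN. The /25 reading is an assumption about what that remark meant (shrink the inner LAN to 192.168.1.0/25 under an unchanged /24 outside).

```python
import ipaddress


def check_uplink_plan(outer_cidr, inner_cidr):
    """Compare the network offered on the office router's WAN side (outer)
    with the office LAN (inner) and report the properties that matter."""
    outer = ipaddress.ip_network(outer_cidr, strict=False)
    inner = ipaddress.ip_network(inner_cidr, strict=False)
    nested = inner.subnet_of(outer)
    if nested:
        # Outer addresses that are NOT also inner LAN addresses: the only
        # part of the outer range the office WAN port can safely be given.
        pool = sorted(outer.address_exclude(inner))
    else:
        pool = [outer]
    return {
        "overlaps": outer.overlaps(inner),
        "inner_inside_outer": nested,
        "outer_broadcast": str(outer.broadcast_address),
        "inner_broadcast": str(inner.broadcast_address),
        # Broadcasts on the outer segment that also look like inner LAN
        # traffic arrive on the WAN port and confuse the inner router.
        "broadcast_collides": outer.broadcast_address in inner,
        "safe_uplink_pool": [str(n) for n in pool],
    }


def wan_address_is_safe(wan_ip, inner_cidr):
    """A WAN address is safe only if it does not fall inside the inner LAN."""
    return ipaddress.ip_address(wan_ip) not in ipaddress.ip_network(inner_cidr, strict=False)


if __name__ == "__main__":
    # Constructed plans taken from the suggestions in the thread.
    plans = [
        ("supernet /23", "192.168.0.0/23", "192.168.1.0/24"),
        ("shrink inner to /25", "192.168.1.0/24", "192.168.1.0/25"),
        ("separate /28 link", "192.168.2.0/28", "192.168.1.0/24"),
    ]
    for label, outer, inner in plans:
        print(label)
        for key, value in check_uplink_plan(outer, inner).items():
            print(f"  {key:20} {value}")
    print("WAN 192.168.0.5 safe:", wan_address_is_safe("192.168.0.5", "192.168.1.0/24"))
    print("WAN 192.168.1.2 safe:", wan_address_is_safe("192.168.1.2", "192.168.1.0/24"))
```

Only the separate /28 link comes out with no overlap at all; the /23 plan keeps the WAN address out of the inner LAN but shares the broadcast address, and the /25 plan avoids the broadcast collision yet still overlaps on half of the range.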


  • Considered Harmful

    @Tsaukpaetra, why are you not using 172.16.x.x? That has space for all your previous local nets and is still a local net.


  • Notification Spam Recipient

    @PleegWat said in Double NAT, but I have no need to access the inner NAT:

    @Tsaukpaetra If you're assigning the vlan to the port, is the traffic even still vlan-tagged on that cable? If there's no dumb switches between the two routers, there probably doesn't need to be.

    Yeah that's a big problem as the office router is technically behind (counts....) three dumb switches?

    And I'm not going to move half a rack's worth of Shit into the front room just for this project...

    @cvi said in Double NAT, but I have no need to access the inner NAT:

    @Tsaukpaetra I don't think you technically need a VLAN for that even, since the main router will know which port the traffic is coming from. You should just be able to tell that anything on that interface gets DHCP addresses from a different pool (and potentially has some separation between the networks / separate NAT and so on).

    Yeah, I think I'm too far separated for that to work. Even though I do have an unused port on the home router, I'm not running another 60 meters of Ethernet for this.

    Alternatively, it might even be possible to turn your 192.168.1.0/24 into 192.168.0.0/23 (assuming that /23 is a thing). That should give you the range from 192.168.0.0 -> 192.168.1.255. Tell your outside router to use 192.168.0.X for the inside router (based on MAC or so). That way it'll get an address that isn't in its inner 192.168.1.x network.

    Eww. Sorry, that seems worse.

    @Gribnit said in Double NAT, but I have no need to access the inner NAT:

    @Tsaukpaetra, why are you not using 172.16.x.x? That has space for all your previous local nets and is still a local net.

    Precedence. Both of these networks started out two decades and a decade ago on consumer hardware.


  • Notification Spam Recipient

    status: well, I guess it's time to just fuck the office network and see who complains when Shit breaks.

    Oh wait, that will be me.

    I suppose having the entire office be mad at me isn't so bad when all parties are one and I can just pile on a week's worth of self hatred, right?


  • Notification Spam Recipient

    @Tsaukpaetra said in Double NAT, but I have no need to access the inner NAT:

    status: well, I guess it's time to just fuck the office network and see who complains when Shit breaks.

    Oh wait, that will be me.

    I suppose having the entire office be mad at me isn't so bad when all parties are one and I can just pile on a week's worth of self hatred, right?

    Status: network fuckery finished. The office network is mostly happily running in 10.0.10?0/23, and the office router has been officially welcomed into the home network.

    I'm rather surprised how smoothly moving the domain controllers went. Most everything else was a save configuration and reboot everything at once.

    Now to figure out why the build VMs aren't pinging Jenkins (probably DNS fuckery hasn't updated yet) and in theory I have a


  • Trolleybus Mechanic

    I misread your original post. For some reason when you wrote "office network" I thought that meant you separated the network for your gaming and phone wifi from your WFH/personal project network.

    After rereading it looks like you're hosting your workplace's network within your home network? Why...?


  • Notification Spam Recipient

    @ObjectMike said in Double NAT, but I have no need to access the inner NAT:

    you're hosting your workplace's network within your home network? Why...?

    Because the office space no longer exists and I currently hold what little equipment we managed to recover. 🙃

    The rest of the shit is being held by the place's owner because "show me the contract for this stuff and I'll let you have it" or someshit like that.