Double NAT and other networking question

Pagelift

macrumors newbie
Original poster
Sep 14, 2019
I have a very hard time understanding the different network devices and how they communicate, so please forgive me in advance if I say stupid things.

I would like to add an extra router/AP to my ISP’s modem only to add an extra firewall, so my ISP or guests connected to the main modem cannot see which other devices are on my network. I know I can avoid the guest part by simply creating a guest network, but I still don’t like the fact that I can see all my devices when I login to my ISP’s website. I like to think of the firewall as an extra layer of privacy, something I crave very much.

Right now my setup is my ISP’s modem, extended with a powerline for ethernet cable access upstairs and an Airport Extreme 5th gen connected to that. The Airport Extreme is set to bridge mode because I can’t turn off DHCP and NAT settings in my ISP’s modem and otherwise I end up with double NAT. Unfortunately the AE’s firewall does not work in bridge mode, so it’s not really giving me any advantage over the wifi powerline except for the extra WAN ports.

What I need is some device that can still give me an extra firewall without the double NAT issue. It should have at least 2 WAN ports for wired devices. I also want to SSH into my Raspberry Pi. I've been doing that from my local network for a while, but I want to be able to do it from anywhere in the world, so I think I need to be able to set static IPs. What device do you think will suit me best?

556fmjoe

macrumors 68000
Apr 19, 2014
Are you sure you can't turn off NAT and DHCP on the modem? What model is it?

If it's really that locked down, I would look into replacing the ISP modem with your own, then get a quality router/firewall of your choice to run behind it.

Pagelift

macrumors newbie
Original poster
Sep 14, 2019
> Are you sure you can't turn off NAT and DHCP on the modem? What model is it?
>
> If it's really that locked down, I would look into replacing the ISP modem with your own, then get a quality router/firewall of your choice to run behind it.
I looked it up and it's not possible to do that. It's a combined device and I would have to trade it for a modem only, but then I would also lose hotspot access over the whole country because I don't run one myself.

So maybe I should rephrase my question: is there a way to add an extra firewall if you can't turn off DHCP and NAT in your first modem?

BTW the device is a Compal CH6643, but it runs custom firmware for my ISP (Telenet Belgium).

Pagelift

macrumors newbie
Original poster
Sep 14, 2019
Someone advised me to use my ISP's modem DMZ, but I'm not sure if I understand this correctly. If I get it right, that demilitarized zone can be compared to opening up all ports to an internal IP, correct? There would be no firewall working on the first modem at all?

This brings some questions to mind:

- will this solve my double NAT issue or will I still have double NAT while using this DMZ?
- would the firewall of my 5th gen AE be more secure than the one of my own ISP?

What I wanted was 2 firewalls, don't ask me why, I thought that 2 would be better/more secure than 1. I'm starting to see that I'm probably better off with one good firewall.

Howard2k

macrumors 68030
Mar 10, 2016
> I still don’t like the fact that I can see all my devices when I login to my ISP’s website. I like to think of the firewall as an extra layer of privacy, something I crave very much.

Please can you explain this part.

I don't think a firewall is what you need. And I'm not sure at all how double NAT would help you. We might be putting the cart before the horse.

I think your objective is to have a guest network.
I think you're also concerned about having the guests be able to see you despite the alleged logical separation of traffic.

Fundamentally, you need to consider whether you want people on your network who you don't trust.
But let's say that you do want people who you completely distrust to use your network for some reason, you could do it pretty easily. It sounds like a regular router/AP (which will act as a firewall) between you and the ISP router would do the trick. It would be almost plug and play. But again, without more details it's difficult to provide specifics. But again, if you absolutely distrust them, why have them on your network?


Perhaps a better idea is to use a VPN session for sensitive traffic? Or just don't let them on your network, keep it closed.

Pagelift

macrumors newbie
Original poster
Sep 14, 2019
> Please can you explain this part.

Well I don't even want my ISP to see what is going on on my LAN, how many and which devices are connected. It's easy to hide it from guests, as you stated, with a guest network, but I don't see any other way to hide them from my provider than using a separate firewall?

Howard2k

macrumors 68030
Mar 10, 2016
> Well I don't even want my ISP to see what is going on on my LAN, how many and which devices are connected. It's easy to hide it from guests, as you stated, with a guest network, but I don't see any other way to hide them from my provider than using a separate firewall?

I don't mean to insult your networking knowledge, but do you know if this is at layer 2 or layer 3? IP or MAC address?
Please can you describe your setup a little more.

Pagelift

macrumors newbie
Original poster
Sep 14, 2019
No worries, I know my networking knowledge is zero and I'm probably wording it in a bad way. I have no clue if it is layer 2 or 3.

What I can say is that I can't configure their modem 'the usual way' by navigating to 192.168.0.1 in a browser and entering credentials, I have to do all of it on their website. There I can see all the devices connected on my network:



I really don't like that. I only want them to see their Digicorder, which is a DVR, and my router, not all the devices connecting to my router. I understand that this is happening because my router is in bridge mode, but if I put it in DHCP and NAT mode (to hide all other devices from my ISP) I end up with double NAT, since there's really no way to turn off that option in my ISP's modem. I guess that's why someone else came up with the solution to use DMZ for it. It might be a viable solution. My other devices would be hidden from my ISP's prying eyes and also secure, since the AE is still getting updates.

Howard2k

macrumors 68030
Mar 10, 2016
Thanks. In your list of devices are they all the same in the third number of the IP address? So all 192.168.1.x or all 192.168.0.x, but you don't have a mix of 192.168.1.x and 192.168.0.x. Is that right?
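Two checks that make the questions in this thread concrete, as an added example (not posted by anyone in the thread): whether a list of LAN addresses all sit in one /24 (the "same third number" question above), and whether the address a router receives on its WAN port is itself a private or carrier-shared address, which is the usual sign of double NAT. The sample addresses are constructed.

```python
"""Added example: spot double NAT and check LAN subnet membership."""
import ipaddress

# RFC 1918 private ranges: a router whose WAN address falls in one of these
# is sitting behind another NAT device (double NAT).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# RFC 6598 shared range: the ISP itself is doing carrier-grade NAT.
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")


def classify_wan(addr: str) -> str:
    """Return 'double-nat', 'cgnat', 'public' or 'other' for a WAN address."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in PRIVATE_NETS):
        return "double-nat"
    if ip in CGNAT_NET:
        return "cgnat"
    if ip.is_global:
        return "public"
    return "other"  # loopback, link-local, unspecified, etc.


def same_subnet(addrs, prefixlen: int = 24) -> bool:
    """True when every address belongs to one network of the given prefix length."""
    networks = {ipaddress.ip_interface(f"{a}/{prefixlen}").network for a in addrs}
    return len(networks) == 1


if __name__ == "__main__":
    # Constructed sample: devices as they might appear in the ISP's device list.
    lan = ["192.168.0.10", "192.168.0.22", "192.168.0.35"]
    print("single /24:", same_subnet(lan))
    # Constructed sample: what a second router behind the ISP box would receive.
    print("AE WAN 192.168.0.20 ->", classify_wan("192.168.0.20"))
    # Constructed sample: a publicly routable address (not a real assignment).
    print("WAN 81.82.83.84 ->", classify_wan("81.82.83.84"))
```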

Howard2k

macrumors 68030
Mar 10, 2016
Ok cool, so what you're seeing is just the way that networks work.

If security is your key concern you're looking in the wrong place. But all the same, to continue down this path you would purchase a router/ap/firewall device (your routine Dlink, NetGear etc at your local electronics store) and then run a cable from the WAN port of the new router to the LAN port of the ISP provided device. I assume the ISP device has multiple LAN ports and spare capacity, but if not you can purchase a switch.

This does basically nothing for security. It does provide some security against your guests accessing your data, but I have to think that's low risk.

If you're concerned about your guests, don't give them a password to even your guest network.

If you're concerned about your ISP, run a client side VPN like NordVPN. That will make your traffic unidentifiable to your ISP while the VPN connection is active. There may be a slight performance hit.

Pagelift

macrumors newbie
Original poster
Sep 14, 2019
I already have NordVPN, but I’m not worried about unencrypted traffic, I really don’t want my ISP to see how many devices are on my network, all their MAC addresses etc. It’s none of their business, that’s what I mean.

The only way I was able to achieve that is by putting the AE in DHCP and NAT mode and connecting all devices to the AE.

Howard2k

macrumors 68030
Mar 10, 2016
> I already have NordVPN, but I’m not worried about unencrypted traffic, I really don’t want my ISP to see how many devices are on my network, all their MAC addresses etc. It’s none of their business, that’s what I mean.
>
> The only way I was able to achieve that is by putting the AE in DHCP and NAT mode and connect all devices to the AE

It's a non-issue. Your ISP seeing your devices in this configuration is the way the network works. You can still prevent them from doing so by placing an additional router in between. You can go and buy a router/AP device and connect the WAN port on that to a LAN port on your ISP router. Then you use that new device as your wireless and wired Internet access point.

Nothing to gain by doing that as far as I can tell. You're just adding cost and complexity, and degrading performance at the same time. But certainly it's possible to do.

If you want to ensure your ISP cannot see your guest network then buy a second router/AP to keep your guest network physically separate from your home network. So both router/APs would have their WAN ports connected to LAN ports on the ISP router.

Again, I recommend you don't. :)

And you can do all of this on your AE of course. It's this unnecessary complexity that is causing your issues I believe.

satcomer

macrumors 603
Feb 19, 2008
The Finger Lakes Region
The general NAT rule is that the router closest to the modem should be the one router to run NAT (Network Address Translation) in a network! All routers behind that NAT router should have NAT turned OFF (old Airport/Time Capsule routers call it “Bridged Mode” to turn NAT off).

DoFoT9

macrumors P6
Jun 11, 2007
Singapore
With the right hardware, you will be able to do this with 1 device. I personally make use of UniFi USG products (Firewall + Switch) with selected VLANs in place to segregate the network.

For example, I have a VLAN + WiFi network that has an ExpressVPN ‘always on’ connection for certain streaming sites that I use. The same premise can be extrapolated to your case for example with the private WiFi networks and whatnot.