[colug-432] modems routers switches Oh my!

Chris Anderson canderson at foxtwo.net
Sun Aug 7 15:21:57 EDT 2011

Double-NAT is especially bad when you are using 2-way connectionless
protocols like IPSEC, GRE, UDP, etc. Most applications use TCP and, as a
result, don't have a problem with it. I regularly see double-NAT situations
these days, as many ISPs distribute their modems in routed mode. Many cable
modems aren't configurable by the end user, so to have one "bridged" you have
to call in to the ISP and have them do it.

One real-life example of issues with double NAT is -- as I mentioned above
-- IPSEC. In deploying IPSEC VPN routers for remote employees, I've found
that double-NAT causes problems with the ISAKMP key re-negotiation process,
which ends up making the routers need to be restarted to re-establish after
a key change (every six hours, for example). This results in a need to power
cycle equipment every 6 hrs.

A lot of software these days takes advantage of SSDP support in routers to
open up ports. This will happen for the router closest to the application,
but not the one that is actually out in front. When forced to use 2 NATs I
usually end up putting the second router in the "DMZ" of the one out "in
On Sun, Aug 7, 2011 at 1:04 PM, Vince Herried <vince at planetvince.info> wrote:

> *I'm not a networking expert.*
> Every now and then I get consulted about a home network and lately it
> seems that there are two routers involved.
> In the latest example a person has a cable modem (Motorola SB5100) /
> router connected to a Vonage box, then connected to another router.
> She wants to dump her router and buy one with more ports. At present
> no WIFI is involved. I suggested a switch or even a hub rather than
> another router.
> I sent them following image.
> https://docs.google.com/drawings/d/1mw66Z8FzkwC8O8AGVmRmRBJ3mpUt_uqqoBhE7yyliBQ/edit
> Modem -> Vonage -> Router ( assuming connected to WAN port) -> devices....
> So what is going on here,  I have always thought that having two routers in
> series was bad!
> The manual for the SB5100 shows a simple graphic showing the output
> plugged into a switch or hub with up to 32 devices, so
> obviously it is a router (with a single RJ45 output). Apparently there
> is no web interface to this SB5100.
> What kind of real-life issues are there when you have two NATs going on at
> the same time?
> Obviously it can't be as bad as I thought, because it has been running that
> way for years.
> BTW: My system topology is modem/router -> LAN port of a WIFI router
> (DHCP disabled) -> switch (I ran out of ports),
> approximately like this graphic.
> https://docs.google.com/drawings/d/1--ib9LAZ-yvVw8BXlv2tHhp8COXM5aE5dwC-mPoUskU/edit?authkey=CKOCot4D&hl=en_US
> Do manufacturers continue to make modem/routers with a single port, which
> seems to encourage this misuse?
> We can't expect the home user to, gasp, read the owner's manual, can we?
> Anyone have any real-life explanations of problems caused by two NATs?
> ----
> I just ordered a new fancy WIFI box with a bunch of goodies (router of
> course, bit torrent, uPnP, FTP, ...).
> I guess I'm just going to have to bite the bullet and see what I can break
> by misconfiguring it. (router -> another router -> devices)
> If I'm all wet, let the flames arise.
> --
> Vince Herried
> Vince at planetvince.info
> _______________________________________________
> colug-432 mailing list
> colug-432 at colug.net
> http://lists.colug.net/mailman/listinfo/colug-432
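The check a practitioner would want before touching either router is to find out whether the home router's WAN address is actually public, because that single fact decides whether port forwarding, UPnP/SSDP mappings, or an IPsec peer behind the router can ever work. The Python below is an added example written for this page; it is not code from the thread, from COLUG, or from any vendor. It classifies a router's WAN address (public, RFC 1918 double-NAT, or RFC 6598 carrier-grade NAT) and, as a second line of evidence, parses `traceroute -n` / `tracert` output and counts the non-routable hops in front of the host. The traceroute text and all addresses in it (192.168.1.1, 10.0.0.1, the TEST-NET 203.0.113.17, and the hypothetical router WAN address 10.0.0.5) are constructed for the example, not captured from a real network.

```python
import ipaddress
import re

# Address ranges that never appear on the public Internet. If a router's
# WAN interface holds one of these, something upstream is translating
# for it: either a modem in routed mode (double NAT) or the ISP's
# carrier-grade NAT pool (RFC 6598, 100.64.0.0/10).
PRIVATE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")


def is_nat_side(ip: str) -> bool:
    """True if ip is an IPv4 address that can only exist behind some NAT."""
    addr = ipaddress.ip_address(ip)
    return addr in CGNAT_NET or any(addr in net for net in PRIVATE_NETS)


def classify_wan_address(wan_ip: str) -> str:
    """What the router's WAN (Internet-side) address implies about NAT layering.

    'public'     - the router holds a real Internet address; a single NAT.
    'double-nat' - an RFC 1918 address; another NAT device (typically the
                   modem in routed mode) sits between this router and the ISP.
    'cgnat'      - an RFC 6598 address; the ISP itself is translating, so no
                   port forwarding on local gear will expose a service.
    """
    addr = ipaddress.ip_address(wan_ip)
    if addr in CGNAT_NET:
        return "cgnat"
    if any(addr in net for net in PRIVATE_NETS):
        return "double-nat"
    return "public"


# One traceroute hop line in either Linux (`traceroute -n`) or Windows
# (`tracert`) layout: a hop number, then the first IPv4 address on the line.
# Hops that only show '* * *' carry no address and are skipped.
HOP_RE = re.compile(r"^\s*(\d+)\s+.*?(\d{1,3}(?:\.\d{1,3}){3})")


def parse_traceroute(text: str) -> list:
    """Return [(hop_number, ip), ...] for the hops that answered."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), m.group(2)))
    return hops


def leading_nat_side_hops(hops) -> int:
    """Count hops with non-routable addresses before the first public hop.

    Each such hop is a router on the private side of some NAT, so this is an
    upper bound on the number of NAT layers in front of the host (a private
    hop could also be a plain router inside the ISP that does not translate).
    The WAN-address check above is the authoritative test for the home router.
    """
    n = 0
    for _, ip in hops:
        if not is_nat_side(ip):
            break
        n += 1
    return n


# Constructed sample output (not a real capture): the home router at
# 192.168.1.1, then a modem in routed mode handing out 10.0.0.0/24 on its
# LAN side, a silent hop, then the first public hop (a TEST-NET-3 address).
SAMPLE_TRACE = """\
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  192.168.1.1  0.412 ms  0.388 ms  0.371 ms
 2  10.0.0.1  1.034 ms  1.020 ms  1.009 ms
 3  * * *
 4  203.0.113.17  9.851 ms  9.834 ms  9.815 ms
"""

if __name__ == "__main__":
    hops = parse_traceroute(SAMPLE_TRACE)
    print("hops:", hops)
    print("nat-side hops before first public hop:", leading_nat_side_hops(hops))
    # Hypothetical WAN address the home router got from the modem's DHCP.
    print("router WAN 10.0.0.5 ->", classify_wan_address("10.0.0.5"))
```

Read the WAN address off the home router's status page (or from the DHCP lease it took from the modem) and pass it to `classify_wan_address`; run `traceroute -n` to any public address from a LAN host and pass the output to `parse_traceroute`. A result of `double-nat` is the situation the post describes: a UPnP or SSDP mapping created by an application lands on the inner router's WAN address (here in 10.0.0.0/24), which the modem in front never forwards, and a remote IPsec peer sees the modem's address rather than the router's. In that case the fix is the one in the post: bridge the modem, or, failing that, put the inner router in the outer device's DMZ. A result of `cgnat` means neither of those helps, because the translation happens at the ISP.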
