Firewalla Gold (FWG) with double NAT situation. Need feedback

I live in a rural community and have a rural ISP where I know the owner. I have two family members in my neighborhood and the ISP was nice enough to offer a custom service.

  • All 3 houses are on a private network together with 1gb private network (backups, Plex, etc)
  • Shared (~tripled) internet speed
  • Enterprise level router/firewall (Juniper I believe) with DHCP enabled

Previous to this setup, I was running the FWG in router mode and it was flawless. I used a Netgear Orbi RBK20 setup in AP mode with little issue.

Since the new virtual LAN setup, we are supposed to turn off router mode on our routers and switch to bridge/AP mode to prevent a Double NAT environment. However, for over a month, I’ve left the Double NAT and I’ve primarily only seen issues with my corporate VPN client (Sonicwall Global VPN) - it slowly becomes slow to nearly zero bandwidth. I assume it is the Double NAT. Resetting the VPN client restarts the VPN speed for a while. This VPN issue is probably enough for me to finally do away with the Double NAT.

One other issue, which just materialized in last 7 days, the Orbi RBS20 satellite APs will lose internet connectivity but keep wifi. Everything wired on my network is fine. I assume this is a double-nat issue but I’ve seen Orbis really act up on other networks while the Orbi Router/APs are in AP mode instead of Router.

MY TOPOGRAPHY:

  • ISP Juniper Router with DHCP on for my home network (290mbit / 290mbit)
    • FWG in Router mode (with DHCP on)
      • 24 Port managed switch set to all defaults
      • -- Home ethernet network (Synology NAS, cameras, doorbell, PCs, TV stream boxes, PS5, Switch, Onkyo AVR, etc)
      • Netgear Orbi RBR20 wifi router in AP mode
      • -- all wifi devices

SOLUTIONS

  1. FWG in Simple mode. However, I’d lose some of the features I currently use.
    1. Adblock
    2. Smart Queue (Not as important now since I share bandwidth with 2 other houses - I am working with ISP to add policies for QoS)
  2. Add a switch before the FWG. Move the one affected PC to the switch to bypass the FWG’s double NAT. But, then I’d probably lose access to the other devices on my network from that PC, which is my primary daily use PC (cameras, NAS, Orbi web portal, etc.)
  3. Leave the Double-NAT and enjoy most/all of the FWG features (maybe FWG-specific VPN stuff is out?) And, be prepared to deal with nearly impossible to diagnose network issues :slight_smile:

Ultimately, it seems I need to try SIMPLE MODE on the FWG and see how I like it. I’m sure it will be okay and I probably won’t miss Adblock too much. I’ve thought about asking my ISP if there was a way for my vlan to not have DHCP on somehow but I don’t think that is possible. My ISP offered to create a “profile” for me to be able to login to the ISP router which would provide me access to unknown functionality.

Am I missing something with my FWG? Is SIMPLE MODE the only good option?

Since they are your friend, see if they’ll DMZ your connection, and that I think will give you full access to all firewalla features and not be double NATd.

You can also change your IP just to be double sure (make it out of the scope of your ‘ISP’ WAN address when you plug it in).

Also also…just do it, and see what happens? I was double NATd for years and never really had any problems.

First, you really don’t need simple mode.

The Orbi problem is likely just a WiFi problem (since you said wired connections work). What you will need to check is if you are doing wireless or wired backhaul correctly (meaning, do you need to wire the child AP unit to the parent’s LAN).

Double NAT in general is not that bad. For your VPN usage, have you looked at NAT Passthrough? (Network button->NAT settings->NAT Passthrough)

Having a router/firewall with your upstream is actually more beneficial to you than either simple or bridge mode. (I assume your neighbors are sharing the same network space.)

But, in case you can’t use router mode, bridge mode is probably the next best; simple mode may be a bit more intrusive, if you load it up on a shared router.

I’ll discuss your suggestion with him. Issue may come up as we have 3 homes interconnected through the ISP router with 1gbit between homes. If he DMZ’s us, we’d each need a Firewalla. (Not a terrible idea). If DMZ’d just my IP range - maybe that could work.

I’ve been double NAT’d for a month and mostly all is good. Even PlayStation 5 and GeforceNow streaming games.

My Sonicwall corp VPN client now seems to slow my internet download speeds to a crawl after some amount of time while vpn is active. Odd. I can restart vpn client and it works okay for a bit. I ran a TCP optimizer windows app and it magically fixed my vpn speed issues. Before, my general non-vpn routed traffic would slow but now it works much better. We’ll see how it goes.

Thank you for the quick response!

My neighbors are on the same subnet but different VLAN.

Subnet: 255.255.254.0

  • MY HOME: 10.120.0.1-254 (static IPs), 10.120.1.1-254 (dynamic IPs)
  • NEIGHBOR #1: 10.130.0.1-255, 10.130.1.1-255
  • NEIGHBOR #2: 10.131.0.1-255, 10.131.1.1-255

NAT Passthrough - I will try that! Excellent.

Orbis are all connected via wireless backhaul right now. Earlier today, I did have one hardwired but I have disconnected it as it always seemed to be a problem. I was also using an unofficially supported 4 APs connected to my RBR20 which has an official max of 3 APs. However, many on the internet claim to be able to run 4 to 6 just fine but maybe they were ethernet backhauled. As of today, I only have 3 APs connected. I can look into hard-wiring but I didn’t put ethernet in very opportunistic locations for spreading out the APs properly. Doh!

The 10.130.x.x house VLAN is where Plex is and they are single NAT using the 10.130.x.x IPs. Plex works great at all our homes now even though the other two are Double-NAT. There is no current reason for the 10.130.x.x VLAN to access the Double-NAT networks - I’m not sure if that is possible.
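The reply above suggests picking a Firewalla LAN range that is out of scope of the ISP-side WAN address, and the post above gives the three house VLANs behind a 255.255.254.0 mask. The following is an added example, not code from the thread or from Firewalla, that checks a candidate FWG LAN subnet against those upstream ranges for overlap (overlapping ranges are the classic cause of unreachable hosts in a double-NAT setup); the candidate subnets are constructed for illustration.

```python
import ipaddress

# Upstream VLANs as described in the thread: mask 255.255.254.0 (/23),
# one /23 per house. The home VLAN spans 10.120.0.1-10.120.1.254.
ISP_HOME_VLAN = ipaddress.ip_network("10.120.0.0/255.255.254.0")
NEIGHBOR_VLANS = [
    ipaddress.ip_network("10.130.0.0/23"),
    ipaddress.ip_network("10.131.0.0/23"),
]
UPSTREAM_VLANS = [ISP_HOME_VLAN] + NEIGHBOR_VLANS


def vlan_span(net):
    """First and last usable host of a network, as strings."""
    hosts = list(net.hosts())
    return str(hosts[0]), str(hosts[-1])


def which_vlan(addr):
    """Return the upstream VLAN (as a string) that contains addr, or None."""
    ip = ipaddress.ip_address(addr)
    for net in UPSTREAM_VLANS:
        if ip in net:
            return str(net)
    return None


def check_fwg_lan(fwg_lan):
    """Report whether a candidate FWG LAN subnet clashes with any upstream VLAN.

    The FWG sits between its LAN and the ISP /23 on its WAN side; if the LAN
    range overlaps an upstream range the FWG cannot distinguish a local host
    from an upstream one, so routing to those hosts silently breaks.
    """
    lan = ipaddress.ip_network(fwg_lan, strict=False)
    clashes = [str(n) for n in UPSTREAM_VLANS if lan.overlaps(n)]
    return {"lan": str(lan), "ok": not clashes, "clashes": clashes}


if __name__ == "__main__":
    # Constructed candidates: one inside the ISP home VLAN, one private range outside it.
    for cand in ("10.120.1.0/24", "192.168.50.0/24"):
        print(check_fwg_lan(cand))
    print(which_vlan("10.130.0.77"))  # the Plex house VLAN
```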

I’d go back to what’s recommended by orbi and make sure that’s running stable first. I know when things are meshed, it may be tricky to backhaul more than what’s intended.

Also, if you can access each other’s resources, you should think about firewalling off the others using Firewalla (or tell your ISP to do something).