Double NAT Apartment Building


Double NAT Apartment Building

Posted on Wed Jul 03, 2013 9:41 pm

I live in an apartment building that provides "free" internet along with the rent.

Previously I had been using a separate router for my apartment, but this led to a double NAT issue and slower speeds. Recently, I replaced the router with a switch to avoid the double NAT problem and set the router up as a wireless access point. This, however, means that it is possible (but unlikely) that other tenants will attempt to access my network.

I really like using the switch because I get much faster speeds and the network is more reliable, but I don't like the idea of having my network open to the rest of the building. What can I do to limit access to my network while preserving these speeds?
kumori
Gerbil Team Leader
Silver subscriber
 
 
Posts: 282
Joined: Sun Dec 18, 2011 12:11 am

Re: Double NAT Apartment Building

Posted on Wed Jul 03, 2013 11:15 pm

You want to use a firewall, but I'm not sure how to do that without adding another layer of NAT.
Canon 6D||[24-105/4L IS USM|100/2.8L Macro IS USM|70-300/4-5.6 IS USM|40/2.8 STM|50/1.4 USM|85/1.8 USM|Samyang/Bower 14/2.8 Full-Manual Rectilinear Wide-angle|
Canon EOS-M|11-22/4-5.6 IS STM|22/2 STM|EF-M 18-55/3.5-5.6 IS STM|
For sale!|24/2.8 IS USM
|
Airmantharp
Gerbil Elder
 
Posts: 5005
Joined: Fri Oct 15, 2004 10:41 pm

Re: Double NAT Apartment Building

Posted on Thu Jul 04, 2013 5:22 am

Are you using Windows?

If I understood the situation correctly, you have a LAN in this apartment building already. You're just plugging your PC into it and it's assigned an IP address and so on? I guess if anyone on the LAN was remotely aware of how networking goes, they could access files, home shares etc...

Either firewall your PC, and turn off network sharing services and make sure your machine has a password. Failing that (or if you're connecting various devices), look into buying a more sophisticated managed network switch or access point from someone like Cisco?

You can apply a hardware firewall at the switch level, as well as MAC address filtering on top of that. They should not slow down your actual throughput, and at the very worst just increase latency by a few milliseconds?
Mini Beast - Intel C2QE QX9770 (4.2 Ghz) | Gigabyte X48T-DQ6 | 8GB DDR3 1066 | KFA2 GTX 750 Ti | Seagate 2TB SSHD
Mega Beast - AMD FX-8350 (4.7 Ghz) | Gigabyte 990FXA-UD5 | 16GB DDR3 1600 | XFire R9 290X | Sandisk X300S 512GB
geekl33tgamer
Gerbil Elite
 
Posts: 611
Joined: Tue Aug 25, 2009 7:25 pm
Location: England

Re: Double NAT Apartment Building

Posted on Thu Jul 04, 2013 7:54 am

Double NAT shouldn't slow your speeds; it's more likely to cause problems with applications trying to work through the NAT and getting addresses wrong or being unable to open up external ports. It may just be that you need a faster router to do your part of the NAT.
notfred
Grand Gerbil Poohbah
 
Posts: 3736
Joined: Tue Aug 10, 2004 10:10 am
Location: Ottawa, Canada

Re: Double NAT Apartment Building

Posted on Thu Jul 04, 2013 8:54 am

I've looked a little bit into hardware firewalls, but those seem to be around $200 and I really don't want to pay that much.

I would like file sharing within my network, so simply turning file sharing off is not an option.
kumori
Gerbil Team Leader
Silver subscriber
 
 
Posts: 282
Joined: Sun Dec 18, 2011 12:11 am

Re: Double NAT Apartment Building

Posted on Thu Jul 04, 2013 9:28 am

kumori wrote:I've looked a little bit into hardware firewalls, but those seem to be around $200 and I really don't want to pay that much.

I would like file sharing within my network, so simply turning file sharing off is not an option.


As notfred alluded to above, you might be able to make use of a more capable router. But if you want to turn sharing on for your own separate network, you need a router, period. Routers are the devices that separate networks, be they of the crappy Wal-mart variety or the four-figure Cisco variety.
Airmantharp
Gerbil Elder
 
Posts: 5005
Joined: Fri Oct 15, 2004 10:41 pm

Re: Double NAT Apartment Building

Posted on Thu Jul 04, 2013 12:17 pm

Heh, this thread reminds me to fix the double-NAT on the WiFi at work. I just went on vacation, too.

Double-NAT does have its issues, but I'm not sure that it would have a noticeable impact on speeds. If you know what the subnet mask is, you might carve out a slice for yourself at one of the extreme ranges by using static IPs or clever use of DHCP in your router. Most home routers will actually answer to DHCP out the WAN port, so be careful of that.

Anyway, you could strike up a conversation with the super and see how they could accommodate your home network. If their service is sophisticated enough, they might be able to put your router in DMZ, or if really ritzy, put all your machines in DHCP reservations.

My solution would be to put an old machine into service using pfSense with a couple of NICs. You could also hang a WAP off of it, if you wish. This setup would allow you to just route and firewall traffic while still using DHCP from the building. In essence creating a small network using the apartments' IP address range, but keeping out unwanted traffic and killing off the double NAT. Good luck!
Calm seas never made a skilled mariner.
drsauced
Graphmaster Gerbil
 
Posts: 1467
Joined: Mon Apr 21, 2003 1:38 pm
Location: Here!

Re: Double NAT Apartment Building

Posted on Thu Jul 04, 2013 5:42 pm

kumori wrote:it is possible (but unlikely) that other tenants will attempt to access my network.

If it is a large apartment building it is probably likely, not unlikely. Furthermore, if you're all on the same LAN it takes just one person in the building with an open (or easily hackable) WiFi access point to expose you to anyone who happens to drive past.

kumori wrote:I've looked a little bit into hardware firewalls, but those seem to be around $200 and I really don't want to pay that much.

Well, if the problem is really the double-NATting that's not going to help anyway, since the firewall is probably going to do NAT too unless you do something more involved like drsauced suggested.

I tend to agree with notfred - probably your existing NAT router is just too slow. If it is more than a few years old it was probably designed back when most people had less than 10 Mbit broadband.
(this space intentionally left blank)
just brew it!
Administrator
Gold subscriber
 
 
Posts: 37705
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Double NAT Apartment Building

Posted on Thu Jul 04, 2013 9:47 pm

Since I've gotten rid of the double NAT it's been much easier to connect to lobbies for online gaming, and streaming video has become more stable. I use a proxy and it seems to have been somehow affected by the double NAT. I'd like to keep this if possible, but (as stated before) I don't like the idea of having a wide open network.

Airmantharp wrote:As notfred alluded to above, you might be able to make use of a more capable router. But if you want to turn sharing on for your own separate network, you need a router, period. Routers are the devices that separate networks, be they of the crappy Wal-mart variety or the four-figure Cisco variety.


I have a Linksys E3000 (stock firmware). Would this really be slow enough to cause an issue, and would flashing Tomato USB help? I normally get about 40 Mbps down and up, and sometimes as high as 65 Mbps.

drsauced wrote:Anyway, you could strike up a conversation with the super and see how they could accommodate your home network. If their service is sophisticated enough, they might be able to put your router in DMZ, or if really ritzy, put all your machines in DHCP reservations.


Also, I live in an 18-story apartment building that is operated/serviced by four or five different companies. I don't think they're going to agree to make changes to their IT equipment to accommodate me, so that's not possible. It's more of a question of what I can do on my end.

drsauced wrote:My solution would be to put an old machine into service using pfSense with a couple of NICs. You could also hang a WAP off of it, if you wish. This setup would allow you to just route and firewall traffic while still using DHCP from the building. In essence creating a small network using the apartments' IP address range, but keeping out unwanted traffic and killing off the double NAT. Good luck!


I like the idea of setting up an old machine and operating it as a firewall, but I don't have any old machines (besides a netbook).

EDIT:

I'm looking at something like this to use as an appliance to run pfSense. I'm a little concerned that the LAN ports are VIA 10/100 ports while everything else on my network is gigabit.

EDIT:

Benchmarks make it seem like these ALIX units are only good for around 60 Mbps. That's awfully close to what I'm getting, which makes me a little nervous.
Last edited by kumori on Fri Jul 05, 2013 2:37 am, edited 2 times in total.
kumori
Gerbil Team Leader
Silver subscriber
 
 
Posts: 282
Joined: Sun Dec 18, 2011 12:11 am

Re: Double NAT Apartment Building

Posted on Fri Jul 05, 2013 12:01 am

A good proxy (or VPN) would be a decent fix. By necessity that should lock most things out, as a new 'network' is created.

As for the 'bandwidth', that's not really what we're talking about. It's the processing time at that bandwidth, and so forth; there are a lot of things going on in there when you're NATing.
Airmantharp
Gerbil Elder
 
Posts: 5005
Joined: Fri Oct 15, 2004 10:41 pm

Re: Double NAT Apartment Building

Posted on Fri Jul 05, 2013 2:17 pm

Is the switch a 10/100/1000 switch, and is the apartment building running at gigabit speeds behind their firewall?

kumori wrote:I like the idea of setting up an old machine and operating it as a firewall, but I don't have any old machines (besides a netbook).

EDIT:

I'm looking at something like this to use as an appliance to run pfSense. I'm a little concerned that the LAN ports are VIA 10/100 ports while everything else on my network is gigabit.

EDIT:

Benchmarks make it seem like these ALIX units are only good for around 60 Mbps. That's awfully close to what I'm getting, which makes me a little nervous.


The ALIX is getting old. What about this http://store.netgate.com/Netgate-FW-754 ... 7C84.aspx# instead?

The cheapest way to get into this is to find an old desktop that nobody wants. I'm sure if you ask around someone has one they want to get rid of, or you could find a used PC shop with one for cheap. I'd look for one with 1GB of RAM, a Core 2 Duo or Phenom, and Intel NICs, preferably PCIe NICs.
Flatland_Spider
Gerbil Elite
 
Posts: 851
Joined: Mon Sep 13, 2004 8:33 pm
Location: The 918/539

Re: Double NAT Apartment Building

Posted on Fri Jul 05, 2013 6:45 pm

I do like the idea of the ALIX boxen: small, power efficient, and fully featured. Something like Ubiquiti's RouterStation Pro might be a good fit:

http://www.ubnt.com/rspro

It's got gigabit, add the wifi of your choice, and a case (available at Netgate, I might add, though sold out). It's also fairly cheap, too.
drsauced
Graphmaster Gerbil
 
Posts: 1467
Joined: Mon Apr 21, 2003 1:38 pm
Location: Here!

Re: Double NAT Apartment Building

Posted on Sat Jul 06, 2013 7:47 pm

Flatland_Spider wrote:Is the switch a 10/100/1000 switch, and is the apartment building running at gigabit speeds behind their firewall?


Yes, my switch is gigabit, but what I'm actually concerned about with the firewall is that the 500 MHz chip is not enough for my bandwidth. According to the pfSense site, 500 MHz should be good for around 50 Mbps assuming decent NICs.
kumori
Gerbil Team Leader
Silver subscriber
 
 
Posts: 282
Joined: Sun Dec 18, 2011 12:11 am

Re: Double NAT Apartment Building

Posted on Sat Jul 06, 2013 9:42 pm

kumori wrote:
Flatland_Spider wrote:Is the switch a 10/100/1000 switch, and is the apartment building running at gigabit speeds behind their firewall?


Yes, my switch is gigabit, but what I'm actually concerned about with the firewall is that the 500 MHz chip is not enough for my bandwidth. According to the pfSense site, 500 MHz should be good for around 50 Mbps assuming decent NICs.


What is the speed of the building's internet service? By virtue of having a switch, traffic that's in its MAC table will be switched to the right port with little interference from whatever CPU is in the router, thus full speed ahead. It might also be worth noting that CPUs are different than the ASICs inside home routers and switches, so not directly comparable. In my opinion, anyway.

That all said, you just might need to take the performance hit to keep your bit of the network secure and reliable. Jus sayin :)
drsauced
Graphmaster Gerbil
 
Posts: 1467
Joined: Mon Apr 21, 2003 1:38 pm
Location: Here!

Re: Double NAT Apartment Building

Posted on Mon Jul 08, 2013 3:51 am

drsauced wrote:That all said, you just might need to take the performance hit to keep your bit of the network secure and reliable. Jus sayin :)


Yeah, this is what I ultimately decided. It seemed like any other options just were not worth the cost.

I loaded TomatoUSB onto my router (since this focuses on Broadcom chips) so hopefully that makes it a little more stable. So far so good.
kumori
Gerbil Team Leader
Silver subscriber
 
 
Posts: 282
Joined: Sun Dec 18, 2011 12:11 am

Re: Double NAT Apartment Building

Posted on Mon Jul 08, 2013 1:18 pm

Switching to Tomato is only half a fix. You have a few issues conflated here.

You are not having bandwidth problems through the E3000. I have an E3000 and used it briefly to route/control the new 300 Mbps/100 Mbps connection here at work, and it was able to provide the entire amount.

What you describe with flaky game lobbies/video services has everything to do with double NAT and nothing at all to do with bandwidth. If you're not 100% clear on what NAT or double NAT is, that's a fine place to start.

Basically, you were not able to open any ports for incoming traffic while double NATted. That was your issue. What you really need to do is convert that Tomato/E3000 machine into a little bitty stateful firewall; don't bother having it do DHCP or routing. Configuring it to allow any traffic to/from the building's router and deny all to all other local IPs that are on the outside of the firewall would be a really good start and provide 99% of what you're describing.
Siglessness is boring.
Forge
Lord High Gerbil
 
Posts: 8031
Joined: Wed Dec 26, 2001 7:00 pm
Location: SouthEast PA
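The "stateful firewall, not a router" setup Forge describes, as an added example that is not from the thread and not Tomato's own configuration: an iptables ruleset for a Linux box whose building-facing port and apartment ports are bridged together, so it filters without routing, NAT or DHCP of its own. The port name, gateway address and subnet are placeholders.

```shell
#!/bin/sh
# Added example, not the thread's or Tomato's config: iptables FORWARD policy for a
# bridging firewall that passes traffic to/from the building's router and drops
# everything else arriving from the shared building LAN.
# Assumptions (placeholders, not from the thread): the building-facing port and the
# apartment ports are in one bridge, bridged frames are handed to iptables
# (sysctl net.bridge.bridge-nf-call-iptables=1), and the building's gateway,
# which also serves DHCP, is 10.0.0.1 on 10.0.0.0/24.
WAN_PORT="vlan2"             # assumed name of the port cabled to the building switch
BUILDING_GW="10.0.0.1"       # placeholder: the building's router / DHCP server
BUILDING_NET="10.0.0.0/24"   # placeholder: the building's shared LAN

# Emit the rules rather than apply them, so they can be reviewed and then piped
# to sh on the firewall. physdev matching selects the bridge port a frame came
# in on or leaves by; -i/-o would only ever see the bridge device itself.
build_rules() {
  cat <<EOF
# default: nothing crosses the bridge unless a rule below allows it
iptables -P FORWARD DROP
# replies to connections the apartment side opened (the "stateful" part)
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# apartment devices may talk outward, including DHCP requests to the building
iptables -A FORWARD -m physdev --physdev-out $WAN_PORT -j ACCEPT
# unsolicited traffic from the building side is only accepted from its router
iptables -A FORWARD -m physdev --physdev-in $WAN_PORT -s $BUILDING_GW -j ACCEPT
# log (rate-limited) and drop anything else coming from other tenants' addresses
iptables -A FORWARD -m physdev --physdev-in $WAN_PORT -s $BUILDING_NET -m limit --limit 5/min -j LOG --log-prefix "bldg-lan-drop: "
iptables -A FORWARD -m physdev --physdev-in $WAN_PORT -s $BUILDING_NET -j DROP
EOF
}
```

If the building's DHCP server is a separate host, allow that address the same way rather than opening UDP 67 to 68 from the whole subnet, which would also let a tenant's rogue DHCP server through. The box's own INPUT chain and ARP (which iptables never sees; ebtables would be needed) are not covered here.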

