Hi,

I’ve been trying to work out my network architecture with the pieces I have today:

  • ISP box with 10gig DAC downlink, 4 SSD bays
  • pfSense box with dual 10gig DAC card
  • switch with 10gig DAC uplink and multi-gig RJ45
  • main Proxmox host
  • other devices (laptops, IoT…)

I’ve run into a dilemma regarding switching my ISP box to bridge mode:

  • if I do, I lose WLAN and NAS capabilities
  • if I don’t, I have to contend with double NAT

I’m sure that eventually I will get an AP (maybe Unifi) and a dedicated NAS (either home built or something like Synology or Asustor), but for the moment I want to keep cost down and gradually add new pieces.

I was wondering if double NAT has huge performance and maintenance implications, or if I would be okay running this setup for a few months until I get to add an AP and NAS?

thank you

@Decronym@lemmy.decronym.xyz
bot account

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

Fewer Letters   More Letters
AP              WiFi Access Point
IP              Internet Protocol
NAT             Network Address Translation
VPN             Virtual Private Network

4 acronyms in this thread; the most compressed thread commented on today has 10 acronyms.

[Thread #105 for this sub, first seen 4th Sep 2023, 08:55]

@skankhunt42@lemmy.ca

I double NAT. My ISP box gives off WiFi for consoles, guests, some IoT. UPnP is enabled and I generally don’t care what goes on there.

My FW is an OPNSense box and everything I do is behind that. I’ve opened ports, run Tailscale, etc and have had no problems at all. All it is is an extra device to open a NAT rule in if I want to open something up.

@ShortFuse@lemmy.world

Double NAT with DMZ.

Those SIP ALGs are more trouble than they are worth. If you are using SIP devices, use a different outbound port on each device (e.g. 5060, 5061, 5062).

@tsz@lemmy.world

If you’re using double NAT, you’re doing something wrong. If you want to do it right, stop using double NAT. If that doesn’t matter to you, and you’re comfortable supporting a broken-by-design network, do it.

I’m going to briefly explain why I downvoted… this (I feel) is an unhelpful comment that doesn’t explain anything. You say, “[if] you’re comfortable supporting a broken-by-design network, do it.”, but you don’t explain why it’s a broken-by-design network.

I’ll say - I agree with you, but the comment doesn’t actually enhance the conversation and comes off as abrasive and unhelpful. If I’m looking for information, I’d rather be given education (Even if it’s just a, “Go here for why you don’t do that!”), not just a, “Don’t do it” with no assistance and help for how to do it right.

@tsz@lemmy.world

If you don’t understand why it’s broken, I guess that’s on you. If you’re at the point OP is in terms of their needs, network topology etc. and you still don’t understand the fundamentals, what do you expect me to say to resolve that? If you’re OK with supporting your broken, incorrectly configured network, then by all means. If you are not, then expect the answer from those you’re asking for help from to be “fix your shit”. Do not expect anyone to educate you. It’s like arguing with creationists - you picked this dumbass thing to get behind, I’m not on the hook to explain basic logic to you.

@Treczoks@lemmy.world

No issues with double NAT. I even had a setup with an internal and external net, and the provision that any network link originating from (not passing through) the outer NAT router would raise an alert on the inner NAT router - which would simply switch the outer NAT router off.

@vzq@lemmy.blahaj.zone

removed by mod

@squigglycunt@lemmy.world
creator

It’s advertised as 10 Gbps, but other people with the same box managed to get 8 Gbps during synthetic tests. Not too shabby.

I’ll check out those APs; do you have any specific models or other brands you would recommend? I’d be interested in 5 GHz (maybe 6 GHz) and VLANs by SSID (802.1 something 😂)

thanks man

Using unifi with that setup, 4 vlans for 4 ssids, I’m fine with it, but I think there’ll be some hate here for anything unifi nowadays.

@vzq@lemmy.blahaj.zone

removed by mod

Worked on some of the chips they used, I like the way they rolled, but agree, they’re moving towards the dark side.

@TCB13@lemmy.world

Can you tell us what the ISP is, and what’s the router brand and model? Even better, add pictures? Seems like some Altice-owned ISP.

wwwwhatever

You’ll be fine. In the past stuff like FTP and SIP could get confused by double NAT, but not so much today. And stuff like opening a port from outside to the inside needs some planning through double NAT.

We’ve been running it in the office for years now and it is totally fine. We are in a building with multiple companies sharing internet and we wanted our own network within, so we are using double NAT (internet modem and our switch).

@squigglycunt@lemmy.world
creator

Great! Thanks man

DefederateLemmyMl

Using double NAT here because my ISP won’t even support/allow putting their box in bridge mode and I don’t even have root access to it, just some limited functionality via their web GUI.

I haven’t had any issues with it.

JustEnoughDucks

Exact same situation, but I have had issues with the shitty ISP box resetting itself on an outage and simply not forwarding traffic from the open ports to my router with a static IP. It would just say “no” and I had to change the static IP on the ISP box and reboot everything and then it would work fine. It has been fine for 3-4 months without needing anything, but sometimes it is annoying.

I’m not sure if it’s applicable for you or if you are aware, but DuckDNS really helps with this problem. I’ve moved three times since and have never worried about IP addresses.

I think you are referring to Public IP? The person above was talking about the static Local IP.

@YIj54yALOJxEsY20eU@lemm.ee

deleted by creator

@squigglycunt@lemmy.world
creator

Great, thanks for your input

DefederateLemmyMl

You’re welcome, cunt

@fjordbasa@lemmy.world

Well that was uncal- …oh

Neuromancer

I was like wtf. That was rude for no reason until I saw the username.

I’m American so that’s a word you don’t use. It’s one of the few unspeakable words

What am I missing?

@pacoo2454@reddthat.com

Check their username

@TechieDamien@lemmy.ml

That threw me for a loop!

lemmyvore

Can you set the ISP box to designate your router as DMZ (de-militarized zone)? Your router needs to get a static IP from the private subnet defined by their router, then you mark that IP as DMZ in their router’s settings.

It’s not technically the same as bridge mode: the ISP box continues to act as a router, but it also exposes your router fully to the internet, so you can mostly ignore theirs afterward.

DefederateLemmyMl

Yes, that’s essentially what I did.

@TCB13@lemmy.world

Yes.

Encrypt-Keeper

If it’s double NAT where you have control over both boxes, it’s not that big a deal. First of all, it only matters at all if you’re trying to forward ports for remote access to your services, in which case you just need to add two port forwarding rules for each service, instead of one, one in each firewall. Alternatively if the ISP router allows it, see if it has a 1:1 NAT feature, this way it forwards ALL the ports to your private router, where you can then be selective about which ports to allow.

Alternatively, if you’re not trying to host services on your LAN for public access and consumption (which would be a bad idea at this point in time anyway given your level of knowledge), don’t worry about the NAT or port forwarding at all and just use a mesh VPN like Tailscale (optionally with the self-hosted control application Headscale) and use that to access your services from outside home securely.

Some routers will call the 1:1 NAT feature, “DMZ” (Short for Demilitarised Zone). The idea is that you just act as a pass-through, in this case, “passing through” the external internal to the internal router.
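The “two rules instead of one” versus “DMZ / 1:1 NAT” point from the comments above, as an added toy model that is not code from the thread. It assumes a constructed addressing plan (ISP box WAN facing the internet, pfSense WAN at 192.168.1.2 on the ISP box’s private subnet, a LAN service at 10.0.0.10:443) and traces only inbound destination ports, ignoring source translation.

```python
"""Toy model of inbound traffic through double NAT (constructed example).
Layer 1 is the ISP box, layer 2 is the private router (pfSense here).
A service behind the inner router is reachable only if every layer has
a forward for the port, OR an outer layer has a DMZ/1:1 NAT entry that
passes all ports to the next router, which then stays selective."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Hop = Tuple[str, int]  # (ip, port) the packet is sent on to

@dataclass
class Nat:
    name: str
    forwards: Dict[int, Hop] = field(default_factory=dict)  # dst port -> next hop
    dmz_host: Optional[str] = None  # 1:1 NAT / DMZ target, if configured

    def inbound(self, dst_port: int) -> Optional[Hop]:
        """Translate one inbound destination port; None means dropped here."""
        if dst_port in self.forwards:          # explicit port-forward rule wins
            return self.forwards[dst_port]
        if self.dmz_host:                      # DMZ passes every other port through
            return (self.dmz_host, dst_port)
        return None                            # default: unsolicited inbound dropped

def trace_inbound(layers: List[Nat], dst_port: int):
    """Walk a port through each NAT layer; return (final hop or None, path)."""
    hop: Optional[Hop] = ("wan", dst_port)
    path = []
    for nat in layers:
        hop = nat.inbound(hop[1])
        path.append((nat.name, hop))
        if hop is None:
            break
    return hop, path

def scenarios() -> Dict[str, Optional[Hop]]:
    """The cases discussed in the thread, with constructed addresses."""
    lan_service = ("10.0.0.10", 443)                         # web service on LAN
    pf = Nat("pfsense", {443: lan_service})                  # inner rule only for 443
    isp_plain = Nat("isp")                                   # ISP box, no rules
    isp_rule = Nat("isp", {443: ("192.168.1.2", 443)})       # one rule per firewall
    isp_dmz = Nat("isp", dmz_host="192.168.1.2")             # DMZ -> pfSense WAN
    return {
        "inner_rule_only": trace_inbound([isp_plain, pf], 443)[0],  # dropped at ISP box
        "rule_on_both": trace_inbound([isp_rule, pf], 443)[0],      # reaches the service
        "dmz_port_443": trace_inbound([isp_dmz, pf], 443)[0],       # reaches the service
        "dmz_port_22": trace_inbound([isp_dmz, pf], 22)[0],         # pfSense still drops it
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:16} -> {result}")
```

The last case is the point of keeping the inner firewall selective: DMZ on the ISP box exposes the whole pfSense WAN interface, so pfSense’s own rules are what decide which ports actually reach the LAN.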
