I've got a relatively complex home office/small office network -- I use two NAT (Network Address Translation) routers/firewalls to provide a DMZ (DeMilitarized Zone) for a cheap sacrificial web server. Basically, I don't want compromise (a.k.a. pwnage) of the web server to easily allow access to the PCs on the private network. Here's a simple diagram of how I have things set up:
INTERNET --- External NAT Router --- Internal NAT Router --- Private LAN
                                  |
                              WWW Server
The external router allows ports 80 and 443 in, forwarded to the web server. The internal router allows nothing in. Theory: if the web server gets compromised, the private LAN PCs are still protected by the internal router.
Forward: I recently purchased an Apple Airport Extreme to replace the existing internal NAT router. When I plugged the new Airport Extreme into the external router, the Airport Utility complained during setup that I was using a "Double NAT" configuration. I was puzzled -- I've never seen such a message from a router before and have never experienced a problem with a double NAT setup. I've been on a double NAT setup for years.
So, why is double NAT bad enough that my Airport Extreme wants to warn me about it and suggest using bridged mode instead? Putting the obvious performance/latency considerations aside, why would NAT on top of NAT be a bad thing? Thanks!
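To make the setup in the question concrete, here is a small model of the two-router chain (an added example, not from the original post): the external router forwards only 80 and 443 to the DMZ web server, the internal router has no inbound rules, and a LAN PC's outbound flow is translated twice and its replies unwind both translations. All addresses and port numbers are constructed placeholders.

```python
# Added example, not from the original post: a minimal model of the two-router
# ("double NAT") layout in the question. Addresses are constructed placeholders.

class Nat:
    def __init__(self, wan_ip, forwards=None):
        self.wan_ip = wan_ip
        self.forwards = forwards or {}   # {dst_port: inside_ip} for unsolicited inbound
        self.sessions = {}               # {wan_port: (inside_ip, inside_port)}
        self.next_port = 40000           # first translated source port handed out

    def inbound(self, dst_port):
        """Unsolicited packet arriving on the WAN side: forwarded inside or dropped."""
        return self.forwards.get(dst_port)

    def outbound(self, src_ip, src_port):
        """Translate an inside flow to (wan_ip, wan_port) and remember the session."""
        wan_port = self.next_port
        self.next_port += 1
        self.sessions[wan_port] = (src_ip, src_port)
        return self.wan_ip, wan_port

    def reply(self, wan_port):
        """Return traffic for an existing session, or None if there is no session."""
        return self.sessions.get(wan_port)

WEB_SERVER = "192.168.0.2"          # sits in the DMZ between the two routers
EXTERNAL = Nat("203.0.113.10", forwards={80: WEB_SERVER, 443: WEB_SERVER})
INTERNAL = Nat("192.168.0.3")       # its WAN side is in the DMZ; no inbound rules at all
LAN_PC = "192.168.1.20"

def from_internet(dst_port):
    """Where an unsolicited connection from the Internet ends up (None = dropped)."""
    return EXTERNAL.inbound(dst_port)

def from_dmz(dst_port):
    """Where a compromised web server gets when it knocks on the internal router."""
    return INTERNAL.inbound(dst_port)

def lan_to_internet(src_port=51515):
    """A LAN PC's outbound flow is translated twice; the reply unwinds both hops."""
    inner = INTERNAL.outbound(LAN_PC, src_port)        # ("192.168.0.3", 40000)
    outer = EXTERNAL.outbound(*inner)                  # ("203.0.113.10", 40000)
    hop1 = EXTERNAL.reply(outer[1])                    # back to the internal router's WAN
    hop2 = INTERNAL.reply(hop1[1])                     # back to the LAN PC
    return outer, hop2
```

Only the forwarded ports reach the web server, nothing unsolicited passes the internal router, and ordinary outbound sessions still work through both translations.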
Why would it be "very difficult" ..? Each router is theoretically ignorant of the other. As far as each is concerned, it is the only router and the WAN interface is the Internet, even though that's only true for one of the routers. So... puzzled still: Why would two NAT routers cause problems? I certainly see how your proposed solution avoids the double NAT, but I'm still not clear on why double NAT would be bad to begin with. – Chris W. Rea – 2009-08-01T23:21:37.283