Discussion topic: Double NAT Setup Guide.

This message was authored by: TrebleTA

Double NAT Setup Guide.

So like most, I've got the new FTTP and I need to use the Sky broadband hub, due to the telephone. Yet I like my own router as it's 100x better and supports a lot more features.

Some modem/router knowledge will help.

In this guide my Sky hub is an SR203.

My router is an Asus AX82U.

So to start on the Sky hub, connect to it via cable, then sign in. Once signed in, go to WiFi and disable WiFi.

[Screenshot: sky wifi.png]

I removed the WiFi name and access code for security.

Then head to advanced and under DMZ enter an IP with a start range of 100.64.x.x. I used 100.64.20.5; this will be your router's IP.

[Screenshot: dmz.png]

Next, LAN IP setup: disable all so nothing is ticked, then under IP address enter 100.64.20.1, depending on what you picked for your router; say, I picked 100.64.20.5.

[Screenshot: Lan.png]

Next disable UPnP and disable ALG.

[Screenshot: umpn.png]

[Screenshot: alg.png]

Next, security-firewall rules: disable all, and under inbound create a new rule, allow all, and enter your router's IP; for me it was 100.64.20.5.

[Screenshot: firewall.png]

[Screenshot: fw2.png]

Once that's done, plug your modem into the Sky hub and then connect to your router; for me, I'm using an Asus AX82U.

Once you have signed in, head to WAN, then setup.

You want a static IP

Enable WAN

Enable NAT

Enable UPnP if using.

IP 100.64.20.5

Subnet 255.255.255.0

Gateway 100.64.20.1

DNS servers: you can use Sky's, or myself I use Cloudflare DNS

DNS 1.1.1.1

DNS 1.0.0.1

Save and now you should be online.

[Screenshot: asus.png]

[Screenshot: asus 2.png]

I use IP range 100.64.x.x so UPnP on the Asus will kick in. I use UPnP for my game consoles for open NAT.

Sky FTTP, SR203 hub self bridged to Asus AX82U. Sky Q UHD to Samsung QE55S95BAYXXU , Sky Q Mini.
All Replies

This message was authored by: mae-3

Re: Double NAT Setup Guide.

@TrebleTA

The Asus router you have set up is incorrect; you cannot use a public IP address on that interface, it must be in the private address space (192.168.x.x, 10.x.x.x, etc.) and the gateway should point to the Sky Hub at 192.168.0.1 (default gateway)...

-------

Zen internet on FTTP (900Mbps down, 100Mbps up). SAT> IP (Apple 4K 2nd gen TV to LG C1 OLED UHD TV/Dolby Atmos Denon AVR, DacMagic Plus for Hi-Res audio), hosting own blog/forum (cluster), OPNsense & Zenarmor L4/L7 NGFW & DPI IDS/IPS, Asus ET12 Pro Tri-Band wifi, Linux, Gamer: Xbox Series X/i7 laptop, round-robin DNS over HTTPS, non-proprietary VoIP HD AMR-WB (G.722.2) and more... Beta tester Apple iOS/watchOS/tvOS/iPadOS/macOS.
This message was authored by: TrebleTA (Topic Author)

Re: Double NAT Setup Guide.

That is not correct, and using 192.168.x.x on the Sky hub will then disable miniupnp on the Asus.

This message was authored by: mae-3

Re: Double NAT Setup Guide.

@TrebleTA

You have used the IP address "100.64.20.5" on the Asus, which is reserved for carrier-grade NAT and is bogus. This should be changed to an IP address in the private address space; see RFC 1918.

This message was authored by: TimmyBGood

Re: Double NAT Setup Guide.

Posted by a Superuser, not a Sky employee.

@mae-3 wrote:

@TrebleTA

you cannot use a public IP address on that interface it must be in the private address space

I don't know about can't, but you definitely shouldn't ;)

* * * * * * *

Sky Glass 55" (on ethernet) & two Stream Pucks (one ethernet / one WiFi)
BT Halo 3+ Ultrafast FTTP (500Mbs), BT Smart Hub 2
This message was authored by: TrebleTA (Topic Author)

Re: Double NAT Setup Guide.

This is tested and the address used is a CGNAT space.

There are several other reserved ranges out there that are not "private" but not sure what the daemon will detect as public vs private, so rather than trying a bunch, first try CGNAT as that is the "proper" solution.

And this is only needed if you want to use UPnP on the router, like I do for a better gaming experience.

 

This message was authored by: mae-3

Re: Double NAT Setup Guide.

@TrebleTA 

 

Are you a carrier-grade service provider?

This message was authored by: TrebleTA (Topic Author)

Re: Double NAT Setup Guide.

Why are you trying to pick at something that works?

This message was authored by: mae-3

Re: Double NAT Setup Guide.

@TrebleTA

It doesn't work 100% because when a site uses the public IP address and session IP (the CGNAT address space on LAN) then paywalls don't work correctly, among other things...

CGNAT is designed not to be addressable on the public internet or LAN for technical reasons in the RFC!

This message was authored by: mae-3

Re: Double NAT Setup Guide.

@TrebleTA 

 

"There are several reasons why Carrier-Grade NAT (CGNAT) may not be ideal for use on a private LAN:

  1. Complexity: Implementing CGNAT requires additional hardware, software, and configuration, which can add complexity to the network setup and increase the likelihood of errors and downtime.

  2. Limited resources: CGNAT typically involves sharing a limited pool of public IP addresses among many private devices. This can lead to issues such as port exhaustion, limited bandwidth, and reduced network performance.

  3. Security: CGNAT can make it more difficult to identify and track the malicious activity on the network, as multiple private devices share the same public IP address. This can make it harder to detect and block attacks, which can increase the risk of security breaches and data theft.

  4. Compatibility: Some applications and services may not work properly with CGNAT, as they require direct access to a public IP address to function. This can include services such as VoIP, VPNs, and certain gaming applications.

  5. Lack of control: Using CGNAT means relinquishing control of the public IP address space to the service provider. This can limit the ability to customize and optimize network configurations to meet specific business requirements."

Taken from OpenAI.

This message was authored by: TrebleTA (Topic Author)

Re: Double NAT Setup Guide.

As that says, it may not be ideal. Yet everything runs fine; I even use a VPN, and it is only using 100.64.x.x as the BRIDGE, and not on the main LAN. Yes, there are dos and don'ts, but 192.x.x.x will not enable UPnP when stuff is using a double NAT, and then port forwarding is needed; also games will use random ports, so you will end up with a moderate NAT type on consoles and get some issues.

I have not had 1 problem using it this way since the start of the year.

I watch Netflix, Paramount, all streaming services fine. I play games on 4 consoles, also on my gaming PC, without issue and all reporting open NAT.

I've been on the gov.co.uk websites, from sorting tax to road tax, BBC downloads, all without an issue so far, and taken and received many VoIP calls 🙂

If I do firewall checks on the web, all come back stealthed, and IP leak tests show the Sky IP and Cloudflare DNS as they should. If they get more info than that, then I have a breach.

This message was authored by: mae-3

Re: Double NAT Setup Guide.

@TrebleTA

How are you opening port(s) on the edge Sky Hub router? UPnP is disabled and UPnP will not work through two routers; it is designed for the edge router. 😎

This message was authored by: TrebleTA (Topic Author)

Re: Double NAT Setup Guide.

By disabling Sky's firewall, creating a rule to counter theirs, and then putting it on a DMZ, this more or less makes the Sky hub a bridge; then with the 100.64.x.x IP as the guide explains, this then makes it all work.

So UPnP (everything) works on the Asus under double NAT etc., which is why I have done the guide!

Also, I'm still able to use the Sky hub for VoIP.

This message was authored by: TrebleTA (Topic Author)

Re: Double NAT Setup Guide.

Also wanted to add: if you use, say, Cloudflare DNS and not Sky's, then on the Asus under LAN make a rule for the Sky Q for a static IP and add Sky's DNS, else you will have problems streaming / downloading stuff on the Sky box. I've added a picture but removed a bit of my IP.

[Screenshot: Screenshot_20230318-104806_Chrome.jpg]

Also, but not needed: on the Asus under admin settings I set the NTP server to Sky's.

ntp1.isp.sky.com I got from the Sky hub logs.

Also I disabled the IPv6 firewall on the Asus and enabled DoS protection.

 

 

This message was authored by: greendragons

Re: Double NAT Setup Guide.

Interesting solution @TrebleTA!

 

Technically that's quite clever - the 'public' IP address used shouldn't affect anything beyond the Sky router because it's NAT-ted, and the internal network (from the Asus) will have a private IP address range as normal.

 

If the 'public' IP address was to leak for any reason, it would likely be filtered out by Sky, and packets certainly couldn't be routed back to that address from the internet.

 

Agreed it may not be a recommended solution per the RFCs - and not something you'd want set up in an organisation - but for home use, it does appear to solve a problem.
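
A consistency check for the settings in the guide that opens this thread, together with the address-range question argued in the replies, as an added example that is not part of any poster's message. `classify`, `audit` and `GUIDE` are hypothetical names, the values are the ones quoted in the guide, and only Python's standard `ipaddress` module is used.

```python
import ipaddress

# Address blocks argued over in this thread.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RFC6598 = ipaddress.ip_network("100.64.0.0/10")  # shared space for carrier-grade NAT

def classify(addr):
    """Return 'rfc1918', 'rfc6598-cgnat', 'other-reserved' or 'public'."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if ip in RFC6598:
        return "rfc6598-cgnat"
    return "public" if ip.is_global else "other-reserved"

def audit(hub_lan_ip, dmz_host, wan_ip, netmask, gateway):
    """Cross-check hub and inner-router settings (hypothetical helper).

    Returns (severity, message) tuples: 'error' means the two devices
    disagree, 'note' is something to keep in mind.
    """
    findings = []
    wan = ipaddress.ip_interface(f"{wan_ip}/{netmask}")
    if ipaddress.ip_address(gateway) not in wan.network:
        findings.append(("error", f"gateway {gateway} is outside {wan.network}"))
    if ipaddress.ip_address(gateway) != ipaddress.ip_address(hub_lan_ip):
        findings.append(("error", "router gateway is not the hub's LAN address"))
    if ipaddress.ip_address(dmz_host) != wan.ip:
        findings.append(("error", f"hub DMZ targets {dmz_host}, not the router's WAN IP {wan.ip}"))
    kind = classify(wan_ip)
    if kind == "public":
        findings.append(("error", "link uses globally routable addresses you were not assigned"))
    elif kind != "rfc1918":
        findings.append(("note", f"link addressing is {kind}, not RFC 1918 private space"))
    findings.append(("note", "hub DMZ passes all unsolicited inbound traffic to the router; "
                             "the router's own firewall is now the only inbound filter"))
    return findings

# Values as given in the guide at the top of the thread.
GUIDE = dict(hub_lan_ip="100.64.20.1", dmz_host="100.64.20.5",
             wan_ip="100.64.20.5", netmask="255.255.255.0", gateway="100.64.20.1")

if __name__ == "__main__":
    for severity, message in audit(**GUIDE):
        print(f"{severity}: {message}")
```

With the guide's values the two devices agree and only notes are reported; a DMZ entry that points at any address other than the router's WAN IP is flagged, because that device would then receive the unfiltered inbound traffic instead.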

 
