Differences
| docs:guide-user:network:switch_router_gateway_and_nat [2018/08/30 19:46] – [Router/Gateway and Double NAT problem with IPv4 or mixed IPv4/IPv6] apparaat | docs:guide-user:network:switch_router_gateway_and_nat [2020/12/07 07:05] – [Switch vs Router vs Gateway] update links vgaetera | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ===== Router vs Switch vs Gateway and why NAT influences this decision ===== | + | ====== Router vs Switch vs Gateway and why NAT influences this decision ====== |
| - | The following is meant as roundup | + | |
| + | The following is meant as roundup | ||
| * such that you can decide if you want to configure your device as either switch, as router or as gateway | * such that you can decide if you want to configure your device as either switch, as router or as gateway | ||
| * such that you can decide how you want to deal with the IPv4 double NAT problem in your individual home network situation. | * such that you can decide how you want to deal with the IPv4 double NAT problem in your individual home network situation. | ||
| - | ===== Switch vs Router vs Gateway ===== | ||
| + | ===== Switch vs Router vs Gateway ===== | ||
| Network devices can operate in 3 different modes: | Network devices can operate in 3 different modes: | ||
| - | **[[docs: | + | **[[docs: |
| If you want to connect your device to an existing network to provide additional functions (for example, you just want to use the Wi-Fi network it provides, the additional ethernet ports, or the device is a NAS serving files over the network, or a mini-server offering some other service). | If you want to connect your device to an existing network to provide additional functions (for example, you just want to use the Wi-Fi network it provides, the additional ethernet ports, or the device is a NAS serving files over the network, or a mini-server offering some other service). | ||
| - | **[[docs: | + | **[[docs: |
| If you want to run OpenWrt in its default router configuration, | If you want to run OpenWrt in its default router configuration, | ||
| - | **as gateway device**\\ | + | **OpenWrt |
| Your device also behaves as router. But in contrast to the 'as router device' | Your device also behaves as router. But in contrast to the 'as router device' | ||
| ===== Router/ | ===== Router/ | ||
| - | |||
| <WRAP center round todo 90%> | <WRAP center round todo 90%> | ||
| - | You are a OpenWrt newcomer? Does this page with lots of technical network information seem scary? Are you worried that you don't know enough to make these decisions now?\\ | + | Are you an OpenWrt newcomer? Does this page with lots of technical network information seem scary? Are you worried that you don't know enough to make these decisions now?\\ |
| - | -> Just stop reading and use the default configuration for now. Your device will act as a router in a cascaded double NAT scenario which will work just fine for normal internet access, so you don't have to do anything. or...\\ | + | -> Just stop reading and use the default configuration for now. Your device will act as a router in a cascaded double NAT scenario which will work just fine for normal internet access, so you don't have to do anything.\\ |
| - | -> Get familiar with OpenWrt first, come back later and decide | + | -> Alternatively, |
| </ | </ | ||
| - | [[docs: | + | [[docs: |
| - | Problem | + | The problem |
| - | This double NAT scenario won't cause problems | + | This double NAT scenario won't cause problems |
| - | But it can cause problems, when you are trying to host servers at home that you want to be reachable from the internet or when doing peer-to-peer online gaming (which often uses UDP protocol and does some funny firewall stuff called "UDP-hole punching" | + | |
| - | To deal with this double NAT problem and use IPv4 as flawlessly as possible, you need to choose | + | To deal with this double NAT problem and use IPv4 as flawlessly as possible, you need to choose how OpenWrt gets connected on its upstream side from several options. Note that in all these examples, the OpenWrt device is assumed to be on the " |
| - | * upstream = the connection from the OpenWrt device to your network infrastructure | + | * **Upstream**: |
| - | * downstream = your home client devices connecting to your OpenWrt device | + | * **Downstream**: |
| - | You basically have the following | + | There is a range of options to connect the upstream side of OpenWrt to your existing home network. Each option tries to work around the double NAT problem with different technical tricks or configuration: |
| - | Each option tries to work around the double NAT problem with different technical tricks or configuration. | + | |
| + | ====== Routers / Gateways ====== | ||
| ^NAT ^ Usage variant ^ Visualization ^ | ^NAT ^ Usage variant ^ Visualization ^ | ||
| - | | double | + | | single | [[# |
| - | | single | + | | single | [[# |
| - | | double | OpenWrt as router in double-NAT configuration with Dualstack Lite on ISP side | clients <-> OpenWrt router with NAT <-> ISP router with DS-Lite NAT <-> Internet | | + | | double | [[# |
| - | | single | OpenWrt as router with disabled NAT, additional routing rules in both routers | clients <-> OpenWrt router (no NAT) <-> routing rules <-> ISP router with NAT <-> Internet | | + | | double |
| - | | single | + | | single |
| - | | 0 | look-out: OpenWrt as router in IPv6 only configuration + ISP router | clients <-> OpenWrt router (no NAT) <-> ISP router (no NAT) <-> Internet | | + | | 0 | [[# |
| - | | single | OpenWrt as gateway using either OpenWrt-device-built-in or external modem | clients <-> OpenWrt as gateway with NAT <-> built-in/ | + | | single |
| - | | single | OpenWrt as switch | + | |
| + | ====== Switches and Client APs ====== | ||
| + | | single | ||
| Note that for all of these upstream connection variants, the following applies: | Note that for all of these upstream connection variants, the following applies: | ||
| - | * all variants | + | * all variants |
| - | * all variants | + | * all variants |
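Review bot: the NAT column of the new table mixes "single"/"double" with a bare "0" in the IPv6-only row; "none" would read consistently with the other cells. While regrouping the rows into "Routers / Gateways" and "Switches and Client APs", the first two rows of the new table are both labelled "single" whereas the old table's first row (the default cascaded router scenario) was "double"; worth checking that the default double-NAT variant kept its label when the rows were reordered.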
| ==== OpenWrt as cascaded router behind another router (double NAT) ==== | ==== OpenWrt as cascaded router behind another router (double NAT) ==== | ||
| + | This is the default (and easiest) option for your OpenWrt device. For this scenario you simply connect the OpenWrt WAN port to an unused LAN port of your existing ISP router. | ||
| + | * usually the ISP router has its firewall and NAT on, and provides DHCP on the downstream side (which is the upstream side of your OpenWrt) | ||
| + | * OpenWrt also has its firewall and NAT on, and it provides DHCP as well on its downstream (which is the upstream side of your connecting clients) | ||
| - | This is the default (and easiest) option for your OpenWrt device, right after the OpenWrt installation for off-the-shelf devices sold as " | + | So what' |
| - | * usually the ISP router has its firewall on and NAT on and provides DHCP on the downstream side (which is the upstream side of your OpenWrt) | + | |
| - | * OpenWrt also has it's firewall on and NAT on and it provides DHCP aswell on the downstream (which is the upstream side of your connecting clients) | + | |
| - | So whats the problem? | + | The problem isn't so much IPv4 NAT, it's a combination of: |
| - | Some traffic scenarios may not work, line hosting servers for the internet or playing online games. | + | |
| - | + | ||
| - | The problem isn't so much IPv4 NAT (=Network address translation), it's a combination of | + | |
| - NAT usage | - NAT usage | ||
| - | - how homerouter | + | - how firewalls |
| - | - and how mostly | + | - many online games use tricks to get peer-to-peer data traffic of other players through your firewall(s) to your game client |
| - | Unfortunately the firewall details aren't a fully standardized behavior. And unfortunately | + | Unfortunately the firewall details aren't a fully standardized behavior. And the NAT behavior that happens in parallel isn't predictable either |
| - | Most games and game consoles report this as "NAT status" | + | |
| - | So should you use this double NAT scenario and be happy with it? | + | So should you use this double NAT scenario and be happy with it? It highly depends on your equipment and your usage scenario. Double NAT is not automatically bad. |
| - | It highly depends on your equipment and your usage scenario. Double NAT is not automatically bad. | + | - if you just do browsing and email, you don't have to care (your internet browsing will not even be slowed down by double NAT) |
| - | - if you just do browsing and mailing, you don't have to care (your internet browsing will not even be slowed down by double NAT). | + | |
| - check if you want to run servers at home that you want to expose to the internet (e.g. a VPN or web server) - such hosting will definitely not work over double NAT | - check if you want to run servers at home that you want to expose to the internet (e.g. a VPN or web server) - such hosting will definitely not work over double NAT | ||
| - | - check, if your usual online games work flawlessly. | + | - check if your usual online games work flawlessly |
| - | Now most online games use weird UDP tricks to temporarily bypass your router firewall (without opening your firewall to the whole world), to get less-lagging | + | Most online games use weird UDP tricks to temporarily bypass your router firewall (without opening your firewall to the whole world), to get less-laggy UDP packets to your game client. Usually those tricks can only bypass a single NATed home router, not two as in double NAT. You will find out, if you either cannot connect at all to online sessions or if there is noticeably |
| - | The next few sections explain what you can do to bypass these problems, while keeping both routers and firewalls enabled | + | The next few sections explain what you can do to bypass these problems, while keeping both routers and firewalls enabled. Just keep in mind: don't try to fix problems that you do not have. |
| - | Just keep in mind: don't try to fix problems that you do not have. | + | |
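Review bot: the new opening sentence "simply connect the OpenWrt WAN port to an unused LAN port of your existing ISP router" leaves out the one thing that most commonly breaks this cascaded setup: the OpenWrt LAN subnet must differ from the ISP router's LAN subnet. The page itself names 192.168.1.1 as the typical default router address further down, and if both routers use the same 192.168.1.x range OpenWrt cannot route between its LAN and its WAN. Suggest a third bullet under the two "firewall and NAT on" bullets, e.g. "the OpenWrt LAN address range must not overlap with the ISP router's LAN range; change the OpenWrt LAN address if both default to 192.168.1.x".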
| ==== Device as router, internet ISP device as modem-bridge ==== | ==== Device as router, internet ISP device as modem-bridge ==== | ||
| - | Mostly for Cable internet, you can often choose to reconfigure your ISP cable router into 1 of 2 operation modes: | + | Mostly for cable internet, you can often choose to reconfigure your ISP cable router into either **router mode** or **bridge mode**. Sometimes you have to configure this in nested online portal menus of your ISP (and not on your ISP router web GUI). |
| - | - router mode | + | |
| - | - bridge mode | + | |
| - | Sometimes you have to configure this in in nested online portal menus of your ISP (and not on your ISP router | + | When set to bridge mode, the ISP router starts behaving like a pass through device: it will superficially act as a modem and will authenticate you as a legitimate customer, but will otherwise just pass through the IPv4 traffic unchanged to your OpenWrt |
| - | When set to bridge mode, the ISP router | + | If you require a bridged |
| - | [[docs:guide-user:network: | + | ==== Device as double-NAT router with Dual-Stack Lite ==== |
| + | Often you do not have a choice whether your ISP gives you a real IPv4 address or a discredited // | ||
| - | ==== Device | + | Very often Dual-Stack Lite is offered |
| - | Often you do not have a choice, whether your ISP gives you a real IPv4 address or an often discredited dual stack lite IPv4 address. | + | It is important to mention that Dual-Stack Lite and this carrier-grade NAT isn't really implemented in a standardized way. It can have slightly different implementation behaviour, depending on the actual equipment that the ISP has bought and how this equipment is configured. |
| - | (please research the full story e.g. on wikipedia, if you want to understand what Dualstack Lite is, in contrast to dual stack) | + | |
| - | Very often dual stack lite is offered as default package by TVcable- or fiber-based Internet providers. | + | Sadly this technique won't help you to expose any home services over IPv4 on the internet |
| - | A key feature of DS-Lite is, that it has so called | + | |
| - | Now it is important, to mention that dual stack lite and this carrier-grade NAT isn't really implemented in a standardized way. | + | So if gaming (and game-related UDP peer-to-peer traffic handling) is your only concern regarding the double-NAT problem, you may just want to check your online |
| - | It can have slightly different implementation behaviour, depending on the actual equipment that the ISP has bought and depending on how this equipment is configured. | + | |
| - | + | ||
| - | Sadly this won't help you, to expose any home services over IPv4 on the internet - This won't be possible with dual stack lite in any case. | + | |
| - | + | ||
| - | But if online gaming over DS-Lite is your only concern, you might want to check if your double NAT on IPv4 is at all a problem in your favorite online games. | + | |
| - | Nowadays, often the carrier grade NAT of DS Lite is configured very online game-friedly, | + | |
| - | + | ||
| - | So if gaming (and game related UDP-peer-to-peer traffic handling) is your only concern regarding the double-NAT problem, you may just want to check your favorite | + | |
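Review bot: the bridge-mode paragraph ("will otherwise just pass through the IPv4 traffic unchanged to your OpenWrt") should state the consequence that the exposed-host section already lists for its own case: once the ISP device is a plain bridge, the OpenWrt WAN interface holds the public IPv4 address and faces the Internet directly, so the same care about the OpenWrt firewall and about not accepting management access on the WAN side applies here. One sentence pointing at the drawbacks list of the exposed-host section would cover it.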
| ===== Device as router with disabled NAT, additional routing rules ===== | ===== Device as router with disabled NAT, additional routing rules ===== | ||
| - | Using this scenario depends on, whether your ISP router supports custom routing rules. | + | Using this scenario depends on whether your ISP router supports custom routing rules. This requires that your ISP router allows you to define forward routing rules (often ISP routers are restricted in function and do not allow this). |
| - | This requires that your ISP router allows to define forward routing rules (often ISP routers are functional restricted in function and do not allow this). | + | The idea of this solution is |
| - | + | * to disable NAT on the OpenWrt router, but keep its routing (and firewall) on | |
| - | The idea is of this solution is | + | * routing on the ISP router |
| - | * to disable NAT on the OpenWrt router, but keep it' | + | * you have to define non-overlapping IP ranges and static IP addresses for the two routers |
| - | * so both your OpenWrt and the ISP router | + | |
| - | * you have to define non overlapping | + | |
| * as OpenWrt' | * as OpenWrt' | ||
| - | * you need to add a static | + | * you need to add a static |
| - | * you need to add a static | + | * you need to add a static |
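Review bot: the bullet "to disable NAT on the OpenWrt router, but keep its routing (and firewall) on" should name the setting, otherwise readers may switch off the whole wan firewall zone instead of only its address translation: on OpenWrt this is the masquerading option of the wan zone (the "Masquerading" checkbox of the zone in LuCI, `option masq` of the wan zone in /etc/config/firewall), which turns source NAT off while the zone's input and forward policies stay in force. Suggest adding that in parentheses to the bullet.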
| ===== Device as router as " | ===== Device as router as " | ||
| + | Only some ISP routers have this feature, sometimes called a //DMZ// (demilitarized zone), //DMZ for single server//, //exposed host//, //IP passthrough//, | ||
| - | This is an optional feature of your ISP router (so it could be that your ISP router may not support this). | + | This effectively disables NAT on the ISP router only for a single connected device on the ISP router downstream side: for obvious reasons, we will be connecting our OpenWrt router as this exposed host. So in the end, we have achieved single NAT solely in the network chain towards the OpenWrt router. |
| - | Sometimes this feature is called "DMZ for single server", | + | |
| - | + | ||
| - | The feature enables your ISP router to define a single one of its downstream ports to be a so called " | + | |
| - | The ISP router will then forward all incoming Internet traffic from its upstream side to this " | + | |
| - | + | ||
| - | This effectively disables NAT on the ISP router only for a single connected device on the ISP router downstream side: For obvious reasons, we will be connecting our OpenWrt router as this exposed host. So in the end, we have achieved single NAT solely in the network chain towards the OpenWrt router. | + | |
| - | (Remeber | + | Remember |
| Drawbacks of this method are: | Drawbacks of this method are: | ||
| - the feature may not be supported by your ISP router, you'll have to find out if it does | - the feature may not be supported by your ISP router, you'll have to find out if it does | ||
| - | - the OpenWrt upstream port is exposed to the Internet, so be sure that you have not added any non-needed | + | - the OpenWrt upstream port is exposed to the Internet, so be sure that you have not added any careless |
| - | - one of your ISP router ports is now without firewall protection. So be careful with this one downstream ISP router port now, in case you ever connect something else to this port. | + | - one of your ISP router ports is now without firewall protection, so be careful with this one downstream ISP router port in case you ever connect something else to it |
| - | + | ||
| - | [[docs: | + | |
| - | + | ||
| - | ===== Device as router in an ideal IPv6 only configuration ===== | + | |
| - | Obviously this ideal world does not yet exist. Its just a look-out for much later.\\ | + | |
| - | Once this happens, the previous chapters of this howto can be ignored\\ | + | |
| - | This will then be the default (and easiest) and only router option required for your IPv6 OpenWrt device, as you it will just work out of the box for all business cases.\\ | + | |
| - | There will be no NAT issues, there is no longer a discussion whether to switch the ISP router to bridged or routed and no more discussion whether a " | + | |
| - | + | ||
| - | * You will be choosing to run OpenWrt as router (without variants), if you want to have an extra firewall active inside your home network (in addition to the firewall of your ISP router) | + | |
| - | * You will be choosing to run OpenWrt as switch instead (see below), if you don't want the extra bit of routing and firewall inside your home network | + | |
| - | * You will be choosing to run OpenWrt as gateway instead (also see below), if you need to connect to Internet via a special modem protocol | + | |
| + | Learn how to set up a "poor man's bridge" | ||
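Review bot: the second drawback ("the OpenWrt upstream port is exposed to the Internet, so be sure that you have not added any careless ...") would be more useful with the concrete check. Since the ISP router now forwards all incoming Internet traffic to this host, every port forward and every accept-input rule on the OpenWrt wan zone becomes reachable from the Internet; suggest telling readers to verify that the wan zone input policy is still reject and that the LuCI web interface and SSH are not accepted on the wan side before enabling the exposed-host feature.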
| + | ===== Device as router in an ideal IPv6-only configuration ===== | ||
| + | Obviously this ideal world does not yet exist, it's just a prospect for much later. Once this happens, the previous chapters of this page can be ignored. This will then be the default and only router option required for your IPv6 OpenWrt device, as you it will just work out of the box for all business cases. There will be no NAT issues, there is no longer a discussion whether to switch the ISP router to bridged or routed, and no more discussion whether an " | ||
| + | * as a router (without variants), if you want to have an extra firewall active inside your home network (in addition to the firewall of your ISP router) | ||
| + | * as a switch instead (see below), if you don't want the extra bit of routing and firewall inside your home network | ||
| + | * as a gateway instead (see below), if you need to connect to Internet via a special modem protocol | ||
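Review bot: "as you it will just work out of the box" in the rewritten paragraph still carries the stray "you" from the old text; suggest "as it will just work out of the box". In the same paragraph, "Obviously this ideal world does not yet exist, it's just a prospect for much later" is a comma splice; a period or semicolon after "exist" fixes it.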
| ===== Device as a gateway, with a true modem between it and the Internet ===== | ===== Device as a gateway, with a true modem between it and the Internet ===== | ||
| - | If your OpenWrt device has no WAN port at all out of the box adn has a built-in modem with something like a VDSL-phone port, or if it has a WAN port and you have an external modem that can be put in " | + | If your OpenWrt device has no WAN port at all out of the box and has a built-in modem with something like a VDSL-phone port, or if it has a WAN port and you have an external modem that can be put in " |
| - | See [[docs: | + | See [[docs: |
| - | ===== OpenWrt as wireless repeater (wifi<->wifi switch) ===== | + | ===== OpenWrt as wireless repeater (wifi↔wifi switch) ===== |
| If your OpenWrt device does not have LAN ports or if you don't want to connect any other devices using RJ45 LAN cables, then most probably you want to use the OpenWrt device as a WiFi repeater in your existing network. | If your OpenWrt device does not have LAN ports or if you don't want to connect any other devices using RJ45 LAN cables, then most probably you want to use the OpenWrt device as a WiFi repeater in your existing network. | ||
| Line 178: | Line 152: | ||
| * Note that OpenWrt will no longer listen on the typical default router address of your subnet (e.g. ip-address 192.168.1.1), | * Note that OpenWrt will no longer listen on the typical default router address of your subnet (e.g. ip-address 192.168.1.1), | ||
| - | [[docs: | + | For more information, |
| - | Note: In case you are interested in creating a so called " | + | Note: In case you are interested in creating a so called " |
| - | ===== OpenWrt as wireless access point (wifi< | + | ===== OpenWrt as wireless access point (wifi↔wired |
| As a wireless access point, OpenWrt connects to the existing network by wire. OpenWrt then acts as a networking device that allows your Wi-Fi devices to connect to the wired network over OpenWrt. | As a wireless access point, OpenWrt connects to the existing network by wire. OpenWrt then acts as a networking device that allows your Wi-Fi devices to connect to the wired network over OpenWrt. | ||
| * the wired network provides Internet access | * the wired network provides Internet access | ||
| Line 199: | Line 172: | ||
| - | ===== OpenWrt as a wire-to-wire switch ===== | + | ===== OpenWrt as a wire↔wire switch ===== |
| This scenario has already been covered in the previous described access point scenario, as the downstream LAN ports in OpenWrt are active by default, providing switching: All your wired and wireless clients connected to either OpenWrt or your other network switches can talk to each other without restrictions, | This scenario has already been covered in the previous described access point scenario, as the downstream LAN ports in OpenWrt are active by default, providing switching: All your wired and wireless clients connected to either OpenWrt or your other network switches can talk to each other without restrictions, | ||
| * so just follow the wireless access point description - just with the difference: if you only need a wire-to-wire-switch, | * so just follow the wireless access point description - just with the difference: if you only need a wire-to-wire-switch, | ||