Nested Routers and Port Forwarding


Post by GreenGoo »

Some of us recently were trying to troubleshoot another OO'er's port forwarding problem. He has nested (daisy chained, whatever) routers and was unable to get a piece of software to work from the second network.

Despite several hours of troubleshooting, we were not able to successfully get it working, which is strange since between us all there was a fair amount of networking knowledge being thrown at it.

Here is a YouTube video that clearly explains what we are trying to accomplish and how to accomplish it.



To the best of my knowledge, at one point we had tried exactly what the YouTube video shows, without success. If anyone with more experience knows of any caveats, gotchas or potential trouble points in doing this, please let me know. The routers are different brands, FYI.

I believe the software works if running on the first subnet (i.e. no nested router) but not on the second (nested router). The port is a single port and only requires TCP, although we forwarded both UDP and TCP just because.

Re: Nested Routers and Port Forwarding

Post by Paingod »

I haven't watched the video, but for a problem like that I'd try and step through layers if at all possible.

- Connect directly to ISP; does service work? If yes, move to next layer.
- Connect directly to ISP-facing router; does service work? If yes, move to next layer.
- Connect directly to router-facing router; does service work? If yes, move to next layer.
- Try a different computer with the same service, if possible. If yes, problem is on original computer.
- Try turning off firewall(s) on the original computer and see if it works.
- Try disabling any strange rules on both routers (after backing up configs) and see if they work in "default" modes

Just noticed this is a port forwarding thing, which makes it harder/impossible for testing default configs.

Ultimately, this is the sort of thing I'd have to sit down and fiddle with... Not very helpful. :hawk:

Re: Nested Routers and Port Forwarding

Post by Kasey Chang »

Testing such a config is not impossible if you can connect to each router and test the config via direct pings to ports and stuff. But yes, it's a PITA to set up.

I don't play games online any more, so I basically left my router pretty much "as is", even though I'm on a nested router setup. My AT&T DSL modem is also a router, but I set that up in "passthru" mode, and made my NetGear behind the internal router. Had to do a bit of finessing to get Plex working right as it doesn't always like the ports chosen.
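The layer-by-layer testing suggested in the two posts above can be done with a small TCP probe. This is an added example, not code from any poster; the layer names and the `localize` helper are assumptions made for illustration, and only port 1802/TCP comes from the thread.

```python
import socket
import sys

PORT = 1802  # TCP port named in the thread for Fantasy Grounds

# Innermost layer first. Run each probe from the segment just outside its
# target: the inner LAN, then the outer LAN, then a connection off-site.
LAYERS = [
    ("host", "service not listening, or a host firewall is blocking it"),
    ("inner_router_wan", "port forward on the second (nested) router"),
    ("public_ip", "port forward on the first (ISP-facing) router"),
]

def tcp_probe(address, port=PORT, timeout=2.0):
    """Try one TCP handshake; return 'open', 'refused' or 'filtered'."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"   # a reset came back: nothing is listening there
    except OSError:
        return "filtered"  # timeout or unreachable: dropped on the way

def localize(states):
    """states maps layer name -> probe result. Return the innermost layer
    that is not 'open' as (layer, state, suspect), or None if all passed."""
    for name, suspect in LAYERS:
        state = states.get(name, "untested")
        if state != "open":
            return name, state, suspect
    return None

if __name__ == "__main__":
    # Usage: python probe.py <address> [port]; note the result per layer.
    target = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else PORT
    print(target, port, tcp_probe(target, port))
```

Probing the public address from inside the LAN only succeeds if the first router supports NAT loopback, so run that last check from an outside connection.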

Re: Nested Routers and Port Forwarding

Post by GreenGoo »

Paingod wrote: Wed May 23, 2018 11:05 am Ultimately, this is the sort of thing I'd have to sit down and fiddle with... Not very helpful. :hawk:
Agreed. We fiddled with it for a good while, without good result.

Honestly it's not that complicated in theory, so I'm not sure what the problem is/was/will be.

Re: Nested Routers and Port Forwarding

Post by Kasey Chang »

Did you disable all the software firewalls to make sure they are not interfering?

Re: Nested Routers and Port Forwarding

Post by malchior »

Some services just don't work through double NATs. For example, if it relies on UPnP or a VPN it almost certainly won't work. In those cases the applications will typically disambiguate one layer of NAT but won't work with N+1 layers of it. As others suggested, I'd try it on a single NAT and see what happens.

Re: Nested Routers and Port Forwarding

Post by GreenGoo »

As mentioned in the OP, it works on single nat (otherwise it would be useless in most environments).

Re: Nested Routers and Port Forwarding

Post by malchior »

GreenGoo wrote: Sat May 26, 2018 1:57 pm As mentioned in the OP, it works on single nat (otherwise it would be useless in most environments).
Right, missed that - so without a protocol analysis or knowing the exact protocol I'd guess strongly that N+1 NATs won't work for this protocol.

Re: Nested Routers and Port Forwarding

Post by Victoria Raverna »

I didn't watch the video so maybe you tried these.

Do you need to have two NATs? Is it because you can't set the first router to bridge mode?

If the reason to have two NATs is because of not having bridge mode then you can try to set the second router as DMZ on the first router (DMZ in this case means to forward everything to second router).

If you do that, it'll be almost like using bridge mode on the first router. Then you can set port forwarding, upnp, etc. on the second router and it'll almost work like only having a single NAT.

Re: Nested Routers and Port Forwarding

Post by GreenGoo »

Ooohh, DMZ behind the first router. I like it. Will try it when I get a chance.

It's someone else's set up and the routers are different makes which can cause issues for bridge mode, is my understanding.

I advocated for turning the second router into an access point but the 2 different brands makes this problematic, apparently.

Edit: Ah crap, can't do that because some devices on the first subnet need router protection.

Re: Nested Routers and Port Forwarding

Post by Victoria Raverna »

GreenGoo wrote: Mon May 28, 2018 5:06 am Ooohh, DMZ behind the first router. I like it. Will try it when I get a chance.

It's someone else's set up and the routers are different makes which can cause issues for bridge mode, is my understanding.

I advocated for turning the second router into an access point but the 2 different brands makes this problematic, apparently.

Edit: Ah crap, can't do that because some devices on the first subnet need router protection.
Why not move the devices to second subnet?

If you can't change the ip addresses of the devices, another option is to change the subnet of the first router if that is possible. Then set the second router to be the old subnet of the first router. So you swap the subnet, then you can move the devices to second router and set the first router to forward everything to the second router.

Re: Nested Routers and Port Forwarding

Post by FishPants »

Double NAT might be messing up due to your TCP window size/block size. Try reducing that on the second router to like 1460 or so; the added overhead might be breaking the protocol.

Re: Nested Routers and Port Forwarding

Post by FishPants »

Also you might want to check out this article -- it could be Windows auto-tuning the TCP window size that is creating a problem as well, maybe try that first on the end point.

What's the protocol and port?

Re: Nested Routers and Port Forwarding

Post by GreenGoo »

Thanks for responding Fishpants. I haven't had a chance to look at this again since I posted last, but I haven't given up on it. Well, not completely anyway.

The port is specific to the piece of software (fantasy grounds, in this case). It's 1802 (if I remember correctly) and the protocol is tcp.

I'll take a look at the article, thanks again.

Re: Nested Routers and Port Forwarding

Post by malchior »

Fantasy Grounds uses UPnP which 100% will not work through a double NAT. You can see if you can disable UPnP in Fantasy Grounds (a post from their forum with relevant section quoted below indicates you can) or go nuclear and try disabling it on both routers however that'll break anything that depends on UPnP.
Fantasy Grounds will attempt to automatically set up your router to send port 1802 traffic to the machine you are hosting on, using the UPnP protocol. However, UPnP is not supported by all routers, and can be disabled.

Re: Nested Routers and Port Forwarding

Post by Isgrimnur »

And probably should be disabled.
Turning off any remote administration features that may be turned on by default is always a good idea, as is disabling Universal Plug and Play (UPnP), which can easily poke holes in your firewall without you knowing it.

Re: Nested Routers and Port Forwarding

Post by Victoria Raverna »

malchior wrote: Tue Jun 05, 2018 8:28 pm Fantasy Grounds uses UPnP which 100% will not work through a double NAT. You can see if you can disable UPnP in Fantasy Grounds (a post from their forum with relevant section quoted below indicates you can) or go nuclear and try disabling it on both routers however that'll break anything that depends on UPnP.
Fantasy Grounds will attempt to automatically set up your router to send port 1802 traffic to the machine you are hosting on, using the UPnP protocol. However, UPnP is not supported by all routers, and can be disabled.
UPnP can work with double NAT using DMZ (forward everything) setup. Set the second router's ip address as the DMZ ip address on the first router (the one connected directly to internet). Enable UPnP on the second router.

Or another solution is to set second router as an access point. So disable dhcp, upnp, etc. on second router. Use the same subnet as first router. Enable dhcp, upnp on first router and let devices get ip address from first router.
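The forwarding chain discussed in the posts above can be checked on paper before touching either router. The following is an added example, not from any poster or from Fantasy Grounds: it models each router as a dictionary and follows port 1802 inward, covering a mapping that exists only on the inner router, a forward aimed at the wrong subnet, a chained forward, and the DMZ setup. All addresses and names are constructed.

```python
import ipaddress

# RFC 1918 private ranges plus the RFC 6598 carrier-grade NAT range.
NAT_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

def behind_another_nat(wan_ip):
    """True if a router's WAN address is itself a NAT-side address."""
    addr = ipaddress.ip_address(wan_ip)
    return any(addr in net for net in NAT_RANGES)

def trace_forward(routers, host_ip, port):
    """Follow `port` from the outermost router inward; return (ok, reason)."""
    for i, r in enumerate(routers):
        target = r.get("forwards", {}).get(port) or r.get("dmz")
        if target is None:
            return False, f"{r['name']}: no forward or DMZ entry for port {port}"
        if ipaddress.ip_address(target) not in ipaddress.ip_network(r["lan"]):
            return False, f"{r['name']}: {target} is not on its LAN {r['lan']}"
        next_hop = routers[i + 1]["wan"] if i + 1 < len(routers) else host_ip
        if target != next_hop:
            return False, f"{r['name']}: forwards to {target}, expected {next_hop}"
    return True, "chain complete"

# Constructed topology (every address here is made up for the example).
OUTER = {"name": "outer", "wan": "203.0.113.7", "lan": "192.168.1.0/24"}
INNER = {"name": "inner", "wan": "192.168.1.2", "lan": "192.168.2.0/24"}
HOST = "192.168.2.50"

def scenario(outer_extra, inner_extra):
    """Merge rule sets into the two routers and trace port 1802."""
    chain = [{**OUTER, **outer_extra}, {**INNER, **inner_extra}]
    return trace_forward(chain, HOST, 1802)

# Rule on the inner router only, whether added by hand or by a UPnP request.
INNER_RULE = {"forwards": {1802: HOST}}
UPNP_ONLY = scenario({}, INNER_RULE)
WRONG_TARGET = scenario({"forwards": {1802: HOST}}, INNER_RULE)
CHAINED = scenario({"forwards": {1802: INNER["wan"]}}, INNER_RULE)
DMZ = scenario({"dmz": INNER["wan"]}, INNER_RULE)
```

`behind_another_nat` applied to the second router's WAN address is a quick way to confirm a double NAT is present at all.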

Re: Nested Routers and Port Forwarding

Post by GreenGoo »

malchior wrote: Tue Jun 05, 2018 8:28 pm Fantasy Grounds uses UPnP which 100% will not work through a double NAT. You can see if you can disable UPnP in Fantasy Grounds (a post from their forum with relevant section quoted below indicates you can) or go nuclear and try disabling it on both routers however that'll break anything that depends on UPnP.
Fantasy Grounds will attempt to automatically set up your router to send port 1802 traffic to the machine you are hosting on, using the UPnP protocol. However, UPnP is not supported by all routers, and can be disabled.
I could have sworn we disabled it, but now I'm doubting myself. Thanks, will try again when I get a chance. There were multiple people working on the problem at the time, and none of us had physical or remote access to the routers. We had to use a voice activated meat puppet manipulator, which added an extra layer of purple monkey dishwasher.

Setting the second router as an access point is my preferred solution, but the routers are different brands and I've been told by people with more experience in networking than me that different brands often don't play nice when bridged/access point/whatever together. We never tested it though, to my recollection.

Re: Nested Routers and Port Forwarding

Post by malchior »

I don't know about that. I'd say that is more a concern for an enterprise to avoid vendor finger pointing. At home I use mixed access points all the time. In fact, in my house I think I have 3 different vendors for my main router, my basement/backyard AP, and my upstairs AP. And my backbone is some rando MoCA bridge. This stuff is designed to interoperate.

Re: Nested Routers and Port Forwarding

Post by GreenGoo »

Beats me, I never even considered it could be a problem until someone stopped me before I could get started so I simply bowed to their greater experience.

Sure would make life simple. The original 2 router/2 subnet configuration was almost certainly a mistake due to lack of networking knowledge in the first place.

Re: Nested Routers and Port Forwarding

Post by Victoria Raverna »

GreenGoo wrote: Thu Jun 07, 2018 3:54 pm Beats me, I never even considered it could be a problem until someone stopped me before I could get started so I simply bowed to their greater experience.

Sure would make life simple. The original 2 router/2 subnet configuration was almost certainly a mistake due to lack of networking knowledge in the first place.
Setting the second router as an access point that is connected to the first router using wired Ethernet is not going to be a problem. The second router will function as a simple network switch or a dumb network hub that also allows wireless connections, so there is nothing that can cause problems, since everything (DHCP, IP address, subnet, gateway, port forwarding, UPnP, etc.) is controlled by the first router. The second router just extends the port of the first router to devices that are connected to the second router.

I use double NAT so that when I switch the router or modem router that is connected to the internet (like when I switch ISPs), I don't need to reconfigure the second router. That makes it easier to migrate between ISPs and between internet connection types (ADSL, cable, fiber, etc.). Also, it is normal here (Indonesia) for the ISP to provide a router or modem which is less powerful and less flexible compared to a higher-end router or an OpenWrt router. It doesn't make sense to set a high-end router with a powerful processor as a dumb access point.

Re: Nested Routers and Port Forwarding

Post by GreenGoo »

Thanks for your responses Vic. I'm not sure which solution we'll end up with, but I almost certainly will try the AP first and if that proves untenable for whatever reason, I'll start exploring other things mentioned here in this thread.