Nested Routers and Port Forwarding
- GreenGoo
- Posts: 42347
- Joined: Thu Oct 14, 2004 10:46 pm
- Location: Ottawa, ON
Nested Routers and Port Forwarding
Some of us recently were trying to troubleshoot another OO'er's port forwarding problem. He has nested (daisy chained, whatever) routers and was unable to get a piece of software to work from the second network.
Despite several hours of troubleshooting, we were not able to successfully get it working, which is strange since between us all there was a fair amount of networking knowledge being thrown at it.
Here is a youtube video that clearly explains what we are trying to accomplish and how to accomplish it.
To the best of my knowledge, at one point we had tried exactly what the youtube video shows, without success. If anyone with more experience knows of any caveats, gotchas or potential trouble points in doing this, please let me know. The routers are different brands, fyi.
I believe the software works if running on the first subnet (i.e. no nested router) but not on the second (nested router). The port is a single port and only requires tcp although we forwarded both udp and tcp just because.
- Paingod
- Posts: 13135
- Joined: Wed Aug 25, 2010 8:58 am
Re: Nested Routers and Port Forwarding
I haven't watched the video, but for a problem like that I'd try and step through layers if at all possible.
- Connect directly to ISP; does service work? If yes, move to next layer.
- Connect directly to ISP-facing router; does service work? If yes, move to next layer.
- Connect directly to router-facing router; does service work? If yes, move to next layer.
- Try a different computer with the same service, if possible. If yes, problem is on original computer.
- Try turning off firewall(s) on the original computer and see if it works.
- Try disabling any strange rules on both routers (after backing up configs) and see if they work in "default" modes
Just noticed this is a port forwarding thing, which makes it harder/impossible for testing default configs.
Ultimately, this is the sort of thing I'd have to sit down and fiddle with... Not very helpful.
Black Lives Matter
2021-01-20: The first good night's sleep I had in 4 years.
- Kasey Chang
- Posts: 20751
- Joined: Sat Oct 30, 2004 4:20 pm
- Location: San Francisco, CA
- Contact:
Re: Nested Routers and Port Forwarding
Testing such config is not impossible if you can connect to each router and test config via direct pings to ports and stuff. But yes, it's a PITA to set up.
I don't play games online any more, so I basically left my router pretty much "as is", even though I'm on a nested router setup. My AT&T DSL modem is also a router, but I set that up in "passthru" mode, and made my NetGear behind the internal router. Had to do a bit of finessing to get Plex working right as it doesn't always like the ports chosen.
My game FAQs | Playing: She Will Punish Them, Sunrider: Mask of Arcadius, The Outer Worlds
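The layer-by-layer testing suggested in the two posts above can be scripted. This is an added example, not code from anyone in the thread; the function names and the sample addresses are assumptions made for illustration, and only TCP port 1802 comes from the discussion.

```python
import ipaddress
import socket

# Ranges that mean "this address is itself behind a NAT": RFC 1918 private
# space plus the RFC 6598 carrier-grade NAT block.
NAT_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

def behind_nat(wan_ip):
    """True if the address is not publicly routable (another NAT sits upstream)."""
    addr = ipaddress.ip_address(wan_ip)
    return any(addr in net for net in NAT_RANGES)

def tcp_open(host, port, timeout=3.0):
    """Attempt a full TCP handshake; True only if a listener accepted it."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, or unreachable
        return False

def check_layers(layers, port, probe=tcp_open):
    """Probe each (label, address) pair, ordered from the host outward.
    Returns (label, natted, reachable) tuples, one per layer."""
    return [(label, behind_nat(addr), probe(addr, port)) for label, addr in layers]

if __name__ == "__main__":
    PORT = 1802  # TCP port named in the thread
    # Constructed sample addresses; substitute the real ones.
    layers = [
        ("host itself (probe from the inner LAN)", "192.168.2.50"),
        ("inner router WAN address (probe from the outer LAN)", "192.168.1.2"),
        ("outer router WAN address (probe from outside)", "203.0.113.10"),
    ]
    for label, natted, reachable in check_layers(layers, PORT):
        # natted=True on the outermost address means the ISP is also doing NAT,
        # and no forward on the home routers can expose the port.
        print(f"{label}: natted={natted} port {PORT} reachable={reachable}")
```

Each probe is only meaningful from the network segment just outside the layer it names, because many consumer routers do not apply port forwards to connections that originate on their own LAN side (no NAT loopback). The first layer, counting outward from the host, that reports the port unreachable is where the missing forward or blocking firewall sits.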
- Kasey Chang
- Posts: 20751
- Joined: Sat Oct 30, 2004 4:20 pm
- Location: San Francisco, CA
- Contact:
Re: Nested Routers and Port Forwarding
Did you disable all the software firewalls to make sure they are not interfering?
My game FAQs | Playing: She Will Punish Them, Sunrider: Mask of Arcadius, The Outer Worlds
-
- Posts: 24795
- Joined: Wed Oct 13, 2004 12:58 pm
Re: Nested Routers and Port Forwarding
Some services just don't work through double NATs. For example, if it relies on UPnP or a VPN it almost certainly won't work. In those cases the applications will typically disambiguate one layer of NAT but won't work with N+1 layers of it. As others suggested, I'd try it on a single NAT and see what happens.
- GreenGoo
- Posts: 42347
- Joined: Thu Oct 14, 2004 10:46 pm
- Location: Ottawa, ON
Re: Nested Routers and Port Forwarding
As mentioned in the OP, it works on single nat (otherwise it would be useless in most environments).
- Victoria Raverna
- Posts: 5114
- Joined: Fri Oct 15, 2004 2:23 am
- Location: Jakarta
Re: Nested Routers and Port Forwarding
I didn't watch the video so maybe you tried these.
Do you need to have two NATs? Is it because you can't set the first router to bridge mode?
If the reason to have two NATs is because of not having bridge mode then you can try to set the second router as DMZ on the first router (DMZ in this case means to forward everything to second router).
If you do that, it'll be almost like using bridge mode on the first router. Then you can set port forwarding, upnp, etc. on the second router and it'll almost work like only having a single NAT.
- GreenGoo
- Posts: 42347
- Joined: Thu Oct 14, 2004 10:46 pm
- Location: Ottawa, ON
Re: Nested Routers and Port Forwarding
Ooohh, DMZ behind the first router. I like it. Will try it when I get a chance.
It's someone else's set up and the routers are different makes which can cause issues for bridge mode, is my understanding.
I advocated for turning the second router into an access point but the 2 different brands makes this problematic, apparently.
Edit: Ah crap, can't do that because some devices on the first subnet need router protection.
- Victoria Raverna
- Posts: 5114
- Joined: Fri Oct 15, 2004 2:23 am
- Location: Jakarta
Re: Nested Routers and Port Forwarding
GreenGoo wrote (Mon May 28, 2018 5:06 am):
> Ooohh, DMZ behind the first router. I like it. Will try it when I get a chance.
> It's someone else's set up and the routers are different makes which can cause issues for bridge mode, is my understanding.
> I advocated for turning the second router into an access point but the 2 different brands makes this problematic, apparently.
> Edit: Ah crap, can't do that because some devices on the first subnet need router protection.

Why not move the devices to second subnet?
If you can't change the ip addresses of the devices, another option is to change the subnet of the first router if that is possible. Then set the second router to be the old subnet of the first router. So you swap the subnet, then you can move the devices to second router and set the first router to forward everything to the second router.
- FishPants
- Server WhOOre
- Posts: 4661
- Joined: Fri Oct 15, 2004 1:38 pm
- Location: Canada
Re: Nested Routers and Port Forwarding
Double NAT might be messing up due to your TCP window size/block size. Try reducing that on the second router to like 1460 or so; the added overhead might be breaking the protocol.
No.
- FishPants
- Server WhOOre
- Posts: 4661
- Joined: Fri Oct 15, 2004 1:38 pm
- Location: Canada
Re: Nested Routers and Port Forwarding
Also you might want to check out this article -- it could be Windows auto-tuning the TCP window size that is creating a problem as well, maybe try that first on the end point.
What's the protocol and port?
No.
- GreenGoo
- Posts: 42347
- Joined: Thu Oct 14, 2004 10:46 pm
- Location: Ottawa, ON
Re: Nested Routers and Port Forwarding
Thanks for responding Fishpants. I haven't had a chance to look at this again since I posted last, but I haven't given up on it. Well, not completely anyway.
The port is specific to the piece of software (fantasy grounds, in this case). It's 1802 (if I remember correctly) and the protocol is tcp.
I'll take a look at the article, thanks again.
-
- Posts: 24795
- Joined: Wed Oct 13, 2004 12:58 pm
Re: Nested Routers and Port Forwarding
Fantasy Grounds uses UPnP which 100% will not work through a double NAT. You can see if you can disable UPnP in Fantasy Grounds (a post from their forum with relevant section quoted below indicates you can) or go nuclear and try disabling it on both routers however that'll break anything that depends on UPnP.
> Fantasy Grounds will attempt to automatically set up your router to send port 1802 traffic to the machine you are hosting on, using the UPnP protocol. However, UPnP is not supported by all routers, and can be disabled.
- Isgrimnur
- Posts: 82327
- Joined: Sun Oct 15, 2006 12:29 am
- Location: Chookity pok
- Contact:
Re: Nested Routers and Port Forwarding
And probably should be disabled.
Turning off any remote administration features that may be turned on by default is always a good idea, as is disabling Universal Plug and Play (UPnP), which can easily poke holes in your firewall without you knowing it).
It's almost as if people are the problem.
- Victoria Raverna
- Posts: 5114
- Joined: Fri Oct 15, 2004 2:23 am
- Location: Jakarta
Re: Nested Routers and Port Forwarding
malchior wrote (Tue Jun 05, 2018 8:28 pm):
> Fantasy Grounds uses UPnP which 100% will not work through a double NAT. You can see if you can disable UPnP in Fantasy Grounds (a post from their forum with relevant section quoted below indicates you can) or go nuclear and try disabling it on both routers however that'll break anything that depends on UPnP.
> Fantasy Grounds will attempt to automatically set up your router to send port 1802 traffic to the machine you are hosting on, using the UPnP protocol. However, UPnP is not supported by all routers, and can be disabled.

UPnP can work with double NAT using DMZ (forward everything) setup. Set the second router's ip address as the DMZ ip address on the first router (the one connected directly to internet). Enable UPnP on the second router.
Or another solution is to set second router as an access point. So disable dhcp, upnp, etc. on second router. Use the same subnet as first router. Enable dhcp, upnp on first router and let devices get ip address from first router.
- GreenGoo
- Posts: 42347
- Joined: Thu Oct 14, 2004 10:46 pm
- Location: Ottawa, ON
Re: Nested Routers and Port Forwarding
malchior wrote (Tue Jun 05, 2018 8:28 pm):
> Fantasy Grounds uses UPnP which 100% will not work through a double NAT. You can see if you can disable UPnP in Fantasy Grounds (a post from their forum with relevant section quoted below indicates you can) or go nuclear and try disabling it on both routers however that'll break anything that depends on UPnP.
> Fantasy Grounds will attempt to automatically set up your router to send port 1802 traffic to the machine you are hosting on, using the UPnP protocol. However, UPnP is not supported by all routers, and can be disabled.

I could have sworn we disabled it, but now I'm doubting myself. Thanks, will try again when I get a chance. There were multiple people working on the problem at the time, and none of us had physical or remote access to the routers. We had to use a voice activated meat puppet manipulator, which added an extra layer of purple monkey dishwasher.
Setting the second router as an access point is my preferred solution, but the routers are different brands and I've been told by people with more experience in networking than me that different brands often don't play nice when bridged/access point/whatever together. We never tested it though, to my recollection.
-
- Posts: 24795
- Joined: Wed Oct 13, 2004 12:58 pm
Re: Nested Routers and Port Forwarding
I don't know about that. I'd say that is more a concern for an enterprise to avoid vendor finger pointing. At home I use mixed access points all the time. In fact, in my house I think I have 3 different vendors for my main router, my basement/backyard AP, and my upstairs AP. And my backbone is some rando MoCA bridge. This stuff is designed to interoperate.
- GreenGoo
- Posts: 42347
- Joined: Thu Oct 14, 2004 10:46 pm
- Location: Ottawa, ON
Re: Nested Routers and Port Forwarding
Beats me, I never even considered it could be a problem until someone stopped me before I could get started so I simply bowed to their greater experience.
Sure would make life simple. The original 2 router/2 subnet configuration was almost certainly a mistake due to lack of networking knowledge in the first place.
- Victoria Raverna
- Posts: 5114
- Joined: Fri Oct 15, 2004 2:23 am
- Location: Jakarta
Re: Nested Routers and Port Forwarding
GreenGoo wrote (Thu Jun 07, 2018 3:54 pm):
> Beats me, I never even considered it could be a problem until someone stopped me before I could get started so I simply bowed to their greater experience.
> Sure would make life simple. The original 2 router/2 subnet configuration was almost certainly a mistake due to lack of networking knowledge in the first place.

Setting second router as access point that connected to first router using wired ethernet is not going to be a problem. Second router will function as a simple network switch or a dumb network hub that also allow wireless connection so nothing that can cause problem since everything (DHCP, ip address, subnet, gateway, port forwarding, upnp etc) are controlled by first router. The second router just extend the port of first router to devices that connected to second router.
I use double NAT so that when I switch the router or modem router that connected to internet (like when I switch ISP), I don't need to reconfigure the second router. That make it easier to migrate between ISPs and between internet connection types (ADSL, cable, fiber, etc). Also it is normal here (Indonesia) for ISP to provide the router or modem which is less powerful and less flexible compare to higher end router or an openwrt router. It doesn't make sense to set a high end router with powerful processor as a dumb access point.
- GreenGoo
- Posts: 42347
- Joined: Thu Oct 14, 2004 10:46 pm
- Location: Ottawa, ON
Re: Nested Routers and Port Forwarding
Thanks for your responses Vic. I'm not sure which solution we'll end up with, but I almost certainly will try the AP first and if that proves untenable for whatever reason, I'll start exploring other things mentioned here in this thread.