Office sublet, "Double NAT" issues

sippy

Junior Member
Feb 1, 2016
Hey all,

First time post, long time Anandtech reader.

I have a friend who started a small business and rents a space in an office sublet - the way this works is there are many office spaces rented out by various businesses. She has a few PCs, and the office folks provide both wifi (slow, unreliable) and wired connections.

I can only assume there is a switch or router behind the wall cat5 connections, because I got internet upon connecting a PC. However, we could see many, many PCs; when we connect directly, we are all on the same subnet (I assume). Not great from a security standpoint.

Naturally, I hooked up a residential wireless router to the cat5 connection, and got it working. I believe I kept WAN port DHCP enabled.

Fast forward 6 months. The landlord tells my friend that his computer guy is telling him that her setup is screwing up the network for other tenants, due to double NAT. He says they need to switch to a "smart switch" with VLAN capability.

Oops. I don't understand how this could be messing with the network but I guess I'm not a network engineer.

What would you guys recommend in this situation to (1) not double NAT and (2) provide security for my friend's PCs and (3) perhaps not cost an arm and a leg?

Thank you in advance!
Eric
 
Feb 25, 2011
Hey all,

First time post, long time Anandtech reader.

I have a friend who started a small business and rents a space in an office sublet - the way this works is there are many office spaces rented out by various businesses. She has a few PCs, and the office folks provide both wifi (slow, unreliable) and wired connections.

I can only assume there is a switch or router behind the wall cat5 connections, because I got internet upon connecting a PC.

Safe assumption.

However, we could see many, many PCs; when we connect directly, we are all on the same subnet (I assume).

You are correct. We will call this The Problem™.

Not great from a security standpoint.

I would agree.

Naturally, I hooked up a residential wireless router to the cat5 connection, and got it working. I believe I kept WAN port DHCP enabled.

Yup. That's how that works.

Fast forward 6 months. The landlord tells my friend that his computer guy is telling him that her setup is screwing up the network for other tenants, due to double NAT. He says they need to switch to a "smart switch" with VLAN capability.

That doesn't work that way. Landlord's "computer guy" has no idea what he's talking about. And if he did have any clue, The Problem™ would not exist, because he'd have already VLANed and routed all the offices into separate subnets so there were fewer potential security issues and better traffic management.

Oops. I don't understand how this could be messing with the network but I guess I'm not a network engineer.

What would you guys recommend in this situation to (1) not double NAT and (2) provide security for my friend's PCs and (3) perhaps not cost an arm and a leg?

Thank you in advance!
Eric

Your little WAP router doodad, if it's installed and configured properly, is basically unable to cause problems like this - most of the issues with double NAT (and they are legion) affect the computers downstream from the NAT point - your friends' computers. (Well, that, and other computers in the parent network that can't get to them. Which is maybe why the problem? Are your friends trying to share files with people in the parent network or something?)

My recommendation would be to make sure your wifi is locked, and only your friend's computers are accessing it, also to make sure you're not plugging the router into two switch ports on the parent network (this can cause switching loops) and finally, tell them you turned the NAT off. For the most part, all the network "admin" will be able to see is your one single IP address (the one from the upstream connection of your WAP.) So they won't really know any better.

Then get your own damn internet. You'll be glad you did. Remember the first rule of IT: hands off other peoples' stuff. Shared networks are evil.
 

sippy

Junior Member
Feb 1, 2016
Dave,

Thanks so much for your response, it has confirmed much of what I suspected!

I'm concerned that the management of the office space might side with their "technical consultant" which we have established is likely mistaken.

In this case, they would probably push for the NAT device to disappear in lieu of a smart switch type deal.

If that came to pass and we had no other choice, is there any particular setup that you think we could use to get the same functionality? Also, would a hardware firewall be required for this setup?

What I'm thinking now is a managed switch with one port on VLAN "A" connected to the wall, then VLAN "B" consisting of the ports used for our little internal LAN. I think I might have to share A with B somehow, but I'm not sure on the specifics?

Again, I'm going to try to fight the good fight here and defend what seems to be a perfectly fine way of doing things with the NAT router, but unfortunately we can't always get our way...

Thank you again!
Eric
 
Feb 25, 2011
A smart switch with a different VLAN on each side (A and B) is going to have to route between the two LANs.

IOW, if you want the B side to have Internet access, it will need to do NAT, and it will be basically the same as the WAP setup you have now. (The 'smart' in smart switch usually refers to a switch with some router capabilities.)

Your issue may be that the WAP you are using is set to assign IPs from the same address pool as the building's network? That could confuse things.

Get a network diagram of what they want you to do and post it here.
 

QuietDad

Senior member
Dec 18, 2005
Seems to me if you plug the router's LAN port into the wall, allow your router to get an IP from the building (for argument's sake, let's say 192.168.1.123) and set up your router's WAN to 192.168.2.xxx and point all the PCs to your router as the gateway, the building management would have no idea what you had.
 
Feb 25, 2011
Seems to me if you plug the router's LAN port into the wall, allow your router to get an IP from the building (for argument's sake, let's say 192.168.1.123) and set up your router's WAN to 192.168.2.xxx and point all the PCs to your router as the gateway, the building management would have no idea what you had.
Exactly. :thumbsup:
 

mv2devnull

Golden Member
Apr 13, 2010
Seems to me if you plug the router's LAN port into the wall, allow your router to get an IP from the building (for argument's sake, let's say 192.168.1.123) and set up your router's WAN to 192.168.2.xxx and point all the PCs to your router as the gateway, the building management would have no idea what you had.
Oh no. You propose to connect a DHCP to somebody else's subnet that already has a DHCP. That is a disaster.


If the current setup indeed has the WAN-port connected to the "external" net, the subnet in the "LAN"-side different from the "external" and NAT on, then the building could not tell whether you have one "PC" or many.

The claim of "double NAT" implies that the subnet in the building is a private address block. Can you tell the network of the building (as given to your router) and the network of your "own" subnet so that we can see that they are not conflicting?
 

sippy

Junior Member
Feb 1, 2016
Can you tell the network of the building (as given to your router) and the network of your "own" subnet so that we can see that they are not conflicting?

Are you asking for subnets on each side or something else? Not sure how much I will be able to find out about the building topology, although I guess I could use something like Fing which might give that.
 

sippy

Junior Member
Feb 1, 2016
The claim of "double NAT" implies that the subnet in the building is a private address block.

And yes, I definitely think this is the case, since when you plug a PC into the wall you get to see every other PC in the Windows networking universe. It's just one giant LAN probably supported by an XY (24 maybe) port switch plugged into a router. All the drops probably just plug into that XY port switch.
 

Red Squirrel

No Lifer
May 24, 2003
www.betteroff.ca
What range is your internal network? A double NAT, while ugly, should not cause a problem outside the network. The network will only see it as a single IP device.

I would just make sure the range is different. So if your router is getting a 192.168.0.x address from the network, then set your internal network to something else like 192.168.1.x. But I'd play it safe and do something like 192.168.59.x or something. Something arbitrary that is not too likely to be used.

Though even if it matches I can't see how it would cause an issue to their network, what's behind your NAT should be irrelevant. If anything it would cause issues for you.

VLANs won't do much in this case, unless their router can do VLAN routing. You want to route the traffic to/from the internet but not from the other VLANs. So basically there would be firewall rules to restrict traffic between VLANs. From a security standpoint though, it's always better to have and manage your own router/firewall, so I would not get rid of the double NAT in this case. Though is there any way you can just get your own connection? That would be much better.
 

mv2devnull

Golden Member
Apr 13, 2010
Not sure how much I will be able to find out
Easy:

1. Plug a PC to the wall. Record from the Network Connection Details:
* IPv4 Address
* IPv4 Subnet Mask
* IPv4 Default Gateway

That is your "building LAN".


2. Plug a PC to your "router". Record from the Network Connection Details:
* IPv4 Address
* IPv4 Subnet Mask
* IPv4 Default Gateway

That is your "company LAN".


3. Record the IP address that your "router" has got on its WAN-port.
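The three readouts those steps collect can be checked mechanically for the two failure modes discussed in this thread: the company LAN overlapping the building LAN, and the router's LAN port (with its DHCP server) sitting on the wall jack. This is an added example, not code from any poster; the addresses are constructed samples, with 192.168.59.x borrowed from the "arbitrary range" suggestion upthread.

```python
import ipaddress

# Constructed sample values for the three measurements in the steps above.
BUILDING_LAN = {"address": "192.168.0.57", "mask": "255.255.255.0", "gateway": "192.168.0.1"}
COMPANY_LAN = {"address": "192.168.59.20", "mask": "255.255.255.0", "gateway": "192.168.59.1"}
ROUTER_WAN_IP = "192.168.0.123"


def network_of(details):
    """Return the subnet a 'Network Connection Details' readout belongs to."""
    iface = ipaddress.ip_interface(f"{details['address']}/{details['mask']}")
    return iface.network


def check_double_nat(building, company, wan_ip):
    """Classify the setup described in the thread.

    Returns a list of findings; an empty list means the router sits on the
    WAN side of a distinct private subnet, i.e. the harmless double-NAT case.
    """
    findings = []
    bnet = network_of(building)
    cnet = network_of(company)
    wan = ipaddress.ip_address(wan_ip)

    # "Double NAT" only arises when the building side is itself private space.
    if not bnet.is_private:
        findings.append("building LAN is not private address space; no double NAT")

    # The building's DHCP should have handed the router's WAN port an
    # address inside the building subnet.
    if wan not in bnet:
        findings.append("router WAN address is not in the building subnet")

    # Overlapping ranges is the confusing case warned about upthread.
    if bnet.overlaps(cnet):
        findings.append(f"company LAN {cnet} overlaps building LAN {bnet}")

    # If a PC behind the router is handed the building's gateway, the router's
    # LAN port (and its DHCP server) is on the wall jack: the harmful case.
    if ipaddress.ip_address(company["gateway"]) in bnet:
        findings.append("company PCs use the building gateway; router LAN port is on the wall jack")

    return findings


if __name__ == "__main__":
    print(check_double_nat(BUILDING_LAN, COMPANY_LAN, ROUTER_WAN_IP) or ["setup looks fine"])
```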
 

kevnich2

Platinum Member
Apr 10, 2004
Fast forward 6 months. The landlord tells my friend that his computer guy is telling him that her setup is screwing up the network for other tenants, due to double NAT. He says they need to switch to a "smart switch" with VLAN capability.

Oops. I don't understand how this could be messing with the network but I guess I'm not a network engineer.

What would you guys recommend in this situation to (1) not double NAT and (2) provide security for my friend's PCs and (3) perhaps not cost an arm and a leg?

Thank you in advance!
Eric

This depends on how the small router was hooked up. If you connected a wall jack to the WAN/Internet port of the router and all computers to the LAN port, you should be fine. If you connected any of the LAN ports to a wall jack, yes this will cause problems.
 

Mushkins

Golden Member
Feb 11, 2013
I have a similar setup in one of our offices, except I'm on the side of the big bad landlord :p

If you *have* to share an internet connection, the proper way to do this is to get multiple static IPs from the ISP, and a nicer modem than the one they probably give you for free. The Cablevision modem we have in that office has multiple ports on it. I plug my router into one, Company B plugs their router into another, we each use a different static IP for the WAN, and our networks are absolutely, 100% segregated.

But yeah, one more vote for simply getting your own service because it's a thousand times easier than dealing with a landlord acting as a middle man. If you have an issue and the landlord is out of town, you *can't* call support or have them roll a truck to come fix it because it's not your account. I wouldn't want my business to be beholden to the landlord acting as an advocate on our behalf for that kind of thing.