Is it a bad idea to use multiple NAT layers, or isn't it?

The computer network of an organization has a NAT with the 192.168/16 IP address range. There is a department with a server that has the IP address 192.168.x.y, and this server handles the hosts of this department with another NAT with the IP address range 172.16/16.

Thus there are 2 layers of NAT. Why don't they use subnetting instead? This would allow easy routing.

I feel that multiple layers of NAT can cause performance losses. Could you please help me compare the two design strategies?


@Jon Some more information

In discussion with a friend, we realized that subnetting would cause the following problem. The ARP requests of a computer would flood the entire organization's network. If the router does not forward these requests, then PCs in one department will not be able to connect to PCs in other departments, which anyway cannot be done if they are behind different NATs. With a packet sniffer we saw that there is a large number of ARP requests, as most computers in the department have Windows File Sharing enabled.

How to solve this problem?

Also, if two computers are behind different NATs, then is there no way for them to connect to each other?
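As an added example (not part of the question or of any answer), the script below models how far an ARP request travels under the two designs being compared: one flat 192.168.0.0/16 LAN versus one routed /24 per department. A host ARPs only for addresses it considers on-link; anything else is sent to its default gateway, and a router does not forward the broadcast. The four hosts, their addresses and gateways are constructed for the example and are not the addresses from the question.

```python
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Tuple

# Host tuples are (name, address, prefix length configured on its NIC, default gateway).
# Constructed sample data: two departments, four machines, two ways of addressing them.
Host = Tuple[str, str, int, str]

FLAT_HOSTS: List[Host] = [          # one flat /16, one router for everything
    ("hr-pc1",  "192.168.1.10", 16, "192.168.0.1"),
    ("hr-pc2",  "192.168.1.11", 16, "192.168.0.1"),
    ("dev-pc1", "192.168.2.10", 16, "192.168.0.1"),
    ("dev-pc2", "192.168.2.11", 16, "192.168.0.1"),
]
SUBNETTED_HOSTS: List[Host] = [     # one /24 per department, each with its own gateway
    ("hr-pc1",  "192.168.1.10", 24, "192.168.1.1"),
    ("hr-pc2",  "192.168.1.11", 24, "192.168.1.1"),
    ("dev-pc1", "192.168.2.10", 24, "192.168.2.1"),
    ("dev-pc2", "192.168.2.11", 24, "192.168.2.1"),
]


def link_network(addr: str, prefix: int) -> IPv4Network:
    """The on-link network a host derives from its own address and mask.
    This is exactly as far as its ARP broadcasts travel; the router stops them."""
    return ip_network(f"{addr}/{prefix}", strict=False)


def arp_target(host: Host, dst: str) -> IPv4Address:
    """Address the host ARPs for before sending to dst:
    dst itself if it is on-link, otherwise the default gateway."""
    _, addr, prefix, gateway = host
    dst_ip = ip_address(dst)
    return dst_ip if dst_ip in link_network(addr, prefix) else ip_address(gateway)


def arp_audience(host: Host) -> int:
    """Usable addresses inside the broadcast domain that receive this host's ARP requests."""
    _, addr, prefix, _ = host
    return link_network(addr, prefix).num_addresses - 2


def hosts_hearing_arp(hosts: List[Host], sender_name: str) -> List[str]:
    """Names of the other listed hosts that sit in the sender's broadcast domain."""
    sender = next(h for h in hosts if h[0] == sender_name)
    link = link_network(sender[1], sender[2])
    return sorted(name for name, addr, _, _ in hosts
                  if name != sender_name and ip_address(addr) in link)


if __name__ == "__main__":
    for label, hosts in (("flat /16", FLAT_HOSTS), ("/24 per department", SUBNETTED_HOSTS)):
        sender = hosts[0]
        print(f"{label}: hr-pc1 ARPs reach {arp_audience(sender)} addresses, "
              f"listed hosts hearing them: {hosts_hearing_arp(hosts, 'hr-pc1')}, "
              f"to reach dev-pc1 it ARPs for {arp_target(sender, '192.168.2.10')}")
```

On the flat network every ARP request from hr-pc1 is seen by all 65534 possible hosts; with a /24 per department it is seen by at most 254, and a packet for the other department is handed to the gateway instead, so a sniffer in one department never sees the other department's file-sharing ARP chatter.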

If something is good, then doubling it usually makes it even better (Double Stuf Oreos are one example that comes to mind). But when it comes to Network Address Translation (NAT), the mainstay of most home networks, double doesn't necessarily equal better.

NAT is definitely a good thing; it allows multiple devices to share a single IP address (without it we would have run out of IP addresses long ago) and it helps limit a network's exposure to the Internet. But depending on the type of Internet access equipment you have or have been given by your ISP, you may encounter a situation known as double NAT, which isn't so good. While double NAT doesn't generally have any ill effects on run-of-the-mill network connectivity -- Web browsing, e-mail, IM, and so forth -- it can be a major impediment when you need remote access to devices on your network (such as a PC, network storage device (NAS), Slingbox, etc.).

Anything that automagically opens up holes in your firewall (for instance, a BitTorrent client might use UPnP to get a port opened for itself without direct user intervention) is going to fail, because it can't access the 'outer' NAT.

Otherwise, it's a bit of added latency (not likely to be significant) and you're paying to power two devices instead of one.
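Added example, not from either answer above: a small simulation of the remote-access problem described in the two preceding answers (inbound connections and UPnP behind double NAT). Each NAT box is modelled as the address it shows to the layer outside it plus its table of port forwards; an unsolicited inbound packet is walked from the Internet inwards and is dropped by the first box with no matching forward. The topology (ISP router 203.0.113.10 fronting 192.168.1.0/24, a department router at 192.168.1.2 fronting 172.16.0.0/24, a BitTorrent host at 172.16.0.50:6881) is an assumption made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]   # (address, port)


@dataclass
class Nat:
    """One NAT box: the address it presents to the layer outside it, and its port forwards."""
    name: str
    outside_addr: str
    forwards: Dict[Tuple[str, int], Endpoint] = field(default_factory=dict)

    def add_port_mapping(self, proto: str, outside_port: int, inside: Endpoint) -> None:
        # What a UPnP IGD AddPortMapping request, or an admin's manual port forward, creates on this box.
        self.forwards[(proto, outside_port)] = inside

    def translate_inbound(self, proto: str, dst: Endpoint) -> Optional[Endpoint]:
        # Unsolicited inbound traffic only passes if it is addressed to this box's outside
        # address and hits a configured mapping; everything else is dropped.
        addr, port = dst
        if addr != self.outside_addr:
            return None
        return self.forwards.get((proto, port))


def deliver_inbound(layers: List[Nat], proto: str, dst: Endpoint) -> Tuple[Optional[Endpoint], str]:
    """Walk an unsolicited packet from the Internet through the NAT layers, outermost first.
    Returns (final inside endpoint, "delivered") or (None, reason for the drop)."""
    for nat in layers:
        nxt = nat.translate_inbound(proto, dst)
        if nxt is None:
            return None, f"dropped at {nat.name}: no mapping for {proto} {dst[0]}:{dst[1]}"
        dst = nxt
    return dst, "delivered"


def double_nat_scenario() -> Tuple[Tuple[Optional[Endpoint], str], Tuple[Optional[Endpoint], str]]:
    """Constructed topology (an assumption, not from the thread): ISP router -> department router -> host."""
    isp = Nat("isp-router", outside_addr="203.0.113.10")     # public side; inside is 192.168.1.0/24
    dept = Nat("dept-router", outside_addr="192.168.1.2")    # inside is 172.16.0.0/24
    torrent_host: Endpoint = ("172.16.0.50", 6881)

    # UPnP only talks to the client's own default gateway, so the mapping lands on the inner box only.
    dept.add_port_mapping("tcp", 6881, torrent_host)
    before = deliver_inbound([isp, dept], "tcp", ("203.0.113.10", 6881))

    # The manual fix: a forward on the outer box that points at the inner box's outside address.
    isp.add_port_mapping("tcp", 6881, ("192.168.1.2", 6881))
    after = deliver_inbound([isp, dept], "tcp", ("203.0.113.10", 6881))
    return before, after


if __name__ == "__main__":
    before, after = double_nat_scenario()
    print("inner mapping only    :", before)
    print("mapping on both layers:", after)
```

The first run is dropped at the ISP router because the UPnP mapping never reached it; only after the outer box is given its own forward, chained to the inner box, does the packet arrive at the host. Every extra NAT layer between the Internet and the host needs one more such chained forward.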

The only real problem with doing multi-layered NATing is that it makes your network topology confusing. If you use multiple layers of NAT then you throw out the symmetric routing between all hosts in the organization and you also run into the potential for overlapping private address spaces inside your network. Imagine if you used an address range in your n+1 NAT layer that was being used in the n NAT layer. Those networks would never be able to route to each other, but hosts in the n+1 layer could have the same address as the n layer, making the identity of the server confusing.

If I were laying out the topology of a large network, I would use only 10.* or 172.16-24.* addresses for hosts on any of our subnets. Then if some department or individual wanted to double NAT, they could (using the 192.168.* network) with the understanding that they are responsible for the network behind their NAT host. I would also be more inclined to create more subnets than to let any of those double NAT'd networks get too big.
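Added example (not code from the answer above): a checker for the address plan this answer describes, extended a little beyond it. Each NAT layer is recorded with its enclosing layer, and the checker flags an inner range that overlaps any enclosing layer's range (the case the answer warns about), backbone subnets that overlap each other, and any range outside the three RFC 1918 blocks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). Two sibling department NATs reusing the same 192.168.* range are deliberately not flagged, since they cannot route to each other anyway. The plans at the bottom are constructed samples; the layer names are made up.

```python
from ipaddress import IPv4Network, ip_network
from typing import Iterator, List, Optional, Tuple

RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# A plan entry is (layer name, name of the enclosing layer or None for a routed backbone subnet,
# address range used inside that layer).
PlanEntry = Tuple[str, Optional[str], str]
Plan = List[PlanEntry]


def enclosing_layers(plan: Plan, name: str) -> Iterator[Tuple[str, IPv4Network]]:
    """Yield (name, inside network) of every layer that encloses `name`, nearest first."""
    table = {n: (parent, ip_network(cidr)) for n, parent, cidr in plan}
    parent = table[name][0]
    while parent is not None:
        grand, net = table[parent]
        yield parent, net
        parent = grand


def check_nat_plan(plan: Plan) -> List[str]:
    """Return a list of plan defects; an empty list means the nesting is sound."""
    problems: List[str] = []
    nets = {n: ip_network(cidr) for n, _, cidr in plan}
    for name, _, _ in plan:
        inner = nets[name]
        if not any(inner.subnet_of(r) for r in RFC1918):
            problems.append(f"{name} {inner} is not an RFC 1918 range")
        # An inner range overlapping an enclosing layer's range: hosts inside can never route to
        # those outer addresses, and an inner host may carry the same address as an outer one.
        for outer_name, outer in enclosing_layers(plan, name):
            if inner.overlaps(outer):
                problems.append(f"{name} {inner} overlaps enclosing layer {outer_name} {outer}")
    # Backbone subnets are routed, not translated, so they must be disjoint from each other.
    tops = [(n, nets[n]) for n, parent, _ in plan if parent is None]
    for i, (a_name, a) in enumerate(tops):
        for b_name, b in tops[i + 1:]:
            if a.overlaps(b):
                problems.append(f"backbone subnets {a_name} {a} and {b_name} {b} overlap")
    return problems


# Constructed sample plans.
QUESTION_PLAN: Plan = [("org", None, "192.168.0.0/16"), ("dept", "org", "172.16.0.0/16")]
BAD_PLAN: Plan = [("org", None, "192.168.0.0/16"),
                  ("dept", "org", "192.168.50.0/24"),    # reuses part of the enclosing range
                  ("lab", "dept", "172.32.0.0/16")]      # just outside 172.16.0.0/12
ANSWER_PLAN: Plan = [("bb-a", None, "10.1.0.0/16"), ("bb-b", None, "10.2.0.0/16"),
                     ("lab-a", "bb-a", "192.168.0.0/24"), ("lab-b", "bb-b", "192.168.0.0/24")]

if __name__ == "__main__":
    for label, plan in (("question", QUESTION_PLAN), ("bad", BAD_PLAN), ("answer", ANSWER_PLAN)):
        print(f"{label}: {check_nat_plan(plan) or 'ok'}")
```

The question's own layout (172.16/16 nested inside 192.168/16) passes, as does the layout this answer proposes with sibling departments both on 192.168.0.0/24; only the plan that nests 192.168.50.0/24 inside 192.168.0.0/16 and uses a non-private range is reported.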
