[Diagram labels: Insecure WAN (Internet); Secure LAN (Intranet); Semi-Secure Middle Network]


Multi-NAT Router Networks
Configuration Details

NAT router default settings are designed to allow a router (one router) to be dropped into an existing network — inserted between a cable or DSL modem and the computer it was previously connected to — without requiring any configuration changes of any equipment — modem, router, or computer. But when multiple NAT routers will be used to create more complex network topologies, some customization is usually needed.

A bit more understanding of NAT router operation will clarify what's going on and guide you toward making the required router configuration changes needed to create more complex networks.

What is a Router?
Stated as clearly as possible: A router is a device used to interconnect separate networks of computers. The individual destination addresses of packets of data arriving at the router are examined and compared to the address ranges of the networks to which the router is connected. If a packet of data is addressed to a machine on another network, the router will briefly assume responsibility for that packet by "routing it" (re-transmitting it) out of the appropriate network connection interface.

In the case of small "two-interface" personal and small office routers, the router is responsible for "routing" traffic between the machines that are NOT in our network and the machines that ARE in our network:

Computers communicating with each other on the same Ethernet network address and send their data packets directly to each other through an Ethernet switch or hub. But as we saw above, packets addressed to computers that are NOT located on the same local network need to be "routed" to a foreign network.

Packets addressed to machines outside of our local network are sent to the local network's "Gateway". Each local network has a "Gateway IP" which is an IP address within the local network's address range. The Ethernet interface with this IP receives any packets that are addressed to any IP outside of our local network. Since our local NAT router serves as the "gateway" for our LAN, the IP address of its LAN interface is known to every computer on the LAN, and it is to that gateway interface that all non-local packets are sent.

There are two key facts to focus on here:

1. Computers on a LAN determine whether the destination IP of packets they are sending lies within their LAN's address range. If so, the packet is sent directly to the Ethernet interface of the machine having that IP. But if the destination address of the packet falls outside of the LAN's address range, the packet is sent to the network's gateway Ethernet interface for "routing" toward its destination network.

2. Packets arriving at the router's LAN interface with a destination IP falling outside of the LAN's address range are "routed" out of the router's WAN interface.

What is DHCP?
DHCP stands for Dynamic Host Configuration Protocol. It is a very slick means by which any computer wanting to participate on a local area network can be automatically assigned an available (not currently in use) IP address and provided with all other important local area network information, such as the IP address of the LAN's gateway interface.

When a computer's network interface has been configured to "obtain its IP address automatically", it sends a "broadcast" throughout the local LAN using a special Ethernet broadcast address which it can use without knowing anything else about the local network's configuration. A listening DHCP server — in this case running and waiting patiently in our NAT router — answers these cries for help by replying with all the specific LAN settings each computer needs to communicate locally and globally. In this fashion, the configuration of individual machines is handled automatically.

NAT routers are usually DHCP clients too.
As we've seen, NAT routers contain a DHCP server that is used to automatically configure their client computers on the LAN. But many NAT routers are also DHCP clients of the public Internet ISP.

When the NAT router is powered up, it broadcasts its own DHCP query out of its WAN-side network interface asking the Internet ISP to assign it an available public Internet IP address and to provide it with any other information it will need for communicating over the ISP's network.

This comes into play in "multi-router networks" since the "internal" NAT router will be a DHCP server to the client machines on its LAN, and it will simultaneously be a DHCP client to the external NAT router which serves as its DHCP server.

Public and Private IPs
The scientists and engineers who designed the Internet predicted that non-public private networks of machines might want to use the same "IP" Internet Protocol as was used by the global public Internetwork. They realized that "address collision" problems would quickly arise if machines on private "intranets" were using the same IP addresses as machines on the public Internet. If the public and private networks were ever interconnected, address ambiguities would arise for the private machines.

To prevent the possibility of public and private IP address collisions, three large ranges of Internet addresses were reserved and set aside in advance for use by private networks:

Network Designation | First Address | Last Address    | Number of Addresses
192.168.0.0/16      | 192.168.0.0   | 192.168.255.255 | 65,536
172.16.0.0/12       | 172.16.0.0    | 172.31.255.255  | 1,048,576
10.0.0.0/8          | 10.0.0.0      | 10.255.255.255  | 16,777,216

The IP addresses within these three ranges are forbidden for use on the public Internet. They can, therefore, be freely used, and re-used, within any private network without fear that any machine on the public Internet might be using the same IP as one on a private network.

In terms of your own NAT router configuration, this means that whatever you do, you will want to be certain that your NAT router(s) translate their public WAN-side IP into LAN sub-networks that fall completely within these private IP ranges. This also means that you are free to use any of the IP address ranges shown above which your NAT router's configuration options will allow.

Putting it all together . . .
We can distill all of the information above into three simple rules:

1. Unless your ISP requires non-DHCP configuration for your primary external NAT router, or you have special needs for establishing fixed addresses for specific machines within your network, you may use your NAT router's built-in DHCP server and client to automatically assign and establish all IP addresses within your network.

2. Every NAT router must be configured to use addresses from the blocks of non-public, private IP addresses shown in the table above.

3. Routers decide whether to route local data packets "upstream", out of their WAN port, based upon whether or not the packet's destination IP address falls within the local LAN address range. Therefore, the IP address assigned to a router's WAN port must lie outside the address range the router is using for its LAN-side addresses.

Following these simple rules, a typical two-router configuration could be set up with the external NAT router configured to issue LAN addresses in the 192.168.1.* range and the internal router configured to issue its LAN addresses from the non-overlapping range 192.168.2.*.

Since the internal router's DHCP client would receive an address for its WAN port from the external router's LAN range (192.168.1.*), no address it receives — where the third address byte is "1" — could possibly conflict with any of the 192.168.2.* addresses it will be assigning to its own machines. Therefore the internal router will always be able to determine whether data packets are bound for other machines within its LAN, or need to be "routed" out of its WAN port.

If your routers allow the third number of their LAN networks to be user-specified and configured (as all routers we've seen do), while assigning the final address byte automatically as needed, you can sequentially and uniquely number every NAT router within your network (of any complexity), and use that number as the third address byte assigned to machines within that router's LAN network. In this way, EVERY computer will have a unique private address, none of the private LAN networks will be overlapping, and there will never be any collision with the Internet's public IP space.
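As an added illustration that is not part of the original page, the two routing facts and the three rules above can be expressed as a small Python checker: a packet is sent "direct" or to the "gateway" depending on whether its destination lies in the sender's LAN range, and a chain of routers passes only if every LAN block is private, no router's WAN address falls inside its own LAN, and no two LAN blocks overlap. The router names and addresses are constructed sample values.

```python
import ipaddress

# The three private blocks from the table above.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr_or_net):
    """True if the address or network lies wholly inside one private block."""
    net = ipaddress.ip_network(addr_or_net, strict=False)
    return any(net.subnet_of(r) for r in PRIVATE_RANGES)


def next_hop(src_lan, dst_ip):
    """The LAN-side routing decision: 'direct' when the destination is inside the
    sender's LAN range, otherwise 'gateway' (hand it to the router's LAN interface)."""
    inside = ipaddress.ip_address(dst_ip) in ipaddress.ip_network(src_lan, strict=False)
    return "direct" if inside else "gateway"


def check_topology(routers):
    """Validate routers given as {"name": ..., "wan": "a.b.c.d", "lan": "a.b.c.0/24"}.
    Returns a list of rule violations; an empty list means the configuration is sound."""
    problems = []
    seen = {}  # name -> LAN network of routers already checked
    for r in routers:
        lan = ipaddress.ip_network(r["lan"], strict=False)
        wan = ipaddress.ip_address(r["wan"])
        if not is_private(lan):                       # rule 2
            problems.append(f'{r["name"]}: LAN {lan} is not a private range')
        if wan in lan:                                # rule 3
            problems.append(f'{r["name"]}: WAN {wan} lies inside its own LAN {lan}')
        for other, other_lan in seen.items():         # non-overlapping LANs
            if lan.overlaps(other_lan):
                problems.append(f'{r["name"]}: LAN {lan} overlaps {other} LAN {other_lan}')
        seen[r["name"]] = lan
    return problems


if __name__ == "__main__":
    # Constructed sample: external router gets a public WAN address from the ISP,
    # internal router gets its WAN address from the external router's 192.168.1.* LAN.
    chain = [{"name": "external", "wan": "203.0.113.7", "lan": "192.168.1.0/24"},
             {"name": "internal", "wan": "192.168.1.100", "lan": "192.168.2.0/24"}]
    print(check_topology(chain) or "configuration OK")
    print(next_hop("192.168.2.0/24", "192.168.2.10"), next_hop("192.168.2.0/24", "192.168.1.1"))
```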

Making the electrical connection
Standard Ethernet network cables with standard "RJ-45" Male connectors are wired "straight through". This means that pin 1 at one end is wired to pin 1 at the other end, pin 2 connects to pin 2, and so on for all eight pins. This means that pins which connect to signal outputs at one end of the cable need to connect to signal inputs at the other. This is handled automatically for users by having their RJ-45 Female counterparts available in two different signal arrangements:

PC Ethernet adapters uniformly use one set of pins for inputs and outputs (we'll call it "A-style"), and Ethernet switches and hubs deliberately use the reverse arrangement ("B-style"). This allows PC adapters (A) to be plugged directly into switches and hubs (B) with "straight through" cables.

Since a NAT router's LAN ports are meant to be plugged directly into PCs (A), the router's LAN-side connections have the arrangement of switches and hubs (B). But since a NAT router's WAN port is meant to emulate and take the place of a single PC, its WAN-side connection is that of a PC (A!). This conveniently means that the WAN connection from internal NAT routers, which appear to be PCs, can be plugged directly into the LAN ports of another (external) NAT router using a standard "straight through" Ethernet cable.

So long as you have configured each NAT router on your network to have different and "non-overlapping" WAN-side and LAN-side networks, all of the DHCP clients and servers should interact correctly, and packets should all be routed exactly the way you want.


Gibson Research Corporation is owned and operated by Steve Gibson.  The contents
of this page are Copyright (c) 2016 Gibson Research Corporation. SpinRite, ShieldsUP,
NanoProbe, and any other indicated trademarks are registered trademarks of Gibson
Research Corporation, Laguna Hills, CA, USA. GRC's web and customer privacy policy.

Last Edit: Dec 12, 2005 at 10:17