Double NAT not providing any protection


  • I have an Amplifi HD set up in a double NAT configuration, but I'm still able to ping and access any of the IPs from the first network.

    The first NAT has a DHCP range of 192.168.X.X and I've configured the second NAT to have a range of 10.10.X.X.

    Any devices connected to the second AMPLIFI network (10.10.X.X) can access the network fine, but despite being on a completely different subnet (10.10.X.X), I can still ping, and access any device in the 192.168.X.X range.

    This is not the behaviour I want since I'm trying to create a separate and protected "guest" / IoT network with the second NAT. It doesn't take much investigation to realize that the entire network above that one is still accessible (traceroute, ping, etc).

    Why is this happening? Anything behind the NAT should be directly inaccessible.


  • Hi @therealcanadian - wouldn't you want the networks reversed, with your Guest/IoT network on the first network just behind the gateway (192.168) and then your more protected main network on the secondary NAT (10.10)?

    You should not be able to ping or access 10.10 from 192.168, but the other way around I would think would be open, just like a home network can ping and access the internet from behind a NAT router in a typical setup.


  • Hi @Derek-Saville, that would work but I'm worried about performance issues in that configuration. 99% of the traffic will be on the main network, and I really don't want the hassle/latency of having to jump up various levels to get to my main gigabit network.

    192.168.X.X networks are not publicly routable.

    AMPLIFI has no reason / business exposing the entire 192.168.X.X subnet to the lower network. Packets should simply be routed up through the 10.10.X.X gateway, and then out to the public network through its gateway.


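The forwarding behaviour discussed in this thread, as an added example that is not part of any post: a small Python model of the inner NAT router showing that NAT filters by direction, not by destination subnet, and what an explicit "no private upstream" rule changes. The addresses, the `InnerRouter` class and the `block_private_upstream` option are constructed for illustration and are not AmpliFi settings.

```python
import ipaddress as ip

# Constructed addressing: the thread elides the real octets (192.168.X.X / 10.10.X.X).
INNER_LAN = ip.ip_network("10.10.0.0/24")     # second NAT's LAN (guest / IoT)
INNER_WAN_IP = ip.ip_address("192.168.1.50")  # inner router's address on the first network
RFC1918 = [ip.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class InnerRouter:
    """Hypothetical model of a NAT router: masquerade LAN->WAN, drop unsolicited WAN->LAN."""

    def __init__(self, block_private_upstream=False):
        self.block_private_upstream = block_private_upstream
        self.conntrack = set()  # (lan_host, remote) flows that were opened from the LAN side

    def from_lan(self, src, dst):
        """Packet from a LAN client. Anything off-subnet goes out the WAN port,
        and the upstream 192.168 network is simply the first hop on that side."""
        src, dst = ip.ip_address(src), ip.ip_address(dst)
        if dst in INNER_LAN:
            return "local"  # same subnet, never reaches the forward path
        if self.block_private_upstream and any(dst in net for net in RFC1918):
            return "drop"   # explicit isolation rule; plain NAT has no such check
        self.conntrack.add((src, dst))
        return f"forward as {INNER_WAN_IP}"  # source rewritten to the WAN address

    def from_wan(self, src, lan_host):
        """Packet from the WAN side that would have to reach lan_host.
        Only replies to flows the LAN host opened are translated back."""
        key = (ip.ip_address(lan_host), ip.ip_address(src))
        return "deliver (reply)" if key in self.conntrack else "drop"


if __name__ == "__main__":
    plain = InnerRouter()
    print("192.168 -> 10.10 unsolicited:", plain.from_wan("192.168.1.10", "10.10.0.20"))
    print("10.10 -> 192.168:            ", plain.from_lan("10.10.0.20", "192.168.1.10"))
    print("192.168 -> 10.10 reply:      ", plain.from_wan("192.168.1.10", "10.10.0.20"))

    isolated = InnerRouter(block_private_upstream=True)
    print("10.10 -> 192.168 with rule:  ", isolated.from_lan("10.10.0.20", "192.168.1.10"))
    print("10.10 -> internet with rule: ", isolated.from_lan("10.10.0.20", "8.8.8.8"))
```
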