Double NAT not providing any protection
therealcanadian last edited by therealcanadian
I have an Amplifi HD set up in a double NAT configuration, but I'm still able to ping and access any of the IPs from the first network.
The first NAT has a DHCP range of 192.168.X.X and I've configured the second NAT to have a range of 10.10.X.X.
Any devices connected to the second AMPLIFI network (10.10.X.X) can access the network fine, but despite being on a completely different subnet (10.10.X.X), I can still ping, and access any device in the 192.168.X.X range.
This is not the behaviour I want since I'm trying to create a separate and protected "guest" / IoT network with the second NAT. It doesn't take much investigation to realize that the entire network above that one is still accessible (traceroute, ping, etc).
Why is this happening? Anything behind the NAT should be directly inaccessible.
Derek Saville last edited by
Hi @therealcanadian - wouldn't you want the networks reversed, with your Guest/IoT network on the first network just behind the gateway (192.168) and then your more protected main network on the secondary NAT (10.10)?
You should not be able to ping or access 10.10 from 192.168, but the other way around I would think would be open, just like a home network can ping and access the internet from behind a NAT router in a typical setup.
therealcanadian last edited by
Hi @Derek-Saville, that would work, but I'm worried about performance issues in that configuration. 99% of the traffic will be on the main network, and I really don't want the hassle/latency of having to jump up various levels to get to my main gigabit network.
192.168.X.X networks are not publicly routable.
AMPLIFI has no reason / business exposing the entire 192.168.X.X subnet to the lower network. Packets should simply be routed up through the 10.10.X.X gateway, and then out to the public network through its gateway.
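The behaviour the thread describes follows from what a NAT router actually does with a packet leaving its LAN: it performs a route lookup, and only then rewrites the source address. Because the second router's WAN interface sits directly on the 192.168 network, that network is a connected route and wins over the default route, so 10.10 hosts reach 192.168 hosts with their source translated to the second router's WAN address; the upstream router sees an ordinary LAN-to-LAN packet and answers. NAT only blocks the reverse direction, where an unsolicited packet arriving on the WAN has no translation entry. Keeping the guest/IoT segment isolated therefore needs an explicit egress rule on the second router, not a second NAT. The model below is an added example written for this thread, not Amplifi code; the two ranges come from the posts, while the specific /24 and /16 prefixes, the gateway at 192.168.1.1 and the WAN address 192.168.1.50 are constructed assumptions.

```python
import ipaddress

# Constructed topology. The thread names only the two ranges (192.168.X.X
# upstream, 10.10.X.X downstream); the exact prefixes, the upstream gateway
# and the second router's WAN address are assumptions for this example.
UPSTREAM_LAN = ipaddress.ip_network("192.168.1.0/24")
UPSTREAM_GATEWAY = ipaddress.ip_address("192.168.1.1")
DOWNSTREAM_LAN = ipaddress.ip_network("10.10.0.0/16")
DOWNSTREAM_WAN_IP = ipaddress.ip_address("192.168.1.50")  # second router, WAN side

# Private address space (RFC 1918) that a guest/IoT segment has no reason to reach.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Simplified connection table of the second router:
# (translated source, destination) -> original LAN host that opened the flow.
nat_table = {}


def forward_from_lan(src, dst, block_private=False):
    """Model what the second router does with a packet leaving its 10.10 LAN.

    Returns (action, next_hop, source_as_sent). NAT rewrites the source after
    the route lookup; it never filters on its own, hence the optional policy.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst in DOWNSTREAM_LAN:
        return ("forward", str(dst), str(src))  # stays on the LAN, untouched

    # Egress policy a guest/IoT LAN needs: drop traffic to any other private range.
    if block_private and any(dst in net for net in RFC1918):
        return ("drop", None, None)

    # Route lookup on the WAN side: the directly connected 192.168.1.0/24 is a
    # more specific route than the default, so upstream LAN hosts are reached
    # directly and only truly remote destinations go via the upstream gateway.
    next_hop = dst if dst in UPSTREAM_LAN else UPSTREAM_GATEWAY
    nat_table[(DOWNSTREAM_WAN_IP, dst)] = src  # remember the flow for replies
    return ("forward", str(next_hop), str(DOWNSTREAM_WAN_IP))


def arrive_on_wan(src, dst):
    """Model a packet from the 192.168 side hitting the second router's WAN."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Replies to a flow the LAN opened are mapped back; anything unsolicited
    # has no entry, which is the only protection NAT gives.
    if (dst, src) in nat_table:
        return ("forward", str(nat_table[(dst, src)]))
    return ("drop", None)


if __name__ == "__main__":
    print(forward_from_lan("10.10.0.5", "192.168.1.20"))                      # reaches upstream host
    print(forward_from_lan("10.10.0.5", "192.168.1.20", block_private=True))  # dropped by policy
    print(forward_from_lan("10.10.0.5", "8.8.8.8"))                           # via upstream gateway
    print(arrive_on_wan("192.168.1.99", "192.168.1.50"))                      # unsolicited, dropped
```

On a router that exposes its forwarding firewall, the rule `block_private` stands in for is a FORWARD-chain deny from the guest LAN interface to the RFC 1918 ranges (or, better, an allow-list of the gateway's own DNS/DHCP followed by a deny-all to private space); whether the Amplifi HD's interface offers such a rule is not something the thread establishes.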