#36290 by ScottinSF
Mon Dec 07, 2009 8:39 pm
I just set up an Ooma Telo a couple of days ago. The installation went smoothly and quickly. My setup is a Motorola SB6120 (modem) to Ooma Telo to AirPort Extreme Base Station (AEBS). With this setup I received a message from the router (AEBS) regarding a double NAT situation, which I told it to ignore. Everything is working fine, but from the research I have done a double NAT situation can cause problems and I will lose some functionality, so I would like to eliminate it. As I understand it, there are two ways to eliminate the double NAT. The first is to place the Telo behind the AEBS. Although I have a fast Comcast connection (16 Mbps down and 3 Mbps up), I would prefer not to do this, to ensure the best possible voice quality. The AEBS doesn't have QoS features, so I have to use the Telo for this. The second option is to add the AEBS IP address assigned by the Telo in the Ooma setup DMZ field. I think I would like to do this, but have read conflicting information on the internet about the implications of this. On the one hand, I read that enabling the DMZ option will allow the Telo to perform QoS while allowing all inbound traffic to pass through to the AEBS - in other words, my router would function the same way it did before I installed the Telo. On the other hand, I read that enabling the DMZ option will make my network less secure by opening it up to the internet somehow.

Can someone with far more networking knowledge than me explain the implications of enabling the DMZ option? Specifically, will this in any way reduce the security of my network?

Thanks, Scott
#36293 by ifican
Mon Dec 07, 2009 9:01 pm
Double NAT is not an issue. I have run network equipment through 4 NATs with no problem. There really is no limitation on outbound traffic as far as NAT is concerned, only inbound that runs on non-standard ports or ports you need to let in for specific things. My question to you is: what functionality have you lost? Just because the router has logic to figure out it's behind a NAT device (probably by the IP its WAN adapter has, and by the way easy enough to fool). Can you find or are you getting any specific errors or having problems? If not, just ignore what it's telling you; if you are, I can help you fix it. If your modem is bridging the connection, the router is only single NAT'd, not double. Let me know and we will go from there.
#36294 by tommies
Mon Dec 07, 2009 9:03 pm
If everything works as expected, you don't need to put the router IP into the Telo DMZ.

Even if you do, your network is as secure as it was before you put the Telo in between the modem and the router. In other words, the Telo virtually does not exist as far as the router sees it. If you choose not to do the DMZ, your network will benefit from another NAT that is provided by the Telo.

Welcome to Ooma. If you run into a problem, just post it here in the forum; someone will surely offer some helpful hints.
#36419 by ScottinSF
Tue Dec 08, 2009 7:19 pm
Thanks for the responses. ifican, the specific activities I can’t do with a double NAT setup include using the Back to My Mac feature (which allows me to access my Mac computer from any computer anywhere with internet access) and playing online games if I want to at some point. From other information I have read about double NAT it seems that a lot of people end up having problems with this setup, including basic functions such as accessing the internet and sending/receiving email from all their computers. The problems seem to multiply as more computers are added to the network. I currently only have one Mac connected, but need to set up an old Windows XP machine, and will be adding another Mac in a few weeks. Plus many visitors like to access my network wirelessly. So I would rather have the network set up properly from the beginning (to avoid problems now and later on) and know that I have good VoIP quality with the Telo under the optimal network setup.

tommies, I am not sure I followed fully your explanation: are you confirming my assumption that I can use the DMZ field to forward all connections to my router and have it function as before without a reduction in security?
#36422 by fastlane01
Tue Dec 08, 2009 7:31 pm
I had the exact same problem - AT&T Uverse, their service uses a fiber-to-Ethernet gateway with no QoS (well, except for THEIR VoIP port) and no way to turn off their firewall, but they do have a DMZ option.

I also have a Windows Home Server I remote into to stream music and store photos on. With Ooma behind the Uverse gateway and the WHS behind Ooma, nothing was working. So, I put the Ooma in the Uverse DMZ and the rest of the network behind the Ooma, except for the IPTV boxes running on HPNA coax to the Uverse gateway. Finally, I put the Home Server in the Ooma DMZ and now I can remotely control the PCs I enable, play my music and even control my zwave devices using mcontrol. Double NAT foiled by double DMZ.
#36423 by tommies
Tue Dec 08, 2009 7:36 pm
ScottinSF wrote: tommies, I am not sure I followed fully your explanation: are you confirming my assumption that I can use the DMZ field to forward all connections to my router and have it function as before without a reduction in security?

Yes, from a security viewpoint, it's the same as connecting the router directly to the modem.
#36441 by ifican
Tue Dec 08, 2009 8:37 pm
So, several ways to do what you want, some more complicated than others. You could accomplish what you want in your current configuration with some work, but the easiest thing for you to do would be to put the router in the DMZ of the Telo. If the Telo DMZ works like a true DMZ then all your Mac functionality will work. But note that the router will still identify itself as double NAT because it will still be receiving a NAT address. You will also need to plug your Mac into the router, not the Telo, if you wish to use the feature you are talking about. No worry about opening up your network to the world, because the router is still acting as a firewall even though it's in the DMZ of the Telo. Lots of options to choose from; pick one, give it a try, and ask if you need help. That's the only way to learn.
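
The setups discussed above (Telo without DMZ, router in the Telo DMZ, and the "double DMZ" with a server as the inner DMZ host) can be compared with a small model of where an unsolicited inbound connection ends up. This is an added example and not part of any post in this thread; the device names, the port numbers and the single port forward on the router are constructed sample values, and the model assumes each device checks explicit forwards first and then its DMZ host.

```python
# Constructed model: how an unsolicited inbound connection is handled by
# stacked NAT devices. Device names and port numbers are sample values.

class NatDevice:
    def __init__(self, name, forwards=None, dmz=None):
        self.name = name
        self.forwards = forwards or {}  # explicit port forwards: port -> inside host
        self.dmz = dmz                  # inside host that gets all other inbound traffic

    def route_inbound(self, port):
        """Inside host that receives the connection, or None if it is dropped."""
        if port in self.forwards:
            return self.forwards[port]
        return self.dmz                 # None when no DMZ host is set


def deliver(devices, outermost, port):
    """Follow one inbound connection inward; returns (final_host_or_None, path)."""
    path, current = [outermost], outermost
    while current in devices:           # stop at a host that is not a NAT device
        nxt = devices[current].route_inbound(port)
        if nxt is None:
            return None, path           # dropped at the last device in path
        path.append(nxt)
        current = nxt
    return current, path


def scenarios():
    rule = {5900: "mac"}                # assumed forward configured on the router
    return {
        "no_dmz": {"telo": NatDevice("telo"),
                   "aebs": NatDevice("aebs", forwards=rule)},
        "telo_dmz": {"telo": NatDevice("telo", dmz="aebs"),
                     "aebs": NatDevice("aebs", forwards=rule)},
        "double_dmz": {"gateway": NatDevice("gateway", dmz="ooma"),
                       "ooma": NatDevice("ooma", dmz="homeserver")},
    }


if __name__ == "__main__":
    s = scenarios()
    for name, start, port in [("no_dmz", "telo", 5900), ("telo_dmz", "telo", 5900),
                              ("telo_dmz", "telo", 445), ("double_dmz", "gateway", 445)]:
        host, path = deliver(s[name], start, port)
        print(f"{name:10} port {port}: {' -> '.join(path)} => {host or 'dropped'}")
```

With the router as the Telo's DMZ host, the router's own rules still decide what reaches the LAN. In the double-DMZ case the inner DMZ host receives every port with no filtering device in front of it, so its host firewall and patch level are the only remaining control.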
#36463 by murphy
Wed Dec 09, 2009 4:33 am
oldanbo wrote: okay... I'm dumb. What is NAT again? :?

Network Address Translation
You have one external routable IP address that services multiple devices that have non-routable IP addresses,
i.e. 192.168.x.x and three others that I don't feel like looking up.
It's what allows millions of people to have the same IP address on their computer.

