alternative to this 'double-NAT' config

  • ATTENTION! As of November 1, 2020, you are not able to reply to threads 6 months after the thread is opened if there are more than 500 posts in the thread.
    Threads will not be locked, so posts may still be edited by their authors.
    Just start a new thread on the topic to post if you get an error message when trying to reply to a thread.


Regular Contributor
Outer router with LAN and DMZ at DHCP enabled
second inner router with WAN port connected to a LAN port of outer router. WAN IP of inner router LAN Range DHCP disabled.

Should I replace inner router with a firewall box which then connects to a switch for the LAN?
Should I replace inner router with an opnsense box?

Reason for this config-prevent clients connected to outer router from interacting/seeing any clients from inner LAN, prevent any possible malware from outer LAN reaching inner LAN, as well as network segmentation(LANs have different functions)

From what I have read, this 'dual router config' adds about a second of latency to the inner LAN. I assume using a firewall instead of a router will add the same amount of latency?


Very Senior Member
Ultimately YOU have to decide whether any shortcomings in the current config matter or are worthy of correction. For example, being double NAT'd is going to add some latency, but does it matter? For gamers, it probably does, but for general purpose web browsing and email? Probably NOT. OTOH, some devices don't work well (if at all) when double NAT'd (e.g., VOIP).

As far as the general strategy of network isolation, what you have presently is only *partially* effective. While clients of the primary network are blocked from accessing clients of the secondary router, the clients of the secondary router still have to traverse the primary router's network to reach the internet, and at least technically, are subject to eavesdropping and/or MITM (man in the middle) attacks (e.g., ARP poisoning). Again, does it matter? Depends on YOUR assessment of the risk level, since only you know what's being supported on each network. It might be wise to configure an OpenVPN client on the secondary router to mitigate these specific threats. Or perhaps treat the secondary router as the untrusted network and add firewalls rules to it to prevent access to the primary router's resources (i.e., internet only). Or better yet, use three routers and have the private (trusted) and untrusted routers share a common third router.

Ideally you'd support multiple networks using a managed switch w/ VLANs and network-specific APs. The primary router is then simply a conduit to the internet that's otherwise oblivious to all the configuration details behind it. But that can get expensive, and I have no idea of your budget.

Many, many ways to deal w/ these types of issues, but very hard to make specific recommendations w/ so few details about your needs, concerns, usage, budget, etc. Best I can do is provide information about what to look out for and things to take into consideration (at least the obvious stuff), then hopefully you can apply it to your situation and make some good/better decisions.


Part of the Furniture
To do what you say you want you need to have the least secure clients you don't want to see interact with the clients on the first Internet facing router. The way you have it setup the clients on the second router can see devices on the first router as they are connected to a LAN port on the first router.

As for the latency impact I don't think you would be able to measure it at least on a connection of less than 1 gig and even then I don't know as I don't have a connection of that speed to test with. I tested it the impact of double NATing a couple of years ago and based on the raw data the latency was lower double NATed but at the 99% confidence level the data would not sustain this conclusion.

AS for the possibility that someone with access to the first router could snoop on data passing through the router, that could be done by port mirroring but if you are concerned about that have the second router encrypt all its WAN traffic using a VPN.


  • DoubleNatTests.pdf
    419.7 KB · Views: 17


Regular Contributor
Thank you for your thoughtful replies. I think I will get the edge switch and set up VLANs. Security through obscurity may be best .

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!