Double NAT issue with upstream firewall

[shobhit_bhardwaj]

Hi,

I am running a mesh with 2 Asus Zen XT8 and 1Asus RT-AX86U.
1st XT8 is primary, 2nd XT8 and 86U are nodes.

Here is my current network setup:

ISP modem (in bridge) -> Sonicwall Firewall -> Asus XT8 primary - Clients

Sonicwall LAN interface (X0) - 192.168.1.1
Asus WAN - 192.168.1.2
Asus LAN - 192.168.0.1
Clients on 192.168.0.1/24

I have created static route on Sonicwall to send 192.168.0.0/24 to X0 interface.

I am able to ping both of the Asus interfaces from Sonicwall, but I can't reach any client on 192.168.0.0/24 network from Sonicwall.

Clients are able to go out right now with NAT enabled at Asus.

Another issue is now I am running with NAT enabled on Asus and my traffic is getting double NAT before hitting ISP modem. I want to disable NAT at Asus and want Sonicwall to see all client IPs.

I have disabled firewall on Asus. The fact that Sonicwall is able to ping Asus's LAN interface confirms that the route is working. But anything behind the router is not reachable. Which makes me wonder that router is somehow dropping the Packers generated from WAN which makes sense from security standpoint. And traffic generated from inside LAN is getting returned perfectly fine since my clients are able to connect to internet.

Since it is a Mesh, I can't move the router to bridge mode or disable DHCP.

What am I missing? Any thoughts?

 

[drinkingbird]

Hi,

I am running a mesh with 2 Asus Zen XT8 and 1Asus RT-AX86U.
1st XT8 is primary, 2nd XT8 and 86U are nodes.

Here is my current network setup:

ISP modem (in bridge) -> Sonicwall Firewall -> Asus XT8 primary - Clients

Sonicwall LAN interface (X0) - 192.168.1.1
Asus WAN - 192.168.1.2
Asus LAN - 192.168.0.1
Clients on 192.168.0.1/24

I have created static route on Sonicwall to send 192.168.0.0/24 to X0 interface.

I am able to ping both of the Asus interfaces from Sonicwall, but I can't reach any client on 192.168.0.0/24 network from Sonicwall.

Clients are able to go out right now with NAT enabled at Asus.

Another issue is now I am running with NAT enabled on Asus and my traffic is getting double NAT before hitting ISP modem. I want to disable NAT at Asus and want Sonicwall to see all client IPs.

I have disabled firewall on Asus. The fact that Sonicwall is able to ping Asus's LAN interface confirms that the route is working. But anything behind the router is not reachable. Which makes me wonder that router is somehow dropping the Packers generated from WAN which makes sense from security standpoint. And traffic generated from inside LAN is getting returned perfectly fine since my clients are able to connect to internet.

Since it is a Mesh, I can't move the router to bridge mode or disable DHCP.

What am I missing? Any thoughts?

You need to disable NAT on the asus to have it run as just a router. Right now 192.168.0.0/24 is hidden behind 192.168.1.2 and will not allow inbound connections unless you do port mapping. Disabling NAT on the Asus and running as pure router will solve both your issues, no double NAT and the LAN is now reachable. I'm surprised you can ping 192.168.0.1 right now, that is hidden behind the NAT, maybe Asus just default forwards ping traffic to the LAN interface IP when the FW is disabled, not sure. If you aren't using any features that require router mode, then you can even just convert it to an AP and have the sonicwall handle DHCP, according to Asus documentation you can have Aimesh running in AP mode (never tried it though).

 

[shobhit_bhardwaj]

I lose connectivity to 192.168.1.0/24 or any outbound connection once I disable NAT. Trying to troubleshoot what exactly is going wrong with that.

You need to disable NAT on the asus to have it run as just a router. Right now 192.168.0.0/24 is hidden behind 192.168.1.2 and will not allow inbound connections unless you do port mapping. Disabling NAT on the Asus and running as pure router will solve both your issues, no double NAT and the LAN is now reachable. I'm surprised you can ping 192.168.0.1 right now, that is hidden behind the NAT, maybe Asus just default forwards ping traffic to the LAN interface IP when the FW is disabled, not sure. If you aren't using any features that require router mode, then you can even just convert it to an AP and have the sonicwall handle DHCP, according to Asus documentation you can have Aimesh running in AP mode (never tried it though).

 

[drinkingbird]

I lose connectivity to 192.168.1.0/24 or any outbound connection once I disable NAT. Trying to troubleshoot what exactly is going wrong with that.

You may need to do a full reboot after disabling it.