How bad is my double-NAT internet configuration ?

[michelangelo]

Hello. I wanted to replace my dying ADSL modem and to use my Airport Extreme in its router mode to create my main and my guest networks (for guests: separate network and separate password). Thus I purchased a new modem-router (a Zyxel AMG1001-T10A), intent on configuring it in bridge mode. I worked but, with shields up on the GRC.com website, I saw that all my ports were visible from the internet, the modem responded to Ping. I wanted stealth. Also, a bridge configuration is painful on a modem: I could no longer access the modem GUI directly from the mac. So, I configured the Zyxel modem in router mode (192.168.0.1 / 255.255.255.0) with its firewall to full strength (all ports are stealthed now and the Zyxel modem-router does not respond to Ping) and configured also the Airport Extreme in router mode (192.168.1.1 / 255.255.255.0). It works perfectly: bandwith is there and it is rock-stable.

However this is double NATting and my Airport Extreme has complained to me as this goes against all pre-conceived ideas. To avoid double NATting, I could also have configured the Airport Extreme in bridge mode, at the cost of living without my guest network.

I have read that double NATting was bad because: some applications required a public IP on the WAN side of the Airport Extreme; because of peer to peer, games, voice over IP, remote access to the printer or to the mac... (I don't do any of these).

How bad, really, is my double NAT internet configuration ? Can anyone explain to me the shortcomings of this configuration ? Should I change it ? TIA

 

[chscag]

Doesn't your new Zyxel setup have a dual channel band (2.5GHz and 5GHz)? If it does, you don't really need the AE. Just put your guest network on the upper band and assign it a separate password. Also, you may not be aware... Apple is no longer updating its routers and time capsule. They are out of the router business as of this coming year.

As far as your question about double NAT, I don't see that as a problem unless there is some difficulty with your ISP, leave it as is.

 

[michelangelo]

Doesn't your new Zyxel setup have a dual channel band (2.5GHz and 5GHz)? If it does, you don't really need the AE. Just put your guest network on the upper band and assign it a separate password.

Thank you chscag. Are you referring to wifi channels ? If that is so, this Zyxel modem is an ethernet modem-router, it does not do wi-fi, so this dual channel option would not apply to it. Nevertheless, would this trick work on my Airport Extreme (biband) ? Looking into it, both channels 2.5 and 5.0 share the same 192.168.1.1 (255.255.255.1) network.

I hope Apple will continue to update its routers for a while, since I have owned and used for a while two Apple devices (Airport Extreme and Time Capsule). With the Zyxel router configuration, may I consider them as "protected" behind the Zyxel modem router (with firewall "on") ?

Thanks, again.

 

[chscag]

Yes, your Airport Extreme dual band should work fine for setting up a guest network on the upper band. Don't worry about the IP addresses as the AE will handle that. It's been like ages since I've had to deal with a PPPoE Network so I'm not familar with your Zyxel ethernet modem.

I hope Apple will continue to update its routers for a while, since I have owned and used for a while two Apple devices (Airport Extreme and Time Capsule). With the Zyxel router configuration, may I consider them as "protected" behind the Zyxel modem router (with firewall "on") ?

Yes, there should be no problem with them being protected. As for Apple.... like I said above, they are out of the AE and TC business. No more upgrades.