Wireless Networks Thread: Double NATing in Sefton (Technical)
  #1, posted by sfoord (original poster)

    Double NATing in Sefton

    Can anyone explain if there is a problem with double NATing if it is set up correctly? I support a large primary school's network in Sefton, and it has 3 servers and 150 PCs and laptops. It is set up behind a Linux gateway/proxy box which acts as a gateway for the network; this box has two network cards, and the second network card is attached directly to the local authority's switch, where their responsibility ends.

    From my experience this is a normal setup for most school networks and I do support schools in other local authorities and there have been no issues with this type of setup.

    The local authority has put out its ICT support to a company called Arvato, whose technicians seem to go around the schools telling them that they should not have a proxy server on-site as it slows down the Internet, and that they should be on the local authority's IP range, as double NATing causes problems.

    The problem I have with this is that Sefton's network is like one large network: you can see any other machine on the Sefton network, and when it first launched there were lots of viruses spreading between sites if they were not protected by some firewall. I could understand it if they wanted to provide a managed service to the desktops, but they repeatedly insist that their responsibility ends at the switch.

    I understand that NAT adds latency to a network, and a proxy server will slow down the first client to access a web page but will speed up subsequent requests for the same page. But can anyone else see any good reasons not to have a proxy/gateway server at the point where your responsibility for your network ends? From my perspective the benefits seem to outweigh the disadvantages.

    Thanks

  #2, posted by kmount (Northamptonshire)

    If the network is completely open beyond the LA switch outwards I'm glad you put a device in on your end to stop the spreading of bad stuff etc.

    We were fortunately very lucky with my previous RBC as they had tight controls on the network (yay) which meant that schools did not see other schools so we felt somewhat safer.

    Other RBCs like yours it seems don't quite share this view of security and if I were you I'd stick as you are until they at least prove commitment to improving security.

    Not using LA-assigned numbering can become a problem if they employ any simplified sign-on systems or resources which are only open to 'IP ranges', with limits on how many hits from the proxy etc.

    Sitting down and talking to them like adults is probably going to help rather than this company going around telling people to bin their working solutions. (They bought them for a reason!)

  3. Thanks to kmount from:

    sfoord (19th February 2010)

  #3, posted by powdarrmonkey (Alcester, Warwickshire)

    Hmm, with you talking about double-NATting and the LA about a proxy server, I think you are at cross-purposes.

    Do you have an allocated range from them? If so (and I really hope it is so) I'd get a proper hardware firewall solution connecting your perimeter to theirs and configure it appropriately, so only your own range can pass it (plus anything else you actually trust, like their central servers; I'd lock it right down though).


  #4, posted by brougham (Brighton)

    From a personal point of view, I don't like NAT, let alone double NAT (IPv6 all the way). I suspect there are benefits to being on the LA range of IP addresses.

    Then again, I wouldn't want to be exposed to a WAN where I didn't have some element of control. I would have a bridging firewall; funnily enough, that's what I run at home, based on OpenBSD.


  #5, posted by GrumbleDook (Gosport, Hampshire)

    The method is usually to put in place a firewall device (personal preference is for Watchguard kit) in routed mode and continue to use the LA-provided ranges for your workstations, but the gateway for the workstations / servers is the firewall, and the firewall's gateway is the LA switch. No changes to DNS are needed (i.e. use your internal AD and then forward to your LA DNS).

    You can then configure your firewall rules to be more selective, e.g. http/https can only go to your LA proxy, and no traffic is allowed in except for specific rules you want.

    It will take a chunk of time to plan, and I would recommend you spend some time looking at your existing traffic to see where it goes. You can test things by having the firewall in place in a side-by-side setup whilst testing ... have a few test clients on there ... but the rest of the school still works the normal way. Also be prepared to lose some functionality that the LA provide (e.g. VidConf might not work properly until you have tweaked the ports you filter) and be prepared to get challenged by your LA too. It is their right to challenge you, and it is better to work with them. It might also help them identify areas to improve.

    HTH


  #6, posted by SYNACK

    From a technical standpoint, double NATting can cause issues with certain protocols, most of which you should not be using in a school anyway, like BitTorrent and online gaming. These types of services would likely be locked out by the parent network anyway. These protocols generally need full IP route information to work and break due to NAT; more info here: Network address translation - Wikipedia, the free encyclopedia. It does make certain things more complex, like offering services externally, but if there is no other security I would definitely not be changing.

    NAT works by using a single external IP and sharing it between all internal users. It does this by keeping a record of requests from the internal network and mapping them to different TCP ports on the external IP. This map gets stored as a big table, and any replies returning to the external IP are mapped back via the port number to the original requester.

    The issue with this system is that if you have lots of requests the table gets very large and the redirection lookups take longer. On smaller home-grade modem/routers the table can also use up all the system memory, causing them to crash. You can also only fit so many translations in before you run out of port numbers (standard fully supported ones).

    In the OP's situation the upstream NAT may be running into some of these problems, along with some more specific ones. NAT can be shared over multiple external IPs in a round-robin type setup, allowing for more ports and shorter lookup lists for each port. The problem here is that these round-robin assignments are most often picked by IP address. If several schools are NATing to a single IP and are assigned to the same parent external IP in NAT, the sum of all the connections generated can overwhelm the available mapping on that IP. This means that the much higher than usual usage of ports per IP, and the fact that these cannot be split out further because they are all under the same IP, can lead to strife. To combat this the parent network would need to use more external IPs to NAT between, or harsher pruning metrics for the lists, leading to disconnections as mappings are deleted before the sessions are finished.

    If this is the case there is an easier solution which they may not have considered: you too can use multiple external (parent) IPs for your NAT. This way your traffic is split up into multiple IP addresses, leading to more moderate usage of port space, shorter lookup tables and making it much easier for the upstream NAT to divide the traffic evenly in its NAT setup.

    EDIT: As above a bridging firewall would be better, my post just goes into the modification of your existing system to avoid issues that they may be concerned about.
    Last edited by SYNACK; 19th February 2010 at 10:52 AM.
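The port-table and exhaustion argument in the post above, as an added toy model (not code from the thread or from any of the posters): a school NAT behind an LA NAT, each with a fixed port pool per external IP, showing that schools that each NAT to one LA-range address can end up sharing one upstream pool, while giving each school several LA-range addresses spreads the load. Pool sizes, host counts and the 10.151.<n>.x / 203.0.113.x addresses are constructed for the example.

```python
"""Toy NAT port-pool model for a double-NAT setup.

Added illustration with constructed numbers and addresses; real NATs also
expire idle mappings, which this model deliberately leaves out."""
from collections import defaultdict


class Nat:
    """A NAT with one or more external IPs, each owning a fixed pool of ports.

    Each newly seen source IP is pinned round-robin to one external IP and
    keeps it, so every flow from a downstream NAT's single address competes
    for one upstream pool (the per-IP assignment the post describes).
    """

    def __init__(self, external_ips, ports_per_ip):
        self.external_ips = list(external_ips)
        self.ports_per_ip = ports_per_ip
        self.pin = {}                 # source IP -> external IP it is pinned to
        self.used = defaultdict(int)  # external IP -> ports handed out so far
        self.table = {}               # (src_ip, src_port) -> (ext_ip, ext_port)
        self.reverse = {}             # (ext_ip, ext_port) -> (src_ip, src_port)
        self.dropped = 0              # flows refused because a pool was full

    def translate(self, src_ip, src_port):
        """Map an outbound flow to (ext_ip, ext_port); None when the pool is full."""
        key = (src_ip, src_port)
        if key in self.table:                       # existing flow: reuse mapping
            return self.table[key]
        if src_ip not in self.pin:
            idx = len(self.pin) % len(self.external_ips)
            self.pin[src_ip] = self.external_ips[idx]
        ext_ip = self.pin[src_ip]
        if self.used[ext_ip] >= self.ports_per_ip:  # no free port on this IP
            self.dropped += 1
            return None
        ext_port = 1024 + self.used[ext_ip]         # toy allocator, never reuses
        self.used[ext_ip] += 1
        self.table[key] = (ext_ip, ext_port)
        self.reverse[(ext_ip, ext_port)] = key
        return self.table[key]

    def untranslate(self, ext_ip, ext_port):
        """Reverse lookup for a reply packet; None if there is no mapping."""
        return self.reverse.get((ext_ip, ext_port))


def simulate(n_schools, pcs_per_school, flows_per_pc, ips_per_school,
             upstream_ips, ports_per_ip):
    """Push every PC's flows through its school NAT, then the LA upstream NAT.

    Returns (flows attempted, dropped at the school NATs, dropped upstream).
    """
    upstream = Nat(upstream_ips, ports_per_ip)
    attempted = dropped_school = 0
    for s in range(n_schools):
        # constructed LA-side addresses for this school's gateway
        school = Nat([f"10.151.{s}.{i}" for i in range(1, ips_per_school + 1)],
                     ports_per_ip)
        for pc in range(1, pcs_per_school + 1):
            for flow in range(flows_per_pc):
                attempted += 1
                outer = school.translate(f"192.168.1.{pc}", 40000 + flow)
                if outer is None:
                    dropped_school += 1
                    continue
                upstream.translate(*outer)  # the LA NAT only sees the school IP
    return attempted, dropped_school, upstream.dropped


if __name__ == "__main__":
    # Three schools of 150 PCs with 10 flows each, behind an LA NAT that has
    # two external IPs and a deliberately small pool of 2500 ports per IP.
    la_ips = ["203.0.113.1", "203.0.113.2"]
    print("one LA-range IP per school:   ", simulate(3, 150, 10, 1, la_ips, 2500))  # (4500, 0, 500)
    print("three LA-range IPs per school:", simulate(3, 150, 10, 3, la_ips, 2500))  # (4500, 0, 0)
```

With one LA-range address per school, two of the three schools are pinned to the same upstream external IP and 500 of their flows get no port; with three addresses per school the same 4500 flows fit.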


  #7, posted by sfoord

    I'll explain what the setup is in more detail: all the school's PCs are on the 192.168.1.0 IP range, pointing to the Linux box which is acting as gateway and proxy. This box is then set to be on the local authority's IP range of 10.151.158.0 and is set to use the local authority's proxy server as a forward. Normally there is no problem with this type of setup, and it can access everything which is allowed on the local authority's curriculum network range, as in effect all the PCs in the school are seen externally on the same IP address due to the gateway.

    The gateway can be configured to allow access through as was done when Sefton allowed access from the curriculum network to the admin Network for Sims in the classrooms.

    I have tried to have sensible conversations with the Arvato technicians, but they won't sit down and explain any problems; the last conversation I had with them in front of the head was that anybody with any networking experience understands that double NATting should never be used.

    They don't try to diagnose the problem from the Cisco switch to determine if it's a local authority problem or a school problem. Their initial response is to log on to a machine, do ipconfig, and instantly blame it on the fact that the IP address is a 192.168.1.0 one.

    I have seen a few problems accessing sites within Sefton which were working the day before; you report the fault, the engineers come out, instantly blame it on the school setup and walk away, and a couple of days later the site will be accessible again without changing anything at the school.

    One of these types of problem I noticed at three different Sefton schools, and only after reporting it three separate times, and being told each time it was down to the school's setup, was I finally able to speak to someone higher up the technical chain, who after five minutes agreed with me and rebooted one of the LA's DNS servers, which fixed the problem.

    Unfortunately it seems that the people going out to the schools have little or no understanding of networking and cannot cope with anything that looks slightly different from what they're expecting, and will instantly blame it on that rather than trying to diagnose the problem.

  #8, posted by sfoord

    Each school in the local authority does have its own IP range. The main protocols being used are http and https and basic file sharing to the admin network, which had to be specifically allowed through the local authority's Cisco router, as by default the local authority admin networks are separate from the curriculum networks. You can access any other school's curriculum network range from the school's address, and it's the same on the admin network.

    As has been said on here by a few people, it is normal to put some type of gateway/firewall at the point where your responsibility for your network ends, and with proper modification to the firewall tables you can allow any traffic through.

  #9, posted by GrumbleDook (Gosport, Hampshire)

    One of the problems is that typically the engineers that come out to schools will be told only to work within the remit of the contract ... i.e. if anyone has done something different from the prescribed build process then they are to only offer limited help, as it is not their job to deal with things *inside* the school network (e.g. building your VLANs, etc).

    It is a tough one to deal with but there are a few things that could help.

    1 - Where you are doing double NATing, try to have a test workstation on the LA setup that you can drop in to see how non-double-NATed devices are working.

    2 - See if you can go over to routed mode with your firewalls to remove double NATing. As with all things that require configuration, each layer that adds complexity also adds confusion and risk of misconfiguration. When they say that double NATing is prone to problems they are talking about configuration issues, not that you suffer packet loss, etc. This is the thing that you need to get them to state.

    3 - Not *all* traffic should go to the LA proxies. DNS shouldn't; that should go to the LA DNS boxen. Likewise some other protocols might need to go to other places. How about setting up a box in each school with one-to-one NAT in place for trying things. This would mean that the internal IP of the device might be 192.168.0.50 and the NAT makes it 10.151.158.50 ... if you have an issue you can test on this device, as host-specific NAT just works ... This would be needed anyway for any internally hosted services too (e.g. webservers, etc).

    If you continue to have issues then yes, getting your schools to take it to your LA is the way to go. Also speak to other local schools to try and form a close group who can double check faults with one another if you get blown off by the helpdesk. I know they do around here and some poor blighter ends up ringing me to nag.


  #10, posted by powdarrmonkey (Alcester, Warwickshire)

    Quote Originally Posted by sfoord:
    > I have tried to have sensible conversations with the Arvato technicians, but they won't sit down and explain any problems; the last conversation I had with them in front of the head was that anybody with any networking experience understands that double NATting should never be used.
    >
    > They don't try to diagnose the problem from the Cisco switch to determine if it's a local authority problem or a school problem. Their initial response is to log on to a machine, do ipconfig, and instantly blame it on the fact that the IP address is a 192.168.1.0 one.
    There's nothing technically wrong with double NATting, it just takes some careful planning.

    Sounds like you need to talk money with them. It can work wonders if they think you might start being more independent.


  #11, posted by sfoord

    @GrumbleDook

    I agree with you; this is why I would expect most LA engineers to go to the point at which their responsibility ends and test it there: if it works at that point it's the school's problem, if it doesn't it's the local authority's problem, and in every other local authority I have ever worked in this is what happens.

    Sorry, you are right, the DNS does get forwarded to Sefton on the gateway, but this in itself confuses the engineers as it doesn't appear in ipconfig.

    I honestly don't know what they think the problem is with double NATing, as everything is working fine the majority of the time. This time the reason is that the local authority put a CCTV server on the admin network which the head wishes to access from the curriculum network. We asked them to allow access from this machine's IP address to the curriculum network. They came in and instantly blamed it on NAT, saying that you will never get to see the admin network when the curriculum network is NATed; a little bit surprising, since every machine on the curriculum network can see the admin server if needed already.

    Anyway, to cut a long story short, I was ill on that day, full of a cold, and did not feel like getting into a massive argument with someone who was being arrogant. So the next time I was in the school I tested accessing the CCTV server from a laptop on the other side of the gateway (on the local authority IP range); guess what, it doesn't work.

    This is the reason I want to find out if there are any technical issues in using NAT and a proxy server to segment responsibility. As it seems to be a major issue with Sefton, and hasn't been with any other local authority, before I speak to them again I just wanted to put it out to the general community to see if anyone could come up with any reasonable explanation of what the issues were.

  #12, posted by p858snake (Queensland)

    Edit: Pay no attention, I re-read the previous post as I thought it was about accessing the CCTV from the curriculum network and it wasn't working. As you said, you can already access other devices/servers on your admin network, so I doubt the NATing issue would be at fault. My first guess might be some weird/stupid subnetting setup, or that it might have static IPs set up for the outside network.

    ***
    As for the other stuff in this thread, it's my personal view (and I'm fine with people disagreeing) that if they keep saying their contract ends at the LEA {switch/modem/whatever} then that is where it does end, and they shouldn't be commenting on other matters unless requested to*, and should only be working on and connecting straight onto that device (where they claim their responsibility ends) or a switch between it and the rest of the network. Example:
    Code:
    [Modem/Router/Outside Device] >--> [Switch] >--> [Local Proxy]          >--> Rest of the network
                                                >--> [Other Network Device] >--> rest of the network
                                                >--> Spare Ports (Where they could consider connecting)
                                                >--> Spare Ports
    * I'm fine with certain criticisms, but there is a difference between me walking into a school and saying something like "you're crap because you use Ghost compared to FOG" to the school IT dept and offering constructive criticism such as "Have you considered using FOG over Ghost, because <list points to be pro/con against your statement>".
    Last edited by p858snake; 19th February 2010 at 12:09 PM.


  #13, posted by sfoord

    p858snake, I agree with you; their responsibility ends at the switch, which coincidentally is set up exactly as in your diagram: 1 port attached to the proxy/gateway, the other three ports unused, for them to connect to and test.

    I personally feel that this is more to do with the company wanting to provide managed desktop support to the schools themselves, as a lot of local authorities are going down this route, which would make it much more sensible to be all on one big network for ease of central management; but since they do not want to manage individual schools at the moment, the security risk and the management problems for the people who are currently managing the schools have increased tenfold.

    I could even understand it if they were offering services that required the machines to have the local authority IP range, but they are not; the only services they are offering are basic websites inside the local authority's network.

    I am more than willing to admit that I don't know everything about networking, but they will not give any real justification as to what the issues are; all they say is that it is a completely wrong setup. The interesting fact in this is that when the local authority supplied the NGfL kit to the schools in the late 90s, ICT Education set up every school network in exactly this way, using an NT4 box with two network cards to segment the local authority and local school networks. The local authority network has got faster, but the IP address structure has not changed.

  #14, posted by GrumbleDook (Gosport, Hampshire)

    @sfoord

    I know where you are coming from, having set up double NATing at my last school (originally just NATed, as we were not with the local RBC, but later joined, and I was not going to re-jig my whole IP addressing setup at the same time, so ended up double NATing), and I am now on the other side of the fence.

    By setting up a small test box that is on the LA-provided range (i.e. not inside your LAN and affected by your firewall) it helps to prove when things are not working. It also allows the local support team to connect into a device to test too. It will save a heck of a lot of grief.


  #15, posted by sfoord

    @grumbledook

    In a high school that will be possible, but in a primary it's not practical, as there are no spare machines, and like most primary schools they run the machines until they physically collapse. The other problem is that I am not in the school all the time; I'm only in half a day every week. Therefore all that happens is that rather than testing at the switch, the engineers walk to the nearest machine they can find and instantly blame it on that, rather than checking to see if it works on the local authority side, and as I'm not there I can't get a laptop out, plug into the LA switch and prove to them beyond a doubt that it is a local authority problem. But again this does come back to the point that the local authority engineer should be checking it at the end of his responsibility himself before blaming the school setup.

    I only ever report stuff to an LA when I'm 100% sure it is not a problem within the school network; what frustrates me about Sefton, however, is the fact that they don't even give the indication of attempting to check if it is a local authority problem, they will blame it instantly on the school setup.
