VLANs and "advanced" network topologies

I accomplish this with one router and multi zone. But I'm not running consumer grade gear. All enterprise class, so I can do much more with a single device. I can even break it apart to multiple virtual devices that don't talk to each other and therefore the interfaces don't know about each other and then either link the virtual devices with a virtual wire or a physical wire.

But your idea of nat'ing HE so that the phone app works is interesting. Never thought about doing that.

These are basically the two reasons why I'm considering this as a solution. Could you elaborate on why you believe neither of those statements is accurate? Thanks.

Double-NAT issues with gaming consoles tend to be solely because the user didn't correctly set up port forwarding on the outer NAT. I would expect that any issues with multiple gaming consoles on the same segment should occur regardless of single vs double NAT. What are you seeing that's different?

Setting up an inner NAT is really simple. @JasonJoel, perhaps it would help if you could walk us through the steps of setting up, with a contemporary ASUS router (e.g. the RT-AC68U, a super popular commodity one), a VLAN and configure (taking a few common devices) your Hubitat, Roku and Amazon Echo to use the VLAN rather than the main LAN, and then ensure that the Roku cannot reach your PC on the main LAN but the PC can reach the Hubitat inside the VLAN?

(Or reverse the VLAN and main LAN if appropriate, but still, show how to specify and segregate the VLAN.)

No. When there are multiple of the same brand console in the house, which is what I mentioned, you can't simply port forward.

It sure is simple to set up. So is assigning a vlan to a port, and a simple FW rule in the router if it happens to route vlan by default (some do, some don't). Certainly no harder than implementing port forwarding rules.

I wouldn't have a clue on how to set up vlans on an Asus router, as I would never choose to use one of those. But Asus routers aren't the only consumer level routers out there either, now are they?

Yes, if you are choosing to use a router without vlan support, then double natting can be a very effective solution (although not usable in all situations - specifically ones where port forwarding isn't an elegant solution).

My Asus router is great, particularly the OpenVPN server and dynamic DNS it supports.

But I think that to get VLAN support, I'd have to flash the firmware, and it would be a pain to reconfigure other settings on my router.

Also, from what I have tried to read up on VLANs, it doesn't seem that simple to me as someone that's not a professional in the networking industry.

Particularly when creating multiple groups of devices, some WiFi, and some Ethernet connected.

Simple is relative and subjective. Making multiple groups with natting isn't simple for many either.

The more group types you want/need the more the advantage shifts to vlans. If you only need 2 groups, Nat is pretty straight forward though.

In the end, if doing it with multiple Nat works better for you, go for it. There isn't only one way to do this stuff.

Do you have your home LAN segmented into VLANs?

  • House 1 I have been doing vlan for 10+ years. (Cisco and then ubiquiti unifi)
  • House 2 I use vlan. (Ubiquiti unifi)
  • Vacation house I do double nat. (Netgear router)

I've heard a lot of good things about ubiquiti devices in various contexts but haven't tried any yet.

That's one thing that's held me up in terms of trying out VLANs, many how-to guides that I've read are specific to one brand like ubiquiti, and so I feel like I'm missing steps when trying to translate it to my own setup.

Vlans themselves and the concepts on how to use them are vendor agnostic.

How to actually implement them is, obviously, vendor specific.

In the end, go with the simplest solution that your hardware supports. If it doesn't support vlan, and you aren't looking to wholesale replace hardware, Nat is about your only segregation option.

Double Nat, or a simple use of multiple subnets (aka multiple single nats), can work very well if you can live within its few caveats/limitations.

My earlier comments weren't to detract from the usefulness of multiple nats, I just argue that it is not simpler or easier versus vlan - if your hardware supports vlans, of course. But that is my opinion, it doesn't make the opposite opinion any less valid, as "easier" is 100% subjective.

No. When there are multiple of the same brand console in the house, which is what I mentioned, you can't simply port forward.

That seems disingenuous; this isn't a double-NAT issue. Even with one router/NAT, port-forwarding the same port to multiple systems won't work.

The biggest challenges with VLANs are that historically few (consumer-grade, i.e. available at Best Buy) routers provide set-up for them in the GUI (although that's slowly changing), and you need to understand and assign your tags, bridges and ports. And use VLAN-capable switches and configure them, unless you have all equipment going on, e.g., 10 in a different place than equipment going on 20. At which point you have the same essential solution as the two-router double-NAT approach, just in a single router, less easy to configure in most devices. It's not like a Roku understands VLANs... if you're plugging it in, you have to provide a port already tagged.

If you do have a high-end brand-new (i.e. within the last year or so) consumer router that does provide VLAN support in the GUI and your usage is physically segmented... and that's a lot of "ifs"... a VLAN can provide about the same functionality from one router as double-NAT with two, without the second device.

But if you're relying on the WiFi router from your ISP, it almost certainly doesn't support VLANs on the inside. If you want the equivalent functionality at that point, adding another NAT via a (even low-end) router is faster, easier and cheaper.
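As an added illustration of the segmentation asked about earlier in the thread (PC on the main LAN can reach the Hubitat in the IoT VLAN, but the Roku in the IoT VLAN cannot reach the PC), here is a small Python model of what a VLAN-capable router does once ports and SSIDs are tagged. It is not code from any router vendor or from this forum; the VLAN ids 10 and 20, the port names, the host names and the "allow new flows only from main to IoT" policy are all assumptions. The point it makes is the one in the post above: the Roku never sees a tag, the access port or SSID it is on supplies the VLAN, and the inter-VLAN rule lives on the router and has to be stateful so replies get back.

```python
"""Constructed model of VLAN segmentation with a stateful inter-VLAN policy.
VLAN ids, port names, host names and the policy itself are assumptions."""

MAIN, IOT = 10, 20  # assumed VLAN ids for the main LAN and the IoT segment

# Untagged (access) ports and SSIDs: each carries exactly one VLAN, so a
# device that knows nothing about 802.1Q tags still lands in the right VLAN.
PORT_VLAN = {
    "eth1": MAIN, "eth2": MAIN, "ssid-home": MAIN,
    "eth3": IOT, "ssid-iot": IOT,
}

# Which port or SSID each constructed device is plugged into / associated with.
HOST_PORT = {
    "pc": "eth1", "laptop": "ssid-home",
    "hubitat": "eth3", "roku": "ssid-iot", "echo": "ssid-iot",
}

# Inter-VLAN policy: which (source VLAN, destination VLAN) pairs may open NEW
# flows. Pairs not listed are dropped. Same-VLAN traffic is switched, not routed.
NEW_FLOW_POLICY = {(MAIN, IOT): True, (IOT, MAIN): False}


class Router:
    """Routes between the VLAN interfaces and keeps a minimal connection table
    so replies to permitted flows are let back through (the 'established'
    rule every real stateful firewall relies on)."""

    def __init__(self):
        self.conntrack = set()  # tuples of (src, sport, dst, dport)

    @staticmethod
    def vlan_of(host):
        return PORT_VLAN[HOST_PORT[host]]

    def permit(self, src, sport, dst, dport):
        """Decide whether a packet src:sport -> dst:dport is forwarded."""
        svlan, dvlan = self.vlan_of(src), self.vlan_of(dst)
        if svlan == dvlan:
            return True  # stays inside the VLAN; the router never sees it
        if (dst, dport, src, sport) in self.conntrack:
            return True  # reply to a flow the other side was allowed to open
        if NEW_FLOW_POLICY.get((svlan, dvlan), False):
            self.conntrack.add((src, sport, dst, dport))
            return True
        return False


def run_scenarios():
    """The checks from the question: PC -> Hubitat works and its replies come
    back; Roku (or Hubitat) -> PC as a new flow is dropped; IoT devices still
    reach each other within their own VLAN."""
    r = Router()
    return {
        "pc_to_hubitat": r.permit("pc", 50000, "hubitat", 80),
        "hubitat_reply_to_pc": r.permit("hubitat", 80, "pc", 50000),
        "roku_to_pc": r.permit("roku", 40000, "pc", 445),
        "hubitat_new_flow_to_pc": r.permit("hubitat", 40001, "pc", 445),
        "roku_to_echo": r.permit("roku", 40002, "echo", 8080),
    }


if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print(f"{name}: {'allow' if allowed else 'drop'}")
```

The connection table here is keyed only on the address/port tuple; a real router also tracks protocol and TCP state, but the shape of the rule is the same: one "allow new from main to IoT" line plus the implicit "allow established" line, and nothing from the IoT side can initiate.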

You are much smarter than me so there won't be much of an issue with Ubiquiti gear. Took me plenty of reading but I got everything the way I wanted and it was one of the best investments for me on tech.


I'm also a fan of Ubiquiti devices. I have an EdgeRouter Lite 3 as a dedicated firewall to the world. It's very powerful, but for the higher ends of the power, you do need to drop down to a shell. (Command-line.)

The ERL3 does have GUI support of VLANs, but since it doesn't have a wireless module and only has two ports, unbridged, it alone can't really get you VLAN support. You still need external VLAN-capable switches and/or APs. So the other devices mentioned are probably better for the typical user.


Not really. Most consoles are smart enough to check if the port is open/openable via upnp and shift to another port if needed. Thus allowing multiple consoles of the same brand to all host games at the same time. But in the same vein, most consoles aren't configurable enough to let you manually change the hosting port - thus requiring upnp and single nat if hosting games.

But you are right, if not using upnp, then single nat or multiple nat - you're screwed with hosting games using multiple consoles.

Obviously that isn't an issue for games that use cloud based servers, though.

Not really. Most consoles are smart enough to check if the port is open/openable via upnp and shift to another port if needed.

Ouch!!! You're right, I completely forgot about UPnP. Disabling UPnP is just about the first thing I do on any router; I consider it insecure and undisciplined, and I vastly prefer to control open ports/forwarding. But yeah, if you're relying on UPnP for that, and if your toys are in the secured zone, double-NAT will hose you.

upnp certainly isn't my favorite either, but is a requirement in some scenarios.

At least more implementations of upnp can limit its use to specific IPs/devices these days, making it quite a bit more palatable.

But I'm off in the weeds here, as that is a very specific scenario - although I do know a lot of people with multiple xbox/PS4s (one for the grown-up kid, and one for the real kid.... lol).
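The port-forwarding and UPnP exchange above (one external port cannot be forwarded to two consoles; UPnP lets each console shift to a free port; a UPnP mapping only ever opens the NAT the console is directly behind, so a console in the inner zone of a double-NAT is unreachable until the outer router is forwarded by hand) can be made concrete with a small model. This is an added example, not code from any router or from the posters; host names, the game port 3074 and the "try the next port" behaviour are constructed assumptions chosen to mirror what the thread describes.

```python
"""Constructed model of port forwarding and UPnP behind one NAT versus two
chained NATs (double NAT). Host names, ports and behaviour are assumptions."""


class Nat:
    """One NAT router. `forwards` maps an external port to (inside host,
    inside port). `upstream` is the NAT in front of this one; None means the
    WAN side is the internet. To its upstream NAT this router is just a host
    called `name`."""

    def __init__(self, name, upstream=None, upnp_enabled=True):
        self.name = name
        self.upstream = upstream
        self.upnp_enabled = upnp_enabled
        self.forwards = {}

    def forward(self, ext_port, host, int_port):
        """Static port forward. One external port maps to exactly one host."""
        existing = self.forwards.get(ext_port)
        if existing is not None and existing != (host, int_port):
            raise ValueError(f"{self.name}: port {ext_port} already forwarded to {existing[0]}")
        self.forwards[ext_port] = (host, int_port)
        return ext_port

    def upnp_add(self, host, int_port):
        """UPnP-style request from a device on this NAT's LAN. The device asks
        for int_port as the external port; if that is taken it retries with
        the next one (the port shifting described above). Only this NAT's
        table changes: an upstream NAT never learns about the mapping."""
        if not self.upnp_enabled:
            return None
        ext = int_port
        while ext in self.forwards:
            ext += 1
        self.forwards[ext] = (host, int_port)
        return ext


def reachable_from_internet(nat, host, port):
    """Walk outward from `nat`. Every hop must hold a mapping that points at
    the hop below it; return the internet-facing port, or None."""
    current, target, tport = nat, host, port
    while current is not None:
        hits = [ext for ext, inside in current.forwards.items() if inside == (target, tport)]
        if not hits:
            return None
        target, tport = current.name, hits[0]
        current = current.upstream
    return tport


def manual_forward_two_consoles():
    """Single NAT, UPnP off: forwarding 3074 a second time collides."""
    router = Nat("router", upnp_enabled=False)
    router.forward(3074, "xbox1", 3074)
    try:
        router.forward(3074, "xbox2", 3074)
        return "no collision"
    except ValueError:
        return "collision"


def upnp_single_nat():
    """Single NAT with UPnP: each console ends up on its own external port."""
    router = Nat("router")
    consoles = ("xbox1", "xbox2")
    for c in consoles:
        router.upnp_add(c, 3074)
    return {c: reachable_from_internet(router, c, 3074) for c in consoles}


def upnp_double_nat():
    """ISP router outside, 'secure zone' router inside. UPnP on the inner
    router opens only the inner NAT; nothing is reachable until a static
    forward on the outer router points at the inner router, and that static
    forward covers a single port, so the second console is still cut off."""
    outer = Nat("isp-router")
    inner = Nat("inner-router", upstream=outer)
    inner.upnp_add("xbox1", 3074)  # lands on 3074 of the inner NAT
    inner.upnp_add("xbox2", 3074)  # 3074 taken, lands on 3075 of the inner NAT
    before = reachable_from_internet(inner, "xbox1", 3074)
    outer.forward(3074, "inner-router", 3074)  # manual forward on the outer NAT
    return {
        "xbox1_before_outer_forward": before,
        "xbox1_after_outer_forward": reachable_from_internet(inner, "xbox1", 3074),
        "xbox2_after_outer_forward": reachable_from_internet(inner, "xbox2", 3074),
    }


if __name__ == "__main__":
    print(manual_forward_two_consoles())
    print(upnp_single_nat())
    print(upnp_double_nat())
```

The model also shows why UPnP is the uncomfortable part of the trade-off: any device on the LAN can add a mapping, which is exactly the control a hand-written forwarding table keeps with the administrator. Where the consoles sit on the outer router's segment rather than in the inner zone, `upnp_single_nat` is the case that applies and double-NAT does no harm to them.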

I thought that the built in support was only for a "site to site" VPN solution.
Is there a built in approach for some other type of VPN?

There are a few options for VPN. You have L2TP, OpenVPN and OpenVPN site to site.
The L2TP server setup is very simple to set up but a pain to config with Client on phone/tablet.
OpenVPN site to site is simple too but not for home. Not my home anyway.
OpenVPN server is very painful to config. Took me a week reading and playing around and I couldn't get it to work correctly. Ended up with PiVPN instead.

@jtmpush18 I have it setup with L2TP. Setup was fairly easy in the Unifi controller software. I use it both with my laptop or my phone when I'm outside the house. Not sure what Client @Navat604 is talking about being a pain unless he means the Unifi app for the phone in which case I'd agree. I don't really use that for much except to monitor things as it's much easier to use the web interface on a desktop.
