Routing – Port-selective transparent forwarding with routing

Tags: bridge, checkpoint, ipv4, nat, routing

I'm trying to sanity check my lack of understanding of a colleague's network planning exercise. It doesn't make sense to me, but maybe I'm missing something. My general networking knowledge isn't bad, but I don't have vendor-specific knowledge.

We currently have a consumer-grade Draytek router, which provides DHCP and NAT, just the same as any home broadband connection. Our WAN connection is delivered over an Ethernet circuit as a small /30 "meet me" network, with a single private /24 inside containing all the hosts.

He intends to keep the Draytek router, but place a Checkpoint firewall behind it.

The Checkpoint firewall will perform NAT for several VLANs which will allow different groups of users to be separated from each other, via a managed switch with VLAN de-tagging on the ports.

There will be a bridging LAN between the "outside" of the Checkpoint and the "inside" of the Draytek.

The setup will be like so (pink box is an IP packet, explained later):

[Diagram: "Crazy network" (image not reproduced here)]

So, my first question: Why keep the Draytek and double-NAT the outbound traffic?

There's also a requirement for the inbound NAT from the public IP (ie: port mapping) to a couple of internal hosts.

Currently, the Draytek handles the inbound NAT and will have the public IP on the external interface, but he intends that the Checkpoint should handle the inbound NAT.

He claims that the Draytek can be configured to selectively forward, depending on destination port, incoming packets (pink packet on diagram) without modification of the source/dest IP or hardware address to the Checkpoint, which will then perform inbound NAT to the internal device.

This doesn't make any sense to me. As I understand it, the Checkpoint will then receive packets with the Draytek's external interface MAC address and IP, which it will NAT to the internal device.

I can't work out the reverse path for NAT traffic either, or how/what's tracking the translation.

Second question: How can this even work?

He claims it's "standard practice" but can't explain it in detail. If the Draytek can't do it, he says he will buy a Cisco to replace it. I have a sneaking suspicion he doesn't know what he's on about, or am I missing something?

Can anyone help explain what he's trying to achieve here? Many thanks in advance.

Best Answer

He's mostly right, even if his explanation isn't as clear as it could be.

Currently, the Draytek handles the inbound NAT and will have the public IP on the external interface, but he intends that the Checkpoint should handle the inbound NAT.

This makes sense. The firewall is a better place to do the NAT functions, as it has more features and is more flexible than a consumer-grade router. I assume he intends to turn off NAT on the router (if he can). If not, double NAT is an unnecessary complication, but it will work anyway.

Note that just because the "bridging LAN" has a private address, that does not mean the router has to do NAT.

He claims that the Draytek can be configured to selectively forward, depending on destination port, incoming packets (pink packet on diagram) without modification of the source/dest IP or hardware address to the Checkpoint, which will then perform inbound NAT to the internal device.

This doesn't make any sense to me. As I understand it, the Checkpoint will then receive packets with the Draytek's external interface MAC address and IP, which it will NAT to the internal device.

I think you're confused about where the /24 public network "lives." It doesn't "live" on the router.

The router will be configured to forward traffic destined for the public network to the firewall (i.e., the firewall is the next hop). So the router is just being a router. It will change the DMAC address to that of the firewall. The firewall will receive the packet, change the DestIP to an internal IP and forward it on. On the outbound path, the firewall will translate the source address to the external network and forward it to the router, which in turn will forward it to the ISP.
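To make the two-hop path described in the answer concrete, here is an added simulation that is not code from the question, the answer, or any Draytek or Checkpoint product. It models the Draytek as a plain router whose table points the public block at the Checkpoint's bridging-LAN address (so it rewrites only MAC addresses), and the Checkpoint as a firewall with static DNAT rules plus a connection-tracking table, which is what makes the reverse path work: the reply from the internal host is matched against the recorded flow and un-translated back to the public address before it goes to the router. All addresses, MACs, ports and the assumed public /24 are constructed placeholders from documentation ranges, not values from the page.

```python
"""Added example: packet walk for port-mapped inbound traffic across a router
that does no NAT and a firewall that does DNAT with connection tracking.
Every address, MAC and port below is a constructed placeholder (assumption)."""

from dataclasses import dataclass, replace
import ipaddress


@dataclass(frozen=True)
class Packet:
    """Only the L2/L3/L4 fields the walk-through needs."""
    dmac: str
    smac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


# --- constructed topology (assumption, RFC 5737 / locally administered MACs) ---
INTERNET_CLIENT = "198.51.100.77"          # a host somewhere on the internet
ISP_GATEWAY_MAC = "02:00:00:00:00:aa"      # far end of the /30 meet-me circuit
ROUTER_WAN_MAC = "02:00:00:00:00:01"       # Draytek outside
ROUTER_LAN_MAC = "02:00:00:00:00:02"       # Draytek inside, on the bridging LAN
FIREWALL_OUT_MAC = "02:00:00:00:00:03"     # Checkpoint outside, on the bridging LAN
FIREWALL_OUT_IP = "192.168.255.2"
FIREWALL_IN_MAC = "02:00:00:00:00:04"      # Checkpoint inside, on an internal VLAN
WEB_HOST_MAC = "02:00:00:00:00:05"
WEB_HOST_IP = "10.0.20.10"                 # internal host reached by the port mapping
PUBLIC_BLOCK = ipaddress.ip_network("203.0.113.0/24")   # "public network" routed to the firewall
PUBLIC_WEB_IP = "203.0.113.10"

# Router: a static route for the public block with the firewall as next hop,
# and a default route to the ISP. A neighbour table stands in for ARP.
ROUTER_ROUTES = [
    (PUBLIC_BLOCK, FIREWALL_OUT_IP, ROUTER_LAN_MAC),
    (ipaddress.ip_network("0.0.0.0/0"), "isp", ROUTER_WAN_MAC),
]
ROUTER_NEIGHBOURS = {FIREWALL_OUT_IP: FIREWALL_OUT_MAC, "isp": ISP_GATEWAY_MAC}


def router_forward(pkt: Packet) -> Packet:
    """Plain routing: longest-prefix match, then rewrite MACs only. IPs and ports are untouched."""
    dst = ipaddress.ip_address(pkt.dst_ip)
    best = max((r for r in ROUTER_ROUTES if dst in r[0]), key=lambda r: r[0].prefixlen)
    _net, next_hop, egress_mac = best
    return replace(pkt, dmac=ROUTER_NEIGHBOURS[next_hop], smac=egress_mac)


class Firewall:
    """Stand-in for the Checkpoint: static DNAT rules plus a connection-tracking table."""

    def __init__(self) -> None:
        # (public_ip, public_port) -> (internal_ip, internal_port); anything else is dropped
        self.dnat = {(PUBLIC_WEB_IP, 443): (WEB_HOST_IP, 8443)}
        # (client_ip, client_port, public_ip, public_port) -> (internal_ip, internal_port)
        self.conntrack: dict = {}
        self.neighbours = {WEB_HOST_IP: WEB_HOST_MAC}

    def inbound(self, pkt: Packet):
        """Apply DNAT to a packet arriving from the router; record the flow for the reply."""
        target = self.dnat.get((pkt.dst_ip, pkt.dst_port))
        if target is None:
            return None  # no mapping for this port: default deny
        self.conntrack[(pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)] = target
        internal_ip, internal_port = target
        return replace(pkt, dmac=self.neighbours[internal_ip], smac=FIREWALL_IN_MAC,
                       dst_ip=internal_ip, dst_port=internal_port)

    def outbound(self, pkt: Packet):
        """Reply from the internal host: find the tracked flow and undo the DNAT."""
        for (client_ip, client_port, public_ip, public_port), (iip, iport) in self.conntrack.items():
            if (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port) == (iip, iport, client_ip, client_port):
                return replace(pkt, dmac=ROUTER_LAN_MAC, smac=FIREWALL_OUT_MAC,
                               src_ip=public_ip, src_port=public_port)
        return None  # not a reply to a tracked flow; a new outbound flow would need its own SNAT rule


def simulate_inbound_https():
    """Walk one client packet in and the server's reply out; return the packet seen at each hop."""
    fw = Firewall()
    arriving = Packet(dmac=ROUTER_WAN_MAC, smac=ISP_GATEWAY_MAC,
                      src_ip=INTERNET_CLIENT, dst_ip=PUBLIC_WEB_IP, src_port=51515, dst_port=443)
    on_bridge = router_forward(arriving)      # IPs untouched, DMAC now the firewall's
    at_host = fw.inbound(on_bridge)           # DNAT applied, flow recorded
    reply = Packet(dmac=FIREWALL_IN_MAC, smac=WEB_HOST_MAC,
                   src_ip=at_host.dst_ip, dst_ip=at_host.src_ip,
                   src_port=at_host.dst_port, dst_port=at_host.src_port)
    reply_on_bridge = fw.outbound(reply)      # source restored to the public IP/port
    reply_to_isp = router_forward(reply_on_bridge)
    return on_bridge, at_host, reply_on_bridge, reply_to_isp


if __name__ == "__main__":
    for hop, p in zip(("router->firewall", "firewall->host", "host->router", "router->ISP"),
                      simulate_inbound_https()):
        print(f"{hop:18} dmac={p.dmac} {p.src_ip}:{p.src_port} -> {p.dst_ip}:{p.dst_port}")
```

The point to check against the plan: the router never sees or stores any translation state, so it needs nothing beyond a static route for the public block; all state lives in the firewall's tracking table, which is also why a port with no DNAT rule is simply dropped there rather than reaching the internal VLAN.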