double NAT (TAP) network visibility

alamat7
OpenVpn Newbie
Posts: 2
Joined: Fri May 08, 2020 6:48 am

double NAT (TAP) network visibility

Post by alamat7 » Fri May 08, 2020 7:02 am

I am a newbie to this openvpn.
I have a home network (main router at 192.168.1.1, 2nd router at 192.168.1.67).
2nd router has its WAN port connected to the main router network, so it's a double NAT setup. It's also an ASUS router, and I am using its openvpn server, configured as TAP server. 2nd router network is 192.168.15.x. To make the 2nd router server accessible, I have enabled port forwarding in 1st router to 2nd router. (So all external clients connect to 1st router via an assigned port and get forwarded to 2nd router).
Actually everything works as I wanted, except for one thing.
Why is it that devices in 2nd router network (192.168.15.x) can see devices in the 1st router network (192.168.1.x), but not vice versa? I would rather they not be able to see 192.168.1.x as this is my home network, and 192.168.15.x is used for testing. Is it a question of an incorrect mask?

TinCanTech
OpenVPN Protagonist
Posts: 7579
Joined: Fri Jun 03, 2016 1:17 pm

Re: double NAT (TAP) network visibility

Post by TinCanTech » Fri May 08, 2020 12:21 pm

Not that this has anything to do with openvpn but that is exactly what you get when you plug one NAT router WAN port into another NAT router LAN port.

alamat7
OpenVpn Newbie
Posts: 2
Joined: Fri May 08, 2020 6:48 am

Re: double NAT (TAP) network visibility

Post by alamat7 » Mon May 11, 2020 12:14 am

Yes you are right. It has nothing to do with openvpn, sorry I realized that some time after I posted. The 2nd router sees the LAN of the 1st router as part of the WAN, and unless you block off a range of IP addresses at the 2nd router, this will happen.
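
The range block described in the post above, sketched as firewall rules for the 2nd router. This is an added example, not part of the thread or of any ASUS or OpenVPN tooling; the /24 masks, shell access to `iptables` on the router, and the optional allow-listed host are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Subnets are the poster's; the /24 masks
# and shell access to iptables on the 2nd router are assumptions.
TEST_LAN="192.168.15.0/24"   # LAN side of the 2nd router
HOME_LAN="192.168.1.0/24"    # 1st router's LAN, which the 2nd router treats as WAN

# Emit "CHAIN POSITION RULE-SPEC" lines in match order. Arguments are home-LAN
# hosts the test network may still reach (e.g. a resolver); they are accepted
# before the DROP. Internet traffic is unaffected: it leaves via the 1st router
# as next hop, but its destination address is outside HOME_LAN.
isolation_rules() {
    pos=1
    for host in "$@"; do
        echo "FORWARD $pos -s $TEST_LAN -d $host -j ACCEPT"
        pos=$((pos + 1))
    done
    echo "FORWARD $pos -s $TEST_LAN -d $HOME_LAN -j DROP"
}

# Insert the rules at the head of FORWARD; -C skips rules already present so
# the script can be rerun (for example after a firewall restart).
apply_rules() {
    isolation_rules "$@" | while read -r chain pos spec; do
        # $spec is intentionally unquoted so it splits into iptables arguments
        iptables -C "$chain" $spec 2>/dev/null || iptables -I "$chain" "$pos" $spec
    done
}

# Dry run by default: print the commands. Set APPLY=1 to change the firewall.
if [ "${APPLY:-0}" = "1" ]; then
    apply_rules "$@"
else
    isolation_rules "$@" | sed 's/^/iptables -I /'
fi
```

These rules filter only forwarded traffic, so the port forward from the 1st router to the OpenVPN server, which terminates on the 2nd router itself, is not affected.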

TinCanTech
OpenVPN Protagonist
Posts: 7579
Joined: Fri Jun 03, 2016 1:17 pm

Re: double NAT (TAP) network visibility

Post by TinCanTech » Mon May 11, 2020 12:30 am

You know what is ironic?

There is nothing to stop your ISP routing RFC1918 wherever they see fit :twisted:
