Using EdgeRouter with two ISPs and removing redundant NAT settings on your network

LilStege
Member
205
01-18-2022, 05:05 PM
#1
I recently acquired a 5G mobile modem/router from my mobile phone provider, since my primary ISP has unreliable connectivity, wired both modems to a Ubiquiti EdgeRouter-X 5, configured failover from primary to 5G, and wired that to my existing network. It works fine right now, but I wanted to know whether it is feasible to pare down the amount of NATing on my network. I know that a multi-NATed network *may* be susceptible to some connectivity issues when there is more than one router at play. So let me break down the different configured subnets:

Primary Modem: 98.XXX.XXX.XXX/22 (modem only)
5G Modem/Router: 192.168.XXX.XXX/24 (different from below subnets)
EdgeRouter-X: 192.168.100.1/24 (switch0 interface)
Gryphon Router/AP: 192.168.1.1 (/24?), with device DHCP range: 192.168.1.100-249

I think this results in routes to/from the Primary modem being double NAT:

Primary Modem (No NAT) -> ER-X (NAT) -> Gryphon (NAT)

Is it advisable to remove the ER-X's Source NAT rule to Masquerade for the Primary Modem if my ER-X is only connected to the one Gryphon Router? Would this interfere with when a failover occurs that changes routes from Primary Modem to 5G?

Then there's the routes to/from the 5G modem/router that might be a triple NAT:

5G modem/router (NAT) -> ER-X (NAT) -> Gryphon (NAT)

I know that there is no way to remove NAT from the 5G modem/router, but what about removing it from the ER-X? Would that work alright in a failover scenario?

As for the Gryphon Router: it seems NAT is built-in and cannot be disabled. All I can configure is LAN IP, static & DHCP ranges for devices, and configure WAN for DHCP, Static IP, or PPPoE. I know that the ideal solution would be to ditch the Gryphon router+mesh altogether, but I can't afford to replace it with AP-only hardware, like a Ubiquiti AP. I would also like to avoid setting any additional manual IP addresses if possible, aside from the switch0 interface.

Lastly, is it possible for my ER-X to do traffic analysis of my Gryphon's subnet by changing ER-X or Gryphon config, such as changing & broadening the ER-X's "switch0" interface's subnet, or does each router need to continue to have separate subnets? I think my ER-X config is relatively simple, but here it is, sanitized, below, and also my network diagram below that if you are curious what's downstream from the routers:

    firewall {
        all-ping enable
        broadcast-ping disable
        group {
            network-group PRIVATE_NETS {
                description "Excludes subnets of modems"
                network 192.168.0.0/21
                network 172.16.0.0/12
                network 10.0.0.0/8
                network 192.168.8.0/22
                network 192.168.13.0/24
                network 192.168.14.0/24
                network 192.168.15.0/24
                network 192.168.16.0/20
                network 192.168.32.0/19
                network 192.168.64.0/18
            }
        }
        ipv6-receive-redirects disable
        ipv6-src-route disable
        ip-src-route disable
        log-martians disable
        modify balance {
            rule 10 {
                action modify
                description "do NOT load balance lan to lan"
                destination {
                    group {
                        network-group PRIVATE_NETS
                    }
                }
                modify {
                    table main
                }
            }
            rule 20 {
                action modify
                description "do NOT load balance destination public address"
                destination {
                    group {
                        address-group ADDRv4_eth0
                    }
                }
                modify {
                    table main
                }
            }
            rule 30 {
                action modify
                description "do NOT load balance destination public address"
                destination {
                    group {
                        address-group ADDRv4_eth1
                    }
                }
                modify {
                    table main
                }
            }
            rule 70 {
                action modify
                modify {
                    lb-group G
                }
            }
        }
        name WAN_IN {
            default-action drop
            description "WAN to internal"
            rule 10 {
                action accept
                description "Allow established/related"
                state {
                    established enable
                    related enable
                }
            }
            rule 20 {
                action drop
                description "Drop invalid state"
                state {
                    invalid enable
                }
            }
            rule 21 {
                action drop
                description "Drop 5G to NAS"
                destination {
                    address 192.168.1.***
                }
                log disable
                protocol all
                source {
                    group {
                        address-group ADDRv4_eth1
                    }
                }
                state {
                    established disable
                    invalid disable
                    new enable
                    related disable
                }
            }
        }
        name WAN_LOCAL {
            default-action drop
            description "WAN to router"
            rule 10 {
                action accept
                description "Allow established/related"
                state {
                    established enable
                    related enable
                }
            }
            rule 20 {
                action drop
                description "Drop invalid state"
                state {
                    invalid enable
                }
            }
        }
        receive-redirects disable
        send-redirects enable
        source-validation disable
        syn-cookies enable
    }
    interfaces {
        ethernet eth0 {
            address dhcp
            description Cable
            duplex auto
            firewall {
                in {
                    name WAN_IN
                }
                local {
                    name WAN_LOCAL
                }
            }
            speed auto
        }
        ethernet eth1 {
            address dhcp
            description 5G
            duplex auto
            firewall {
                in {
                    name WAN_IN
                }
                local {
                    name WAN_LOCAL
                }
            }
            speed auto
        }
        ethernet eth2 {
            description LAN
            duplex auto
            speed auto
        }
        ethernet eth3 {
            duplex auto
            speed auto
        }
        ethernet eth4 {
            duplex auto
            poe {
                output off
            }
            speed auto
        }
        loopback lo {
        }
        switch switch0 {
            address 192.168.100.1/24
            description Local
            firewall {
                in {
                    modify balance
                }
            }
            mtu 1500
            switch-port {
                interface eth2 {
                }
                interface eth3 {
                }
                interface eth4 {
                }
                vlan-aware disable
            }
        }
    }
    load-balance {
        group G {
            exclude-local-dns enable
            flush-on-active enable
            gateway-update-interval 60
            interface eth0 {
                route-test {
                    count {
                        failure 2
                        success 4
                    }
                    initial-delay 30
                    interval 7
                    type {
                        default
                    }
                }
            }
            interface eth1 {
                failover-only
                route-test {
                    count {
                        failure 2
                        success 6
                    }
                    initial-delay 60
                    interval 15
                    type {
                        default
                    }
                }
            }
            lb-local disable
            lb-local-metric-change disable
            sticky {
                dest-addr enable
                dest-port enable
                source-addr enable
            }
        }
    }
    protocols {
        static {
            interface-route 192.168.1.***/32 {
                next-hop-interface eth0 {
                    description "NAS to Cable Modem"
                }
            }
        }
    }
    service {
        dhcp-server {
            disabled false
            hostfile-update disable
            shared-network-name LAN {
                authoritative enable
                subnet 192.168.100.0/24 {
                    default-router 192.168.100.1
                    dns-server 192.168.100.1
                    lease 86400
                    start 192.168.100.38 {
                        stop 192.168.100.243
                    }
                    static-mapping Gryphonb*** {
                        ip-address 192.168.100.38
                        mac-address 1c:49:7b:d8:b0:40
                    }
                }
            }
            static-arp disable
            use-dnsmasq disable
        }
        dns {
            forwarding {
                cache-size 300
                listen-on switch0
            }
        }
        gui {
            http-port 80
            https-port 443
            older-ciphers disable
        }
        nat {
            rule 5000 {
                description "masquerade for WAN"
                outbound-interface eth0
                type masquerade
            }
            rule 5002 {
                description "masquerade for WAN 2"
                outbound-interface eth1
                type masquerade
            }
        }
        ssh {
            port 22
            protocol-version v2
        }
        ubnt-discover {
            disable
        }
        unms {
            disable
        }
    }
    system {
        analytics-handler {
            send-analytics-report true
        }
        conntrack {
            expect-table-size 4096
            hash-size 4096
            table-size 32768
            tcp {
                half-open-connections 512
                loose enable
                max-retrans 3
            }
        }
        crash-handler {
            send-crash-report true
        }
        host-name EdgeRouter-X5
        login {
            user *** {
                authentication {
                    encrypted-password ***
                    plaintext-password ""
                }
                level admin
            }
        }
        ntp {
            server 0.ubnt.pool.ntp.org {
            }
            server 1.ubnt.pool.ntp.org {
            }
            server 2.ubnt.pool.ntp.org {
            }
            server 3.ubnt.pool.ntp.org {
            }
        }
        offload {
            hwnat enable
            ipsec enable
        }
        syslog {
            global {
                facility all {
                    level notice
                }
                facility protocols {
                    level debug
                }
            }
        }
        time-zone America/New_York
        traffic-analysis {
            dpi enable
            export enable
        }
    }
    traffic-control {
        smart-queue 5G {
            upload {
                ecn enable
                flows 1024
                fq-quantum 1514
                limit 10240
                rate 20mbit
            }
            wan-interface eth1
        }
        smart-queue Cable {
            upload {
                ecn enable
                flows 1024
                fq-quantum 1514
                limit 10240
                rate 30mbit
            }
            wan-interface eth0
        }
    }

    /* Warning: Do not remove the following line. */
    /* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:suspend@1:system@5:ubnt-l2tp@1:ubnt-pptp@1:ubnt-udapi-server@1:ubnt-unms@2:ubnt-util@1:vrrp@1:vyatta-netflow@1:webgui@1:webproxy@1:zone-policy@1" === */
    /* Release version: v2.0.9-hotfix.4.5521907.220630.0657 */

Thanks for reading.
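The dump above is in the EdgeOS (Vyatta-style) brace format, so the questions in this post can be checked mechanically rather than by eye. The following is an added example, not from the thread or from Ubiquiti: a small parser for that format and a lint that cross-checks the load-balance group against the `service nat` rules and the per-interface firewall assignments, which is exactly what changes if rule 5000 is removed or turned into a fixed-address SNAT. `parse_edgeos`, `lint_wan` and `SAMPLE` are my names; `SAMPLE` is a constructed, trimmed stand-in for the posted config (same structure, no description lines), and `eth1` is deliberately left without `firewall in`/`local` so that the lint has something to report (the posted config does assign WAN_IN/WAN_LOCAL to both WANs).

```python
import re
import shlex

def parse_edgeos(text):
    """Block headers ("rule 5000 {") become keys, leaves strings, repeated leaves lists, bare flags True."""
    stack = [{}]                                    # stack[-1] is the block being filled
    for raw in text.splitlines():
        line = raw.split("/*", 1)[0].strip()        # the /* ... */ footer lines are not config
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        else:
            parts = shlex.split(line)               # keeps "quoted values" whole
            value = " ".join(parts[1:]) if len(parts) > 1 else True
            old = stack[-1].get(parts[0])
            stack[-1][parts[0]] = value if old is None else (old if isinstance(old, list) else [old]) + [value]
    return stack[0]

def lint_wan(cfg):
    """Every WAN in the load-balance group can carry traffic after a failover: each needs its own source NAT rule and default-drop rulesets on 'in' (forwarded) and 'local' (the router itself)."""
    nat = {}
    for key, rule in cfg.get("service", {}).get("nat", {}).items():
        if key.startswith("rule "):
            nat.setdefault(rule.get("outbound-interface"), []).append((key, rule))
    findings = []
    for group in cfg.get("load-balance", {}).values():
        for key in (k for k in group if k.startswith("interface ")):
            iface = key.split()[1]
            eth = cfg.get("interfaces", {}).get(f"ethernet {iface}", {})
            if iface not in nat:
                findings.append(f"{iface}: no source NAT rule; LAN sources leave untranslated")
            for rid, rule in nat.get(iface, []):
                if rule.get("type") == "source" and eth.get("address") == "dhcp":
                    findings.append(f"{iface}: {rid} is fixed-address SNAT on a DHCP WAN")
            for direction in ("in", "local"):
                name = eth.get("firewall", {}).get(direction, {}).get("name")
                if cfg.get("firewall", {}).get(f"name {name}", {}).get("default-action") != "drop":
                    findings.append(f"{iface}: firewall {direction} lacks a default-drop ruleset")
    return findings

SAMPLE = """\
firewall {
 name WAN_IN {
  default-action drop
 }
 name WAN_LOCAL {
  default-action drop
 }
}
interfaces {
 ethernet eth0 {
  address dhcp
  firewall {
   in {
    name WAN_IN
   }
   local {
    name WAN_LOCAL
   }
  }
 }
 ethernet eth1 {
 }
}
load-balance {
 group G {
  interface eth0 {
  }
  interface eth1 {
   failover-only
  }
 }
}
service {
 nat {
  rule 5000 {
   outbound-interface eth0
   type masquerade
  }
  rule 5002 {
   outbound-interface eth1
   type masquerade
  }
 }
}
/* === vyatta-config-version: "firewall@5:nat@3" === */
"""

# The two changes this thread considers: drop the eth0 masquerade, or make it a fixed-address SNAT.
WITHOUT_RULE_5000 = re.sub(r"rule 5000 \{[^}]*\}\n", "", SAMPLE)
STATIC_SNAT_ON_DHCP = SAMPLE.replace("outbound-interface eth0\n   type masquerade",
                                     "outbound-interface eth0\n   type source")

if __name__ == "__main__":
    for text in (SAMPLE, WITHOUT_RULE_5000, STATIC_SNAT_ON_DHCP):
        print(lint_wan(parse_edgeos(text)))
```

Paste the full dump (one statement per line, as `show configuration` prints it) into `parse_edgeos` and the same checks run against the real config. The `local` check matters here because the posted config has the GUI on 80/443 and SSH on 22; WAN_LOCAL with `default-action drop` is what keeps those off both uplinks, and a WAN added later without that assignment is exposed even if NAT is set up correctly.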

shizzle54
Member
210
01-26-2022, 06:31 AM
#2
Configure the Gryphon router to function solely as a switch and access point.

WildFlow
Member
187
02-02-2022, 08:30 PM
#3
SNAT is required but masking/overload isn't necessary. The main concern will be latency. Unless the connection tracking affects it, it shouldn't matter much. If you skip the WAN port, the device appears disabled—it's essentially a switch with an AP and unused routing rules. Your masquerade/overload should run on the Ubiquiti router, and the gateway offering DHCP leases must point to the real gateway (LAN IP of ER-X). It depends on whether both need routing; mismatched networks could cause issues. If the 5G modem needs routing, it must use NAT, but a static SNAT rule works if everything routes through ER-X on one IP. The bridge mode modem isn't needed in this configuration.

Nashiko57
Senior Member
485
02-02-2022, 08:36 PM
#4
I might have handled it differently if possible, but there’s no setting that disables the router features. Gryphon is aimed at users without technical expertise, offering much less configuration than complex routers like ASUS Wi-Fi models. During failover setup, the ER-X config wizard automatically set up SNAT masquerade for each WAN. Reviewing EdgeRouter documentation, it wasn’t obvious whether a SNAT "masquerade" or a source-type SNAT produced different results—especially since both used only one physical port. Could using a source SNAT with this setup reduce translations or latency compared to masquerade? The outbound interface would point to the ISP port, use the source protocol, and route outside addresses to the Gryphon subnet. I’m thinking about testing that approach to bypass Gryphon’s NAT.

SXLkiannB
Junior Member
19
02-02-2022, 10:53 PM
#5
ER-X SNAT provides two translation options: "Use Masquerade" and "Specify address and/or port". I need to remember the latter since it doesn't let me define the subnet for any ISP, which causes this error: "Translation subnet isn't on a network boundary". It's pointless to set a single IP per ISP when an ISP could assign new IPs from their subnets anytime. That means I'm stuck with the Masquerade translation type.

Maj_Yolo
Member
66
02-16-2022, 07:59 AM
#6
As discussed earlier, it might not matter much. The main change would occur when you disguise or overload the connection—then the router automatically generates DNAT/SNAT entries and keeps track of their destinations. For instance, in a typical setup your device sends an HTTP request to google.com from IP 10.0.0.2:port, which goes through your router’s LAN port and is then routed via its WAN port using the SNAT rule. This happens when the request reaches the correct device. When it comes back, the DNAT rule intervenes, checking the incoming address in its “masking list” and redirecting the response to your device. This process must be flexible because if your computer sends a request at the same time, we don’t want packets sent to the wrong endpoint. With a single set of DNAT/SNAT rules, you can handle many dynamic configurations without constantly searching for the right rule. In your scenario, the ER-X device doesn’t send packets to the wrong machine—it always forwards them to the correct router handling the LAN address. So with just a few well-placed rules, you could avoid extra delays. However, this relies heavily on how the routing software displays and manages those rules (I’d trust Ubiquiti to handle it correctly, especially for the ER-X). If the UI made it hard to enter or remember the SNAT rule, I’d likely ignore it and keep masking, or explore its DMZ features. The same logic applies to the 5G modem, which always sends packets to the same LAN address, so latency stays minimal once the routing is set up properly.
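The masquerade/conntrack walk-through in this reply, and the original question of whether the ER-X can stop translating for one or both uplinks, can be checked with a small model. What follows is an added example, not code from the thread or from Ubiquiti: each router masquerades (or not) on its uplink, remembers the translation, and on the way back undoes it and then needs a non-default route to the restored destination. 192.168.100.38 is the Gryphon's WAN address from the posted config; 192.168.50.0/24 for the 5G modem's LAN, 203.0.113.x for the uplink addresses and 198.51.100.80 as the internet host are constructed. The model assumes the 5G modem masquerades whatever source it forwards and knows only its own LAN plus a default route unless given a static route, and it tracks one flow keyed on (translated source, destination) with no ports, which is enough to answer "does the reply get home" and nothing finer.

```python
import ipaddress
from dataclasses import dataclass, field

RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)

@dataclass
class Router:
    name: str
    lan: str                 # prefix on the LAN side
    wan_ip: str              # address on the uplink
    nat: bool                # masquerade on the uplink, as ER-X rules 5000/5002 do
    routes: list = field(default_factory=list)     # extra prefixes reachable via the LAN side
    conntrack: dict = field(default_factory=dict)  # (translated src, dst) -> original src

    def outbound(self, src, dst):
        """LAN -> uplink: masquerade rewrites the source and remembers the original."""
        if self.nat:
            self.conntrack[(self.wan_ip, dst)] = src
            return self.wan_ip, dst
        return src, dst

    def inbound(self, src, dst):
        """Uplink -> LAN: undo a remembered translation, then require a non-default route to the
        (restored) destination. None means the reply would go back out the uplink and be lost."""
        dst = self.conntrack.get((dst, src), dst)
        target = ipaddress.ip_address(dst)
        if any(target in ipaddress.ip_network(p) for p in [self.lan, *self.routes]):
            return src, dst
        return None

def trace(chain, src, dst):
    """Send one flow out through `chain` (LAN-most router first) and bring the reply back.
    Returns (hop log, True if the reply reaches the original source)."""
    log, s, d = [], src, dst
    for r in chain:
        s, d = r.outbound(s, d)
        log.append((r.name, "out", s, d))
    if is_rfc1918(s):                       # the ISP has no return route for a private source
        log.append(("ISP", "drop", s, d))
        return log, False
    s, d = d, s                             # the reply, addressed to whatever left last
    for r in reversed(chain):
        hop = r.inbound(s, d)
        if hop is None:
            log.append((r.name, "blackhole", s, d))
            return log, False
        s, d = hop
        log.append((r.name, "in", s, d))
    return log, d == src

def scenario(erx_nat, via_5g, modem_route_back=False):
    """Gryphon behind the ER-X. The cable modem is a bridge (no hop); the 5G modem is its own NAT
    router. 192.168.100.38 is the Gryphon WAN address from the posted config; the rest is made up."""
    gryphon = Router("Gryphon", "192.168.1.0/24", "192.168.100.38", nat=True)
    if via_5g:
        erx = Router("ER-X eth1", "192.168.100.0/24", "192.168.50.2", nat=erx_nat)
        modem = Router("5G modem", "192.168.50.0/24", "203.0.113.200", nat=True,
                       routes=["192.168.100.0/24"] if modem_route_back else [])
        return trace([gryphon, erx, modem], "192.168.1.120", "198.51.100.80")
    erx = Router("ER-X eth0", "192.168.100.0/24", "203.0.113.10", nat=erx_nat)
    return trace([gryphon, erx], "192.168.1.120", "198.51.100.80")

if __name__ == "__main__":
    for args in [(True, False, False), (False, False, False), (True, True, False),
                 (False, True, False), (False, True, True)]:
        log, ok = scenario(*args)
        print("erx_nat=%s via_5g=%s route_back=%s: %s %s" % (*args, "OK" if ok else "FAIL", log[-1]))
```

The five runs give the answer to the original post's two questions. On the cable path, removing the ER-X masquerade (rule 5000) sends packets to the ISP with source 192.168.100.38, because the Gryphon has already translated once and the ISP has no route back to RFC1918 space: the flow fails at the first hop outside the house. On the 5G path the outbound half works without the ER-X translating, since the 5G modem masquerades 192.168.100.38 like any other source, but the reply dies inside the 5G modem: after it undoes its own translation the destination is 192.168.100.38, which is not on its LAN, so the packet follows the default route back out the cellular side. It only works once the 5G modem carries a static route for 192.168.100.0/24 via the ER-X's eth1 address, which is the setting carrier-supplied modems typically do not expose. Either way the Gryphon's own NAT stays, so the double translation the post is trying to get rid of is not the ER-X's.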

FlamingSteak
Junior Member
10
02-17-2022, 04:18 PM
#7
When linking two devices in a setup where no other devices will ever be added, I rely on /30 network addresses. For your case, assign 192.168.AAA.0 as the network, 192.168.AAA.1 for the modem, 192.168.AAA.2 for ER-X, and 192.168.AAA.3 as the broadcast. If you need to reach the opposite end of a /24 range, 192.168.AAA.252 becomes the network, 192.168.AAA.253 the modem, 192.168.AAA.254 the ER-X, and 192.168.AAA.255 the broadcast.

StaTICGamERXD
Member
51
02-17-2022, 11:27 PM
#8