I love the 3 dumb routers idea


G+_Avi Bar Ilan

Yes. Your edge router will forward to the WAN IP of your internal router. Then port forward on your internal router to the computer actually running the service.

I do this currently with Plex. ISP router forwards to my router which forwards to my server.

Shawn Ashe the NAS should probably be on your trusted network because a) you don't want it to get owned; b) you want access from your other trusted devices.

But that's where this sorta falls apart. You want your insecure cameras to record to your secure NAS and you want your secure NAS to serve videos to your insecure TV box... Ideally your NAS has 2 ethernet ports and you can connect it to both and hopefully the firmware is good enough that it won't be hacked by insecure devices.

Shawn Ashe that's a very good question, it's beyond my scope. I get the theory of 3 dumb routers from a security standpoint, "isolation of devices that may attempt to scan and control your network from the inside using ARP and other networking commands", but my guess would be the secure side, as that's where you're going to load your content to serve to the TV.

Now for me, I would buy a cheap USB HDD in a box, you can pick them up for under $100.00, and just load it up from your PC, then plug it into the USB port on your IOT router. But your setup may not be like mine and I'm not so good as a network guy. Conceptually I am, I actually get how it's doing what it does, but the nuts and bolts of actually setting it up to work is a different story for me.

I'm a hardware guy since 1987 so my tactics are more physical access oriented.

Give me a Cisco switch with an unknown password and I can change that password out with a known password, but I cannot find out what that old password was. "Go Air console!!!" https://www.get-console.com/shop/en/27-airconsole

I was ready to go full steam ahead with a three dumb router setup (my current main router is a Netgear R7000, but I have two older Apple Airport Extremes in the cupboard).

But then a guy at work was telling me I'll have all kinds of "double NAT" issues. Any comments from the gallery?

Billy Bovill here's my 2¢

Double NAT is one of those things that just makes you go, "oh, yuck!" NAT has a small amount of overhead to associate outbound ports with internal IPs, but most routers handle this ok now.

Some issues you may (probably won't) see:

2 routers = extra buffer bloat

Double NAT means 2 NAT lookup tables

Port forwarding has to be done on both routers

Gaming systems will most likely show "closed NAT" and require explicit port forwarding (or port triggering maybe)

I use VoIP almost daily with little to no issues added from the extra "buffer bloat"

I see no slowdown from double NAT - just from my 2nd router limiting WAN to 100Mbps (old router)

Port forwarding isn't too difficult to do on one more router since I don't change that very often. All the services still work fine.

I don't have an Xbox or Playstation, so can't give any experience on that.

Billy Bovill I think as long as you follow the numbering system for your LAN-side IP addressing or something similar, all of those potential issues resolve themselves.

As I've said before, I'm not a sys admin guy, but since the two child routers have segregation by IP address ranges in the third octet, the path the data flows is directly defined from origin to source and back.

I cannot fathom a problem.
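
The two-hop forwarding chain and the per-router address ranges discussed in this thread, as an added example that is not from any poster: a Python check that confirms the LAN ranges do not overlap and traces each forwarded port through both NAT layers to the host it finally exposes. All addresses, ports and names are constructed sample values.

```python
import ipaddress

# Constructed sample plan; forwards map (protocol, port) -> (target IP, target port).
EDGE = {
    "lan": ipaddress.ip_network("192.168.1.0/24"),
    "forwards": {("tcp", 32400): ("192.168.1.2", 32400)},
}
INTERNAL = {
    "wan_ip": ipaddress.ip_address("192.168.1.2"),  # its address on the edge LAN
    "lan": ipaddress.ip_network("192.168.3.0/24"),
    "forwards": {("tcp", 32400): ("192.168.3.10", 32400)},
}

def check_plan(edge, internal):
    """Return a list of addressing problems; an empty list means the plan is sane."""
    problems = []
    if edge["lan"].overlaps(internal["lan"]):
        problems.append("edge and internal LAN ranges overlap")
    if internal["wan_ip"] not in edge["lan"]:
        problems.append("internal router WAN IP is not on the edge LAN")
    return problems

def trace_forward(edge, internal, proto, port):
    """Follow one inbound port through both NAT layers to the final host."""
    hop1 = edge["forwards"].get((proto, port))
    if hop1 is None:
        raise ValueError(f"edge router has no forward for {proto}/{port}")
    if ipaddress.ip_address(hop1[0]) != internal["wan_ip"]:
        raise ValueError(f"edge forwards {proto}/{port} to {hop1[0]}, not the internal router")
    hop2 = internal["forwards"].get((proto, hop1[1]))
    if hop2 is None:
        raise ValueError(f"internal router has no forward for {proto}/{hop1[1]}")
    if ipaddress.ip_address(hop2[0]) not in internal["lan"]:
        raise ValueError(f"internal forward target {hop2[0]} is outside its LAN")
    return hop2

def exposed_services(edge, internal):
    """Map each edge forward that works end to end to the host it exposes."""
    exposed = {}
    for proto, port in edge["forwards"]:
        try:
            exposed[(proto, port)] = trace_forward(edge, internal, proto, port)
        except ValueError:
            continue  # chain breaks at some hop, so this forward reaches no host
    return exposed

if __name__ == "__main__":
    print(check_plan(EDGE, INTERNAL) or "addressing OK")
    print(exposed_services(EDGE, INTERNAL))
```

The output of `exposed_services` doubles as an inventory of which trusted-side hosts are reachable from the internet, which is worth reviewing whenever a forward is added on either router.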
