Two networks: smart speakers should go on which network?

You’re waaay over thinking this. No it’s not fooling anyone. You’re just burning a pi.

(gross oversimplification incoming) When TCP packets go inbound through a router, all of the packets need to be rewritten depending on where they need to go. We’re assuming there is a valid internal client that has registered its use of an inbound port. If the router sees something come in that is destined for internal, it has to determine where, rewrite the packet to flow properly on the internal network and then rebroadcast. This is called network address translation (NAT) or NATting.

Good routers do this well. But imagine if this happens again and again as packets traverse routers. (double or triple NAT) Sometimes internal routers don’t properly do the rewrite or sometimes they don’t properly reach out and register upstream. Some can’t…

In most workloads it’s not an issue. But high bandwidth high speed links that are time sensitive or require a lot of dynamically assigned ports like gaming or VoIP are particularly sensitive to this and why the Xbox (and I believe PlayStation) have tools onboard to try to handle this. When it DOES cause issues, the problem is it doesn’t necessarily act consistently which is ridiculously hard to troubleshoot.

Like I said. It’s more than just slamming one router in front of another and calling it DONE. Unless you have a specific reason it’s usually not worth the trouble.

2 Likes

Won’t fool anything. Almost all hacks attack everything they can get to, and some spread over time. The honeypot concept doesn’t apply.

1 Like

Just to blow your concept a bit and add more FBI advice.

Otherwise I don’t understand why the FBI would work against the CIA by giving this advice. :grin:

1 Like

I assume “double NAT issues” refers to cascaded routers and all the “joy” that comes with manual port forwarding and firewall voodoo. Yes?

Most modem/routers these days come with guest networks built in. If someone is dead set on segregating their IoT network, wouldn’t simply repurposing the guest network avoid cascaded router issues?

3 Likes

It would avoid that particular issue, yes. Unless you then cascade a router behind the guest network. You also have to ensure that the guest network on this network is actually isolated from the inside (some devices don’t do this properly) and you need to ensure that you don’t overrun the limits of the device. (available dhcp leases, total bandwidth capabilities, etc.)

No mention of a VPN here, I would have thought they were quite ubiquitous and rather necessary? A good solution would be a primary modem router connected to the ISP, with smart plugs to remotely control a secondary router with a VPN, the ST hub, and everything else connected to that secondary router?

Just wanted to note that I just went through this process, isolating my ST/IoT devices from the rest of my network. Fun project, and went well.

Details here…

3 Likes

I only really use VPN on mobile devices when connecting to public Wi-Fi.

Here’s what I ended up doing. The media devices and smart speakers needed to go on the main “inner” network so that the tablets, phones, etc. could Chromecast to them. Not crazy about that arrangement, but it’ll do for now.

Earlier criticisms aside, given some of the recent hullaballoo regarding security issues with wireless cameras, I’m glad I did this.

Oddly enough, the biggest problem seems to be the QoS on the “inner” router gets confused by the access point of all things. I’m thinking of getting rid of that old secondary (tertiary?) router entirely and replacing it with a hub just to see how that goes.

Originally, the wifi was turned off on the cable modem, and everything was under the “inner” router. All I really did was turn on the wifi on the cable modem, and move various devices over to the cable modem/router.

Note: using the “guest” network for IoT stuff is probably an easier solution for most people, but for me, I already had more than the usual number of routers, so all I really had to do was turn the WiFi back on on one of said routers and move things around a bit.

@Alwas - as w/@Paul_T_Sjordal, I have set up a VPN on my router primarily for remote access from my computer/mobile devices when I’m away from home. Having a VPN allowed me to shut down all other external access points on my router.

I very rarely use public Wi-Fi, as I have unlimited data and rarely have an instance when I can’t get a signal. If I have to connect to it to do something urgent, I connect to my VPN through the public Wi-Fi so that I’m secure.

EDIT 3/24/20:

I have recently updated firewall rules and a couple other settings to enable access to IoT devices originating from my personal VLAN to the IoT VLAN…initiation is one way only (Personal to IoT) and any new/unrelated access initiated from IoT to any other LAN is blocked. Also enabled mDNS on the router so I can also cast from my Personal VLAN to my IoT VLAN. Best of both worlds.

1 Like
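The one-way policy described in the post above (Personal may open connections to IoT, IoT may only answer, never initiate) is what a stateful forwarding ruleset looks like on a Linux-based router. The script below is an added example, not the poster's configuration or any vendor's; the VLAN sub-interface names, the `IPT` override and the `rule_count` helper are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): one-way inter-VLAN forwarding policy
# on a Linux router using iptables connection tracking.
# Assumptions: VLAN 10 = Personal on eth0.10, VLAN 20 = IoT on eth0.20.
IPT="${IPT:-iptables}"                   # set IPT=echo to preview instead of apply
PERSONAL_IF="${PERSONAL_IF:-eth0.10}"    # assumed Personal VLAN sub-interface
IOT_IF="${IOT_IF:-eth0.20}"              # assumed IoT VLAN sub-interface

apply_iot_rules() {
    # Packets belonging to an already-tracked connection may flow either way,
    # so a Personal device gets its replies from an IoT device.
    "$IPT" -A FORWARD -i "$IOT_IF" -o "$PERSONAL_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT || return 1
    "$IPT" -A FORWARD -i "$PERSONAL_IF" -o "$IOT_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT || return 1
    # New connections are permitted only when initiated from Personal.
    "$IPT" -A FORWARD -i "$PERSONAL_IF" -o "$IOT_IF" \
        -m conntrack --ctstate NEW -j ACCEPT || return 1
    # Anything new that an IoT device tries to open toward Personal is logged
    # (so you can see which device is probing) and then dropped.
    "$IPT" -A FORWARD -i "$IOT_IF" -o "$PERSONAL_IF" \
        -m conntrack --ctstate NEW -j LOG --log-prefix "IOT-BLOCK: " || return 1
    "$IPT" -A FORWARD -i "$IOT_IF" -o "$PERSONAL_IF" -j DROP || return 1
}

# Helper (assumed, for checking): number of rules the policy would install,
# computed from a dry run so nothing touches the live firewall.
rule_count() {
    ( IPT=echo; apply_iot_rules ) | wc -l | tr -d ' '
}

# Apply only when explicitly asked (requires root); otherwise just define functions.
if [ "${1:-}" = "--apply" ]; then
    apply_iot_rules
fi
```

Run `sh iot-rules.sh --apply` as root to install the rules, or `IPT=echo sh -c '. ./iot-rules.sh; apply_iot_rules'` to print them first. Two caveats: these rules use `-A`, so they land after any broader ACCEPT already in FORWARD and you should check `iptables -S FORWARD` ordering; and the mDNS/casting part the post mentions is not a forwarding rule at all, since mDNS is link-local multicast, so it needs a reflector on the router (for example avahi-daemon with `enable-reflector=yes` in avahi-daemon.conf) that rebroadcasts service announcements between the two VLANs while the firewall above still blocks IoT-initiated unicast connections.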