Double/Triple NAT setup with Google Wifi

I know what you are thinking, “A triple NAT setup? What are you thinking!?” and I feel the same way, but some things are out of my control. I am working on a Home Assistant setup in my parent’s house, so some things can’t change. I need your help!

I am going to try to explain the network setup, but it’s much easier to visualize it with the diagram I linked below. You can skip the next paragraph if you understand the image below it.

There are two buildings on my parents' property. One is the shop, where the wired internet comes in from my ISP. There is a router in the shop, to which a directional Wi-Fi antenna is connected that links to another directional Wi-Fi antenna about 100 yards away. They are in bridge mode, so they essentially behave as a very long ethernet cable with much higher latency. The house, where the connection comes into the basement, is where most of the internet connectivity occurs. The basement is home to a server running Proxmox which hosts (among other things) hassos and an old mini-PC running a pfSense router. A Google Wi-Fi router is connected by cable to the pfSense box and serves the main Wi-Fi for the whole house (which includes both the IoT devices that Home Assistant needs to see and phones, laptops, etc.).

If I had it my way, I would throw out the stupid Google Wi-Fi crap and replace it with a powerful access point, but my parents want to keep those devices. Unfortunately, as far as I know, when the Google Wi-Fi devices are in mesh mode (which they have to be because my parents want the Wi-Fi coverage in certain dead zones around the house), they also HAVE to act as a router. This is very annoying because this makes my home internet setup a triple NAT situation (I am learning this is why you don’t mix professional and consumer gear…).

The problem I am having is that all of the IoT devices sitting behind the Google Wi-Fi cannot be seen by the Home Assistant box, which is sitting on the other side of the NAT. This makes sense given what a router is supposed to do, but it makes things very difficult for me.

It is possible to remove the pfSense box altogether and make the Google Wi-Fi router act as the main router for the whole house, but that would require re-wiring some things between the basement and the first floor, and I want to see if there is a better solution before going through with that.

Some other solutions I have thought of include the following…

  1. Port forward every service on the Google Wi-Fi console (not preferred but I’m willing to do it if possible). The main problem I have here is that I have no idea which ports many devices use and that would probably make adding new devices very annoying. I also don’t know if this will even work with certain devices (I’m using a lot of MQTT things, so maybe it’s worth a shot trying just those first). If anybody has tried this before I would love to know how it turned out.

  2. Create ANOTHER subnet with a new router and access point and only put the Home Assistant server and all the IoT devices on it. I would still have to port forward to get access to the web interface, but it wouldn't be as bad in that category. It's also not a very preferred solution simply because that's more hardware and I would have to move every existing smart home device over to the new network (which would probably take days).

Those solutions are the only things I could think of for the current network setup. Please let me know if you have any other ones. I’m fairly technically inclined, so don’t feel shy to get very technical!

The simple solution would be to run another ethernet cable from the upper house to the basement. Then disconnect the dumb switch in the basement from the pfSense router and use the new cable to connect it to the Google WiFi router… This way all endpoint devices will be on the Google WiFi subnet.

To sort out your triple NAT you could run pfSense in bridge mode and then look at the shop router and see if you can place the IP of the pfSense box in a DMZ.

Make sense ?

Hello thank you for replying so quickly!
Running the cable is probably the best solution, but I'm a bit confused about why the pfSense would be needed at all then. If I did run a new cable I could probably eliminate the pfSense box altogether.

I’m not too familiar with a DMZ so I looked up the concept and it seems like something that wouldn’t work too well simply because the Home Assistant server needs to primarily communicate with many devices on the “safe” LAN side way too often. If it was only a few devices I could make a few firewall rules and call it good but that doesn’t seem like a good solution because I have so many different smart home devices on my network.

Man I can’t wait to have my own place with my own network :stuck_out_tongue:

Here’s my new setup. What do you think?

Yes, the setup you describe here is fine and, as you say, you don't really need the pfSense machine (I thought you might have had this in the loop for something specific).

You still, however, have a double NAT. The firewall in the Google router is not doing anything because it's behind the firewall in the shop router. So, for example, if you want to port forward traffic to your Home Assistant you would have to set up a port forward rule in the Google router AND the shop router. To fix this you can place the Google router in the DMZ of the shop router (bypassing the shop router's firewall). This way you still technically have a double NAT; however, you can control the traffic flow in your home network using the Google router alone. (i.e. the WAN port of your Google router is on the DMZ LAN port of the shop router, so any traffic that the shop router does not recognise/have a rule/NAT translation for will be forwarded unfiltered to your Google router in the DMZ. This allows the firewall in the Google router to fully control your traffic.)

Make sense ?
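The replies above reason about how many NAT layers sit between a LAN host and the internet, and which routers therefore need a port-forward rule. The script below is an added example, not code from this thread or from pfSense/Google Wifi, that reads `traceroute -n` output and counts those layers. It rests on a stated assumption: every hop with an RFC 1918 address before the first public hop is a router doing NAT (a bridge, such as pfSense in bridge mode or the point-to-point Wi-Fi link, does not show up as a hop and so is not counted), and a hop in the RFC 6598 carrier-grade NAT range 100.64.0.0/10 means the ISP itself is NATing, in which case no DMZ or port-forward on the home side can make inbound traffic work. The traceroute text and all addresses are constructed placeholders mirroring the thread's Google Wifi, pfSense and shop router chain.

```python
"""Count NAT layers between a LAN host and the internet from traceroute output.

Added example for the thread above; not from the original posts.  Heuristic
(an assumption, not a guarantee): each RFC 1918 hop before the first public
hop is one NAT router; a 100.64.0.0/10 hop means carrier-grade NAT at the ISP.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# RFC 1918 private space: each such hop is taken to be one of your own NAT routers.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# RFC 6598 shared address space: a hop here means the ISP is doing CGNAT.
CGNAT_RANGE = ipaddress.ip_network("100.64.0.0/10")

# Constructed sample of `traceroute -n 8.8.8.8` from a laptop on the Google Wifi
# LAN in the original setup: Google Wifi -> pfSense -> shop router -> ISP.
# Addresses are placeholders, not from the thread.
SAMPLE_TRACEROUTE = """\
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  192.168.86.1  1.2 ms  1.1 ms  1.0 ms
 2  192.168.1.1  3.4 ms  3.2 ms  3.1 ms
 3  10.0.0.1  45.1 ms  44.8 ms  45.0 ms
 4  100.64.12.1  52.3 ms  51.9 ms  52.0 ms
 5  203.0.113.9  55.0 ms  54.7 ms  54.9 ms
 6  8.8.8.8  60.1 ms  59.8 ms  60.0 ms
"""

# A hop line starts with the hop number, then the responding address (or '*').
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)")


def parse_hops(traceroute_text: str) -> List[Optional[str]]:
    """Return hop addresses in order; unanswered hops ('*') become None.
    The header line does not start with a hop number and is skipped."""
    hops: List[Optional[str]] = []
    for line in traceroute_text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        addr = m.group(2)
        hops.append(None if addr == "*" else addr)
    return hops


def classify(addr: str) -> str:
    """'private' (RFC 1918), 'cgnat' (RFC 6598) or 'public' for one address."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in PRIVATE_RANGES):
        return "private"
    if ip in CGNAT_RANGE:
        return "cgnat"
    return "public"


@dataclass
class NatReport:
    # LAN-side addresses of the routers assumed to be NATing, innermost first.
    nat_routers: List[str] = field(default_factory=list)
    cgnat: bool = False
    first_public_hop: Optional[str] = None

    @property
    def layers(self) -> int:
        return len(self.nat_routers)


def analyse(traceroute_text: str) -> NatReport:
    """Walk the hops outward and stop at the first public address."""
    report = NatReport()
    for addr in parse_hops(traceroute_text):
        if addr is None:
            continue  # timed-out hop: a router that hides itself is not counted
        kind = classify(addr)
        if kind == "private":
            report.nat_routers.append(addr)
        elif kind == "cgnat":
            report.cgnat = True
        else:
            report.first_public_hop = addr
            break
    return report


def describe(report: NatReport, service_port: int) -> str:
    """Plain-text summary of what a port forward for service_port would need."""
    lines = [f"{report.layers} NAT layer(s) detected: {', '.join(report.nat_routers) or 'none'}"]
    if report.layers > 1:
        lines.append(f"A forward for port {service_port} is needed on every one of them "
                     "(or put each inner router in the outer router's DMZ).")
    if report.cgnat:
        lines.append("ISP carrier-grade NAT seen: inbound forwards and DMZ will not help; "
                     "use an outbound tunnel or ask the ISP for a public address.")
    if report.first_public_hop is None:
        lines.append("No public hop reached; the count may be incomplete.")
    return "\n".join(lines)


if __name__ == "__main__":
    print(describe(analyse(SAMPLE_TRACEROUTE), service_port=8123))
```

Run it against real `traceroute -n` output piped into `analyse()` from each segment of the network (a laptop on the Google Wifi LAN, a host on the pfSense LAN, a host in the shop) to see how many layers each one sits behind; a hop count that drops by one after pfSense is switched to bridge mode confirms the bridge took effect.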