Two Route10 devices, double NAT

I have two Route10 devices.

Route10 device #1 is configured between my ISP and my network, including multiple vlans. Those multiple vlans segregate my core network traffic. The WAN 10gb port goes to my ISP (multigigabit FTTH), LAN 10gb port goes to my switch (multiple 10gb ports) with multiple vlans tagged onto that port. The native vlan is vlan1 and its IP address on vlan1 is 192.168.1, and it has x.x.x.1 IP addresses on all the other vlans.

ISP –> Route10 router #1 –> switch –> [multiple vlans]

All this works fine, no issues, all vlans can access the internet, and I have multiple firewall rules in place to limit what can transit between vlans. I really don’t want to have to “mess” with this configuration - works as designed and very critical that the internet stays active and available.

I want to set up the 2nd Route10 in a lab environment with a lab vlan, and use that Route10 to control what can “escape” the lab and what can’t. I also want to be able to air gap the lab any time I want to when I’m doing testing. My thought is to have the WAN interface on this lab Route10 connect to vlan1 (native vlan on Route10 #1 above) and have the LAN interfaces all be isolated to let’s say “vlan20”.

ISP –> Route10 router #1 –> switch –> Route10 router #2 –> vlan20

If I disable the switch port that goes to the WAN port on this Route10, that will air gap the lab - no other way for anything to “escape” the lab. With appropriate firewall rules in place, I can isolate that lab traffic to only access the internet and nothing else. I don’t want vlan20 defined anywhere outside of the lab switches and the lab Route10. (vlan20 has its own DHCP and DNS servers, so DHCP is disabled on the Route10, and when air gapped, DNS and DHCP still work.) I also intend to use the vlan20 Route10 to test firewall rules, and other configurations. (That’s why it’s a lab environment.)

So, my question is what, if anything, special do I need to do with the configuration on the lab Route10 to allow vlan20 (lab) traffic to access the internet via the main network Route10?

Thank you!

Randy

Is your lab switch isolated from your “Core” switch? If so, you don’t need VLANs, as R10#2 will NAT the traffic on its LAN interface to its WAN IP address, which you should assign statically to better control it with firewall rules on R10#1. If the switches aren’t isolated and you set your VLAN20 switch ports to access ports and Native VLAN to 20, you still don’t need the VLAN on R10#2. At no point do you need VLAN20 on R10#1; it should have no knowledge of or contact with that VLAN or IP subnet.

Cheers,

-Dave

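To make the double-NAT path concrete, here is a small Python model of the topology in this thread (lab vlan20 host, R10#2 NATting to a static vlan1 address, R10#1 NATting to the ISP). It is an added example, not Route10 configuration or vendor code; the subnets, the 192.168.1.250 static WAN address, the 10.20.0.0/24 lab range and the 203.0.113.7 public address are constructed assumptions. It shows three things a practitioner wants to verify before trusting the design: R10#1 only ever sees the lab router's WAN address (never a vlan20 address), so its rules can key on that one static IP; traffic to other core vlans is stopped by R10#1; and traffic from the lab to hosts on vlan1 itself is delivered by the switch on R10#2's directly connected WAN segment without ever being routed through R10#1, so that block has to live on R10#2. It also models the air gap (uplink port down) and confirms vlan20-local DNS/DHCP keep working.

```python
"""Model of the thread's double-NAT path: vlan20 host -> R10#2 -> vlan1 -> R10#1 -> ISP.

Added example for illustration, not Route10 configuration or vendor code.
All addresses below are constructed assumptions, not taken from the thread.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

# --- constructed addressing (assumptions) ------------------------------------
LAB_SUBNET = Net("10.20.0.0/24")           # vlan20, known only to R10#2 and the lab switches
CORE_VLAN1 = Net("192.168.1.0/24")         # R10#1 native vlan; R10#2's WAN port lives here
R10_2_WAN_IP = IPv4("192.168.1.250")       # static, so R10#1 rules can key on it
R10_1_PUBLIC_IP = IPv4("203.0.113.7")      # documentation range standing in for the ISP address
RFC1918 = [Net("10.0.0.0/8"), Net("172.16.0.0/12"), Net("192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    src: IPv4
    dst: IPv4
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: Optional[Net] = None     # None matches any address
    dst: Optional[Net] = None


@dataclass
class Trace:
    verdict: str
    src_seen_by_r10_1: Optional[IPv4] = None   # what R10#1 sees after R10#2's NAT
    hops: list[str] = field(default_factory=list)


def first_match(rules: list[Rule], pkt: Packet, default: str) -> str:
    """First-match policy evaluation, the usual firewall semantics."""
    for r in rules:
        if (r.src is None or pkt.src in r.src) and (r.dst is None or pkt.dst in r.dst):
            return r.action
    return default


# R10#2 LAN->WAN policy: the lab may reach the internet but not hosts on vlan1.
# This is the only place that can stop lab->vlan1 traffic: vlan1 is R10#2's directly
# connected WAN segment, so those packets are switched and never routed by R10#1.
R10_2_RULES = [Rule("deny", dst=CORE_VLAN1)]

# R10#1 forward policy for traffic arriving from the lab router's static WAN address:
# drop anything bound for private space (the other core vlans), allow the rest (internet).
R10_1_RULES = [Rule("deny", src=Net(f"{R10_2_WAN_IP}/32"), dst=n) for n in RFC1918]
R10_1_RULES.append(Rule("allow", src=Net(f"{R10_2_WAN_IP}/32")))


def trace(pkt: Packet, uplink_up: bool = True, r10_2_rules: Optional[list[Rule]] = None) -> Trace:
    """Walk a packet sent by a vlan20 host through both routers and report its fate."""
    if r10_2_rules is None:
        r10_2_rules = R10_2_RULES
    t = Trace(verdict="")
    if pkt.dst in LAB_SUBNET:                       # vlan20 DNS/DHCP/NTP stay inside the lab
        t.hops.append("vlan20: switched locally, R10#2 WAN never involved")
        t.verdict = "DELIVERED_LOCAL"
        return t
    if not uplink_up:                               # switch port to R10#2 WAN disabled
        t.hops.append("R10#2: WAN link down (air gap)")
        t.verdict = "DROP_AIRGAP"
        return t
    if first_match(r10_2_rules, pkt, default="allow") == "deny":
        t.hops.append(f"R10#2: LAN->WAN policy denies {pkt.src} -> {pkt.dst}")
        t.verdict = "DENY_R10_2"
        return t
    natted = Packet(R10_2_WAN_IP, pkt.dst, pkt.dport)
    t.hops.append(f"R10#2: SNAT {pkt.src} -> {natted.src}")
    if natted.dst in CORE_VLAN1:
        t.hops.append("vlan1: destination is on R10#2's own WAN segment, delivered by the switch")
        t.verdict = "DELIVERED_VLAN1_DIRECT"
        return t
    t.src_seen_by_r10_1 = natted.src                # never a 10.20.0.x address
    if first_match(R10_1_RULES, natted, default="deny") == "deny":
        t.hops.append(f"R10#1: policy denies {natted.src} -> {natted.dst}")
        t.verdict = "DENY_R10_1"
        return t
    t.hops.append(f"R10#1: SNAT {natted.src} -> {R10_1_PUBLIC_IP}")
    t.verdict = "DELIVERED_INTERNET"
    return t


if __name__ == "__main__":
    lab_host = IPv4("10.20.0.50")
    cases = {
        "lab DNS server": Packet(lab_host, IPv4("10.20.0.2"), 53),
        "public resolver": Packet(lab_host, IPv4("1.1.1.1"), 53),
        "core vlan10 host": Packet(lab_host, IPv4("192.168.10.5"), 22),
        "vlan1 host": Packet(lab_host, IPv4("192.168.1.20"), 445),
    }
    for name, pkt in cases.items():
        result = trace(pkt)
        print(f"{name}: {result.verdict} | " + " ; ".join(result.hops))
    print("air-gapped, public resolver:", trace(cases["public resolver"], uplink_up=False).verdict)
    print("air-gapped, lab DNS server:", trace(cases["lab DNS server"], uplink_up=False).verdict)
```

Running the block with `r10_2_rules=[]` for the vlan1-host case shows the verdict flip to `DELIVERED_VLAN1_DIRECT`: with no LAN-to-WAN rule on the lab router, a vlan20 host can reach anything on vlan1 regardless of what R10#1 permits, because R10#1 is never in that path. That is the check worth doing on the real gear (e.g. a port scan from a lab host against a vlan1 address) after the rules are in place.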

Hi Dave,

Thanks for the reply. I made the configuration changes this morning, and as far as I can tell (with somewhat limited testing) it is working as designed. I did have to add a couple of additional firewall rules to limit cross-vlan communication, but those all appear to be working at this time.

The core switch is not isolated because of needing to access some common services (DNS, DHCP, NTP for example) that are on vlan20 but on different ports on different switches. Those services all have vlan20 IP addresses, so no need for firewall rules for those. So, vlan20 is on trunk ports on links between switches.

Thanks again,

Randy
