Network behind a double NAT? - a newbie asks for help with the setup

Started by kernew, Today at 03:34:31 PM

Hi,

I'm planning to build a homelab, and first and foremost, my own network (within another network).

My internet comes from a TP-Link Deco S7, so unfortunately, I think that's a double NAT?

Since I'm a complete beginner, I ask for your advice and patience ;)
The entire network/homelab should be as mobile as possible - which is why I thought about an all-in-one solution.
Will something like this work:

Deco7 > via WiFi > GMKtec NucBox M7 Ultra PRO 6850U (WiFi + 2x 2.5G LAN)

GMKtec: Proxmox (OPNsense + NAS + HA + ... ) and LAN1 > AP (which one do you recommend for a few phones/tablets), LAN2 > main desktop

Do I need a switch for this setup?
Will OPNsense in Proxmox handle the double NAT?
What will be needed to have access to the network from the outside?

Or maybe you recommend some other solutions?

Can you recommend any websites about networks?

The GMKtec has 2x I226, so that is better than Realtek NICs (although you will want to use the NICs as virtio interfaces).

I see a problem with the WiFi uplink, though. You want that to be the WAN of your OPNsense, yet WiFi chipsets are badly supported under FreeBSD and OPNsense. You cannot set it up under Proxmox, either, because that should be connected only to your OPNsense's LAN side.

That would be less of a problem if the WAN uplink were through one of the RJ45 interfaces and the other one were used for the LAN - but that would mean you need a switch to connect both your main desktop and an AP.

Do not underestimate the setup, because OPNsense on Proxmox is special.

I personally do not like Router-behind-Router scenarios, because they tend to give all kinds of problems, see https://forum.opnsense.org/index.php?topic=42985.0, point 4. For one, you will have to do port forwards on both OPNsense and your outer router in order to give access from outside.
Also, if you need IPv6, this might get difficult to set up (if it works at all).

I do not really understand why you would want to keep the TP-Link in the loop, because that is a standard router without any ONT/modem inside, so OPNsense can do its job all on its own, so it is not needed (unless you must extend the reach via WiFi, which is problematic anyway).

Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

It would make way more sense to connect the wired WAN directly to OPNsense and the TP-Link device (in AP mode) to the OPNsense LAN port. You then could also use the TP-Link's additional Ethernet ports as a switch for your LAN.

If this is purely experimental and you can't get a wired WAN connection, I'd explore setting up the WiFi connection in Proxmox. WiFi support in FreeBSD / OPNsense is very limited.

For IPv4, you would indeed end up with (at least) double NAT.
For IPv6, it depends on whether the TP-Link device supports prefix delegation.

That's quite a challenge for a complete beginner. I'd recommend a simpler setup for your first steps with OPNsense.

Cheers
Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).
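
Added example, not part of any post in this thread: a small Python check for the two things that matter when a firewall sits behind another router, namely whether its WAN address is non-public (so an upstream NAT exists and inbound access also needs a forward on the outer router) and whether the planned LAN subnet collides with the upstream network. The function names and all addresses are constructed for illustration.

```python
import ipaddress

# IPv4 ranges that are not globally routable. A WAN address inside one of
# them means another NAT device sits between this firewall and the internet.
NON_PUBLIC = {
    "RFC 1918 private": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "RFC 6598 carrier-grade NAT": ["100.64.0.0/10"],
}


def classify_wan(addr):
    """Return the label of the non-public range holding addr, else 'public'."""
    ip = ipaddress.ip_address(addr)
    for label, nets in NON_PUBLIC.items():
        if any(ip in ipaddress.ip_network(n) for n in nets):
            return label
    return "public"


def check_setup(wan_iface, lan_net):
    """wan_iface: WAN address with prefix as handed out by the upstream
    router, e.g. '192.168.68.57/22'. lan_net: the LAN planned behind the
    firewall, e.g. '192.168.1.0/24'."""
    wan = ipaddress.ip_interface(wan_iface)
    lan = ipaddress.ip_network(lan_net)
    kind = classify_wan(str(wan.ip))
    return {
        "wan_kind": kind,
        # True: inbound access needs a port forward on the outer router too.
        "behind_upstream_nat": kind != "public",
        # True: inner LAN and upstream network share addresses, so routing
        # between them is ambiguous; pick a different LAN subnet.
        "lan_overlaps_upstream": lan.overlaps(wan.network),
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    for wan, lan in [("192.168.68.57/22", "192.168.1.0/24"),
                     ("192.168.68.57/22", "192.168.70.0/24"),
                     ("100.72.1.1/24", "192.168.1.0/24")]:
        print(wan, lan, check_setup(wan, lan))
```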

@meyergru, @Maurice - thanks for the answers.

Unfortunately, I don't have access to the Deco S7, so there's nothing I can do (it's a dormitory and I'm an end user).

If the WiFi (on PCIE) doesn't work with Proxmox+OPNsense - will it work on a separate miniPC with only OPNsense (Intel N100/N150 and 4x 2.5G)?

What are some other solutions for building my own network with internet 'from WiFi' (Deco S7)?

How do people solve the problem of having 'their own' network in hotels or on vacation?
-----------------------
Deco has 3x LAN ports and there's a chance I'll be able to connect via cable - so in that case: Deco > cable > GMKtec LAN1 and LAN2 > switch. And then from the switch to the AP, desktop, and the rest - will this improve the situation?