CGNAT and pfSense
-
Hi everyone,
I had Metronet fiber installed yesterday (symmetric 1 Gbps, CGNAT) and I'm getting ready to install a Netgate 6100 soon. My install will be:
ISP (ONT) -> pfSense -> UniFi switch, which will have a CKG2+ controller and access points attached to it. Was wondering if you could assist me with a couple of questions:
-
I noticed that Metronet ISP has a 100.xxx.xx.x IP address. I don't have a static IP and don't plan to get one unless I have to. I don't play games or have any servers. Do I have to be concerned about a double NAT situation once I connect my Netgate 6100 to the ONT (via the Ethernet port on the ONT)? What is the easiest way to check if you are double-NAT'ed?
-
Would it be possible to bypass the ONT and connect the fiber directly to pfSense via the 1G SFP WAN port? I was looking on Amazon and couldn't find an optical transceiver that would accommodate my fiber plug, but I could be looking at the wrong products. My ONT is a Nokia G-010G-A.
Appreciate your assistance!
Thank you!!
Marin
-
-
@marinsnb said in CGNAT and pfSense:
Do I have to be concerned for a double NAT situation
Unless you wanted to serve up something, like Plex, or be able to get to your network while you're remote, being behind a double NAT should not be an issue.
Or, as you mention games, were doing something that would require unsolicited inbound traffic. Double NAT would mostly be problematic for something that required a specific source port.
NAT as used today is really NAPT (network address port translation), where the source port of the traffic is also changed along with the IP.
In some applications it might be expected that the traffic comes from IP:specificport. If there is only a single NAT that you control, you can control this with, say, "static port" in pfSense.
https://docs.netgate.com/pfsense/en/latest/nat/outbound.html#static-port
This might be related to some games more often than not. When you're behind a double NAT, say some ISP gateway device in front of pfSense, or with carrier-grade NAT, you might not have any control of that. And even if you tell pfSense to do a static port NAT, the upstream NAT might not honor your source port. Or, say, VPN into your work or something, depending on what VPN solution they are using.
But generally speaking you should not really run into any issues if you're not a gamer, or don't plan on allowing unsolicited inbound traffic from the internet into something on your network.
As to bypassing your ONT and putting the fiber directly into pfSense: there has been some success in doing that that I have seen. Whether it would work with your ISP, sorry, I'm not going to be very helpful there. Maybe someone else using the same ISP as you might be helpful, if you gave the specific ISP you have. Metronet could also just be a generic sort of term for your connection; is that your actual ISP name? https://www.metronetinc.com/
-
That's good to know. Thank you so much, as always! And yes, the link you included is from my ISP!
Thanks again!
Marin
-
@marinsnb Does the Metronet device allow for "passthrough" (your router gets a public IP) or DMZ (all inbound traffic forwards to your router IP)?
In general though, as John said, there's not usually anything to worry about if there aren't inbound connections.
-
-
@marinsnb said in CGNAT and pfSense:
but my WAN gets a 100.xxx.xx.x IP according to my pfSense.
Yeah, 100.64/10 or 100.64-127.x.x is the CGNAT range. If that is what your ISP is using, there's not much you can do about that other than contacting them to see if they can give you an actual public IP, possibly for more $$.
Do you also get an IPv6 address? That should be a global, public address. I would hope they would do a prefix delegation of /56 or even /48, which would allow for not NATting when doing IPv6.
The problem with CGNAT is that even getting, say, a Hurricane Electric IPv6 tunnel isn't going to work.
-