Netgate Discussion Forum

Access network behind a double NAT?

  • R
    riahc8
    last edited by Jun 8, 2023, 11:05 AM

    Hello

    I have plenty of ports on my pfSense so I wanted to know if it's possible to access the devices some way that are in the NAT behind the double NAT setup.

    • V
      viragomann @riahc8
      last edited by Jun 8, 2023, 9:47 PM

      @riahc8
      Yes, if you have a public IP and forward incoming traffic on both routers.

      • R
        riahc8 @viragomann
        last edited by Jun 10, 2023, 10:51 PM

        @viragomann said in Access network behind a double NAT?:

        @riahc8
        Yes, if you have a public IP and forward incoming traffic on both routers.

        Can you be specific?

        • S
          SteveITS Galactic Empire @riahc8
          last edited by Jun 10, 2023, 11:04 PM

          @riahc8 ISP router forwards the port to pfSense. pfSense forwards the port to your web server.
          Many ISP routers can be configured to send all ports to one IP, often called its DMZ.

          Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
          When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
          Upvote 👍 helpful posts!

          • V
            viragomann @riahc8
            last edited by Jun 11, 2023, 8:24 AM

            @riahc8
            Regarding public IP, some ISPs give you only a private IPv4 within their network (CG-NAT). This cannot be reached from the internet. Hence your network would not be accessible from outside in this case.
            Maybe you can use an IPv6 to access it, however.

            So for IPv4 access, ensure that your ISP router gets a real public IP.

            • R
              rcoleman-netgate Netgate @viragomann
              last edited by Jun 11, 2023, 4:55 PM

              @viragomann And in those cases a MITM VPN might be the only solution... Using a cloud provider you can do re-routing but for large amounts of data that can be very expensive.

              Ryan
              Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
              Requesting firmware for your Netgate device? https://go.netgate.com
              Switching: Mikrotik, Netgear, Extreme
              Wireless: Aruba, Ubiquiti

              • R
                riahc8
                last edited by riahc8 Jun 13, 2023, 2:21 PM Jun 13, 2023, 1:24 PM

                ad285ae9-d508-494e-963e-5afc970fbf23-image.png

                Here is a SIMPLE diagram.

                With this double NAT I want PC to access PC2 (and/or vice versa)

                Would it be possible to do this?

                • K
                  keyser Rebel Alliance @riahc8
                  last edited by Jun 13, 2023, 1:32 PM

                  @riahc8 Yes, if the ISP router has a public IP and you can configure it to port forward to your pfSense. After that you configure your pfSense to port forward to your PC. But it’s a pretty “dodgy” setup.

                  This is one of the reasons many of us replace the ISP router with pfSense directly - but that too can be a hassle.

                  Love the no fuss of using the official appliances :-)

                  • S
                    SteveITS Galactic Empire @riahc8
                    last edited by Jun 13, 2023, 1:37 PM

                    @riahc8 Not seeing PC2 in the diagram?

                    Connecting inbound from the Internet is as described above. Connecting out to the Internet from PC will “just work”; nothing to do.

                    • R
                      riahc8 @SteveITS
                      last edited by riahc8 Jun 13, 2023, 2:22 PM Jun 13, 2023, 2:21 PM

                      @SteveITS said in Access network behind a double NAT?:

                      @riahc8 Not seeing PC2 in the diagram?

                      Connecting inbound from the Internet is as described above. Connecting out to the Internet from PC will “just work”; nothing to do.

                      I posted the image like 10 times. The forums bugged out. Updated the diagram

                      Both PC and PC2 have internet access

                      • S
                        SteveITS Galactic Empire @riahc8
                        last edited by Jun 13, 2023, 2:27 PM

                        @riahc8 With PC2 on the LAN side of the ISP router it’s just one port forward.

                        Source: .22.56 (or .22.0/24 for all devices)
                        Source port: any
                        Forward to .9.7

                        PC can connect to .22.56 directly.

                        • V
                          viragomann @riahc8
                          last edited by Jun 13, 2023, 2:28 PM

                          @riahc8
                          So from the internet to PC2 you only have a single NAT. Why are you speaking about double?

                          However, consider that you can forward a single IP + port to only one backend device. So if you have only one public IP you can forward e.g. port 443 on only one internal host.

                          • R
                            riahc8 @SteveITS
                            last edited by Jun 25, 2023, 10:36 AM

                            @SteveITS said in Access network behind a double NAT?:

                            @riahc8 With PC2 on the LAN side of the ISP router it’s just one port forward.

                            Source: .22.56 (or .22.0/24 for all devices)
                            Source port: any
                            Forward to .9.7

                            PC can connect to .22.56 directly.

                            No no, I'm not looking for just a port forward.

                            Anything on the .22/24 and .9/24 should be able to access each other, both ways.

                            • the otherT
                              the other @riahc8
                              last edited by Jun 25, 2023, 11:00 AM

                              @riahc8 hey there,
                              shouldn't it be enough to work with rules?
                              i.e.
                              IF WAN allow WAN Net (network between pfsense and ISP router), all ports, destination IP PC
                              IF LAN allow LAN Net (or just IP pc), all ports, destination WAN Net (or just IP PC2).

                              That way, pfsense allows connecting net with pc (LAN) to net with pc2 (WAN) and vice versa. If that works, reconfigure so only the needed ports are allowed (and only needed clients in those nets).

                              Or did the heat here damage my brain?
                              :)

                              the other

                              pure amateur home user, no business or professional background
                              please excuse poor english skills and typpoz :)
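
As an added example (not posted by anyone in the thread), the Python sketch below traces an inbound connection through the two forwards described above and applies the two caveats raised in the replies: an ISP router whose WAN address is CG-NAT or private, and a port that can map to only one backend. The function names and the `192.168.x.x` and `203.0.113.10` addresses used when calling it are constructed for illustration; the thread does not give full addresses.

```python
import ipaddress

# RFC 6598 shared address space used for carrier-grade NAT, and RFC 1918.
CGNAT = ipaddress.ip_network("100.64.0.0/10")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan(addr):
    """Classify the IPv4 address the ISP router holds on its WAN side."""
    ip = ipaddress.ip_address(addr)
    if ip in CGNAT:
        return "cgnat"
    if any(ip in net for net in RFC1918):
        return "private"
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
        return "special"
    return "public"


def build_forwards(rules):
    """Build a {(proto, port): target} table from (proto, port, target) rules.

    A given address + port can be forwarded to only one backend, so a second
    rule for the same key with a different target is rejected.
    """
    table = {}
    for proto, port, target in rules:
        if table.get((proto, port), target) != target:
            raise ValueError(f"{proto}/{port} already goes to {table[(proto, port)]}")
        table[(proto, port)] = target
    return table


def trace_inbound(wan_ip, proto, port, isp_fwd, isp_dmz, pfsense_wan, pfsense_fwd):
    """Follow one inbound connection through both NAT hops.

    Returns the internal host that receives it, or a string saying where it stops.
    """
    kind = classify_wan(wan_ip)
    if kind != "public":
        return f"unreachable: ISP router WAN is {kind}"
    # Hop 1: explicit forward on the ISP router, else its DMZ host if one is set.
    hop1 = isp_fwd.get((proto, port), isp_dmz)
    if hop1 != pfsense_wan:
        return "dropped at ISP router"
    # Hop 2: pfSense needs its own forward for the same port.
    return pfsense_fwd.get((proto, port), "dropped at pfSense")
```

Setting `isp_dmz` to the pfSense WAN address models the "send all ports to one IP" option; pfSense then becomes the only place where unforwarded ports are dropped.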
