Netgate Discussion Forum

    Access network behind a double NAT?

    • S
      SteveITS Galactic Empire @riahc8
      last edited by

      @riahc8 ISP router forwards the port to pfSense. PfSense forwards the port to your web server.
      Many ISP routers can be configured to send all ports to one IP often called its DMZ.

      Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
      When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
      Upvote 👍 helpful posts!

      • V
        viragomann @riahc8
        last edited by

        @riahc8
        Regarding public IP, some ISPs give you only a private IPv4 within their network (CG-NAT). This cannot be reached from the internet. Hence your network would not be accessible from outside in this case.
        Maybe you can use an IPv6 to access it, however.

        So for IPv4 access, ensure that your ISP router gets a real public IP.

        • R
          rcoleman-netgate Netgate @viragomann
          last edited by

          @viragomann And in those cases a MITM VPN might be the only solution... Using a cloud provider you can do re-routing but for large amounts of data that can be very expensive.

          Ryan
          Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
          Requesting firmware for your Netgate device? https://go.netgate.com
          Switching: Mikrotik, Netgear, Extreme
          Wireless: Aruba, Ubiquiti

          • R
            riahc8
            last edited by riahc8

            ad285ae9-d508-494e-963e-5afc970fbf23-image.png

            Here is a SIMPLE diagram.

            With this double NAT I want PC to access PC2 (and/or vice versa).

            Would it be possible to do this?

            • keyserK
              keyser Rebel Alliance @riahc8
              last edited by

              @riahc8 Yes, if the ISP router has a public IP and you can configure it to portforward to your pfSense. After that you configure your pfSense to portforward to your PC. But it’s a pretty “dodgy” setup.

              This is one of the reasons many of us replace the ISP router with pfSense directly - but that too can be a hassle.

              Love the no fuss of using the official appliances :-)

              • S
                SteveITS Galactic Empire @riahc8
                last edited by

                @riahc8 Not seeing PC2 in the diagram?

                Connecting inbound from the Internet is as described above. Connecting out to the Internet from PC will “just work” nothing to do.

                • R
                  riahc8 @SteveITS
                  last edited by riahc8

                  @SteveITS said in Access network behind a double NAT?:

                  @riahc8 Not seeing PC2 in the diagram?

                  Connecting inbound from the Internet is as described above. Connecting out to the Internet from PC will “just work” nothing to do.

                  I posted the image like 10 times. The forums bugged out. Updated the diagram

                  Both PC and PC2 have internet access

                  • S
                    SteveITS Galactic Empire @riahc8
                    last edited by

                    @riahc8 With PC2 on the LAN side of the ISP router it’s just one port forward.

                    Source: .22.56 (or .22.0/24 for all devices)
                    Source port: any
                    Forward to .9.7

                    PC can connect to .22.56 directly.

                    • V
                      viragomann @riahc8
                      last edited by

                      @riahc8
                      So from the internet to PC2 you only have a single NAT. Why are you speaking about double?

                      However, consider that you can forward a single IP + port to only one backend device. So if you have only one public IP you can forward e.g. port 443 on only one internal host.

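An added example, not part of the original posts: a small Python model of the points made so far in this thread (CG-NAT versus a real public IP on the ISP router, the forward chain from ISP router to pfSense to PC, and one IP + port mapping to only one backend). All addresses and rules are constructed; 192.168.22.x and 192.168.9.x stand in for the thread's .22 and .9 networks, and the function names are hypothetical.

```python
import ipaddress

# IPv4 ranges that cannot be reached from the internet.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space

def classify_wan(addr):
    """Classify the address shown on the ISP router's WAN interface."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        return "ipv6"
    if ip in CGNAT:
        return "cgnat"        # ISP-side NAT: inbound IPv4 forwards cannot work
    if any(ip in net for net in RFC1918):
        return "private"      # yet another NAT device sits upstream
    return "public"

def conflicts(rules):
    """Return (proto, port) keys that one device forwards to more than one target."""
    seen, dup = {}, set()
    for proto, port, target in rules:
        key = (proto, port)
        if key in seen and seen[key] != target:
            dup.add(key)
        seen.setdefault(key, target)
    return sorted(dup)

def trace(hops, proto, port):
    """hops: [(wan_ip, rules), ...], outermost first. Final (ip, port) or None."""
    target = None
    for wan_ip, rules in hops:
        if target is not None and target[0] != wan_ip:
            break             # delivered to a host in front of this device
        match = [t for p, q, t in rules if (p, q) == (proto, port)]
        if not match:
            return None       # no forward on this device: connection dropped
        target = match[0]
        port = target[1]      # the next device sees the translated port
    return target

# Constructed sample data (documentation and private addresses only).
ISP_WAN = "203.0.113.10"
ISP_RULES = [("tcp", 443, ("192.168.22.2", 443)),     # to pfSense WAN
             ("tcp", 8080, ("192.168.22.56", 80))]    # to PC2: single NAT
PFSENSE_RULES = [("tcp", 443, ("192.168.9.7", 443))]  # to PC behind pfSense
HOPS = [(ISP_WAN, ISP_RULES), ("192.168.22.2", PFSENSE_RULES)]
```

`trace(HOPS, "tcp", 443)` crosses both devices, while port 8080 stops at PC2 after a single translation, which is the distinction drawn in the post above.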
                      • R
                        riahc8 @SteveITS
                        last edited by

                        @SteveITS said in Access network behind a double NAT?:

                        @riahc8 With PC2 on the LAN side of the ISP router it’s just one port forward.

                        Source: .22.56 (or .22.0/24 for all devices)
                        Source port: any
                        Forward to .9.7

                        PC can connect to .22.56 directly.

                        No no, I'm not looking for just a port forward.

                        Anything on the .22/24 and .9/24 should be able to access each other, both ways.

                        • the otherT
                          the other @riahc8
                          last edited by

                          @riahc8 hey there,
                          shouldn't it be enough to work with rules?
                          i.e.
                          IF WAN allow WAN Net (network between pfSense and ISP router), all ports, destination IP PC
                          IF LAN allow LAN Net (or just IP PC), all ports, destination WAN Net (or just IP PC2).

                          That way, pfsense allows connecting net with pc (LAN) to net with pc2 (WAN) and vice versa. If that works, reconfigure so only the needed ports are allowed (and only needed clients in those nets).

                          Or did the heat here damage my brain?
                          :)

                          the other

                          pure amateur home user, no business or professional background
                          please excuse poor english skills and typpoz :)

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.