Netgate Discussion Forum

Double NAT: How bad?

NAT
  • oytunsan
    last edited by Apr 30, 2007, 10:15 PM

    Hi everyone,

    I have a wireless ADSL modem/router/wireless AP all in the same device. I am planning to put a pfSense box after the modem: Modem LAN port > pfSense WAN port.
    Next I will define a static IP on the WAN interface of pfSense. My modem has DMZ functionality (not a real DMZ, just a "DMZ host" that all ports will be forwarded to). I will define pfSense's WAN IP as the DMZ host in the modem configuration. I will also keep the modem's wireless AP active, so that it would be a "guest network". It all seems logical to me except the double NATing. I read that it causes problems with VPN software. Has anyone experienced any double NAT problems?

    Also, if you have any further comments about my configuration, I would love to hear them.

    Thanks in advance…
    -oytun

    • hoba
      last edited by Apr 30, 2007, 10:18 PM

      The problem with this is that pfSense doesn't see its real IP address at WAN, which will cause issues with dyndns (you therefore can't use pfSense's built-in dyndns feature), and as you already mentioned, VPNs might cause issues as well, as it won't detect an IP change on WAN, for example (if on dynamic WAN), which might cause blackouts of tunnels for some time.

      • oytunsan
        last edited by Apr 30, 2007, 10:25 PM

        Thanks for the answer. My modem's WAN IP is static. So if all VPN problems arise from IP changes, it won't affect me, I guess. Right? By the way, what about packet size? A second NAT will increase it, I guess. Is it negligible?

        • hoba
          last edited by Apr 30, 2007, 10:49 PM

          Some VPN implementations will have issues behind NATs under certain circumstances. Packet size has nothing to do with it.

          • cmb
            last edited by May 1, 2007, 2:06 AM

            The main issue with NAT'ing twice is protocols that are NAT-unfriendly. That includes some VPN client software, some VoIP protocols, and FTP, amongst others. These protocols are a pain to deal with when doing NAT once; adding a second NAT into the mix makes it twice as difficult to make these things work right and to troubleshoot when things aren't working.

            It should be avoided if possible, because it's usually adding a layer of complexity that's unnecessary. In your case, I would see if you could use the modem as strictly a bridge and put the static IP on pfsense.

            It doesn't affect packet size because NAT changes the source IP and possibly port (depending on the NAT implementation) on packets; it doesn't add anything to them.

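The following is an added example, not part of any post in this thread: it pushes one constructed IPv4/TCP packet through two source NATs to show the point made in the last reply, that NAT overwrites the source IP and port in place and leaves the packet length unchanged. It goes one step further and shows why FTP is NAT-unfriendly: the address carried inside the payload (an active-mode `PORT` command) is not touched by header rewriting. All addresses, ports and function names are assumptions chosen for illustration.

```python
import socket
import struct

def csum(data: bytes) -> int:
    """RFC 1071 Internet checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def fix_checksums(pkt: bytes) -> bytes:
    """Recompute the IPv4 header and TCP checksums (20-byte headers, no options)."""
    ip, tcp = bytearray(pkt[:20]), bytearray(pkt[20:])
    ip[10:12] = b"\x00\x00"
    tcp[16:18] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", csum(bytes(ip)))
    pseudo = bytes(ip[12:20]) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp[16:18] = struct.pack("!H", csum(pseudo + bytes(tcp)))
    return bytes(ip + tcp)

def build(src, sport, dst, dport, payload: bytes) -> bytes:
    """Minimal IPv4 + TCP packet carrying payload."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return fix_checksums(ip + tcp + payload)

def snat(pkt: bytes, new_src: str, new_sport: int) -> bytes:
    """Source NAT: overwrite source IP and port in place; nothing is appended."""
    out = bytearray(pkt)
    out[12:16] = socket.inet_aton(new_src)
    out[20:22] = struct.pack("!H", new_sport)
    return fix_checksums(bytes(out))

def demo():
    # Constructed FTP active-mode command advertising the LAN host 192.168.1.10:5001.
    payload = b"PORT 192,168,1,10,19,137\r\n"
    lan = build("192.168.1.10", 40000, "203.0.113.5", 21, payload)
    hop1 = snat(lan, "10.0.0.2", 50001)        # first NAT (pfSense, assumed address)
    hop2 = snat(hop1, "198.51.100.7", 61002)   # second NAT (modem, assumed address)
    return lan, hop1, hop2

if __name__ == "__main__":
    for name, p in zip(("LAN", "after NAT 1", "after NAT 2"), demo()):
        print(f"{name:12} src={socket.inet_ntoa(p[12:16])}:{struct.unpack('!H', p[20:22])[0]}"
              f" len={len(p)} payload={p[40:]!r}")
```

After both hops the packet is still 66 bytes, but the payload still advertises 192.168.1.10, which the remote server cannot reach unless each NAT device also rewrites the payload with an FTP helper.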