Netgate Discussion Forum

    Suggestion for double nat

    • robertog

      Hello everyone!
      I'm not sure if I'm right, so I would like to have your suggestions about this doubt of mine:

      my configuration:

      INTERNET (dynamic public IP)

      modem-router 192.168.0.1(wan)
      NAT ENABLE

      pfsense 192.168.0.2(wan)
      NAT ENABLE.

      interface lan
      192.168.1.1 (firewall)
      dhcp 192.168.1.2-254

      So do I have to keep NAT on both, or is it better to cancel NAT on the modem or on pfSense?

      Thanks for your reply
      roberto

      • Wolf666

        Normally you should avoid double NAT. My advice is to disable NAT on the modem-router and connect the WAN port of the modem to the WAN port of pfSense.
        Set up the pfSense WAN in order to get a public IP (it depends on your ISP connection, PPPoE, PPPoA?).

        So I should set up as follows:
        pfSense WAN ---> DHCP or PPPoE or whatever is supported by your ISP and router.
        pfSense LAN ---> 192.168.1.1 or other private IP
        Modem ---> 192.168.0.1 or other private IP (different subnet from pfSense LAN).

        Basically you will use your modem as a pure modem letting pfSense act as firewall/router.

        This is exactly as my network is.

        Modem Draytek Vigor 130
        pfSense 2.4 Supermicro A1SRi-2558 - 8GB ECC RAM - Intel S3500 SSD 80GB - M350 Case
        Switch Cisco SG350-10
        AP Netgear R7000 (Stock FW)
        HTPC Intel NUC5i3RYH
        NAS Synology DS1515+
        NAS Synology DS213+

        • johnpoz LAYER 8 Global Moderator

          "Modem LAN ---> 192.168.1.x or other private IP (same subnet of pfSense LAN)."

          What.. This makes NO sense..  I agree with this
          "Basically you will use your modem as a pure modem letting pfSense act as firewall/router."

          But then you go to say connect his modem/router device to LAN of pfsense??  "connect LAN port of modem to LAN port of pfSense. "

          I would suggest you ignore anything stated in his post, not sure how anyone would make any sense of it..

          Yes you should turn off nat on your device from your isp and just use it as "modem"

          This should connect to WAN interface of pfsense.

          isp device --- wan (pfsense) lan -- your network.

          Pfsense should get a public IP on its wan interface. What device do you have from your isp, are you using that for wireless?  Or do you have other wireless APs?

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          • Wolf666

            @johnpoz:

            "Modem LAN ---> 192.168.1.x or other private IP (same subnet of pfSense LAN)."

            What.. This makes NO sense..  I agree with this
            "Basically you will use your modem as a pure modem letting pfSense act as firewall/router."

            But then you go to say connect his modem/router device to LAN of pfsense??  "connect LAN port of modem to LAN port of pfSense. "

            I would suggest you ignore anything stated in his post, not sure how anyone would make any sense of it..

            Yes you should turn off nat on your device from your isp and just use it as "modem"

            This should connect to WAN interface of pfsense.

            isp device --- wan (pfsense) lan -- your network.

            Pfsense should get a public IP on its wan interface. What device do you have from your isp, are you using that for wireless?  Or do you have other wireless APs?

            I messed up with copy and paste of a different setup with an AP in the middle. You are right, I amended my previous post.

            Sorry for my confusion

            • robertog

              Thanks a lot!
              I will do as you suggest, so my new setup will be like this:

              modem-router will be modem
                        NAT DISABLE

              PFSENSE
                        NAT ENABLE
                        connect (PORT WAN) to modem

              PORT LAN
                        DHCP ENABLE
                        CONNECT TO SWITCH

              WIRELESS: I created vlan and interface on parent interface (LAN)
                                          DHCP ENABLE

              SWITCH:
                        2 VLAN
                        VLAN FOR WIRELESS
                        VLAN FOR LAN

              ACCESS POINT
                        NO DHCP
                        CONNECT TO SWITCH (WIRELESS VLAN)

              That's all.

              bye bye
              roberto

              • phil.davis

                That all looks good.
                When you choose private subnets for LAN and WiFi nets, I suggest you move away from 192.168.0.0/24 and 192.168.1.0/24 - those are used by so many other cafes etc. One day you will want to have OpenVPN Road Warrior so you can VPN back to home while sipping coffee at your favourite cafe… It is a hassle if the Cafe and your home are using the same private IP address space.

                As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/
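
The two checks discussed in this thread, as an added example that is not part of any post: whether the firewall's WAN address is still non-public (an upstream device is doing NAT), and whether the chosen LAN subnets overlap the commonly used ranges named above. The function names, the inclusion of the carrier-grade NAT range and the sample addresses (203.0.113.10 is a documentation address) are assumptions of the example.

```python
import ipaddress

# Address space that is never publicly routable: RFC 1918 plus RFC 6598 (carrier-grade NAT).
NON_PUBLIC = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

# Subnets the thread calls out as overused (assumed default list; extend as needed).
COMMON_DEFAULTS = ("192.168.0.0/24", "192.168.1.0/24")


def behind_upstream_nat(wan_ip):
    """True when the firewall's WAN address is not public, i.e. another device NATs upstream."""
    addr = ipaddress.ip_address(wan_ip)
    return any(addr in net for net in NON_PUBLIC)


def colliding_subnets(home_subnets, remote_subnets=COMMON_DEFAULTS):
    """Return (home, remote) pairs that overlap and would conflict over a road-warrior VPN."""
    hits = []
    for home in home_subnets:
        h = ipaddress.ip_network(home, strict=False)  # accept host/prefix form too
        for remote in remote_subnets:
            r = ipaddress.ip_network(remote, strict=False)
            if h.overlaps(r):
                hits.append((str(h), str(r)))
    return hits


def audit(wan_ip, home_subnets):
    """Collect human-readable findings for one firewall layout."""
    findings = []
    if behind_upstream_nat(wan_ip):
        findings.append(f"WAN {wan_ip} is not public: an upstream device still does NAT")
    for home, remote in colliding_subnets(home_subnets):
        findings.append(f"{home} overlaps commonly used {remote}: expect VPN routing conflicts")
    return findings


if __name__ == "__main__":
    # Constructed inputs: the original poster's layout, then a layout after both changes.
    for wan, nets in (("192.168.0.2", ["192.168.1.0/24"]),
                      ("203.0.113.10", ["10.73.20.0/24", "10.73.30.0/24"])):
        print(wan, nets, audit(wan, nets) or "ok")
```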

                • robertog

                  THANKS A LOT!!!!

                  Really, I'm very happy to always get answers from someone, so this is one more reason to install pfSense and to know that for any problems
                  you can ask in the forum and someone is ready to help you.

                  bye and again thanks.

                  roberto
