Double NAT config issue, help required

xbipin

i think im suffering from double nat issue but the way its configured its supposed to work for browsing etc but i get issues in that too, somethings work fine and some work fine at time and stop at other times

i have a asus router connecting to isp using pppoe and it lacking the option to disable nat im not able to do that so by default nat is on and my pfsense is connected to the lan port on the asus router.
i have configured wan in pfsense as static and set ip as 192.168.1.2 and gateway as 192.168.1.1 which is the ip of asus router.
the lan interface on pfsense has dhcp enabled and lan ip 192.168.30.1 and clients on lan get 192.168.30.x
i have enabled DMZ on asus router so port issue dont come up for pfsense wan ip 192.168.1.2.
port forwards r configured in pfsense and im able to reach pfsense gui as well as local servers behind pfsense, all traffic coming from the internet come just fine to pfsense and lan behind it.
AON is enabled with 192.168.30.0/24 for wan1 and 127.0.0.0/8 for wan1 to handle nat

now problem happens for lan devices on pfsense lan, sometimes web browsing works and at other times it just doesnt work at all, could some1 tell me what am i missing config wise or is it possible to solve this double nat issue, dont ask but i have to use the asus router

hackin8

Perhaps the simplest option would be to select PPPoE passthrough on the Asus router - which would get rid of double NAT - pfSense then logging in and getting external IP directly.

Most Asus routers have that option, depends upon model?

xbipin

the problem is my isp wont allow same mac id on 2 wan account and i have a pfsense full install with one nic so im using a vlan switch and in this setup u cant spoof mac id on vlans and i need to use both wan connections so with this i need to use asus in between on one of the wans, now if i use bridge and make pfsense do pppoe then the mac id will be that of pfsense so that wont work as the other wan conenction the same mac id, i need to send a different mac id for each wan connection and pfsense wont allow when using vlans

the machine doesnt have expansion slots so cant add another nic

xbipin

if i set my asus router to bridge mode and make pfsense do the pppoe connection then will the mac id of pfsense goto isp or the bridged asus router working like a modem?

cyberapache

Can you show a quick diagram of your setup? With only one NIC are you using an external Switch that is VLAN capable to create the two WANs?
If so then I suspect the MAC address the ISP will see will be that of the Switch (not pfsense) since the Switch is the last Ethernet hop.

xbipin

• im using a cisco vlan capable switch
• wan1 connected to port 1 on switch for vlan10
• wan2 connected to prot2 on switch for vlan20
• pfsense conencted to port3 on switch with config as vlan10 for wan1, vlan20 for wan2 and vlan30 for lan
• lan device connected to port4 on switch for vlan30

port1 - untagged
port2 - untagged
port3 - tagged
port4 - untagged

port3 is part of all vlans

pfsense one nic so one mac id which is authorized in isp database and works well on wan1, same mac id isp wont allow in its database for wan2 but in pfsense u cant change mac id for vlans and now i need to change this mac id so isp sees a different mac id

cisco doesnt do any mac id, isp sees the pfsense mac id only for both pppoe conenctions

xbipin

mayb u can show me if i can change mac id in the cisco switch such that isp sees the changed mac id

xbipin

other than create vlans on switch i didnt change any config on it at all and once authorizing pfsense mac id on wan1 it was able to connect to pppoe or else without authorization it wasnt connecting earlier so i guess the isp is seeing the mac id of pfsense as that only connects to pppoe and mayb they bind mac id to pppoe account

cisco switch sg 200-26

cyberapache

port1 is vlan10 but you say it's untagged. Same for ports 2 and 4.
Shouldn't port 3 be configured as trunk port to pass all VLAN traffic?
The switch has a MAC id and that is what is typically used as source address for any Ethernet communication. All VLANs on the switch will use that same MAC address. That  Switch MAC address can't be changed.
It may be that the PPPoE encapsulation passes the original MAC id from the pfsense PPPoE client and that's how the pfsense MAC makes it to ISP. Can you check with wireshark to see what is actually going on.

If nothing else works you may consider using an intermediate gateway like a Linksys between the switch port and ISP so that you can change the MAC address.

xbipin

port 1, 2 and 4 r on different vlans so untagged is fine and port 3 is tagged meaning trunk port.

i tried wireshark and its the pfsense mac only that goes to isp, cisco switch has its own mac in between for Ethernet packets but the isp is detecting the pfsense mac based on pppoe encapsulation

which linksys gateway is this and how is it to be used?