Is there any way of overcoming double NAT with pfSense in front of Edge Gateway?
-
Hi,
I am having intermittent one way audio issues with VoIP, and I am not sure if double NAT is the cause of this. I am basically running a PBX in a VMware vCloud environment. I have an Edge Gateway on the perminiter, a pfSense VM in the DMZ and then a PBX behind this. My setup is as follows.
Edge Gateway > pfSense > PBX
Edge Gateway IP Addresses:
WAN: 88.x.x.x
LAN: 192.168.1.254pfSense IP Addresses:
WAN: 192.168.1.1
LAN: 172.16.1.254PBX IP Addresses:
LAN: 172.16.1.10
As you can see with this setup I am double NATing. I posted another topic related to the one way audio issue here https://forum.pfsense.org/index.php?topic=107413.0. Now although I do not think this is the issue, I cannot rule anything out at this stage.
Is there anything I can do so that the pfSense does not NAT, and leave the Edge Gateway to handle all the NATing? I need to rule out everything I can here before I look to change VoIP providers. Every time I take this up with my VoIP provider they simply say this is a firewall issue. The issue is very intermittent but I understand double NAT causes intermittent issues and I am not sure if this is the cause of my problems!
Any advice or suggestions would be welcome.
Thank you in advance.
Jonathan.
-
But your edge device in bridge mode.. So it does not nat!
Or turn your pfsense into just a router/firewall so it does not nat. But now you need to put in downstream routes on your edge and it will have to nat the downstream networks and you will connect pfsense to your edge with a transit network.
Other option is to turn pfsense into a bridge/transparent firewall.
-
Hi,
Thanks for your response. Please see comments below.
But your edge device in bridge mode.. So it does not nat!
This would be the best possible solution, but unfortunately it isn't possible. I'm using VMware vCloud Director so I am stuck with their "Edge Gateway" which offers very limited functionality - hence the requirement for pfSense in the first place. Also if I want to add a IPSec VPN tunnel to the Edge Gateway, there's a cost for each tunnel I add which I don't really want to be paying for.
Or turn your pfsense into just a router/firewall so it does not nat. But now you need to put in downstream routes on your edge and it will have to nat the downstream networks and you will connect pfsense to your edge with a transit network.
This sounds good, although possible a little complicated! Maybe I am not understanding properly. Can I just check what you mean when you say "put downstream routes on your edge and it will have to nat the downstream networks and you will connect pfsense to your edge with a transit network". Sorry to be a paint but are you able to expand on this please?
Other option is to turn pfsense into a bridge/transparent firewall.
Very possible solution, would pfSense still handle the inbound NAT translations and firewall rules? Whatever solution I go with I need to make sure it allows for the use of IPSec VPN tunnels to the pfSense, as they are a requirement for what I am doing.
Thank you in advance.
-
Also, maybe as another idea. Could I use the following to overcome double NAT?
To completely disable NAT to have a routing-only firewall, do the following.
Go to the Firewall -> NAT page, and click the Outbound tab.
Select the option "Manual Outbound NAT rule generation (Advanced Outbound NAT (AON))" and click Save.
Remove all automatically generated NAT rules at the bottom of the screen.
Apply changesMy question here is how would the edge gateway see the traffic, would it have a source IP of a device from the 172.16.1.0 /24 network even though it leaves the 192.168.1.1 WAN interface? That way I could leave the outbound rules in place for ISAKMP negotiations.
Would this be a feasible solution?
Thank you in advance.
Jonathan.
-
"still handle the inbound NAT translations and firewall rules?"
Dude I thought you wanted to disable double nat??
I think you missing what nat does… If you turn off pfsense nat.. Then you have to adjust the routing on your edge... He would have to know to send traffic to 172.16 he needs to send it to pfsense wan IP in his 192.168 network..
-
"still handle the inbound NAT translations and firewall rules?"
Dude I thought you wanted to disable double nat??
I think you missing what nat does… If you turn off pfsense nat.. Then you have to adjust the routing on your edge... He would have to know to send traffic to 172.16 he needs to send it to pfsense wan IP in his 192.168 network..
I want to disable outbound NAT only. Forgive me if I am misunderstanding, but can I not disable outbound NAT on the pfSense and still forward everything to the WAN interface of the pfSense from the edge gateway?
I am ok with adding a static route on the edge to point the 172.16.1.0 network to the next hop - this bit I have tried and works fine. It is purely the outbound NAT I am not too sure on.
-
If you can edit the routes on your edge router, then sure you can turn off nat on pfsense and turn it into just a firewall/router.. You now just turned this 192.168 network into a transit network. Do you have any device on this network you will want to talk to from devices behind pfsense?
-
If you can edit the routes on your edge router, then sure you can turn off nat on pfsense and turn it into just a firewall/router.. You now just turned this 192.168 network into a transit network. Do you have any device on this network you will want to talk to from devices behind pfsense?
This sounds to be like what I am after - I think! I don't have any devices on the 192.168.1.0 network at all, it is purely used connecting the edge gateway LAN to the pfSense WAN…
Is this what you meant by "Or turn your pfsense into just a router/firewall so it does not nat. But now you need to put in downstream routes on your edge and it will have to nat the downstream networks and you will connect pfsense to your edge with a transit network." I take it?
-
Exactly ;) once you turn off nat, you just have to allow the traffic in your wan rules.
-
Thanks for your help, I'll give this a go…!
