Netgate Discussion Forum
    ISP locked router and preventing double NAT

      RKCJ

      Firstly, my pfsense knowledge is pretty basic, meaning I'm struggling to know what to "Google" to find a solution to my problem. I've managed to set up an OpenVPN client connection and have specific LAN IPs using the VPN, and I am using a basic pfblockerNG setup for ad blocking; that's all I need for now. The internet connection is currently configured by a PPPoE connection on the pfsense WAN port, which is connected to an ADSL modem.

      Our apartment block has signed an exclusive deal with a fibre provider who make it mandatory to use their own locked modem/router/gateway, and will not provide the PPPoE credentials to use in other routers. Whilst the fibre ISP has been quite helpful in offering to configure their router any way I want, they aren't able to offer any help on what configuration I need to perform on my pfsense setup.

      What would be the best setup for someone relatively new to pfsense?

      Options I've seen so far:

      1. Give the ISP router a fixed IP (192.168.0.1), switch off WiFi and DHCP. Set up pfsense WAN port for internet and gateway to be 192.168.0.1, all pfsense LAN setup (DHCP) use the 192.168.2.xxx range. I've tested this with my ADSL setup, and it seems to work, but I understand double NAT is involved, which will make services like VoIP problematic.

      2. The ISP has offered to forward all ports from their router/gateway to my pfsense router. This should eliminate double NAT?? What do I need to do on pfsense to make this work?

      3. The ISP's router could be configured to make the pfsense router the DMZ. This is an option I found on the net, but must assume the ISP's router is capable of this; again, what do I need to do on pfsense to make this work?

      Any help on which option to take and guidance/links on how to do the setup would be much appreciated.

        RKCJ

        Anybody with advice to help a newbie out?

          NOYB

          What about bridged mode?  If the ISP's router/modem supports bridge mode maybe that would be the way to go.

          As far as the exclusive deal and ISP requiring use of their router/modem.  Pop over to DSL reports.  People there tend to keep up with legalities, remedies, public shaming, etc. re: this sort of stuff.

          Of course any legalities would vary by country, etc.

            RKCJ

            @NOYB:

            What about bridged mode?  If the ISP's router/modem supports bridge mode maybe that would be the way to go.

            As far as the exclusive deal and ISP requiring use of their router/modem.  Pop over to DSL reports.  People there tend to keep up with legalities, remedies, public shaming, etc. re: this sort of stuff.

            Of course any legalities would vary by country, etc.

            Unfortunately, putting their router in bridged mode is not an option, and they will not provide the credentials for my pfsense router to initiate the connection. I had long discussions with them, it's either accept their router, or not use their service.

              johnpoz LAYER 8 Global Moderator

              "2) The ISP has offered to forward all ports from their router/gateway to my pfsense router. This should eliminate double NAT??"

              That is a double NAT. And if you don't have any other options, it will work.

              As long as pfsense sees all unsolicited inbound traffic to whatever the public IP actually is, it does not matter if pfsense has an rfc1918 address.  There could be some issues with some off-the-wall protocols, etc.  But in general this will work just fine.  As long as the traffic hits your pfsense, then you can control whatever port forwards you want with pfsense.

              You just need to make sure that whatever rfc1918 range they are using on your pfsense wan is not used on your lan side.  So for example if they use 192.168.0/24 then use 192.168.1/24 or any other networks that do not overlap with the 192.168.0/24 network on your wan.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.7.2, 24.11
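
The non-overlap rule from the post above, as an added example that is not part of the original thread: it checks a planned IPv4 layout for a pfSense box sitting behind an ISP router and proposes a free LAN subnet. The function names (`check_plan`, `suggest_lan`) and the OpenVPN tunnel network are assumptions made for illustration; 192.168.0.1/24 is the ISP-side address used in the thread.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _net(cidr):
    # strict=False accepts a host address such as 192.168.0.1/24
    return ipaddress.ip_network(cidr, strict=False)

def check_plan(wan_cidr, inside):
    """Problems with an IPv4 plan for pfSense behind an ISP router.

    wan_cidr: subnet the ISP router uses on the pfSense WAN side
    inside:   dict of name -> CIDR for LAN, VLAN and VPN tunnel networks
    """
    wan = _net(wan_cidr)
    nets = {name: _net(cidr) for name, cidr in inside.items()}
    problems = []
    for name, net in nets.items():
        if net.overlaps(wan):
            problems.append(f"{name} {net} overlaps WAN {wan}")
        if not any(net.subnet_of(block) for block in RFC1918):
            problems.append(f"{name} {net} is not RFC 1918 space")
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return problems

def suggest_lan(wan_cidr, inside, prefix=24):
    """First /prefix inside 192.168.0.0/16 that collides with nothing in use."""
    used = [_net(wan_cidr)] + [_net(c) for c in inside.values()]
    for cand in _net("192.168.0.0/16").subnets(new_prefix=prefix):
        if not any(cand.overlaps(u) for u in used):
            return str(cand)
    return None  # e.g. the ISP side already covers all of 192.168.0.0/16

if __name__ == "__main__":
    # Constructed sample: ISP router on 192.168.0.1/24 (the thread's example),
    # a LAN that collides with it, and an assumed OpenVPN tunnel network.
    plan = {"LAN": "192.168.0.0/24", "OPENVPN": "10.8.0.0/24"}
    for problem in check_plan("192.168.0.1/24", plan):
        print(problem)
    print("suggested LAN:", suggest_lan("192.168.0.1/24", plan))
```

An ISP router that uses a wide mask such as 192.168.0.0/16 overlaps every 192.168.x.0/24 LAN, which is why the check compares whole networks rather than the third octet.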

                RKCJ

                @johnpoz:

                "2) The ISP has offered to forward all ports from their router/gateway to my pfsense router. This should eliminate double NAT??"

                That is a double NAT. And if you don't have any other options, it will work.

                As long as pfsense sees all unsolicited inbound traffic to whatever the public IP actually is, it does not matter if pfsense has an rfc1918 address.  There could be some issues with some off-the-wall protocols, etc.  But in general this will work just fine.  As long as the traffic hits your pfsense, then you can control whatever port forwards you want with pfsense.

                You just need to make sure that whatever rfc1918 range they are using on your pfsense wan is not used on your lan side.  So for example if they use 192.168.0/24 then use 192.168.1/24 or any other networks that do not overlap with the 192.168.0/24 network on your wan.

                Thank you for the response.

                Just want to make sure I understand your response correctly. I don't need to make any additional configs in pfsense for this scenario to work? All I need to make sure is that the ISP router is on a different rfc1918 range to pfsense. Is that correct?

                  johnpoz LAYER 8 Global Moderator

                  Correct!

                    RKCJ

                    @johnpoz:

                    Correct!

                    Thank you, much appreciated.

                      mikeisfly

                      No need to port forward all ports, just have the ISP assign your PfSense box a statically assigned IP address. Then put that IP address in their router's DMZ. That should forward all unsolicited traffic to your PfSense box.

                        RKCJ

                        @mikeisfly:

                        No need to port forward all ports, just have the ISP assign your PfSense box a statically assigned IP address. Then put that IP address in their router's DMZ. That should forward all unsolicited traffic to your PfSense box.

                        Thanks for an alternative approach, the install is happening today, will present the options to them.
