Deploying pfsense behind ISP router with double nat
-
Without NAT it doesn't work.
-
Again, what does double NAT have to do with static routes. They are completely unrelated. If the first router works with a static route, then you should be able to replace it with a similarly configured pfSense.
-
Ok I've been trying to figure this out, but mostly just got myself confused. I was pretty convinced double NAT was required, as nothing worked on my previous setup without it.
Now I am currently not so sure about it.
-
@JKnott I'm sorry I don't understand your point about static route.
My ISP router does not support static routes. I thought this was why double NATting was required - but having written some stuff down on paper I'm now not so sure.
-
Perhaps it is helpful to start from a simpler point.
I disabled NAT on the pfSense box.
I am trying to ping 192.168.0.1 from my PC. I cannot get a response. However I can ping the pfSense box.
So I cannot ping something on the other side of the pfSense box. Why is this so, or what should I do to diagnose this issue?
-
As another test, if I use a laptop connected to the 192.168.0.X network to ping 192.168.0.1, it works. However I also cannot ping 192.168.100.254.
This is because my ISP router does not know where 192.168.100.X is.
NAT does not help in this case of course, but this is why I concluded NAT was required on the pfSense box. So that the network address range 192.168.100.X would be translated via nat into a 192.168.0.200:<port> address, which my ISP router does understand, because 192.168.0.200 is on the 192.168.0.X network...
-
@hypernova said in Deploying pfsense behind ISP router with double nat:
I'm sorry I don't understand your point about static route.
You were the one that first mentioned static routes. Those are not normally used for consumer level connections. I have absolutely no idea why you even mentioned that in the first place.
-
@JKnott I mentioned it, as I explained above, because I thought NAT was required due to the fact that my ISP does not support static routes.
I am not sure if I am mistaken about that. I've spent hours trying to get the pfsense box to work - or at least do something.
So far I've not had any success with it. I have no idea what diagnostics should be done.
If you have any suggestions about what I should do next I will be glad to hear them.
Essentially allow me to ask the most basic question.
I have an ISP router. I attach a pfsense box to it. How should I configure the pfsense box to get internet access to devices on the other side of the pfsense box.
-
Do you even know there's something with that 192.168.100.254 address? While any address within the local address block, other than .0 or .255, can be used for the router, typically .1 is used.
Since you want to use pfSense as a router, you should set your modem to be in bridge mode, not gateway. This will get rid of double NAT. PfSense will then receive the needed connection info via DHCP, so you have nothing to configure on the WAN side. Also, by using bridge mode, you may also get IPv6, assuming your ISP is providing it.
-
@JKnott said in Deploying pfsense behind ISP router with double nat:
Do you even know there's something with that 192.168.100.254 address? While any address within the local address block, other than .0 or .255, can be used for the router, typically .1 is used.
The pfSense box has the address 192.168.100.254. The attached desktop on the LAN side has address 192.168.100.1.
Did you actually read what I posted?
Since you want to use pfSense as a router, you should set your modem to be in bridge mode, not gateway. This will get rid of double NAT. PfSense will then receive the needed connection info via DHCP, so you have nothing to configure on the WAN side. Also, by using bridge mode, you may also get IPv6, assuming your ISP is providing it.
My ISP router does not have a bridge mode. It can receive an IP via DHCP. I have now set a reserved address. I don't know why you bring this up, I can't see the relevance of it.
-
I tried starting again with a fresh install of pfsense, keeping all the default settings.
I can now ping the ISP router, but I cannot ping anything further, such as 8.8.8.8.
Any suggestions?
-
@hypernova said in Deploying pfsense behind ISP router with double nat:
Any suggestions?
No, that really should work out of the box on LAN.
-
@Bob-Dig said in Deploying pfsense behind ISP router with double nat:
@hypernova said in Deploying pfsense behind ISP router with double nat:
Any suggestions?
No, that really should work out of the box on LAN.
I would have thought so too... Here's some traceroute info. I don't know if this is helpful?
Through pfsense router:
traceroute 192.168.0.1
traceroute to 192.168.0.1 (192.168.0.1), 30 hops max, 60 byte packets
1 pfSense.localdomain (192.168.1.1) 0.268 ms 0.266 ms 0.273 ms
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *
(end of output)
Through my Debian based router:
traceroute 192.168.0.1
traceroute to 192.168.0.1 (192.168.0.1), 30 hops max, 60 byte packets
1 pigrey (192.168.2.254) 0.214 ms 0.242 ms 0.283 ms
2 192.168.0.1 (192.168.0.1) 3.293 ms 4.517 ms 5.505 ms
The second output looks sensible. The first does not look at all sensible.
After a reboot I was able to ping 8.8.8.8, but the response was slow.
I was not able to ping www.google.com. So this suggests perhaps there is something wrong in the configuration which is interfering with the ability for DNS to resolve.
In the logs I am seeing a lot of instances of a particular error:
"wan dhcp sendto error (error 65)"
This might be related?
-
@hypernova I hope you don't Block private networks on WAN?
-
@Bob-Dig said in Deploying pfsense behind ISP router with double nat:
@hypernova I hope you don't Block private networks on WAN?
Interfaces->WAN/LAN->Reserved Networks
both checkboxes unchecked - is this what you refer to?
-
Well this is strange... I managed to get something working, and I think I'm now connected via the pfsense router...
I added a new USB interface - a gigabit one, connected via USB 2.0 (so it won't actually be gigabit.)
I was using a USB 2.0 to 100 Mbps interface. That is still attached as WAN, and the other one is now attached at OPT.
Why is this other USB interface working when the other one did not? Is this a known issue, some form of compatibility problem with certain USB interfaces?
-
Having thought about this for a while, I believe I remember what got me down the path of implementing double nat some months ago.
I think I am correct in stating that this is required for external access, such as to ssh ports.
The reason being that with most ISP routers (at least all the ones I have come across) there is no way to open a port to anything other than the immediate local network.
For me this is 192.168.0.X.
However I wish to direct ssh traffic to another machine, on another network.
Hence why double nat is required?
-
1:
Without the pfSense box doing NAT on the WAN, your ISP router needs a static route (for the Linux LAN) in order to send the ping reply packets back to (via) the pfSense box.
You might be "bitten" by RFC1918 default blocking of inbound WAN packets too.
2:
If you let pfSense NAT on the WAN port, you won't need any routes in the ISP router, as all appears to come from the pfSense, which is on a known LAN (the ISP inside LAN).
3:
You might want to look at your ISP routers "Portforwarding possibilities".
I had such an ISP setup, where the ISP router did NAT, and I needed to run a Linux FTP/web server behind it. I had an option to port forward "everything" to one specific inside IP address (easy setup).
Just portforward everything on your ISP router to the pfSense , and then portforward the interesting ports in the pfSense to the correct pfSense inside ip's.
/Bingo
PS:
If you let pfSense NAT, and do not block RFC1918 on WAN (your ISP router uses RFC1918 on the inside LAN), then your ping/access of your ISP router from the Linux PC should work flawlessly.
-
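To make the two cases in the reply above concrete, here is an added example that is not part of the thread or of pfSense itself: a small Python model of the topology as described (ISP router 192.168.0.1, pfSense WAN 192.168.0.200 and LAN 192.168.100.254, desktop 192.168.100.1). The ISP router's public address, its upstream hop, the outside client and the laptop address are constructed stand-ins, as are the hop names. It walks a ping from the desktop to the ISP router and shows the reply being handed to the upstream link and lost when pfSense does not NAT and the ISP router has no static route, the same ping succeeding with either NAT on the pfSense WAN or a static route on the ISP router, and an inbound SSH connection being forwarded twice, once on the ISP router (to the pfSense WAN address, the only kind of target its forwarding form accepts) and once on pfSense (to the desktop).

```python
import ipaddress
from dataclasses import dataclass, field

ISP_LAN, PF_LAN = ipaddress.ip_network("192.168.0.0/24"), ipaddress.ip_network("192.168.100.0/24")
WAN_NET = ipaddress.ip_network("203.0.113.0/24")            # constructed: ISP-side link (TEST-NET-3)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ISP_ROUTER, PF_WAN, PF_LAN_IP, DESKTOP = "192.168.0.1", "192.168.0.200", "192.168.100.254", "192.168.100.1"
ISP_PUBLIC, UPSTREAM, CLIENT, LAPTOP = "203.0.113.50", "203.0.113.1", "203.0.113.99", "192.168.0.50"  # constructed

@dataclass
class Packet:
    src: str
    dst: str
    dport: int = 0
    hops: list = field(default_factory=list)

class Node:
    """Host or router: owned addresses, attached networks, static routes, default gateway."""
    def __init__(self, name, addrs, connected, routes=None, default=None, forwards=None):
        self.name, self.addrs, self.connected = name, set(addrs), list(connected)
        self.routes, self.default = dict(routes or {}), default  # ip_network -> next-hop IP
        self.forwards, self.states = dict(forwards or {}), {}   # dport -> inside IP; NAT state table

    def next_hop(self, dst):
        ip = ipaddress.ip_address(dst)
        if any(ip in net for net in self.connected):
            return dst                                          # directly attached
        for net, nh in sorted(self.routes.items(), key=lambda kv: -kv[0].prefixlen):
            if ip in net:
                return nh
        return self.default

    def ingress(self, pkt, via):                                # consumer router: port forward only
        if pkt.dst in self.addrs and pkt.dport in self.forwards:
            pkt.dst = self.forwards[pkt.dport]
        return pkt

    def egress(self, pkt, out_net):
        return pkt

class PfSense(Node):
    def __init__(self, nat_wan=True, block_private=False, forwards=None):
        super().__init__("pfSense", [PF_WAN, PF_LAN_IP], [ISP_LAN, PF_LAN], default=ISP_ROUTER, forwards=forwards)
        self.nat_wan, self.block_private = nat_wan, block_private

    def ingress(self, pkt, via):
        if via != ISP_LAN:
            return pkt                                          # LAN side: default allow-all rule
        if (pkt.dst, pkt.src) in self.states:                   # reply to a flow pfSense created: state wins
            pkt.dst = self.states[(pkt.dst, pkt.src)]
            return pkt
        if self.block_private and any(ipaddress.ip_address(pkt.src) in n for n in RFC1918):
            return None                                         # "Block private networks" on WAN
        if pkt.dst == PF_WAN and pkt.dport in self.forwards:
            pkt.dst = self.forwards[pkt.dport]                  # port forward plus its associated rule
            return pkt
        return None                                             # default WAN rules drop unsolicited traffic

    def egress(self, pkt, out_net):
        if out_net == ISP_LAN:                                  # leaving on WAN: outbound NAT + state
            orig = pkt.src
            if self.nat_wan and ipaddress.ip_address(orig) in PF_LAN:
                pkt.src = PF_WAN
            self.states[(pkt.src, pkt.dst)] = orig
        return pkt

def send(pkt, nodes, at, via=None, ttl=16):
    """Forward hop by hop; nodes maps every address to its node. Returns (outcome, hops)."""
    node = nodes[at]
    pkt.hops.append(node.name)
    if node.ingress(pkt, via) is None:
        return f"dropped at {node.name}", pkt.hops
    if pkt.dst in node.addrs:
        return "delivered", pkt.hops
    nh = node.next_hop(pkt.dst)
    if nh is None or ttl == 0:
        return f"no route at {node.name}", pkt.hops
    out_net = next(n for n in node.connected if ipaddress.ip_address(nh) in n)
    node.egress(pkt, out_net)
    if nh not in nodes:
        return f"sent toward {nh} and lost", pkt.hops
    return send(pkt, nodes, nh, out_net, ttl - 1)

def ping(nodes, src, dst):                                      # request, then reply to the source the target saw
    req = Packet(src, dst)
    out, hops = send(req, nodes, src)
    if out != "delivered":
        return "request " + out, hops
    out, rep_hops = send(Packet(req.dst, req.src), nodes, req.dst)
    return "reply " + out, hops + rep_hops

def build(nat_wan=True, block_private=False, isp_static_route=False, isp_forwards=None, pf_forwards=None):
    members = [PfSense(nat_wan, block_private, pf_forwards),
               Node("ISP router", [ISP_ROUTER, ISP_PUBLIC], [ISP_LAN, WAN_NET], default=UPSTREAM,
                    routes={PF_LAN: PF_WAN} if isp_static_route else None, forwards=isp_forwards),
               Node("desktop", [DESKTOP], [PF_LAN], default=PF_LAN_IP),
               Node("laptop", [LAPTOP], [ISP_LAN], default=ISP_ROUTER),
               Node("internet", [UPSTREAM, CLIENT], [WAN_NET])]
    return {addr: n for n in members for addr in n.addrs}

if __name__ == "__main__":                                      # the thread's cases
    print(ping(build(nat_wan=False), DESKTOP, ISP_ROUTER))      # reply sent upstream and lost
    print(ping(build(), DESKTOP, ISP_ROUTER))                   # NAT: reply comes back to pfSense
    print(send(Packet(CLIENT, ISP_PUBLIC, 22), build(isp_forwards={22: PF_WAN}, pf_forwards={22: DESKTOP}), CLIENT))
```

Running it prints the hop list for each case. The model also reproduces the point that a static route on the ISP router by itself does not let a host on 192.168.0.x reach pfSense or the machines behind it: the packet arrives on WAN as unsolicited traffic and is dropped by the default WAN rules (and, if enabled, by "Block private networks") until a WAN rule or port forward allows it. State is checked before the block rule, which is why NATed replies from 192.168.0.1 pass even with that option on; it only matters for connections that originate on the ISP router's LAN.
-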
@hypernova said in Deploying pfsense behind ISP router with double nat:
The reason being that with most ISP routers (at least all the ones I have come across) there is no way to open a port to anything other than the immediate local network.
For me this is 192.168.0.X.
However I wish to direct ssh traffic to another machine, on another network.
Hence why double nat is required?????
If ssh is blocked by the first router, how can double NAT possibly fix that?
The solution is to put the modem in bridge mode and use pfsense as your only router.
-
@bingo600 said in Deploying pfsense behind ISP router with double nat:
1:
Without the pfSense box doing NAT on the WAN, your ISP router needs a static route (for the Linux LAN) in order to send the ping reply packets back to (via) the pfSense box.
You might be "bitten" by RFC1918 default blocking of inbound WAN packets too.
Yes - this is my problem. I cannot assign static routes on my ISP router. There is no such functionality. This is presumably because I am not a business customer, and they require a business plan for such things.
2:
If you let pfSense NAT on the WAN port, you won't need any routes in the ISP router, as all appears to come from the pfSense, which is on a known LAN (the ISP inside LAN).
3:
You might want to look at your ISP routers "Portforwarding possibilities".
I had such an ISP setup, where the ISP router did NAT, and I needed to run a Linux FTP/web server behind it. I had an option to port forward "everything" to one specific inside IP address (easy setup).
Just portforward everything on your ISP router to the pfSense , and then portforward the interesting ports in the pfSense to the correct pfSense inside ip's.
This might be possible. My ISP router has port forwarding abilities.
The options are as such:
Local IP: (has to be 192.168.0.X, aka same network)
Local Start Port:
Local End Port:
External Start Port:
External End Port:
Protocol: UDP, TCP or BOTH
What options should I be choosing here?
Surely if I port forward everything, including things like Port 80, this will break access for other users on net 192.168.0.X ?
/Bingo
PS:
If you let pfSense NAT, and do not block RFC1918 on WAN (your ISP router uses RFC1918 on the inside LAN), then your ping/access of your ISP router from the Linux PC should work flawlessly.
This is why I think the only option is double NAT, but then this breaks communication between 192.168.0.X and the networks behind pfSense.