Netgate Discussion Forum

    pfSense behind ATT Gateway

    DHCP and DNS
    13 Posts 5 Posters 4.4k Views
      A Former User

      This post is deleted!
        SteveITS Galactic Empire

        People talk about double NAT being a problem but honestly I've never seen it. We've been running our office and my home that way for years, as well as a few clients where the ISP couldn't/wouldn't turn on bridging. We are using 1:1 NAT in our office and a DMZ setting on other ISP routers that aren't bridged (which forwards all ports to the DMZ IP). In Interfaces/WAN you can uncheck "Block private networks and loopback addresses" to be able to connect to the AT&T router.

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

          johnpoz LAYER 8 Global Moderator

          @teamits said in pfSense behind ATT Gateway:

          People talk about double NAT being a problem but honestly I've never seen it.

          It can be problematic depending on what protocols you're using.. Agree most normal use wouldn't have a problem.. But there are many protocols that could have issues with it for sure.

          Depending on how many users you have, and if they have applications that require specific ports, you could have problems doing that sort of thing as well, etc.

          It's also not as efficient, and anything that is doing nat will cause a hit.. Be it you actually notice it or not is another thing.. The answer here is you should avoid it if you can.. But unless you're doing something specific, most likely everything will work.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

            A Former User

            This post is deleted!
              SteveITS Galactic Empire @A Former User

              @MilesMorales I don't understand the comments about DNS override settings since that shouldn't affect what address the WAN interface gets. Is your WAN set to DHCP? If you use the DMZ feature of the AT&T router you can give your pfSense a static IP and use whatever DNS servers you want in System/General.

              @johnpoz said in pfSense behind ATT Gateway:

              applications that require specific ports

              We don't enable uPnP as a rule, and just set up port forwarding on the pfSense as normal. In our office we have several hundred client PCs checking in, have email/Exchange, master DNS, remote connections, etc. I'm not saying you're wrong just never run into an issue. :) My guess is it's mostly a problem if people don't set up the pfSense to be in the ISP router DMZ and don't forward ports in the ISP router. As I noted ISP router passthrough mode may be easier if it works so the pfSense gets a public IP. I've just had mixed results with that on AT&T DSL/Uverse.

                johnpoz LAYER 8 Global Moderator

                @teamits said in pfSense behind ATT Gateway:

                I'm not saying you're wrong just never run into an issue

                And do you run a passive ftp server behind your double nat.. Do you have clients that are trying to do active ftp to some server on the public internet? Where one of the natting routers doesn't have APM to allow for the data ports? Do you run any software that requires static ports.. Say ISAKMP?

                There are plenty of scenarios where it could be problematic..

                Even when you put pfsense into the DMZ setting of the upstream router - doesn't matter if there are issues with the double nat. Just because you have not run into a specific issue with your stuff, doesn't mean it can't be an issue.

                You sure shouldn't choose to be behind a double nat if you don't have to..

                The problem quite often isn't that whatever couldn't be done with a double nat, it's that you don't have access to do what you need to do on the upstream isp router that is natting.. Where if you could remove that nat, you would have only 1 nat to deal with that you control..

                  A Former User @SteveITS

                  This post is deleted!
                    A Former User

                    This post is deleted!
                      A Former User

                      This post is deleted!
                        Brian 1

                        For anyone that is still struggling with the dreaded pfsense behind ATT gateway, I managed to set this up yesterday in a true bridged mode. First, set up Pass through mode (there is plenty of documentation on this). The missing piece is setting up the cascaded router. For this (on the ATT router) navigate to Home Network >Subnets & DHCP. Leave the Private Lan Subnet and Configure IPV6 DHCP alone. In the cascaded router section:
                        Cascaded Router Enable - On
                        Cascaded Router Address - Your expected public IP address
                        Network address - the above x.x.x.0/24
                        Subnet Mask - 255.255.255.0

                        Do the normal dance.. Reset the ATT Router then Reset your pfSense machine. (The ATT box needs to be done before the pfSense machine is reset).

                        Enjoy your public IP with no Double NAT.
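
An added example, not code from Brian 1's post or anyone else in this thread: a small Python check that classifies the address pfSense's WAN received (private, CGNAT, or public, which is how you confirm the cascade above actually removed the double NAT), tells you whether SteveITS's note about unchecking "Block private networks and loopback addresses" applies to reaching the gateway, and fills in the cascaded-router fields from an expected public IP using the /24 the steps describe. Function names and all addresses are constructed samples, not AT&T or pfSense APIs.

```python
import ipaddress

# Constructed example, not part of the forum post. Ranges that, seen on
# pfSense's WAN, mean an upstream device (the AT&T gateway or the ISP)
# is still translating your traffic.
DOUBLE_NAT_RANGES = {
    "rfc1918": [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
    "cgnat": [ipaddress.ip_network("100.64.0.0/10")],
    "link-local": [ipaddress.ip_network("169.254.0.0/16")],
}

def wan_placement(wan_ip: str) -> str:
    """'public': pass-through/cascaded router worked, one NAT you control.
    'rfc1918': double NAT behind the gateway's private LAN.
    'cgnat': double NAT at the ISP (carrier-grade NAT, 100.64/10).
    'link-local': the WAN never got a DHCP lease at all."""
    ip = ipaddress.ip_address(wan_ip)
    for label, nets in DOUBLE_NAT_RANGES.items():
        if any(ip in net for net in nets):
            return label
    return "public"

def block_private_must_be_unchecked(gateway_lan_ip: str) -> bool:
    """True when pfSense's WAN option 'Block private networks and loopback
    addresses' would stop you reaching the gateway's own (private) LAN IP."""
    return wan_placement(gateway_lan_ip) == "rfc1918"

def cascaded_router_settings(public_ip: str, prefix_len: int = 24) -> dict:
    """Fill in the AT&T 'Cascaded Router' fields from the expected public IP
    using the /24 the post describes. Refuses a non-public address, since
    cascading to a private IP would just recreate the double NAT."""
    if wan_placement(public_ip) != "public":
        raise ValueError(f"{public_ip} is not a public address")
    iface = ipaddress.ip_interface(f"{public_ip}/{prefix_len}")
    return {
        "Cascaded Router Enable": "On",
        "Cascaded Router Address": str(iface.ip),
        "Network address": str(iface.network.network_address),
        "Subnet Mask": str(iface.netmask),
    }

if __name__ == "__main__":
    # Constructed sample values: a private WAN lease, then the fixed setup.
    print(wan_placement("192.168.1.64"))          # rfc1918 -> double NAT
    print(cascaded_router_settings("203.0.113.5"))
```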

                          fresnoboy @Brian 1

                          @brian-1

                          Unfortunately I think this still ends up doing a 1:1 NAT in the box. It's limited to about 4K NAT table entries, which is inadequate if you have a lot of devices.

                          The problem is with 2.5 the RG bypass methods that people like me have used don't seem to work, so we will hang on 2.4.5 until things get sorted out.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.