    ISP locked router and preventing double NAT

      RKCJ last edited by

      Firstly, my pfsense knowledge is pretty basic, meaning I'm struggling to know what to "Google" to find a solution to my problem. I've managed to set up an OpenVPN client connection and have specific LAN IPs using the VPN, and I am using a basic pfblockerNG setup for ad blocking; that's all I need for now. The internet connection is currently configured by a PPPoE connection on the pfsense WAN port, which is connected to an ADSL modem.

      Our apartment block has signed an exclusive deal with a fibre provider who make it mandatory to use their own locked modem/router/gateway, and will not provide the PPPoE credentials to use in other routers. Whilst the fibre ISP has been quite helpful in offering to configure their router any way I want, they aren't able to offer any help on what configuration I need to perform on my pfsense setup.

      What would be the best setup for someone relatively new to pfsense?

      Options I've seen so far:

      1. Give the ISP router a fixed IP (192.168.0.1), switch off WiFi and DHCP. Set up the pfsense WAN port for internet with the gateway as 192.168.0.1, and have all pfsense LAN setup (DHCP) use the 192.168.2.xxx range. I've tested this with my ADSL setup, and it seems to work, but I understand double NAT is involved, which will make services like VOIP problematic.

      2. The ISP has offered to forward all ports from their router/gateway to my pfsense router. This should eliminate double NAT?? What do I need to do on pfsense to make this work?

      3. The ISP's router could be configured to make the pfsense router the DMZ. This is an option I found on the net, but must assume the ISP's router is capable of this; again, what do I need to do on pfsense to make this work?

      Any help on which option to take and guidance/links on how to do the setup would be much appreciated.

        RKCJ last edited by

        Anybody with advice to help a newbie out?

          NOYB last edited by

          What about bridged mode?  If the ISP's router/modem supports bridge mode maybe that would be the way to go.

          As far as the exclusive deal and ISP requiring use of their router/modem.  Pop over to DSL reports.  People there tend to keep up with legalities, remedies, public shaming, etc. re: this sort of stuff.

          Of course any legalities would vary by country, etc.

            RKCJ last edited by

            @NOYB:

            What about bridged mode?  If the ISP's router/modem supports bridge mode maybe that would be the way to go.

            As far as the exclusive deal and ISP requiring use of their router/modem.  Pop over to DSL reports.  People there tend to keep up with legalities, remedies, public shaming, etc. re: this sort of stuff.

            Of course any legalities would vary by country, etc.

            Unfortunately, putting their router in bridged mode is not an option, and they will not provide the credentials for my pfsense router to initiate the connection. I had long discussions with them; it's either accept their router, or not use their service.

              johnpoz LAYER 8 Global Moderator last edited by

              "2) The ISP has offered to forward all ports from their router/gateway to my pfsense router. This should eliminate double NAT??"

              That is a double NAT. And if you don't have any other options, it will work.

              As long as pfsense sees all unsolicited inbound traffic to whatever the public IP actually is, it does not matter if pfsense has an rfc1918 address.  There could be some issues with some off-the-wall protocols, etc.  But in general this will work just fine.  As long as the traffic hits your pfsense, then you can control whatever port forwards you want with pfsense.

              You just need to make sure that whatever rfc1918 range they are using on your pfsense wan is not used on your lan side.  So for example if they use 192.168.0/24 then use 192.168.1/24 or any other networks that do not overlap with the 192.168.0/24 network on your wan.
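The overlap rule from the post above, as an added example that is not part of the original thread: it checks whether the pfSense WAN address is private (the double NAT case), lists internal networks that collide with the ISP-side range, and proposes a free /24. The function names, the WAN address 192.168.0.2/24 and the OpenVPN tunnel range are constructed for illustration.

```python
import ipaddress

# RFC 1918 private blocks
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _net(cidr):
    # Accept an interface address such as 192.168.0.2/24 and return its network
    return ipaddress.ip_network(cidr, strict=False)


def wan_is_private(wan):
    """True when the WAN side sits in RFC 1918 space, i.e. pfSense is behind another NAT."""
    return any(_net(wan).subnet_of(block) for block in RFC1918)


def find_overlaps(wan, internal):
    """Names of internal networks (LAN, VPN tunnels, ...) that overlap the WAN-side network."""
    wan_net = _net(wan)
    return [name for name, cidr in internal.items() if _net(cidr).overlaps(wan_net)]


def suggest_lan(wan, internal, prefix=24):
    """First private subnet of the given size that overlaps nothing already in use."""
    used = [_net(wan)] + [_net(c) for c in internal.values()]
    for block in reversed(RFC1918):          # try 192.168.0.0/16 first
        for cand in block.subnets(new_prefix=prefix):
            if not any(cand.overlaps(u) for u in used):
                return str(cand)
    return None


if __name__ == "__main__":
    # Constructed sample: ISP router at 192.168.0.1, pfSense WAN at 192.168.0.2/24
    wan = "192.168.0.2/24"
    internal = {"LAN": "192.168.0.0/24", "OPENVPN": "10.8.0.0/24"}
    print("WAN is private (double NAT):", wan_is_private(wan))
    print("Overlapping networks:", find_overlaps(wan, internal))
    print("Suggested LAN:", suggest_lan(wan, internal))
```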

                RKCJ last edited by

                @johnpoz:

                "2) The ISP has offered to forward all ports from their router/gateway to my pfsense router. This should eliminate double NAT??"

                That is a double NAT. And if you don't have any other options, it will work.

                As long as pfsense sees all unsolicited inbound traffic to whatever the public IP actually is, it does not matter if pfsense has an rfc1918 address.  There could be some issues with some off-the-wall protocols, etc.  But in general this will work just fine.  As long as the traffic hits your pfsense, then you can control whatever port forwards you want with pfsense.

                You just need to make sure that whatever rfc1918 range they are using on your pfsense wan is not used on your lan side.  So for example if they use 192.168.0/24 then use 192.168.1/24 or any other networks that do not overlap with the 192.168.0/24 network on your wan.

                Thank you for the response.

                Just want to make sure I understand your response correctly. I don't need to make any additional configs in pfsense for this scenario to work? All I need to make sure is the ISP router is on a different rfc1918 range to pfsense. Is that correct?

                  johnpoz LAYER 8 Global Moderator last edited by

                  Correct!

                    RKCJ last edited by

                    @johnpoz:

                    Correct!

                    Thank you, much appreciated.

                      mikeisfly last edited by

                      No need to port forward all ports, just have the ISP assign your PfSense box a statically assigned IP address. Then put that IP address in their router's DMZ. That should forward all unsolicited traffic to your PfSense box.

                        RKCJ last edited by

                        @mikeisfly:

                        No need to port forward all ports, just have the ISP assign your PfSense box a statically assigned IP address. Then put that IP address in their router's DMZ. That should forward all unsolicited traffic to your PfSense box.

                        Thanks for an alternative approach. The install is happening today; I will present the options to them.
