Double nat and 1:1 nat



  • Hello,

    I have two modems and since they share the same gateway I know pfsense does not support that.
    So I went ahead and put a Linksys wrt1200ac router after one of the modems.
    I'd like it so the wifi connections on the linksys can still communicate with the computers on the 192.168.1.1 lan network.

    I have assigned the linksys a LAN ip of 192.168.2.1
    Pfsense is assigned on WAN as 192.168.2.100

    LAN on pfsense is 192.168.1.1

    How can I go about doing this? From what I looked up I have to set up some rules in 1:1, but it would always be nice to get some direct feedback.
    Thanks



  • It is possible to make use of a WiFi device that is in front of the pfSense WAN. Not recommended for production office use - it is a bit too tricky to support because everyone needs to really understand what is going on. I found that the main hassle was when people would think "I can't reach the internet, there must be a problem with pfSense" and they would unplug the pfSense WAN cable and wonder why they still cannot get to the internet via the front-end WiFi. Well that was because devices on the front-end WiFi are getting DHCP from pfSense WAN, and routing in and out of pfSense WAN. The thing at the remote office would be that they call the ISP. Of course the ISP kindly resets the front-end WiFi-router for them to make "the internet" work. So the unusual back-routing of the front-end WiFi into pfSense WAN is unexpected by various support staff.

    I posted here https://forum.pfsense.org/index.php?topic=54650.0 and it does work (read the whole thread). It will let devices on the front-end WiFi access LAN and also "the internet" - whichever you wish. But unless you really need to save every watt, I would forget about the front-end WiFi and put a separate AP back in the LAN or on an OPT1 interface.



  • @phil.davis:

    Hey thanks for that, that is quite informative.
    My case is very similar, just a few differences. I want DHCP on the wrt1200ac router.
    Reason is because the power goes out sometimes. Not that common, but it does happen and usually for a few hours. It would be nice to just have the wrt1200ac router and the modem on the UPS so I can have a few hours of wifi. Pfsense drains the UPS battery in a few minutes.

    You wrote that "WAN has a rule allowing anything in with a source address in WAN subnet - lets the WiFi clients get to pfSense."

    I tried creating a few similar rules, but no luck. I can access the wrt1200ac from pfsense's lan, but the wifi clients on the wrt1200ac cannot access pfsense or any of the computers on its lan.

    EDIT: What is interesting is that I can ping and access the wrt1200ac (running openwrt) from pfsense and pfsense's lan, but I can't ping any of the computers on the wrt1200ac. Maybe the wrt1200ac is blocking access, I'll play around.






  • Ah there we go, it was just the firewall rules. Didn't seem to need any special outbound rules in pfsense or anything special with openwrt.
    I just used these rules below and all is well. First one is a bit redundant, but I'll leave it since it doesn't hurt.

    Thanks for the help!

    EDIT: I just realized, since they can both access each other, I wonder if they will compete for DHCP… more testing to do.
    EDIT2: I have multiple access points across the house (wired), and they are all connected to pfsense, so my laptop will get a 192.168.1.x ip. I move towards the area with the wrt1200ac (which has the same name/login as the other APs) and the laptop's ip changes to a 192.168.2.x ip and everything works seamlessly. I go back to the other side and the ip changes back to 192.168.1.x with pretty much no interruptions.
    I'm surprised it works so well. So far I have not seen any other type of DHCP competition for the wired computers or anything like that.
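
Added example, not part of the thread and not pfSense code: a small first-match model of inbound WAN rules using the thread's addressing, comparing the quoted "anything in with a source address in WAN subnet" rule with a narrower set. The client and server addresses, the ports, and the `SCOPED` rule set are constructed assumptions; the model assumes top-down first-match evaluation with an implicit default deny.

```python
import ipaddress
from dataclasses import dataclass

# Subnets and 192.168.2.100 come from the thread; all else is constructed.
WAN_NET = ipaddress.ip_network("192.168.2.0/24")   # Linksys LAN = pfSense WAN side
LAN_NET = ipaddress.ip_network("192.168.1.0/24")   # pfSense LAN
FW_WAN = ipaddress.ip_network("192.168.2.100/32")  # pfSense WAN address
ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: frozenset = frozenset()   # empty set means any port

def evaluate(rules, src, dst, port):
    """First matching rule wins; unmatched inbound traffic is dropped."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst and (not r.ports or port in r.ports):
            return r.action
    return "block"  # implicit default deny

# The rule quoted in the thread: anything in with a source in the WAN subnet.
BROAD = [Rule("pass", WAN_NET, ANY)]

# Hypothetical narrower set: WiFi clients get DNS and file sharing on LAN only.
SCOPED = [
    Rule("block", WAN_NET, FW_WAN),                        # firewall's own services
    Rule("pass", WAN_NET, LAN_NET, frozenset({53, 445})),  # selected LAN ports
]

# Constructed sample flows: (source, destination, destination port)
FLOWS = [
    ("192.168.2.50", "192.168.1.10", 445),   # WiFi client -> LAN file share
    ("192.168.2.50", "192.168.2.100", 443),  # WiFi client -> pfSense WAN address
    ("192.168.2.50", "192.168.1.10", 3389),  # WiFi client -> LAN remote desktop
    ("203.0.113.7", "192.168.1.10", 445),    # source outside the WAN subnet
]

def reachable(rules, flows):
    """Return the flows that the rule set lets through."""
    return [f for f in flows if evaluate(rules, *f) == "pass"]

if __name__ == "__main__":
    for name, rules in (("broad", BROAD), ("scoped", SCOPED)):
        print(name, reachable(rules, FLOWS))
```

With the broad rule every port on every LAN host, and the firewall's own WAN address, is open to any device that joins the front-end WiFi; the scoped set passes only the first flow.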