Netgate Discussion Forum

    Public ip on double Nat

      lonblu

      Hello pfSense folks,

      Can you help me understand the routing in my network?
      My ISP router is providing Wi-Fi, and I attach a pfSense WAN interface (virtual machine) to the Wi-Fi subnet. So I have double NAT, first from the ISP router to pfSense, then in pfSense to my internal servers' ports.

      It is working fine for the outside users accessing the servers on the public IP, but for the Wi-Fi clients on the same subnet there is an issue. The ISP router seems not to route these clients to pfSense, so they hit the ISP router asking for credentials, either certificate or web UI login.

      For the moment I am bypassing this with a second public IP directly attached to another pfSense, serving a VPN.
      Any ideas?

        viragomann

        Access the servers by the pfSense WAN IP from the Wifi subnet.
        If you want to access them by host names, set up an internal DNS.

          lonblu

          The issue is when I access the public IP from clients on the Wi-Fi subnet. The pfSense WAN interface is on the same subnet.
          The same subnet hosts laptop and Android clients going out through the router (DHCP gateway).
          The public IP is the WAN interface of the router.

          The problem is that an IP television is attached to the same router, so I don't want to bypass the router, because it is managed by the ISP, partially.
          So I think I should check something in the router, or ask the ISP for extra technical intervention.

          But I also think I will connect an access point to the Hyper-V server, where I will connect these clients. But for another topic, do I need an extra subnet to connect the access point? Because it doesn't seem pfSense can detect an access point on a virtual interface…

            viragomann

            Accessing the server by the public IP can only work if the router provides NAT reflection. But I'm in doubt, because if it does, it is usually enabled by default.
            That is no problem with double NAT.

            Also attaching the wifi clients to an internal pfSense interface will not solve this issue.

            So the best way is to set up an internal DNS and add an override for your servers' host name.
            It can be done on pfSense. In this case, best practice is to also move the DHCP server to pfSense.

            1 Reply Last reply Reply Quote 0
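The behaviour discussed above, as an added example that is not part of any poster's reply: a small Python model of why a Wi-Fi client reaching the public IP lands on the ISP router itself unless the router does NAT reflection, and why an internal DNS override avoids the router entirely. All addresses, the host name `srv.example.com` and the port forward are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses (documentation / private ranges), not from the thread.
PUBLIC_IP = ip_address("203.0.113.10")    # ISP router WAN address
WIFI_NET = ip_network("192.168.1.0/24")   # ISP router LAN / Wi-Fi subnet
PFSENSE_WAN = ip_address("192.168.1.2")   # pfSense WAN, inside WIFI_NET
ROUTER_FORWARDS = {443: PFSENSE_WAN}      # router port forward to pfSense
PUBLIC_DNS = {"srv.example.com": PUBLIC_IP}
INTERNAL_OVERRIDE = {"srv.example.com": PFSENSE_WAN}  # split-DNS host override


def resolve(name, internal_dns):
    """Internal DNS answers with the override; otherwise the public record."""
    if internal_dns and name in INTERNAL_OVERRIDE:
        return INTERNAL_OVERRIDE[name]
    return PUBLIC_DNS[name]


def deliver(src, dst, dport, nat_reflection):
    """Return which device answers a connection from src to dst:dport."""
    src, dst = ip_address(src), ip_address(dst)
    on_wifi = src in WIFI_NET
    if on_wifi and dst in WIFI_NET:
        # Same subnet: delivered directly, the ISP router's NAT is not involved.
        return "pfsense" if dst == PFSENSE_WAN else "other-lan-host"
    if dst == PUBLIC_IP:
        # Port forwards match WAN-side traffic; LAN-side traffic matches them
        # only when the router implements NAT reflection (hairpin NAT).
        if dport in ROUTER_FORWARDS and (not on_wifi or nat_reflection):
            return "pfsense"
        return "isp-router"   # router's own web UI / login prompt
    return "internet"


def connect(src, name, dport, nat_reflection=False, internal_dns=False):
    """Resolve the name the way the client would, then deliver the packet."""
    return deliver(src, resolve(name, internal_dns), dport, nat_reflection)


if __name__ == "__main__":
    for label, kwargs in [("outside client", {}), ("wifi, no reflection", {}),
                          ("wifi, reflection", {"nat_reflection": True}),
                          ("wifi, internal DNS", {"internal_dns": True})]:
        src = "198.51.100.7" if label == "outside client" else "192.168.1.50"
        print(label, "->", connect(src, "srv.example.com", 443, **kwargs))
```
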
              lonblu

              Thanks for your answer, I hadn't forgotten.

              But I have some trouble in setting pfSense as DNS server. I only have activated the forwarder.

              How does it differ from the Microsoft DNS? How do you see override for the servers?

                Derelict LAYER 8 Netgate

                I would forget that the ISP device can provide Wi-Fi, put the ISP device in bridge mode so pfSense gets the public IP address, and get another access point and put it behind pfSense for your Wi-Fi devices.

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                  lonblu

                  Thanks for your input, but as I mentioned, that router serves the television decoder, which gets an IP from it. That part is managed remotely by the ISP, on that router. I had tried to do as you say but there is an issue with the television. It works, but then it doesn't.
                  So I still need the gateway in the router, I think, but it is not a very well documented device, and not very responsive.

                  At the moment I have only a good Wi-Fi card on the Hyper-V server, not an AP. Any idea for using that Wi-Fi card as an AP? The Windows hosted hotspot is limiting…

                    tim.mcmanus

                    I have no idea who your ISP is, but this FAQ might help:  http://www.dslreports.com/faq/16077

                    It talks about FIOS and their TV package.  In order to get all of the services to work with your TV, those devices need to be on the FIOS LAN.  How you get a second router or network working in this kind of environment is addressed in the above FAQ.  It might not apply 100% to your particular situation, but it does have some very well thought out approaches to solve the issue that may be helpful to you.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.