Public IP on double NAT

  • Hello pfSense folks,

    Can you help me understand the routing in my network?
    My ISP router is providing Wi-Fi, and I attach a pfSense WAN interface (virtual machine) to the Wi-Fi subnet. So I have double NAT, first from the ISP router to pfSense, then in pfSense to my internal servers' ports.

    It is working fine for the outside users accessing the servers on the public IP, but for the Wi-Fi clients on the same subnet there is an issue. The ISP router seems not to route these clients to pfSense, so they hit the ISP router asking for credentials, either a certificate or the web UI login.

    For the moment I am bypassing this with a second public IP directly attached to another pfSense, serving a VPN.
    Any ideas?

  • Access the servers by the pfSense WAN IP from the Wi-Fi subnet.
    If you want to access them by host names, set up an internal DNS.

  • The issue is when I access the public IP from clients on the Wi-Fi subnet. The pfSense WAN interface is on the same subnet.
    The same subnet hosts laptop and Android clients going out through the router (DHCP gateway).
    The public IP is the WAN interface of the router.

    The problem is that an IP television is attached to the same router, so I don't want to bypass the router, because it is managed by the ISP, partially.
    So I think I should check something in the router, or ask the ISP for extra technical intervention.

    But I also think I will connect an access point to the Hyper-V server, where I will connect these clients. But for another topic, do I need an extra subnet to connect the access point? Because it doesn't seem pfSense can detect an access point on a virtual interface…

  • Accessing the server by the public IP can only work if the router provides NAT reflection. But I'm in doubt, because if it does, it is usually enabled by default.
    That is no problem with double NAT.

    Also attaching the wifi clients to an internal pfSense interface will not solve this issue.

    So the best way is to set up an internal DNS and add an override for your servers' host name.
    It can be done on pfSense. In this case, best practice is to move also the DHCP server to pfSense.
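As an added illustration (not code from this thread or from pfSense), here is a small Python check a Wi-Fi client can run to tell whether the DNS override suggested above is actually in effect, or whether the name still resolves to the ISP router's public IP and would therefore depend on NAT reflection. The host name, public IP, pfSense WAN IP and subnet are constructed placeholders.

```python
import ipaddress
import socket

# Constructed example values; replace with your own.
# On pfSense the override is entered in the GUI; the rendered config line is
#   DNS Resolver (Unbound):  local-data: "srv.home.lan. IN A 192.168.1.2"
#   DNS Forwarder (dnsmasq): host-record=srv.home.lan,192.168.1.2
EXAMPLE_NAME = "srv.home.lan"
EXAMPLE_PUBLIC_IP = "203.0.113.10"     # ISP router WAN side (hypothetical)
EXAMPLE_PFSENSE_WAN = "192.168.1.2"    # pfSense WAN on the Wi-Fi subnet
EXAMPLE_WIFI_SUBNET = "192.168.1.0/24"


def diagnose(resolved_ip, public_ip, pfsense_wan_ip, wifi_subnet):
    """Classify a DNS answer seen from a client on the ISP router's Wi-Fi subnet.

    split-dns   : answer is the pfSense WAN IP, traffic goes straight to pfSense
    hairpin     : answer is the public IP, the ISP router must do NAT reflection
    other-local : answer is on the Wi-Fi subnet but is not pfSense (wrong override)
    external    : answer is some other address (no override, different name, etc.)
    """
    resolved = ipaddress.ip_address(resolved_ip)
    subnet = ipaddress.ip_network(wifi_subnet, strict=False)
    if resolved == ipaddress.ip_address(pfsense_wan_ip):
        return "split-dns"
    if resolved == ipaddress.ip_address(public_ip):
        return "hairpin"
    if resolved in subnet:
        return "other-local"
    return "external"


def check_host(name, public_ip, pfsense_wan_ip, wifi_subnet, resolver=socket.gethostbyname):
    """Resolve `name` with the client's configured DNS and classify the answer.

    `resolver` is injectable so the logic can be exercised without network access.
    Returns (verdict, answer) where answer is the IP string or the error text.
    """
    try:
        answer = resolver(name)
    except OSError as exc:
        return "unresolved", str(exc)
    return diagnose(answer, public_ip, pfsense_wan_ip, wifi_subnet), answer


if __name__ == "__main__":
    verdict, answer = check_host(EXAMPLE_NAME, EXAMPLE_PUBLIC_IP,
                                 EXAMPLE_PFSENSE_WAN, EXAMPLE_WIFI_SUBNET)
    print(f"{EXAMPLE_NAME} -> {answer}: {verdict}")
```

Run it on a Wi-Fi client after pointing that client's DNS at pfSense; a "hairpin" verdict means the client is still using the ISP router's DNS (or has no override) and will be sent to the router's login page as described in the thread.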

  • Thanks for your answer, I hadn't forgotten.

    But I have some trouble in setting pfSense as DNS server. I have only activated the forwarder.

    How does it differ from the Microsoft DNS? How do you see the override for the servers?

  • I would forget that the ISP device can provide Wi-Fi, put the ISP device in bridge mode so pfSense gets the public IP address, and get another access point and put it behind pfSense for your Wi-Fi devices.

  • Thanks for your input, but as I mentioned, that router serves the television decoder, which gets an IP from it. That part is managed remotely by the ISP, on that router. I had tried to do as you say but there is an issue with the television. It works, but then it doesn't.
    So I still need the gateway in the router, I think, but it is not a very well documented device, and not very responsive.

    At the moment I have only a good Wi-Fi card on the Hyper-V server, not an AP. Any idea for using that Wi-Fi card as an AP? The Windows hosted hotspot is limiting…

  • I have no idea who your ISP is, but this FAQ might help:

    It talks about FIOS and their TV package. In order to get all of the services to work with your TV, those devices need to be on the FIOS LAN. How you get a second router or network working in this kind of environment is addressed in the above FAQ. It might not apply 100% to your particular situation, but it does have some very well thought out approaches to solve the issue that may be helpful to you.
