Oh my, double NAT … what a pita ...

  • Hi folks,

    I moved from the city to a rural location. I have a WISP (d:10/u:1; it works 50% of the time and I get 50% of the speed at best, but unlimited data), but I also want to add an LTE modem from a big cell phone provider (the tower is 5 km away and I generally get 70% signal strength; I plan to use an antenna and might get 90%+ signal, but there is a 500 GB data limit).

    So, both the WISP and the mobility provider use their own devices and do NAT+firewall on them. I cannot turn routing off on either and have to live with it.
    When I was living in the city, I had 150/150 fibre (but got more like 165/165 almost consistently and it was 99% reliable; talk about "downgrading" …).

    I have my pfSense set up with pfBlockerNG and do not want to run my internet without it (I also want pfSense to do all the other stuff: policy routing, firewall, DNS, DHCP etc.). I also had VoIP and want to continue using it (over the mobility network). The problem is double NAT etc. But I am stuck using the devices provided to me; I asked if I could use something different, but that is a "no" (the WISP has another modem+antenna setup that has no NAT, but I would have to pay for the install plus the devices ...).

    So, long explanation short, I want to use DigitalOcean to set up a VPN server and connect to it from my pfSense box (forget the WISP connection for now, it's too slow for VPN; I will repurpose it for something different).

    Once a VPN connection has been established, can I treat the VPN connection as I would my WAN connection and re-route all traffic through the VPN, do DNS, use pfBlocker etc.? Basically the same stuff as I am used to doing in the city with the WAN interface, but now with the VPN interface.

    You guys have any pointers, ideas, suggestions? Is it possible?


    So long,


  • Do the WISP/Mobility providers not let you specify a DMZ IP? If you use the DMZ IP as your pfSense gateway then you can avoid double NAT. I've done this with my LTE modem.

  • Hi,

    The WISP modem does allow for DMZ, and I believe the LTE modem does as well. However, I was hoping to be able to use OpenVPN, so that I have an actual public IP where I can route traffic to and receive it directly on pfSense. Or is there a way to do that with DMZ? (I have never used DMZ, so I am not so familiar with its function and setup, but I have an understanding of why it's there and what it "can" do.)


  • LAYER 8 Netgate

    "DMZ" in that case is just a 1:1 NAT that forwards all unsolicited traffic inside to a particular address. That address would be your pfSense WAN address.

    You still have double NAT, but you don't have to worry about forwarding from the ISP device to pfSense WAN. Everything is forwarded.

    So the outside address you would use would be whatever the ISP device gets from the ISP. Connections to that address would arrive on pfSense WAN.

  • @eddi1984:

    Or is there a way to do that with DMZ

    That depends on whether your endpoint device gets a public IP. T-Mobile, for instance, uses carrier-grade NAT for IPv4, so your WAN IP is still a private IP. Sounds like a VPN may suit your needs better. Many of them offer the option of a fixed IP.

  • LAYER 8 Global Moderator

    T-Mobile doesn't even give out IPv4 anymore, at least not here in Chicagoland on my cellphone. To connect to IPv4, it's being run through their NAT64 to get to your IPv4 resource.

    Port forwarding on a WISP has always been a problem, has it not, since most of them NAT you anyway. What does your "modem/ISP" device show for its public IP? Is it really a public IPv4, or is it some RFC 1918 address anyway?
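
    As an added example (not code from the thread or from any of its posters), here is a small Python script that turns the question above into a check: take pfSense's WAN address, the address the ISP device reports on its own WAN side, and the address an outside service sees, classify each one (RFC 1918, RFC 6598 CGNAT space, public), and work out how many NAT layers sit in front of pfSense and whether the "DMZ" forward-all on the ISP device can deliver inbound connections to it. All addresses in the script are constructed sample values, not the OP's setup; the function and field names are this example's own.

```python
"""Diagnose double NAT / CGNAT from three addresses (added example, sample data constructed).

Inputs: pfSense WAN address, the ISP device's own WAN-side address (from its status
page), and the address an outside service reports for you. Output: how many NAT layers
sit between pfSense and the Internet and whether a DMZ/1:1 forward on the ISP device
would let unsolicited inbound traffic reach pfSense WAN.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space used by carrier NAT
OTHER_NONPUBLIC = [ipaddress.ip_network(n) for n in
                   ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def classify(addr: str) -> str:
    """Return 'rfc1918', 'cgnat', 'reserved', 'public' or 'ipv6' for one address string."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        return "ipv6"
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if ip in CGNAT:
        return "cgnat"
    if any(ip in net for net in OTHER_NONPUBLIC):
        return "reserved"
    return "public"


def diagnose(pfsense_wan: str, modem_wan: str, observed_public: str) -> dict:
    """Count NAT layers in front of pfSense and say whether a DMZ forward would expose it."""
    pf, md = classify(pfsense_wan), classify(modem_wan)
    layers = 0

    # pfSense itself holds the address the world sees: nothing is NATing it.
    if pf == "public" and pfsense_wan == observed_public:
        return {"nat_layers": 0, "inbound_via_dmz": True, "upstream_cgnat": False,
                "advice": "pfSense owns the public address; no DMZ or VPN needed for inbound"}

    if pf != "public":
        layers += 1  # the ISP device NATs pfSense (its WAN is private or CGNAT space)

    # ISP device holds the real public address: a DMZ / forward-all to pfSense WAN works.
    if md == "public" and modem_wan == observed_public:
        return {"nat_layers": layers, "inbound_via_dmz": True, "upstream_cgnat": False,
                "advice": "ISP device owns the public address; DMZ/1:1 to pfSense WAN delivers inbound"}

    # ISP device's WAN is itself private/CGNAT or differs from the observed address:
    # there is another NAT upstream (carrier-grade NAT), which a DMZ setting cannot cross.
    layers += 1
    return {"nat_layers": layers, "inbound_via_dmz": False, "upstream_cgnat": md in ("rfc1918", "cgnat"),
            "advice": "NATed upstream of the ISP device; DMZ cannot expose pfSense, tunnel to a host with a public address"}


if __name__ == "__main__":
    # Constructed scenarios: WISP with a real public address, LTE behind CGNAT, and the old fibre line.
    scenarios = {
        "wisp":  ("192.168.1.2", "203.0.113.45", "203.0.113.45"),
        "lte":   ("192.168.12.2", "100.71.8.20", "198.51.100.77"),
        "fibre": ("203.0.113.9", "203.0.113.9", "203.0.113.9"),
    }
    for name, addrs in scenarios.items():
        print(name, diagnose(*addrs))
```

    Reading the ISP device's own WAN address off its status page is the key step: if that address is in 100.64.0.0/10 or an RFC 1918 range, the provider is NATing the device too, and no DMZ setting on it will make pfSense reachable from outside.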

  • @johnpoz:

    T-Mobile doesn't even give out IPv4 anymore, at least not here in Chicagoland on my cellphone.

    This is true on my iPhone but my hotspot device (one of the two they currently sell) is IPv4 only.
