Netgate Discussion Forum

    Oh my, double NAT … what a pita ...

OpenVPN
7 Posts 4 Posters 1.3k Views
eddi1984

Hi folks,

I moved from the city to a rural location. I have a WISP (d:10/u:1; it works 50% of the time and gets 50% of the speed at best, but unlimited data), but I also want to add an LTE modem from a big cell phone provider (the tower is 5 km away and generally I get 70% signal strength; I plan to use an antenna and might get 90%+ signal, but there is a 500 GB data limit).

So, both the WISP and the mobility provider use their own devices and do NAT+firewall on them. I cannot turn routing off on both and have to live with it.
When I was living in the city, I had fibre 150/150 (but got more like 165/165 almost consistently and 99% reliable; talk about "downgrading …").

I have my pfSense set up with pfBlockerNG and do not want to run my internet without it (I also want pfSense to do all the other stuff: policy routing, firewall, DNS, DHCP etc.). I also had and want to continue using VoIP (using the mobility network). The problem is double NAT etc. But I am stuck using the devices provided to me; I asked if I can use something different, but that is a "no" (the WISP has another modem+antenna setup that has no NAT, but I would have to pay for the install plus the devices ...).

So, long explanation short, I want to use DigitalOcean to set up a VPN server and connect to it from my pfSense box (forget the WISP connection for now, it's too slow for VPN; I will re-purpose it for something different).

Q:
Once a VPN connection has been established, can I treat the VPN connection as I would my WAN connection and re-route all traffic through the VPN, do DNS, use pfBlocker etc.? Basically the same stuff as I am used to doing in the city with the WAN interface, but now with the VPN interface.

You guys have any pointers, ideas, suggestions? Is it possible?

Thanks.

So long,

Eddi

nycfly

Do the WISP/Mobility providers not let you specify a DMZ IP? If you use the DMZ IP as your pfSense gateway then you can avoid double NAT. I've done this with my LTE modem.

eddi1984

Hi,

the WISP modem does allow for DMZ, and I believe the LTE modem does as well. However, I was hoping to be able to use OpenVPN, so that I have an actual public IP where I can route traffic to and receive it directly on pfSense. Or is there a way to do that with DMZ? (I have never used DMZ, so I am not so familiar with the function and setup, but I have an understanding of why it's there and what it "can" do.)

Thanks.

Derelict LAYER 8 Netgate

"DMZ" in that case is just a 1:1 NAT that forwards all unsolicited traffic inside to a particular address. That address would be your pfSense WAN address.

You still have double NAT, but you don't have to worry about forwarding from the ISP device to pfSense WAN. Everything is forwarded.

So the outside address you would use would be whatever the ISP device gets from the ISP. Connections to that address would arrive on pfSense WAN.

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)

nycfly

@eddi1984:

Or is there a way to do that with DMZ

That depends on whether your endpoint device gets a public IP. T-Mobile, for instance, uses carrier-grade NAT for IPv4, so your WAN IP is still a private IP. Sounds like VPN may suit your needs better. Many of them offer the option of a fixed IP.

johnpoz LAYER 8 Global Moderator

T-Mobile doesn't even give out IPv4 anymore.. At least not here in Chicagoland on my cellphone. To connect to IPv4 it's being run through their NAT64 to get to your IPv4 resource..

Port forwarding on a WISP has always been a problem, has it not, since most of them NAT you anyway.. What does your "modem/ISP" device show for its public IP? Is it really a public IPv4 or is it some RFC 1918 address anyway?

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 25.07
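To answer johnpoz's question about what the ISP device really holds, here is a small added check in Python that is not from this thread or from any of its posters: it labels an address as RFC 1918, carrier-grade NAT shared space (RFC 6598), a NAT64 well-known-prefix address (RFC 6052) or public, counts the NAT layers sitting in front of pfSense, and says whether a DMZ/1:1 NAT on the ISP device could deliver inbound connections at all. All sample addresses in it are constructed.

```python
import ipaddress

# Added example, not from the thread. Address ranges that mean the address the
# ISP device shows as "public" is not reachable from the Internet directly.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT_V4 = ipaddress.ip_network("100.64.0.0/10")   # RFC 6598 shared address space (carrier NAT)
NAT64_WKP = ipaddress.ip_network("64:ff9b::/96")   # RFC 6052 well-known NAT64 prefix


def classify_address(addr: str) -> str:
    """Return a short label describing what kind of address addr is."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        if ip in NAT64_WKP:
            return "nat64-synthesized"   # an IPv4 destination reached through a carrier NAT64
        return "public-v6" if ip.is_global else "non-global-v6"
    if any(ip in net for net in RFC1918):
        return "rfc1918"                 # NATed by the device directly in front of you
    if ip in CGNAT_V4:
        return "cgnat"                   # NATed a second time inside the carrier network
    return "public-v4" if ip.is_global else "non-routable-v4"


def nat_layers_ahead_of_pfsense(pfsense_wan: str, isp_device_wan: str) -> int:
    """Count NAT layers between pfSense WAN and the Internet.

    pfsense_wan:    the address pfSense holds on its WAN (LAN side of the ISP device).
    isp_device_wan: the address the ISP device reports as its own WAN/"public" address.
    pfSense's own NAT comes on top of this, so 1 already means double NAT.
    """
    layers = 0
    if classify_address(pfsense_wan) == "rfc1918":
        layers += 1                      # the ISP device NATs pfSense
    if classify_address(isp_device_wan) in ("rfc1918", "cgnat"):
        layers += 1                      # the carrier NATs the ISP device
    return layers


def dmz_alone_gives_inbound(isp_device_wan: str) -> bool:
    """A DMZ/1:1 NAT on the ISP device only helps if that device's address is truly public."""
    return classify_address(isp_device_wan) == "public-v4"


if __name__ == "__main__":
    # Constructed sample: pfSense sits behind an LTE modem that itself sits behind CGNAT.
    print(classify_address("100.72.3.4"))                          # cgnat
    print(nat_layers_ahead_of_pfsense("192.168.0.2", "100.72.3.4"))  # 2
    print(dmz_alone_gives_inbound("100.72.3.4"))                   # False
```

If the ISP device's own WAN address classifies as "cgnat" or "rfc1918", a DMZ setting cannot give you an inbound-reachable address, which is the case where a VPN server with a fixed public IP (as nycfly suggested) is the workable option.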

nycfly

@johnpoz:

T-Mobile doesn't even give out IPv4 anymore.. At least not here in Chicagoland on my cellphone.

This is true on my iPhone, but my hotspot device (one of the two they currently sell) is IPv4 only.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.