Double NAT, Fixed IP address, security ?



  • I think I have a double NAT situation? I am unsure of the implications but my internet provider had suggested that they can provide me with a fixed IP address. I would need to provide them with my MAC address...

    Would this fix a double NAT situation? Would this increase my security? Everything seems to be working as is...

    Thoughts or suggestions? I am not even sure what questions to ask...

    Any input would be appreciated.

    Thx


  • Rebel Alliance Global Moderator

    What do you mean you "think" you have a double NAT? Does pfSense have a public IP on its WAN or not? If not then yeah you have a double NAT..

    Changing your public IP to static has zero to do with a double NAT..



  • Thanks Johnpoz...

    My WAN is showing an IP that is not RFC1918? i.e. 73.xx.206.xx is this a public IP? I think it is...in which case I am OK.

    My internet provider suggested that a fixed IP would be more secure. Is this true?

    Thanks again...



  • Check https://whatismyipaddress.com
    If it is showing the same IP as your WAN Interface you have Public IPv4.
    Fixed vs. dynamic IP has nothing to do with security. I'd prefer a fixed one if there is a choice; it makes some things easier, especially if you run any services at home (VPN, mail server, ...).

    -Rico



  • Thanks Rico...

    I am pushing my traffic thru a VPN provider, https://whatismyipaddress.com is showing my VPN address.

    I got the WAN address from my dashboard. I have the "Gateways" widget on my dashboard.



  • Then temporarily disable the VPN on your WAN and check again. :-)
    I don't like the idea of pushing all my traffic through a VPN provider anyway. If I log in to my bank account, for example, I don't want to have any 3rd parties involved.

    -Rico



  • Thanks Rico...

    I had to try and unwind my config to run thru my WAN, did a factory reset as an easier approach and then reinstalled my configuration. When I went to https://whatismyipaddress.com it showed a 73.xx.xx.xx IP.



  • Did it show a different 73.xx.xx.xx than the one on your WAN, or exactly the same?

    -Rico



  • Interesting, but I checked again and while close the last 3 digits were different???

    So my widget reads(I have changed these for the post) = 73.xx.xx.123

    When I do a factory reset(No VPN) it reads = 73.xx.xx.133



  • Just to clarify:
    So my widget reads(I have changed these for the post) = 73.xx.xx.123

    When I do a factory reset(No VPN) and go to https://whatismyipaddress.com it reads = 73.xx.xx.133



  • Most ISPs with dynamic IP give you a different IP with each reconnect.
    To check correctly see what IP is on your WAN and without reconnecting hit https://whatismyipaddress.com/ and check if the IP is the same or not.
    Same IP = Public IPv4
    Different IP = NAT

    -Rico



  • I think I just did that, specifically:

    My widget reads: 73.xx.xx.123

    Opened a different tab in the same browser, navigated to https://whatismyipaddress.com and it is showing: 73.xx.xx.133

    i.e. they are different...


  • Rebel Alliance Global Moderator

    @rico said in Double NAT, Fixed IP address, security ?:

    Most ISPs with dynamic IP give you a different IP with each reconnect.

    I do not agree at all... I have had the same IP since I moved to this new ISP. And before that the same "dynamic" IP for years... The only time the IP would change is if the connected device ("router") changed, so that the MAC address was different when I requested an IP from DHCP. Once this device is connected, until such time that you are OFFLINE for the lease to expire, your router would just continue to renew this same DHCP lease from now until doomsday.

    Unless the ISP on purpose rotates the IPs, or changes IP space/dhcp server in your area you should just continue to renew your lease and get the same IP - unless you go offline for such a time that the lease expires and the dhcpd hands out your old IP to some new client, etc.

    If you're seeing a different octet on your WAN than what whatsmyip shows you - it could point to a NAT from public to public, which seems ODD.. Or maybe your ISP is routing your traffic through a proxy? Possible I guess. But also a bit odd..

    Maybe your browser is just pointing to a proxy? And your isp is not actually doing transparent proxy of your web sort of traffic..

    Is your connection say PPPoE based? If so then yeah you could for sure be seeing a different IP than on your WAN.. Can you hit your WAN IP from a public IP? And yeah that could change on every reconnection or reauth, etc. But here in the US, at least with every ISP I have ever used, or family or friends or clients or whatever, once you grab that lease from the ISP DHCP - it doesn't change until you either change your MAC, or have been offline for an extended period, or the ISP does something to change the network or their setup, etc.



  • Thank you both for your help, learning a lot.

    Here is more info, I checked again and here is what I see, excuse me if I have a noob error, but just trying to understand. I checked my IPs again, however this time I used the "Interfaces" widget, not the "Gateways" widget:

    Fresh Factory restore:
    whatsmyip = 73.xx.xx.133
    Interfaces widget = 73.xx.xx.133

    My configuration pushing traffic thru my VPN:
    Interfaces widget = 73.xx.xx.133
    Gateways widget = 73.xx.xx.123
    whatsmyip = I am having a hell of a time trying to now break free of my traffic being forced thru my VPN. I placed an any/any rule at the top.

    As far as double NAT goes, I don't think this is happening? But I think I might want to look into this more...


  • Rebel Alliance Global Moderator

    Ok that EXPLAINS it ;) your "gateway" is the IP of your ISP device, i.e. the device you talk to when you get to the internet - it's their router your router is connected to..

    So yes that octet would be different but would be in the same network.

    As to not pushing traffic through your vpn - make sure you do not pull routes in the client config, and then just policy route what you want to go through the vpn.
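
The check the thread converges on, written out as an added example (not part of the original posts and not pfSense code): compare the WAN interface address, never the gateway address, with the externally observed address, and flag RFC1918 or carrier-NAT space on the WAN. The function names, finding labels, prefix lengths and sample addresses (documentation ranges standing in for the redacted 73.xx.xx.xx values) are constructed for illustration.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space


def classify(addr):
    """Return 'rfc1918', 'cgnat' or 'public' for an IPv4 address string."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if ip in CGNAT:
        return "cgnat"
    return "public"


def diagnose(wan_if, prefix, gateway, external):
    """Compare the WAN interface address with what an external site sees.

    wan_if   - address on the firewall's WAN interface (Interfaces widget)
    prefix   - WAN prefix length (assumed known from the interface status)
    gateway  - ISP next hop (Gateways widget); not the address to compare
    external - address reported by a what's-my-IP site, VPN disabled
    """
    findings = []
    kind = classify(wan_if)
    if kind == "rfc1918":
        findings.append("double-nat")        # an upstream device is NATing
    elif kind == "cgnat":
        findings.append("carrier-nat")       # ISP-side NAT
    elif ipaddress.ip_address(external) == ipaddress.ip_address(wan_if):
        findings.append("public-ipv4")       # WAN holds the public address
    else:
        findings.append("external-mismatch")  # VPN, proxy or NAT in the path
    # The gateway is a different host on the same network as the WAN
    # address, so it differing from the external address is expected.
    wan_net = ipaddress.ip_interface(f"{wan_if}/{prefix}").network
    if ipaddress.ip_address(gateway) in wan_net:
        findings.append("gateway-on-link")
    return findings


if __name__ == "__main__":
    # Constructed samples: (WAN address, prefix, gateway, external address)
    samples = {
        "factory reset, no VPN": ("203.0.113.133", 24, "203.0.113.123", "203.0.113.133"),
        "traffic forced via VPN": ("203.0.113.133", 24, "203.0.113.123", "198.51.100.7"),
        "behind an ISP router": ("192.168.1.2", 24, "192.168.1.1", "203.0.113.133"),
    }
    for name, args in samples.items():
        print(f"{name}: {diagnose(*args)}")
```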