Double NAT TCP/UDP not returning

  • I have been searching around the forums but haven't found anything yet that fits my case.

    • I have a Ubuiquiti USG as my perimeter firewall and router, one of it's interfaces gateways is the other is
    • has a single device, a virtual pfsense router with as WAN side IP.
    • is the LAN side pfsense IP.
    • Devices pointed to a gateway of can resolve dns and ping via IP but when trying to returns any other tcp traffic it just leaves the network and doesn't seem to come back. That's of course if I am reading the packet captures correct :)

    I know double NAT's are bad but it's either this or just trash pfsense and use the USG. Was hoping to find a way to use pfsense for fun and learning. Eventually I want to use the pfsense box as a second gateway for vpn traffic but I can't get any traffic to return with just a standard config. I figure something strange is going on with the route tables.

    My config in pfsense:
    alt text

    alt text

    I also have my WAN set to the default route.

  • LAYER 8 Netgate

    Why would you put the same subnet (10.3.3.X) inside pfSense as you have on the other router?

  • I don't have the gear for vlan's right now so am a little limited in what I can do with subnets. You think that is my problem?

  • LAYER 8 Netgate

    Well, yeah, probably. pfSense will think 10.3.3 is a local subnet. If you are putting pfSense LAN on the LAN of the outside router you'll have asymmetric nonsense.

  • But remember, the perimeter router is serving two internal subnets on two interfaces. example; eth0 is and eth1 If pfsense WAN is physically on 10.4.4.x wouldn't it not be an issue that pfsense LAN is physically on 10.3.3.x?

    I didn't mention because didn't want to complicate things too much but...

    pfsense is virtualized (proxmox) i have created a virtual only interface as well on (called dmz in pfsense). In this case I get the same result. That would eliminate the two gateways on one LAN problem (10.3.3.x), but the problem still remained.

  • LAYER 8 Netgate

    It makes no sense to me why you would do it that way.

    Might need a diagram to see how it is all logically connected.

  • LAYER 8

    you are going out from LAN/DMZ -> -> but i bet packet are coming back from

  • @kiokoman I think it's this or something like it. But have not been able to pin it down.

    alt text

  • LAYER 8 Netgate

    Yeah putting a router on the same backside subnet like that will only cause you grief and pain.