Routing via ISP router and avoiding double NAT

pduk82

Hi

This is probably a basic question, I am no expert! I had symmetric gigabit internet installed and have had issues to get it to full speed when I connect direct from the netgate to the ONT and using PPPoE because PPPoE is a single threaded workload on BSD (and Linux) based systems and my netgate can't handle that workload.
So the ISP implemented their own router which works at full speed. ISP cannot use DHCP in my area (yet).
Trouble is I now get double NAT when I connect my PFSense to the ISP router.

I decided to post in this category rather than NAT because I think this is all now to do with routing setup in PF sense.

Taking a step back... I use PF Sense at home for a number of reasons:

1. Separating/isolating networks and respective devices for security with vlans/dhcp/dns and firewall
2. Enforce Country block and IP block lists
3. QoS to make sure the more important stuff is prioritized
4. Dynamic DNS for my domains
5. HAProxy (future requirement)
6. VPN (future requirement)
7. Multi-Wan for failover while I have overlap of ISP contracts (temporary)

I understand some of this sounds overkill but #1,2 I feel (please do let me know if I am being over the top) as good security measures even at home. the rest are nice to have.

So to the main question... How can I use the ISP router to handle the PPPoE, and still use my netgate to handle all of the above points, and avoid double nat?

Thanks! apologies in advance if this is super simple stuff - I just have no idea!

johnpoz

@pduk82 said in Routing via ISP router and avoiding double NAT:

Trouble is I now get double NAT when I connect my PFSense to the ISP router.

While not "optimal" is normally not a big deal.. Does your ISP router not support half bridge, if I recall this is how their device can handle the pppoe stuff, but pfsense would get public IP.

pduk82

@johnpoz
Good point! seems to run OpenWRT underneath some interface labelled as SMART/OS. They've locked it down to prevent access to those settings.
I do have a question out to their support to ask if I can have access or if they can switch it but the initial response was no, they either install a ONT in [full] bride mode or install this router but i have gone back to ask again. They have said they do hope to transition my area from PPPoE to DHCP but no timeline, which was another hope I had.

pduk82

Hi ok confirmed again from support. Not possible with the way they apply their app onto the router.

johnpoz

@pduk82 well its not the end of the world - double nat is not all that bad, while there are some special apps that might have problems. Generally speaking most users can be behind a double nat, even triple or have seen quadruple and never notice any issues.. More nats in your chain before public IP can be problematic for allowing inbound traffic via port forwards, but still able to do - just have to port forward on the device(s) upstream of your pfsense