CGNAT and IP Passthrough
-
Hi all,
In a situation where the ISP is using CGNAT, is there any advantage to still pass through the IP address to pfSense from the ISP provided gateway to avoid a triple NAT setup (i.e. pfSense NAT, gateway NAT, ISP CGNAT), or does it not really matter? I understand that even if the IP is passed through to pfSense leading to double NAT setup, the CGNAT limitations still remain. Would this double NAT setup be preferred over triple NAT? Thanks in advance for your help, I appreciate it.
-
@tman222 The best solution would be to find an ISP that does not use CGNAT.
-
@WN1X - thanks for the response. For the sake of this question, let's assume that's the only choice (i.e. an ISP connection with CGNAT). What would be the best option then, IP passthrough with double NAT, or triple-NAT? Thanks again.
-
@tman222 Generally a provider will still only provide a limited number of addresses, and they may or may not be firewalled from other users.
If you only have a single device then choosing to pass through the single IP is not a bad idea if you can make use of a firewall somehow.
-
@tman222 In my experience with outbound connections double NAT doesn’t matter. Pass through is probably a bit simpler if available.
-
To continue... I use Verizon as a backup account. That modem is in passthrough mode to my pfSense router. Thus I am not triple NATed.
-
Thanks everyone for your help, I really appreciate it. In the case where the ISP is T-Mobile, could IP passthrough on the IPv4 side cause any issues? As I understand it, T-Mobile's network is IPv6 only so IPv6 translation occurs once any IPv4 traffic leaves the CPE (gateway). This results in an IP assigned to the CPE on the IPv4 side in the 192.0.0.0/29 subnet (if I recall correctly; I was looking at RFC 6333 and RFC 7335 for more details/explanation). If an IP in that range was assigned via passthrough to pfSense, do you think that could cause any issues?
-
I also have Verizon Fios. The pfSense box is connected directly to the ONT. When using Fios there is no need to use the supplied router unless MoCA is being used for TV service. In that case the Fios router can be connected to the internal network, facilitating the MoCA conversion to the cable box.
-
@scottjh1 Fios here also. pfSense is working well and I use a goCoax MoCA converter to connect two of my televisions behind pfSense.
-
Yup, there probably isn't much point passing through a CGNAT IP, unless they support setting up forwards, which I've never seen an ISP do.
-
@tman222 I've got T-Mobile Home Internet (TMHI) set up as my backup to Starlink in a pfSense failover gateway group. It is kept alive by a ping to 8.8.8.8 and my gateway always has the IPv4 address of 192.168.12.1.
The pfSense interface gets a .12 address; right now it's .12.145.
For science, I turned on IPv6 DHCP to get the one and only IPv6 address from the TMHI gateway, and it did get an IPv6 address it couldn't really do much with, kept alive by pinging the IPv6 address of 8.8.8.8. Until it didn't work.
One day the IPv6 address and interface were just dead and the IPv6 address wouldn't come back with the usual efforts. Since it was just an experiment, I shut IPv6 off. Since TMHI won't give a prefix, it's really not much use that I can tell to have the router interface have an IPv6 address with nothing else downstream. So it just uses IPv4.
Note, I have shut off all the wifi on the box and just use it through the ethernet port. I used a great iOS app called HINT Control to shut off the wifi on the TMHI gateway. I have my own wifi, so I don't need it polluting the EM spectrum with more.
Since we live in the sticks, both our Starlink and TMHI use CGNAT of a sort but I don't have any problems with double-NAT with either. It just works.
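The WAN address pfSense ends up with tells you whether passthrough actually removed a NAT layer: the 192.0.0.0/29 range asked about above (RFC 6333/RFC 7335), the 192.168.12.x gateway addresses in the TMHI post, a public address, or the RFC 6598 shared space 100.64.0.0/10 that a carrier-grade NAT hands out. The script below is an added example, not code from this thread or from pfSense; it assumes a CGNAT passthrough shows up as a 100.64.0.0/10 address and counts pfSense's own outbound NAT as one layer.

```python
import ipaddress

# Blocks pfSense may see on its WAN when it sits behind an ISP gateway (added example).
SHARED_CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space (CGNAT inside)
CONTINUITY = ipaddress.ip_network("192.0.0.0/29")     # RFC 6333 B4 / RFC 7335 CLAT internal prefix
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan(addr: str) -> str:
    """Say what kind of IPv4 address the pfSense WAN interface was handed."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError(f"IPv4 address expected, got {addr}")
    if ip in SHARED_CGNAT:
        return "cgnat-shared"          # passthrough exposed the carrier's inside address
    if ip in CONTINUITY:
        return "ipv6-only-transition"  # CPE is a CLAT/B4; IPv4 rides over IPv6 and is translated upstream
    if any(ip in net for net in RFC1918):
        return "private"               # the ISP gateway is still NATing; passthrough is not in effect
    if ip.is_global:
        return "public"                # passthrough delivered a routable address
    return "other"                     # loopback, APIPA, documentation ranges, etc.


def nat_layers(addr: str, isp_uses_cgnat: bool) -> int:
    """Count stateful translations between a LAN host behind pfSense and the internet.

    pfSense's own outbound NAT is always one layer.  A private WAN address adds the
    gateway's NAT, and an ISP running CGNAT adds a third (the 'triple NAT' case).
    A shared-space or transition address means the gateway passed its address through,
    so only the carrier-side translation (NAT44 or stateful NAT64/AFTR) remains.
    """
    layers = 1
    kind = classify_wan(addr)
    if kind == "private":
        layers += 1
        if isp_uses_cgnat:
            layers += 1
    elif kind in ("cgnat-shared", "ipv6-only-transition"):
        layers += 1
    return layers


if __name__ == "__main__":
    # Constructed sample WAN addresses: the thread's 192.168.12.x case, a shared-space
    # address, a CLAT/B4 address, and a public address (8.8.8.8) for comparison.
    for wan, cgnat in (("192.168.12.145", True), ("100.64.5.9", True), ("192.0.0.2", True), ("8.8.8.8", False)):
        print(f"{wan:>16}  {classify_wan(wan):<21} NAT layers: {nat_layers(wan, cgnat)}")
```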