Double NAT: How bad?

  • Hi everyone,

    I have a wireless ADSL modem/router/wireless AP, all in the same device. I am planning to put a pfSense box after the modem: Modem LAN Port > pfSense WAN Port
    Next I will define a static IP for the WAN interface of pfSense. My modem has a DMZ functionality (not a real DMZ, just a "DMZ host" that all ports will be forwarded to); I will define pfSense's WAN IP as the DMZ host in the modem configuration. I will also keep the modem's wireless AP active, so that it would be a "guest network". All seems logical to me except the double NATting. I read that it causes problems with VPN software. Did anyone experience any double NATting problems?

    Also, if you have any further comments about my configuration, I would love to hear them.

    Thanks in advance…

  • The problem with this is that pfSense doesn't see its real IP address at WAN, which will cause issues with DynDNS (you can't use pfSense's built-in DynDNS feature, therefore), and as you already mentioned, VPNs might cause issues as well, as it won't detect an IP change on WAN, for example (if on dynamic WAN), which might cause blackouts of tunnels for some time.

  • Thanks for the answer. My modem's WAN IP is static. So if all VPN problems arise from IP changes, it won't affect me, I guess. Right? By the way, what about packet size? A second NAT will increase it, I guess. Is it negligible?

  • Some VPN implementations will have issues behind NATs under certain circumstances. Packet size has nothing to do with it.

  • The main issue with NAT'ing twice is protocols that are NAT-unfriendly. That includes some VPN client software, some VoIP protocols, FTP, amongst others. These protocols are a pain to deal with when doing NAT once, adding a second NAT into the mix makes it twice as difficult to make these things work right and troubleshoot when things aren't working.

    It should be avoided if possible, because it's usually adding a layer of complexity that's unnecessary. In your case, I would see if you could use the modem as strictly a bridge and put the static IP on pfsense.

    It doesn't affect packet size because NAT changes the source IP and possibly port (depending on the NAT implementation) on packets; it doesn't add anything to them.
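As an added illustration that is not part of the thread, here is a small Python model of the two NAT layers in the poster's setup (pfSense behind the modem), using constructed private and documentation addresses; it shows why the inner box only ever sees a private WAN address and why the packet length is the same at every hop:

```python
from dataclasses import dataclass, replace

IP_HDR, UDP_HDR = 20, 8  # fixed header sizes used only for the length check

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes
    def size(self):
        return IP_HDR + UDP_HDR + len(self.payload)

class Nat:
    """Minimal port-translating NAT: rewrites source ip:port outbound, undoes it inbound."""
    def __init__(self, outside_ip, first_port=40000):
        self.outside_ip = outside_ip
        self.next_port = first_port
        self.out = {}   # (inside ip, port) -> outside port
        self.back = {}  # outside port -> (inside ip, port)

    def egress(self, pkt):
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[self.next_port] = key
            self.next_port += 1
        return replace(pkt, src_ip=self.outside_ip, src_port=self.out[key])

    def ingress(self, pkt):
        inside_ip, inside_port = self.back[pkt.dst_port]
        return replace(pkt, dst_ip=inside_ip, dst_port=inside_port)

def double_nat_roundtrip():
    # Constructed addresses: pfSense WAN sits on the modem's LAN, the modem holds the public IP.
    pfsense = Nat("192.168.1.2", first_port=40000)
    modem = Nat("203.0.113.10", first_port=50000)
    lan = Packet("10.0.0.50", 51000, "198.51.100.7", 443, b"hello")
    hop1 = pfsense.egress(lan)      # what the modem sees coming from pfSense
    hop2 = modem.egress(hop1)       # what the Internet sees
    # Reply is addressed to the modem's public ip:port and is unwound in reverse order.
    reply = Packet(hop2.dst_ip, hop2.dst_port, hop2.src_ip, hop2.src_port, b"world")
    back1 = modem.ingress(reply)
    back2 = pfsense.ingress(back1)
    return {
        "pfsense_sees_own_wan_as": hop1.src_ip,   # private address, not the real public IP
        "internet_sees": (hop2.src_ip, hop2.src_port),
        "reply_reaches": (back2.dst_ip, back2.dst_port),
        "size_unchanged": lan.size() == hop1.size() == hop2.size(),
    }
```

The first key is the DynDNS/VPN problem from the earlier reply in concrete form: pfSense's own WAN address is 192.168.1.2, so anything it publishes or checks for changes is the modem's private side, never the real public IP.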
