Pfsense with double NAT



  • All,

    I am having an issue getting this to work correctly.  I have that Xfinity Arris TG862 from Comcast that is a gateway modem.  Unfortunately it cannot be put into "bridged" mode.  What I have done so far is this:

    On Comcast Modem, my main IP is 10.0.0.1

    On Pfsense, may WAN IP is 10.0.0.3

    On Pfsense, I have setup a gateway of the 10.0.0.1 and added under the gateway section of my WAN IP.  With it like this, I am able to get internet on all of my computers with no issues.  My main issue, is I am trying to port forward one of my internal devices (it is an SSLVPN appliance) so I can esentially type in my link "remote.site.com:8000".  I have set port forwarding to allow port 8000 to translate to HTTPS, and I see it in my log as being blocked:

    Act Time                  If    Source           Destination         Proto
    block Nov 13 03:36:14 WAN 10.0.0.3:53232 192.168.1.6:443 TCP:S

    Does anybody have any suggestions so I can get this to work?  If any other info is needed, please let me know and I will post it.


  • LAYER 8 Global Moderator

    Did you uncheck blocking private networks?

    Who says you can not put that into bridge mode?  This userguide sure looks like you can

    http://www.arrisi.com/support/documentation/user_guides/_docs/ARRIS_Router_Setup_Web_GUI_UG.pdf




  • That was Comcast that said this device cannot be put into bridging mode; I guess I can call them instead of doing online tech support and see what they can do. And I did see that screen shot actually.  The first thing I found on google about the arris I have was the PDF for the device  :).  As far as the blocking of private networks, I actually have that checked for my WAN.  I'll uncheck that and post my results.


  • LAYER 8 Global Moderator

    If your blocking private

    10.0.0.3:53232

    Is your source and would be blocked would it not, since its private.

    But there should be NO reason why that device can not be just a modem.. Chatting with the IDIOTS with comcast are not going to be much help ;)

    Question for you - I have comcast, are they not charging you like $7 a month for that device?  Just buy your own and like a year you are paid up with cost and after is just saving money.  I bought my own couple years back SB6120 and have not had issue one with it.  Paid for itself twice already ;)



  • Since I unchecked the Block private networks, I don't get any block's in my log for the 10.0.0.3, but I am still unable to connect to my device over port 8000.  Comcast wise, I have to use theirs because I have phone from them as well :(.  So it sort of limits my choices at the moment.


  • LAYER 8 Global Moderator

    Then you got your nat configured wrong.

    Did you not let the nat create your wan rule?

    Hmm this seems odd as well
    192.168.1.6:443 as dst on your wan interface?

    How did you forward through your TG862 via DMZ or did you setup a specific forward?

    Why are you using 8000?  Why not just 443, comcast does not block that - I use it to access openvpn on my pfsense.

    so you have to forward on TG862 to pfsense wan IP, 10.0.0.3 I believe you set it to be?  for whatever port you want.  Then on pfsense you need to forward that port to your inside box - assume the 192.168.1.6

    if your stuck doing nat because you have phone with them as well, then I would just put your pfsense wan IP in the DMZ of the thing and then you only will have to forward at pfsense for any future ports you want.



  • This is what I was thinking.  I have been out of the Pfsense usage for awhile (I switched to a Juniper SSG5, but it was giving me issues with gaming).  Anyways, since I did the unblock of private networks, I don't have any logs as I did in the first post.  For my arris, the only things I set on that, were in its DMZ, I put my firewalls WAN IP of 10.0.0.3, and I did the same in the arris' port forwarding settings as well using the 10.0.0.3 for that port 8000.  I know this sounds kind of cryptic, if you need any screenshots or anything, Ill be glad to post them.



  • Here is my NAT as it is now on the firewall:



  • LAYER 8 Global Moderator

    and where is your firewall wan rule that matches up with that?  And dest address should be your WAN address

    here are my nats



  • LAYER 8 Global Moderator

    Once you put the 10.0.0.3 in the DMZ you would not also forward ports on it.



  • Here's the firewall rule:



  • LAYER 8 Global Moderator

    So put in your wan address as destination in your nat (this is default why did you change it to *), and verify your alias, why use alias for a private IP address?  Alias makes sense if you have a group or something, or something changes like a public fqdn that you don't have control over, etc..  But what do you have sslvpn pointing to?  Can it resolve it?  Do you have it as IP - why not just put in IP.

    There was user back that had typo in his alias 192.163 vs 192.168 or something.

    I would just put direct info in - this way you can see everything with one easy view of your rules vs having to look at your aliases, etc.



  • I will give this a try.  As far as the NAT goes, when I am under the destination part, it has WAN address, but the field under it will not let me put anything in.  Should I just do single host or alias?  I appreciate the help!


  • LAYER 8 Global Moderator

    And how many hosts are you going to forward too?  Thats 1 right - so why do you need an alias?

    Why do you need to put something under Wan Address - is that not going to be the destination IP??  What is normally your Public IP, or in your case 10.0.0.3 which your first router will be NAT inbound traffic to, since you put your pfsense wan IP in its DMZ.

    No other forwards on your first router - just the DMZ setting is all that is needed.


Log in to reply