How to configure pfSense behind a router / NAT

  • I'm rather blank when it comes to pfSense, but I've got a pfSense Server doing all my NAT / firewall and DHCP for the past 6 months and it's been rock solid and stable.

    Now we are moving things around and we are forced into a situation where as we'll be living in a basement apartment utilising the same Internet connection hosted by the house owners forcing us into a situation where we will need to run our own router solution behind their Huawei HG8245 modem / router.

    The reason why we need to do this is because they don't want us to be on the same local network, but there is no way to get a optional / second Internet connection going so we have to hook ourselves behind their HG8245 creating a double NAT situation.

    What would be the best way for us to configure pfSense in a double NAT situation and still get UPNP and automatic port mapping working successfully without needing to manually port forward every single port I would ever need through the HG8245. How would one be able to all of this in the most efficient matter?

  • Netgate Administrator

    This is always going to be a nasty situation unfortunately. However the best way to connect would be use whatever DMZ facility is in the Huawei router and put your pfSense box in it. That way all incoming connections will be sent to your pfSense box. If you have UPNP enabled then it should be able to open and forward ports in pfSense and that traffic will be arriving on WAN so all should be well.
    I do not think UPNP will work in a double NAT situation, I don't think it can auto open ports in both the pfSense box and the Huawei box. Though I've never actually tried that.

    A problem here would be that your hosts would end up with priority over you. If something on their network used UPNP to open a port on the Huawei router that traffic would no longer arrive at your pfSense box. That may not be a problem unless it's a common port.

    Setup a VPN connection. That way you can have your own public IP also your hosts cannot snoop on your connection, should they ever want to.
    Persuade your hosts to up grade to a pfSense box.  :)


  • Why not put the pfSense box out in front, give it the public IP, and then create two networks behind it, that can both access the internet but not each other. There must be a way to set the Huawei modem/router into bridge mode. So then you have WAN, LAN1, LAN2.

Log in to reply