Double NAT config issue, help required



  • I think I'm suffering from a double NAT issue, but the way it's configured it's supposed to work for browsing etc. I get issues with that too: some things work fine, and some work fine at times and stop at other times.

    I have an Asus router connecting to the ISP using PPPoE. It lacks the option to disable NAT, so I'm not able to do that; by default NAT is on, and my pfSense is connected to the LAN port on the Asus router.
    I have configured the WAN in pfSense as static, with IP 192.168.1.2 and gateway 192.168.1.1, which is the IP of the Asus router.
    The LAN interface on pfSense has DHCP enabled, with LAN IP 192.168.30.1; clients on the LAN get 192.168.30.x.
    I have enabled DMZ on the Asus router so port issues don't come up for the pfSense WAN IP 192.168.1.2.
    Port forwards are configured in pfSense and I'm able to reach the pfSense GUI as well as local servers behind pfSense; all traffic coming from the internet comes just fine to pfSense and the LAN behind it.
    AON is enabled with 192.168.30.0/24 for WAN1 and 127.0.0.0/8 for WAN1 to handle NAT.

    Now the problem happens for LAN devices on the pfSense LAN: sometimes web browsing works and at other times it just doesn't work at all. Could someone tell me what I'm missing config-wise, or is it possible to solve this double NAT issue? Don't ask, but I have to use the Asus router.



  • Perhaps the simplest option would be to select PPPoE passthrough on the Asus router, which would get rid of the double NAT, with pfSense then logging in and getting the external IP directly.

    Most Asus routers have that option; depends on the model?



  • The problem is my ISP won't allow the same MAC ID on two WAN accounts, and I have a pfSense full install with one NIC, so I'm using a VLAN switch. In this setup you can't spoof the MAC ID on VLANs, and I need to use both WAN connections, so with this I need to use the Asus in between on one of the WANs. Now if I use bridge mode and make pfSense do PPPoE, then the MAC ID will be that of pfSense, so that won't work, as the other WAN connection has the same MAC ID. I need to send a different MAC ID for each WAN connection, and pfSense won't allow that when using VLANs.

    The machine doesn't have expansion slots, so I can't add another NIC.



  • If I set my Asus router to bridge mode and make pfSense do the PPPoE connection, then will the MAC ID of pfSense go to the ISP, or that of the bridged Asus router working like a modem?



  • Can you show a quick diagram of your setup? With only one NIC, are you using an external switch that is VLAN capable to create the two WANs?
    If so, then I suspect the MAC address the ISP will see will be that of the switch (not pfSense), since the switch is the last Ethernet hop.



    • I'm using a Cisco VLAN-capable switch
    • WAN1 connected to port 1 on the switch for VLAN 10
    • WAN2 connected to port 2 on the switch for VLAN 20
    • pfSense connected to port 3 on the switch, configured as VLAN 10 for WAN1, VLAN 20 for WAN2 and VLAN 30 for LAN
    • LAN device connected to port 4 on the switch for VLAN 30

    port 1 - untagged
    port 2 - untagged
    port 3 - tagged
    port 4 - untagged

    Port 3 is part of all VLANs.

    pfSense has one NIC, so one MAC ID, which is authorized in the ISP database and works well on WAN1. The ISP won't allow the same MAC ID in its database for WAN2, but in pfSense you can't change the MAC ID for VLANs, and now I need to change this MAC ID so the ISP sees a different MAC ID.

    Cisco doesn't do any MAC ID; the ISP sees the pfSense MAC ID only, for both PPPoE connections.



  • Maybe you can show me if I can change the MAC ID in the Cisco switch such that the ISP sees the changed MAC ID.



  • Other than creating VLANs on the switch I didn't change any config on it at all, and once I authorized the pfSense MAC ID on WAN1 it was able to connect to PPPoE, whereas earlier, without authorization, it wasn't connecting. So I guess the ISP is seeing the MAC ID of pfSense, as that is the only thing connecting to PPPoE, and maybe they bind the MAC ID to the PPPoE account.

    Cisco switch: SG 200-26



  • Port 1 is VLAN 10 but you say it's untagged. Same for ports 2 and 4.
    Shouldn't port 3 be configured as a trunk port to pass all VLAN traffic?
    The switch has a MAC ID and that is what is typically used as the source address for any Ethernet communication. All VLANs on the switch will use that same MAC address. That switch MAC address can't be changed.
    It may be that the PPPoE encapsulation passes the original MAC ID from the pfSense PPPoE client, and that's how the pfSense MAC makes it to the ISP. Can you check with Wireshark to see what is actually going on?

    If nothing else works, you may consider using an intermediate gateway like a Linksys between the switch port and the ISP so that you can change the MAC address.



  • Ports 1, 2 and 4 are on different VLANs, so untagged is fine, and port 3 is tagged, meaning a trunk port.

    I tried Wireshark and it's the pfSense MAC only that goes to the ISP. The Cisco switch has its own MAC in between for Ethernet packets, but the ISP is detecting the pfSense MAC based on the PPPoE encapsulation.

    Which Linksys gateway is this, and how is it to be used?
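As an added illustration of the Wireshark check discussed above (which source MAC reaches the ISP), here is a constructed example that is not code from this thread, from pfSense or from Cisco. It builds an 802.1Q-tagged PPPoE PADI frame the way a single-NIC pfSense sends it on a VLAN sub-interface through the tagged switch port, models the untagged egress port stripping the tag, and parses what comes out the other side. The MAC addresses and VLAN IDs are assumptions for illustration. The point it shows: the 802.1Q tag sits between the source MAC and the EtherType, so a layer-2 switch removing the tag leaves the source MAC untouched, and the same pfSense MAC appears in the Ethernet header on both WAN VLANs. Only a device that terminates the inner link and runs the PPPoE client itself (the intermediate-router suggestion) originates a frame with a different MAC; that alternative is modelled in the last helper.

```python
"""Constructed example (not from the thread): trace which source MAC a PPPoE
PADI frame carries after a single-NIC pfSense sends it on a tagged VLAN and a
switch forwards it out an untagged port toward the ISP."""
import struct

# Assumed values for illustration only.
PFSENSE_MAC = "02:00:00:00:00:01"     # the one NIC, so the one MAC, on pfSense
BROADCAST = "ff:ff:ff:ff:ff:ff"       # PADI is always broadcast (RFC 2516)
ETHERTYPE_8021Q = 0x8100
ETHERTYPE_PPPOE_DISC = 0x8863
PADI = 0x09


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_padi(src_mac, vlan_id=None):
    """Ethernet frame carrying a PPPoE PADI with an empty Service-Name tag,
    802.1Q-tagged if vlan_id is given (as sent from a pfSense VLAN interface)."""
    tags = struct.pack("!HH", 0x0101, 0)                   # Service-Name, length 0
    pppoe = struct.pack("!BBHH", 0x11, PADI, 0, len(tags)) + tags
    eth = mac_bytes(BROADCAST) + mac_bytes(src_mac)
    if vlan_id is not None:
        eth += struct.pack("!HH", ETHERTYPE_8021Q, vlan_id & 0x0FFF)
    eth += struct.pack("!H", ETHERTYPE_PPPOE_DISC)
    return eth + pppoe


def parse_frame(frame):
    """Return dst/src MAC, VLAN (None if untagged), EtherType and PPPoE code."""
    dst, src = mac_str(frame[0:6]), mac_str(frame[6:12])
    ethertype, = struct.unpack("!H", frame[12:14])
    vlan, offset = None, 14
    if ethertype == ETHERTYPE_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    info = {"dst": dst, "src": src, "vlan": vlan, "ethertype": ethertype}
    if ethertype == ETHERTYPE_PPPOE_DISC:
        _ver_type, code, _session, _length = struct.unpack("!BBHH", frame[offset:offset + 6])
        info["pppoe_code"] = code
    return info


def switch_egress_untagged(frame, port_vlan):
    """Model a layer-2 access (untagged) port: strip the tag if the frame's VLAN
    matches the port's VLAN, otherwise drop it.  A switch forwards frames; it
    never rewrites the source MAC, so the pfSense MAC survives the hop."""
    ethertype, = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_8021Q:
        return None                  # untagged ingress on the trunk: not modelled here
    tci, = struct.unpack("!H", frame[14:16])
    if (tci & 0x0FFF) != port_vlan:
        return None
    return frame[:12] + frame[16:]   # drop the 4-byte 802.1Q header, nothing else


def l3_gateway_originates(frame, gateway_mac):
    """Model the alternative: a router between switch and ISP terminates the
    inner link and runs PPPoE itself, so the ISP-facing PADI is a new frame
    from the router's own MAC rather than a forwarded copy."""
    if parse_frame(frame).get("pppoe_code") != PADI:
        return None
    return build_padi(gateway_mac)


def mac_seen_by_isp(src_mac, vlan_id, port_vlan):
    """Source MAC on the wire toward the ISP after the switch, or None if dropped."""
    egress = switch_egress_untagged(build_padi(src_mac, vlan_id), port_vlan)
    return None if egress is None else parse_frame(egress)["src"]


if __name__ == "__main__":
    for vlan, port in ((10, 10), (20, 20), (10, 20)):
        seen = mac_seen_by_isp(PFSENSE_MAC, vlan, port)
        print(f"PADI on VLAN {vlan} out untagged port in VLAN {port}: ISP sees {seen}")
```

Running it shows the same pfSense MAC on both WAN VLANs and a drop when the frame's VLAN does not match the egress port; in a real capture on the switch port facing the ISP, the Ethernet source field of the PADI is the field to compare against the MAC the ISP has on file.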


Locked