Suggestion for double nat



  • Hello to everyone!
    I'm not sure if I'm right, so I would like to have your suggestions about this doubt of mine:

    my configuration:

    INTERNET (dynamic ip public)

    modem-router 192.168.0.1(wan)
    NAT ENABLE

    pfsense 192.168.0.2(wan)
    NAT ENABLE.

    interface lan
    192.168.1.1 (firewall)
    dhcp 192.168.1.2-254

    So do I have to keep NAT on both, or is it better that I cancel NAT on the modem or pfSense?

    Thanks for the reply
    roberto



  • Normally you should avoid double NAT. My advice is to disable NAT on the modem-router and connect the WAN port of the modem to the WAN port of pfSense.
    Set up pfSense WAN in order to get a public IP (it depends on your ISP connection: PPPoE, PPPoA?).

    So I should set up as follows:
    pfSense WAN ---> DHCP or PPPoE or whatever is supported by your ISP and router.
    pfSense LAN ---> 192.168.1.1 or other private IP
    Modem ---> 192.168.0.1 or other private IP (different subnet from pfSense LAN).

    Basically you will use your modem as a pure modem, letting pfSense act as firewall/router.

    This is exactly how my network is.


  • LAYER 8 Global Moderator

    "Modem LAN ---> 192.168.1.x or other private IP (same subnet of pfSense LAN)."

    What.. This makes NO sense..  I agree with this
    "Basically you will use your modem as a pure modem letting pfSense act as firewall/router."

    But then you go to say connect his modem/router device to LAN of pfsense??  "connect LAN port of modem to LAN port of pfSense. "

    I would suggest you ignore anything stated in his post, not sure how anyone would make any sense of it..

    Yes you should turn off nat on your device from your isp and just use it as "modem"

    This should connect to WAN interface of pfsense.

    isp device --- wan (pfsense) lan -- your network.

    Pfsense should get a public IP on its wan interface. What device do you have from your isp, are you using that for wireless?  Or do you have other wireless APs?



  • @johnpoz:

    "Modem LAN ---> 192.168.1.x or other private IP (same subnet of pfSense LAN)."

    What.. This makes NO sense..  I agree with this
    "Basically you will use your modem as a pure modem letting pfSense act as firewall/router."

    But then you go to say connect his modem/router device to LAN of pfsense??  "connect LAN port of modem to LAN port of pfSense. "

    I would suggest you ignore anything stated in his post, not sure how anyone would make any sense of it..

    Yes you should turn off nat on your device from your isp and just use it as "modem"

    This should connect to WAN interface of pfsense.

    isp device --- wan (pfsense) lan -- your network.

    Pfsense should get a public IP on its wan interface. What device do you have from your isp, are you using that for wireless?  Or do you have other wireless APs?

    I messed up with copy and paste of a different setup with an AP in the middle; you're right, I amended my previous post.

    Sorry for my confusion



  • Thanks a lot!
    I will do as you suggest, so my new setup will be like this:

    modem-router will be modem
              NAT DISABLE

    PFSENSE
              NAT ENABLE
              connect (PORT WAN) to modem

    PORT LAN
              DHCP ENABLE
              CONNECT TO SWITCH

    WIRELESS: I created a VLAN and an interface on the parent interface (LAN)
              DHCP ENABLE

    SWITCH:
              2 VLAN
              VLAN FOR WIRELESS
              VLAN FOR LAN

    ACCESS POINT
              NO DHCP
              CONNECT TO SWITCH (WIRELESS VLAN)

    That's all.

    bye bye
    roberto



  • That all looks good.
    When you choose private subnets for LAN and WiFi nets, I suggest you move away from 192.168.0.0/24 and 192.168.1.0/24 - those are used by so many other cafes etc. One day you will want to have OpenVPN Road Warrior so you can VPN back to home while sipping coffee at your favourite cafe… It is a hassle if the Cafe and your home are using the same private IP address space.
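
As an added example (not part of the original thread): a small checker for the subnet-planning advice in the post above, flagging segments that sit on commonly used default ranges, overlap each other, or would collide with the network a road-warrior VPN client is connected to. The list of common defaults and the 10.73.x.x addresses are constructed for illustration; only 192.168.0.0/24 and 192.168.1.0/24 come from the thread.

```python
import ipaddress
from itertools import combinations

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: a constructed, non-exhaustive list of subnets that consumer
# routers and public hotspots often ship with.
COMMON_DEFAULTS = [ipaddress.ip_network(n) for n in (
    "192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24",
    "10.0.0.0/24", "10.0.1.0/24", "172.16.0.0/24")]

# The addressing from the first post, and a constructed alternative.
THREAD_PLAN = {"modem": "192.168.0.0/24", "lan": "192.168.1.0/24"}
REVISED_PLAN = {"lan": "10.73.10.0/24", "wifi": "10.73.20.0/24"}

def check_plan(plan):
    """Return (kind, segment, detail) findings for {segment: CIDR}."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in plan.items()}
    findings = []
    for name, net in nets.items():
        if not any(net.subnet_of(block) for block in RFC1918):
            findings.append(("not-rfc1918", name, str(net)))
        for common in COMMON_DEFAULTS:
            if net.overlaps(common):
                findings.append(("common-default", name, str(common)))
    # Segments routed by the same firewall must not overlap each other.
    for (a, net_a), (b, net_b) in combinations(nets.items(), 2):
        if net_a.overlaps(net_b):
            findings.append(("overlap", a, b))
    return findings

def vpn_conflict(plan, remote_cidr):
    """Segments whose addresses collide with the network a VPN client is on."""
    remote = ipaddress.ip_network(remote_cidr)
    return sorted(name for name, cidr in plan.items()
                  if ipaddress.ip_network(cidr).overlaps(remote))

if __name__ == "__main__":
    for label, plan in (("thread", THREAD_PLAN), ("revised", REVISED_PLAN)):
        print(label, check_plan(plan), vpn_conflict(plan, "192.168.1.0/24"))
```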



  • THANKS A LOT!!!!

    Really, I'm very happy to always get answers from someone, so this is one more reason to install pfSense and to know that with any problems
    you can ask in the forum and someone is ready to help you.

    bye and again thanks.

    roberto

