How to avoid Apple clients with "double NAT" going into "Bridge mode"



  • I have a simple setup.
    WAN connection directly into a pfsense box
    Public IP on the WAN side
    10.0.0.1/21 private range to clients

    Clients are single persons and most want a home wifi. So they buy and attach a wifi router. That is fine for most brands, just not Apple's Time Capsule and Airport Express. They complain about "double NAT" and then suggest to go into "bridge mode".

    That is no good. And quite a few related issues are now seen.

    Question:
    Can I make a setup with a single public IP for the pfsense and many local clients where Apple routers (client) will not complain about double NAT?

    Is "double NAT" something to complain about when being a router? I see no issues of a router behind a router. I guess the whole internet is made that way.



  • Double NAT results in issues when the user is running an application that requires an incoming connection from an internet host. Some voice chat applications, video game consoles, and other home devices might automatically set up a port forward on the Apple router via NAT-PMP, but the connections will still fail because the firewall on the pfSense box isn't set to forward incoming connections to the Apple router.

    That's why the Apple router complains about double NAT.

    IIRC, that message can be acknowledged and ignored, and it won't appear again unless the router is reset. But that still doesn't resolve the actual problem.
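    An added example (not from this thread or from Apple's firmware) of the check a defender can run to reproduce the "double NAT" diagnosis: send a NAT-PMP (RFC 6886) external-address request to the gateway and look at whether the WAN address it reports is private or CGN space. The sample responses are constructed, with the 10.0.0.57 address mirroring the 10.0.0.1/21 range from the first post.

```python
import ipaddress
import struct

NATPMP_PORT = 5351  # NAT-PMP listens on the default gateway, UDP 5351 (RFC 6886)

# A "WAN" address in these ranges means another NAT sits upstream:
# RFC 1918 private space plus the RFC 6598 carrier-grade NAT block.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


def build_external_address_request() -> bytes:
    """NAT-PMP opcode 0: ask the gateway for its external (WAN) IPv4 address."""
    return struct.pack("!BB", 0, 0)  # version 0, opcode 0


def parse_external_address_response(data: bytes) -> str:
    """Decode the 12-byte opcode-0 response and return the WAN address as a dotted quad."""
    if len(data) < 12:
        raise ValueError("short NAT-PMP response")
    version, opcode, result, _epoch, addr = struct.unpack("!BBHI4s", data[:12])
    if version != 0 or opcode != 128:  # response opcode = 128 + request opcode
        raise ValueError(f"unexpected NAT-PMP header {version}/{opcode}")
    if result != 0:
        raise ValueError(f"NAT-PMP result code {result}")
    return str(ipaddress.IPv4Address(addr))


def is_double_nat(wan_addr: str) -> bool:
    """True when the gateway's own WAN side is private/CGN space, i.e. it is NATed again upstream."""
    ip = ipaddress.ip_address(wan_addr)
    return any(ip in net for net in PRIVATE_RANGES)


def classify(response: bytes) -> tuple:
    """Return (wan_address, double_nat) for a raw NAT-PMP external-address response."""
    wan = parse_external_address_response(response)
    return wan, is_double_nat(wan)


# Constructed sample responses (not captured traffic): a home router whose WAN port
# got 10.0.0.57 from the pfSense DHCP, and one that holds a public address.
SAMPLE_BEHIND_PFSENSE = struct.pack("!BBHI4s", 0, 128, 0, 3600, ipaddress.IPv4Address("10.0.0.57").packed)
SAMPLE_PUBLIC = struct.pack("!BBHI4s", 0, 128, 0, 3600, ipaddress.IPv4Address("203.0.113.5").packed)

if __name__ == "__main__":
    for name, pkt in (("behind pfSense", SAMPLE_BEHIND_PFSENSE), ("public WAN", SAMPLE_PUBLIC)):
        wan, double = classify(pkt)
        print(f"{name}: WAN {wan} -> {'double NAT' if double else 'single NAT'}")
```

To run it against a live gateway, send `build_external_address_request()` over UDP to the gateway on port 5351 and pass the reply to `classify()`; a double-NAT result is exactly the situation in which a NAT-PMP port mapping on the home router still leaves the port closed at the pfSense WAN.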



  • If all you're doing with that pfsense box is extending internet access to clients who always put firewalls in place, turn NAT off on pfsense and use the box as a router. No need to NAT the private address space since the clients will ultimately be using their own firewalls.


  • Netgate

    He has to NAT because he only has one public IP.

    Trying to be a proper ISP with one public IP will be kind of tricky.



  • Duh!  Big brain fart on my part. Yeah, NAT would kind of be a requirement.



  • So to avoid double NAT one needs to have a public IP, I guess?

    Our setup gives two options.

    1. Public IP (mainly online gamers and a few with local servers).
    2. A local IP if the user has no specific needs.

    But the Apple routers (Airport Express and Time Capsule) seem not to like being on a local network.

    I found lots of questions on "Airport Express and hotel" that describe an identical issue.

    What is the fix apart from public IPs for everyone? Is there any solution with local IPs that an Apple router will accept without defaulting to bridge mode because of double NAT?


  • Banned

    I think the ultimate fix is to NOT buy equipment broken by design?



  • Can we agree on that being Apple's routers?


  • Banned

    Yeah, apparently. Routers telling me what to do and breaking with a "smart" suggestion, instead of doing what I configured them to do, don't count as working equipment (here at least)…



  • Okay, slow down there!

    Apple routers are not broken by design. They provide additional services for Apple devices such as Back to My Mac, which is a remote access technology that iCloud leverages.

    Apple's routers use an implementation that is similar to UPNP for Apple devices/technologies. In order for these things to work, the device checks for a double NAT implementation. If it finds one, you get the alert. This is because double NATing the Apple router essentially breaks some of their technologies, and that's the way it notifies the user.

    The devices can be put into bridged mode, which is how I have all of my Apple WiFi access points configured. I don't use any of those cool Apple technologies, so it doesn't matter to me.

    I have a 10.0.1.0/24 network for my Apple crap to live on. It's very happy there. But the way you have your implementation running, people with Apple WAPs/routers will be losing some Apple-specific functionality because of the network design.



  • @tim.mcmanus - We have two options:

    static IP and dynamic on a LAN behind a firewall.

    Those who need a static IP are usually self-helped and know the basics of networking. They usually give no hassle at all.

    The rest that do not ask for a static IP are all placed behind the firewall (pfsense) that provides DHCP on a LAN. We have just seen a great increase in users that attach Apple routers that go into bridge mode. There are several reasons why we do not want that.

    I only see one solution: that is to tell all switches to only allow one MAC and then prepare the helpdesk for all the calls from Apple users that suddenly can only have one piece of equipment on their wifi at a time. We will have to help them one at a time to set up their routers as DHCP routers instead of bridge mode (access point).