Netgate Discussion Forum
How to avoid Apple client with "double NAT" going into "Bridge mode"

DHCP and DNS
Tillebeck:

I have a simple setup.
WAN connection directly into a pfsense box
Public IP on the WAN side
10.0.0.1/21 private range to clients

Clients are single persons and most want a home wifi. So they buy and attach a wifi router. That is fine for most brands, just not Apple's Time Capsule and Airport Express. They complain about "double NAT" and then suggest to go into "bridge mode".

That is no good. And quite a few related issues are now seen.

Question:
Can I make a setup with a single public IP for the pfsense and many local clients where Apple routers (client) will not complain about double NAT?

Is "double NAT" something to complain about when being a router? I see no issues of a router behind a router. I guess the whole internet is made that way.
virgiliomi:

Double NAT results in issues when the user is running an application that requires an incoming connection from an internet host. Some voice chat applications, video game consoles, and other home devices might automatically set up a port forward on the Apple router via NAT-PMP, but the connections will still fail because the firewall on the pfSense box isn't set to forward incoming connections to the Apple router.

That's why the Apple router complains about double NAT.

IIRC, that message can be acknowledged and ignored, and it won't appear again unless the router is reset. But that still doesn't resolve the actual problem.
tim.mcmanus:

If all you're doing with that pfsense box is extending internet access to clients who always put firewalls in place, turn NAT off on pfsense and use the box as a router. No need to NAT the private address space since the clients will ultimately be using their own firewalls.
Derelict (LAYER 8, Netgate):

He has to NAT because he only has one public IP.

Trying to be a proper ISP with one public IP will be kind of tricky.
tim.mcmanus:

Duh! Big brain fart on my part. Yeah, NAT would kind of be a requirement.
Tillebeck:

So to avoid double NAT one needs to have a public IP, I guess?

Our setup gives two options.

1. Public IP (mainly online gamers and a few with local servers).
2. And local IP if the user has no specific needs.

But the Apple routers (Airport Express and Time Capsule) seem not to like being on a local network.

I found lots of questions on "Airport Express and hotel" that is an identical issue.

What is the fix apart from public IPs for everyone? Is there any solution with local IPs that an Apple router will accept without defaulting to Bridge mode because of double NAT?
doktornotor (Banned):

I think the ultimate fix is to NOT buy equipment broken by design?
Tillebeck:

Can we agree on that being Apple's routers?
doktornotor (Banned):

Yeah, apparently. Routers telling me what to do and breaking with a "smart" suggestion, instead of doing what I configured them to do, don't count as working equipment (here at least)…
tim.mcmanus:

Okay, slow down there!

Apple routers are not broken by design. They provide additional services for Apple devices such as Back to My Mac, which is a remote access technology that iCloud leverages.

Apple's routers use an implementation that is similar to UPnP for Apple devices/technologies. In order for these things to work, the device checks for a double NAT implementation. If it finds one, you get the alert. This is because double NATing the Apple router essentially breaks some of their technologies, and that's the way it notifies the user.

The devices can be put into bridged mode, which is how I have all of my Apple WiFi access points configured. I don't use any of those cool Apple technologies, so it doesn't matter to me.

I have a 10.0.1.0/24 network for my Apple crap to live on. It's very happy there. But the way you have your implementation running, people with Apple WAPs/routers will be losing some Apple-specific functionality because of the network design.
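The double-NAT check virgiliomi and tim.mcmanus describe, as an added example that is not from this thread or from Apple's firmware: a NAT-PMP client (RFC 6886) asks its upstream gateway for the external address, and a private or CGNAT answer means another NAT sits in front of it. The same classification applies to a router's own WAN address; the sample responses are constructed here.

```python
# Added example: NAT-PMP external-address request/response (RFC 6886) and a
# double-NAT check on the answer. Not the thread's or Apple's code.
import ipaddress
import struct

NATPMP_VERSION = 0
OP_EXTERNAL_ADDRESS = 0
RESULT_SUCCESS = 0

# Ranges that mean "the gateway is itself behind NAT": RFC 1918 plus RFC 6598 CGNAT.
NOT_PUBLIC = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

def build_external_address_request() -> bytes:
    """Two-byte request: version 0, opcode 0 (RFC 6886 section 3.2)."""
    return struct.pack("!BB", NATPMP_VERSION, OP_EXTERNAL_ADDRESS)

def parse_external_address_response(data: bytes) -> dict:
    """Response: version, opcode (request opcode + 128), 16-bit result code,
    32-bit seconds since start of epoch, 32-bit external IPv4 address."""
    if len(data) < 12:
        raise ValueError("short NAT-PMP response")
    version, opcode, result, sssoe, addr = struct.unpack("!BBHI4s", data[:12])
    if version != NATPMP_VERSION or opcode != OP_EXTERNAL_ADDRESS + 128:
        raise ValueError("not an external-address response")
    if result != RESULT_SUCCESS:
        raise ValueError(f"NAT-PMP result code {result}")
    return {"sssoe": sssoe, "external_ip": ipaddress.IPv4Address(addr)}

def is_double_nat(external_ip) -> bool:
    """True when the reported external address (or a router's own WAN address)
    is private or CGNAT, i.e. another NAT sits between it and the internet."""
    ip = ipaddress.IPv4Address(external_ip)
    return any(ip in net for net in NOT_PUBLIC)

def classify_response(data: bytes) -> str:
    ext = parse_external_address_response(data)["external_ip"]
    return "double NAT" if is_double_nat(ext) else "single NAT"

# Constructed sample: the gateway's WAN side sits in the 10.0.0.0/21 pool the
# OP hands out, as a client behind a customer's own router would see it.
SAMPLE_DOUBLE_NAT = struct.pack("!BBHI4s", 0, 128, 0, 3600,
                                ipaddress.IPv4Address("10.0.3.17").packed)
# Constructed sample: the gateway reports a public address (TEST-NET-3 range).
SAMPLE_PUBLIC = struct.pack("!BBHI4s", 0, 128, 0, 3600,
                            ipaddress.IPv4Address("203.0.113.5").packed)

if __name__ == "__main__":
    print(classify_response(SAMPLE_DOUBLE_NAT), classify_response(SAMPLE_PUBLIC))
```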
Tillebeck:

@tim.mcmanus - We have two options:

static IP and dynamic on a LAN behind a firewall.

Those who need a static IP are usually self-helped and know the basics about networking. They usually give no hassle at all.

The rest that do not ask for a static IP are all placed behind the firewall (pfsense) that provides DHCP on a LAN. We have just seen a great increase in users that attach Apple routers that go into bridge mode. There are several reasons why we do not want that.

I only see one solution: That is to tell all switches only to allow one MAC and then prepare helpdesk for all the calls from Apple users that suddenly can only have one piece of equipment on their wifi at a time. We will have to help them one at a time to set up their routers as DHCP routers instead of bridge mode (access point).
© 2021 Rubicon Communications, LLC