NAT over NAT?



  • Hello,

    I'm new to this forum, not exactly sure if this is the right place for this question, but still.

    I have one windows client on a network that connects to a linux server that is connected to a pfSense firewall.
    The linux server is performing NAT for the windows client for the network between the server and the pfsense. The pfsense is then performing NAT so that both the client and the server can access the internet. Is there a way to block internet access specifically for the network where the windows client is on, before the first NAT on the linux server? I'm guessing it's something related to NAT maybe?

    Thanks in advance.


  • LAYER 8 Global Moderator

    for what possible reason would you be set up like this?

    Connect your window machine to the same pfsense network your linux box is connected to, or even 2 different pfsense networks so that you could firewall how you want between these 2 networks or to the internet.

    I can not think of one sane reason to have it setup like you have it.



  • Thank you for the reply.

    It's actually a university project I'm doing, my teacher says it's hard but doable, so that's why I was asking if it was possible at all.


  • LAYER 8 Global Moderator

    well yeah you can have like 30 nats chained together if you wanted to - but WHY???

    So you're trying to figure out what clients are behind the other nat?  Yeah you could do that with a simple look at the TTLs on the packets most likely.

    If all you're wanting to do is block it, then why are you forwarding it to your linux box?  If you want us to do your homework for you - going to have to give us the exact details..



  • Once again, thank you for the reply.

    Sorry if I wasn't being clear enough. The linux server has three subinterfaces, with three different networks. They can all access the internet through the pfsense. The purpose is to block internet access to one specific network between a specific hour period.


  • LAYER 8 Global Moderator

    well you would do that on the linux box then..  if you're using your linux box as your firewall/router why not just replace it with pfsense?  Or your other fav linux based firewall/router distro that makes it all very simple to do such things since the distro has been modified for the specific use as a firewall/router - like pfsense, it's just a tweaked-out version of freebsd that makes it easy to use as a firewall/router.


  • LAYER 8 Netgate

    Or tell linux to NAT each subnet out a different "outside" address. Then you can identify what subnet is what on pfSense by the NAT IP address.


  • LAYER 8 Global Moderator

    Yup you could do that..  But what is the point of the linux box other than some class work??  As I said in the beginning there is no point to double nat.. If you had a downstream router (linux in your case) there would be no point to nat there.


  • LAYER 8 Netgate

    I double NAT in my lab all the time, else I can't test NAT configs on the lab machines. Identifying networks behind NAT is a little strange.



    I know this configuration is complete nonsense and it would be so easy to "repair" it. The thing is it's a school project and so I can't modify the design and I'm being told that it's possible to do this, hard but doable, so I don't know..


  • LAYER 8 Netgate

    It's not hard.  Put a bunch of Virtual IP address on WAN, and use manual or hybrid outbound NAT to map each LAN subnet to a different WAN IP.

    After that, in the outside pfSense you can tell what subnet on the back side of the linux router the traffic is coming from based on the "inside global" NAT address.

    The trouble for you is all the real work has to be done on the linux router and this is a pfSense forum.
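    The outbound-NAT arrangement Derelict describes, seen from the Linux router's side, as an added example that is not part of this thread or of pfSense: a POSIX shell function that generates an nftables ruleset giving each inside subnet its own outside address (so pfSense can filter on the "inside global" address), plus the time-window drop the original poster asked for, evaluated on the router before its own NAT. Interface name, subnets, addresses and hours are constructed placeholders; it assumes an nft version with `meta hour` support and that the extra outside addresses are already configured on the interface.

```shell
#!/bin/sh
# Added example, not from the thread. Generates an nftables ruleset for the
# Linux router so that each inside subnet leaves with its own outside
# address (pfSense can then filter per "inside global" address) and so that
# one subnet is dropped from forwarding during a time window. Interface
# name, subnets, addresses and hours are constructed placeholders.
# Assumes nft with "meta hour" support and that the extra outside addresses
# are already configured on OUT_IF. Apply with: gen_ruleset ... | nft -f -

OUT_IF="eth0"                  # interface toward pfSense (assumed name)
BLOCK_SUBNET="10.0.3.0/24"     # the subnet to cut off (constructed)
BLOCK_HOURS='"22:00"-"06:00"'  # nft meta hour range, router local time

# gen_ruleset SUBNET=OUTSIDE_IP ...  -> prints the ruleset to stdout
gen_ruleset() {
  printf 'table ip lab {\n'
  printf '  chain forward {\n'
  printf '    type filter hook forward priority 0; policy accept;\n'
  # time-based block, evaluated on the router before its own NAT
  printf '    ip saddr %s oifname "%s" meta hour %s counter drop\n' \
    "$BLOCK_SUBNET" "$OUT_IF" "$BLOCK_HOURS"
  printf '  }\n'
  printf '  chain postrouting {\n'
  printf '    type nat hook postrouting priority srcnat; policy accept;\n'
  for pair in "$@"; do
    subnet="${pair%%=*}"
    outip="${pair#*=}"
    printf '    ip saddr %s oifname "%s" snat to %s\n' \
      "$subnet" "$OUT_IF" "$outip"
  done
  printf '  }\n'
  printf '}\n'
}

# subnet_for_nat_ip OUTSIDE_IP SUBNET=OUTSIDE_IP ...  -> prints the inside
# subnet that pfSense would attribute to a packet arriving from OUTSIDE_IP
subnet_for_nat_ip() {
  want="$1"; shift
  for pair in "$@"; do
    [ "${pair#*=}" = "$want" ] && { printf '%s\n' "${pair%%=*}"; return 0; }
  done
  return 1
}

# usage: show the ruleset for the three subinterface networks
gen_ruleset 10.0.1.0/24=192.0.2.11 10.0.2.0/24=192.0.2.12 \
            10.0.3.0/24=192.0.2.13
```

On pfSense the matching half is a rule on the inside interface that blocks (or schedules) traffic from the one outside address the blocked subnet is mapped to.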


  • LAYER 8 Global Moderator

    "I double NAT in my lab all the time"

    I hear ya - sometimes you have to, shit at work there are so many freaking nats it makes my head spin sometimes.  And a joke I like to use when troubleshooting with fellow techs at work is "we need another nat" there are only 3 ;)

    But to be honest it is something to be avoided!!

    As to your design gohancore - while you might not be able to modify it for the course work your instructor wants you to do..  I would bring it up to him for discussion that it's a BAD design and there seems in this scenario no reason to nat the downstream rfc1918 networks if you're just going to want to block one, etc..  But as Derelict has mentioned a couple of times now the easy fix is to use a different IP on the wan of your linux box for the nats for the networks on the inside of the linux router so that you can just block the 1 you want at pfsense.  Maybe this is the solution your instructor is looking for??

    Not sure why he just doesn't try and teach whatever concept he is trying to teach you without nonsense like double natting..  Why not show you how to work with a downstream router via a transit network, which seems to be something lost on many other users of this forum as well ;)

