Double NAT Not working
-
Hello Guys,
I am new to this forum and I wish I never had to come here, because it means I have an issue I have not been able to solve for 5 days.
I have a home network with a double NAT configuration. So we have this configuration:
Internet
|
|
ISP (NAT Enabled / Public IP : 87.x.x.x, internal IP : 192.168.1.1/24, 192.168.1.254/24 (I don't know why, but both IPs belong to the ISP router; both are pingable but only the .254 is used to access the WebGUI).
|
|
TP-LINK (NAT Enabled / WAN IP : dhcp 192.168.1.10/24 - LAN IP : Static 192.168.2.1/24 - DHCP enabled)
|
|
COMPUTERS
With this configuration, everything was working flawlessly and no particular configuration was needed to make it work.
Now I have removed the TP-LINK router and replaced it with a pfSense box (an HP mini computer with 2 NIC cards: 1 onboard and 1 USB > Ethernet):
Internet
|
|
ISP (NAT Enabled / Public IP : 87.x.x.x, internal IP : 192.168.1.1/24, 192.168.1.254/24 (I don't know why, but both IPs belong to the ISP router; both are pingable but only the .254 is used to access the WebGUI).
|
|
pfSense box (NAT Enabled / WAN IP : dhcp 192.168.1.10/24 - LAN IP : Static 192.168.2.1/24 - DHCP enabled)
|
|
COMPUTERS
In this configuration, I can ping 8.8.8.8 or 8.8.4.4 without any issue, so I can assume that there is no issue in regards to the routing.
However, name resolution from the computers does not work, and this is regardless of the DNS configured for the client. I have tried to use Google DNS 8.8.8.8 and the ISP DNS, and I also disabled the DNS resolver and forwarder on the pfSense box. Firewall rules were added to pass all traffic from/to any source, destination or port to eliminate any firewall-related issue. Still, name resolution won't complete.
DNS requests fail even when issued from the pfSense box WAN interface. I never see the replies. When typing pfctl -s state, it looks to me like there is an issue with the NAT aspect:
IP > IP SINGLE:NO_TRAFFIC or NO_TRAFFIC:NO_TRAFFIC whatever.
Can you guys please help me to sort this out? Maybe I have to create some additional NAT rules which I am not aware of…
Kind regards,
Romaric
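The `SINGLE:NO_TRAFFIC` states quoted above are the useful clue: pf records that the client sent a query but never saw a reply. The following script is an added example, not from the thread or from pfSense itself; it parses `pfctl -s state` lines in the layout pfSense prints (the sample states, interface names and addresses are constructed for the example) and lists the UDP/53 flows that left the box unanswered, distinguishing a NAT translation that did happen (original LAN address shown in parentheses) from a reply that never came back from upstream.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of `pfctl -s state` output in the layout pfSense prints:
#   <iface> <proto> <left-host> [(<pre-NAT host>)] <arrow> <right-host>   <left-state>:<right-state>
# An outbound NATed state on the WAN side shows the translated address first and
# the original LAN address in parentheses. Every address here is made up.
SAMPLE_STATES = """\
em0 udp 192.168.1.10:55001 (192.168.2.50:55001) -> 8.8.8.8:53       SINGLE:NO_TRAFFIC
em1 udp 8.8.8.8:53 <- 192.168.2.50:55001       NO_TRAFFIC:SINGLE
em0 udp 192.168.1.10:55002 (192.168.2.50:55002) -> 8.8.4.4:53       MULTIPLE:MULTIPLE
em0 icmp 192.168.1.10:1234 (192.168.2.50:1234) -> 8.8.8.8:1234       0:0
em0 tcp 192.168.1.10:40000 (192.168.2.50:40000) -> 192.0.2.10:443       ESTABLISHED:ESTABLISHED
"""

STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<left>\S+)"
    r"(?:\s+\((?P<orig>[^)]+)\))?\s+(?P<arrow>->|<-)\s+(?P<right>\S+)"
    r"\s+(?P<lstate>[^:\s]+):(?P<rstate>[^:\s]+)\s*$"
)


def split_host(host: str):
    """Split 'addr:port' into (addr, port). IPv4 only (assumption for this example)."""
    addr, _, port = host.rpartition(":")
    return addr, port


def parse_state_line(line: str) -> Optional[Dict[str, object]]:
    """Normalise one state line into initiator/responder terms.

    pf prints the left host's state first whichever way the arrow points:
    '->' means left = initiator, '<-' means left = responder.
    """
    m = STATE_RE.match(line)
    if not m:
        return None
    left = m.group("orig") or m.group("left")  # prefer the pre-NAT (real client) address
    right = m.group("right")
    if m.group("arrow") == "->":
        initiator, responder = left, right
        init_state, resp_state = m.group("lstate"), m.group("rstate")
    else:
        responder, initiator = left, right
        resp_state, init_state = m.group("lstate"), m.group("rstate")
    _, resp_port = split_host(responder)
    return {
        "iface": m.group("iface"),
        "proto": m.group("proto"),
        "initiator": initiator,
        "responder": responder,
        "responder_port": resp_port,
        "init_state": init_state,
        "resp_state": resp_state,
        "natted": m.group("orig") is not None,
    }


def find_unanswered_dns(states_text: str) -> List[Dict[str, object]]:
    """Return UDP/53 flows where the client sent queries but no reply was ever seen.

    The same flow appears once per interface it crosses (LAN in, WAN out), so
    flows are de-duplicated on the (initiator, responder) pair; the first line
    kept is the one that tells whether NAT translation was applied.
    """
    seen = set()
    findings = []
    for line in states_text.splitlines():
        st = parse_state_line(line)
        if st is None or st["proto"] != "udp" or st["responder_port"] != "53":
            continue
        key = (st["initiator"], st["responder"])
        if key in seen:
            continue
        seen.add(key)
        if st["init_state"] != "NO_TRAFFIC" and st["resp_state"] == "NO_TRAFFIC":
            findings.append(st)
    return findings


if __name__ == "__main__":
    for f in find_unanswered_dns(SAMPLE_STATES):
        nat = "NATed on WAN" if f["natted"] else "no translation"
        print(f"{f['iface']}: {f['initiator']} -> {f['responder']} unanswered ({nat})")
```

Run it against real output with `pfctl -s state | python3 this_script.py`-style piping adapted to read stdin; when a flow shows `natted` true and still has no reply, the translation on pfSense worked and the missing answer is on the upstream side (the ISP router or its state table), which is the kind of distinction the replies in this thread are trying to draw.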
-
Unless you have changed the default settings, NAT and rules from LAN to WAN should work out of the box. Make sure you have disabled or removed the 'Block Private Network' rule at the top of your WAN firewall rules as this will prevent traffic from your ISP router from reaching your LAN. Might be worth seeing if you can flush the state table on the ISP router as I see your PFS and your TPLink are using the same IP address in both scenarios.
In the event you're still having trouble, post a screenshot of your firewall rules (LAN and WAN) and your NAT rules (LAN and WAN) and someone might be able to assist further.
-
Hi muswellhillbilly and thanks for your reply.
Yes, I confirm that during the setup I unchecked the "Block Private Network" box. I will revert to factory settings and send some screenshots. I will try to reset the ISP router to factory as well, though I cannot do much customization on this one (no bridged mode, no CLI, no NAT table flush and so on).
Thanks
Bitterjuice
-
Hi,
I have performed some tests today and I am almost sure that the issue is with the USB NIC. When I use the onboard NIC for the WAN, everything works fine from WAN to ISP LAN (double NAT), which means that the USB NIC is for the LAN side of pfSense. In this configuration, my computer is not even able to connect to the WebGUI. I can see that the firewall automatically drops or rejects the outbound traffic LAN_IP:443 > COMPUTER_IP:RANDOM_PORT even though there is the default anti-lockout rule. Furthermore, when I assign the USB NIC to a new side, it takes like 5 min to load the config settings. For the onboard NIC, it takes a few seconds. The USB NIC is a UNITEK USB 2.0. Tomorrow I'll buy a PCI NIC and I will let you know if that solves the issue.
Kind regards,
-
If you can, stay away from USB NICs; I have not had any luck with them keeping a stable connection, and I'm thinking it has something to do with power management. If you are able to, put in a PCI-e or PCI (only if your machine doesn't have PCI-e slots) NIC. Also, if you are double NATing because there is no bridge mode in your modem, then I strongly recommend that you put your pfSense box in the DMZ of your ISP NAT.
The DMZ will forward all unsolicited packets to pfSense. That way, if you want to set up a server inside your network, you will only have to create a port forward rule on your pfSense box and not on the ISP's box.
Lastly, if your box only has one NIC and you can't add another port without using USB, then you can connect a switch to your pfSense box and create virtual ports using VLANs. I have done this in the past and it works great. You will need a smart switch to do this.
-
Hi,
Unfortunately I do not have a switch which can handle VLAN tags, but I just received an Intel Pro 100/1000 PCI-E NIC card, so I believe that I won't get any issue now. Regarding the DMZ, yes, I will try to do that, as I'm aware that double NAT works but is not a good practice in terms of optimization.
I will let you know later on if everything works good.
Thanks.
-
Hi guys,
Sorry, I forgot to update this thread. Everything has been working fine since I installed a new PCI-E NIC.
This topic can be closed.