
Author Topic: Public ip on double Nat  (Read 292 times)


Offline lonblu

Public ip on double Nat
« on: July 10, 2017, 07:11:27 am »
Hello pfSense folks,

Can you help me understand the routing in my network?
My ISP router is providing Wi-Fi, and I attach a pfSense WAN interface (virtual machine) to the Wi-Fi subnet. So I have double NAT, first from the ISP router to pfSense, then in pfSense to my internal servers' ports.

It is working fine for the outside users accessing the servers on the public IP, but for the Wi-Fi clients on the same subnet there is an issue. The ISP router seems not to route these clients to pfSense, so they hit the ISP router asking for credentials, either certificate or web UI login.

For the moment I am bypassing this with a second public IP directly attached to another pfSense, serving a VPN.
Any ideas?

« Last Edit: July 10, 2017, 07:16:35 am by lonblu »

Offline viragomann

Re: Public ip on double Nat
« Reply #1 on: July 10, 2017, 09:38:42 am »
Access the servers by the pfSense WAN IP from the Wi-Fi subnet.
If you want to access them by host names, set up an internal DNS.

Offline lonblu

Re: Public ip on double Nat
« Reply #2 on: July 15, 2017, 11:48:28 am »
The issue is when I access the public IP from clients on the Wi-Fi subnet. The pfSense WAN interface is on the same subnet.
The same subnet hosts laptop and Android clients going out through the router (DHCP gateway).
The public IP is the WAN interface of the router.

The problem is that an IP television is attached to the same router, so I don't want to bypass the router, because it is managed by the ISP, partially.
So I think I should check something in the router, or ask the ISP for extra technical intervention.

But I also think I will connect an access point to the Hyper-V server, where I will connect these clients. But for another topic, do I need an extra subnet to connect the access point? Because it doesn't seem pfSense can detect an access point on a virtual interface....


Offline viragomann

Re: Public ip on double Nat
« Reply #3 on: July 17, 2017, 04:54:39 pm »
Accessing the server by the public IP can only work if the router provides NAT reflection. But I'm in doubt, because if it does, it is usually enabled by default.
That is no problem with double NAT.

Also, attaching the Wi-Fi clients to an internal pfSense interface will not solve this issue.

So the best way is to set up an internal DNS and add an override for your server's host name.
It can be done on pfSense. In this case, best practice is to also move the DHCP server to pfSense.
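
An added illustration, not part of any post in this thread: a simplified model of the ISP router's forwarding decision, showing why a Wi-Fi client that targets the public IP lands on the router's own login page when NAT reflection is absent, and how a DNS host override avoids that path. All addresses, the host name `srv.example.com` and the function names are constructed for the example.

```python
import ipaddress

# Constructed addressing (documentation and private ranges).
PUBLIC_IP = "203.0.113.10"                     # ISP router WAN address
LAN = ipaddress.ip_network("192.168.1.0/24")   # ISP router Wi-Fi subnet
PFSENSE_WAN = "192.168.1.2"                    # pfSense WAN, a host on that subnet
PORT_FORWARDS = {443: PFSENSE_WAN}             # ISP router: public:443 -> pfSense WAN
PUBLIC_DNS = {"srv.example.com": PUBLIC_IP}    # what the Internet resolves

def isp_router_deliver(src_ip, dst_ip, dst_port, nat_reflection):
    """Return the device that ends up answering the connection."""
    if dst_ip != PUBLIC_IP:
        return dst_ip  # ordinary same-subnet traffic, no NAT involved
    from_lan = ipaddress.ip_address(src_ip) in LAN
    if from_lan and not nat_reflection:
        # Assumption of this model: port forwards match only packets arriving
        # on the WAN side, so the router answers for its own address.
        return "isp-router-webui"
    return PORT_FORWARDS.get(dst_port, "dropped")

def resolve(name, client_ip, overrides):
    """Split DNS: LAN clients get the host override, others the public record."""
    if ipaddress.ip_address(client_ip) in LAN and name in overrides:
        return overrides[name]
    return PUBLIC_DNS[name]

def connect(name, client_ip, port, nat_reflection=False, overrides=None):
    """Resolve the name as the client would, then follow the packet."""
    dst = resolve(name, client_ip, overrides or {})
    return isp_router_deliver(client_ip, dst, port, nat_reflection)

if __name__ == "__main__":
    host = "srv.example.com"
    print("outside user:        ", connect(host, "198.51.100.7", 443))
    print("Wi-Fi, no reflection:", connect(host, "192.168.1.50", 443))
    print("Wi-Fi, reflection:   ", connect(host, "192.168.1.50", 443, nat_reflection=True))
    print("Wi-Fi, DNS override: ",
          connect(host, "192.168.1.50", 443, overrides={host: PFSENSE_WAN}))
```
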

Offline lonblu

Re: Public ip on double Nat
« Reply #4 on: August 12, 2017, 06:00:01 pm »
Thanks for your answer, I hadn't forgotten.

But I have some trouble in setting pfSense as DNS server. I only have activated the forwarder.

How does it differ from the Microsoft DNS? How do you see the override for the servers?

Offline Derelict

Re: Public ip on double Nat
« Reply #5 on: August 12, 2017, 06:52:53 pm »
I would forget that the ISP device can provide Wi-Fi, put the ISP device in bridge mode so pfSense gets the public IP address, and get another access point and put it behind pfSense for your Wi-Fi devices.

Offline lonblu

Re: Public ip on double Nat
« Reply #6 on: August 13, 2017, 08:15:44 pm »
Thanks for your input, but as I mentioned, that router serves the television decoder, which gets an IP from it. That part is managed remotely by the ISP, on that router. I had tried to do as you say but there is an issue with the television. It works, but then it doesn't.
So I still need the gateway in the router, I think, but it is not a very well documented device, and not very responsive.

At the moment I have only a good Wi-Fi card on the Hyper-V server, not an AP. Any idea for using that Wi-Fi card as an AP? The Windows hosted hotspot is limiting...

Offline tim.mcmanus

Re: Public ip on double Nat
« Reply #7 on: August 15, 2017, 07:28:44 pm »
I have no idea who your ISP is, but this FAQ might help:  http://www.dslreports.com/faq/16077

It talks about FIOS and their TV package.  In order to get all of the services to work with your TV, those devices need to be on the FIOS LAN.  How you get a second router or network working in this kind of environment is addressed in the above FAQ.  It might not apply 100% to your particular situation, but it does have some very well thought out approaches to solve the issue that may be helpful to you.