Question pfsense behind an ISP router, double NAT: How big of a deal is this in practice?

PingSpike

Lifer
Feb 25, 2004
I have a pfSense VM I'm playing with. I've got it set up behind my ISP router/modem combo, which, since it's not in a DMZ, is double NAT. Everything says this is bad. So far... web browsing seems fine. I tried downloading a Linux distro; it seemed fine as well, although it took a bit to find peers. But it also took a bit when I tested with a machine connected directly to the ISP router, so that is probably just how it is.

I gather it can be an issue for games since they can't punch through double NAT, but in my case I don't really plan to game with anything connected to this pfSense instance. Are there other things that are typically problematic?

I plan to set up OpenVPN on this next, which is sort of the whole point of this experiment: a separate network that only runs through that, while most of my machines connect directly.
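A quick way to confirm the double-NAT situation described in the post, added here as an example rather than code from the thread: classify the address pfSense holds on its WAN interface, and count the non-public hops in a traceroute taken from a LAN host. It assumes you read the WAN address from pfSense's interface status page and paste the traceroute hop addresses in by hand (the sample values below are constructed).

```python
import ipaddress

# Address ranges that mean "another NAT sits upstream of this interface".
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")   # RFC 6598 shared address space


def wan_nat_kind(addr: str) -> str:
    """Classify the address pfSense holds on its WAN interface.

    'private' -> an RFC 1918 address handed out by the ISP router: double NAT.
    'cgnat'   -> RFC 6598 address: the ISP itself is translating; inbound
                 port forwards on pfSense cannot reach you from the internet.
    'public'  -> pfSense is the only NAT hop.
    Explicit ranges are used instead of ipaddress.is_private, which also
    reports documentation ranges such as 203.0.113.0/24 as private.
    """
    ip = ipaddress.ip_address(addr)
    if ip in CGNAT:
        return "cgnat"
    if any(ip in net for net in RFC1918):
        return "private"
    return "public"


def nat_hops(trace_hops) -> int:
    """Count leading non-public hops in a traceroute taken from a LAN host.

    Behind pfSense alone the count is 1 (the pfSense LAN gateway); behind
    pfSense + ISP router it is 2. Timed-out hops ('*') are skipped, so a
    silent ISP router can make the count look lower than it really is.
    """
    count = 0
    for hop in trace_hops:
        if hop == "*":
            continue
        if wan_nat_kind(hop) == "public":
            break
        count += 1
    return count


def is_double_nat(wan_addr: str, trace_hops=()) -> bool:
    """True when either signal shows a second NAT layer upstream of pfSense."""
    return wan_nat_kind(wan_addr) != "public" or nat_hops(trace_hops) >= 2


if __name__ == "__main__":
    # Constructed sample: pfSense WAN sits on the ISP router's 192.168.1.0/24,
    # and a LAN host's traceroute passes pfSense, then the ISP router.
    print(is_double_nat("192.168.1.2", ["192.168.2.1", "192.168.1.1", "203.0.113.1"]))
```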

aigomorla

CPU, Cases&Cooling Mod PC Gaming Mod Elite Member
Super Moderator
Sep 28, 2005
If you're hosting multiplayer games, or need to open ports for outside access, GG on a double NAT.
If you just use the internet like normal people (browse / stream / games where you don't host), then it probably won't matter.
 

SamirD

Golden Member
Jun 12, 2019
In general, double NAT won't hurt regular browsing or anything.

However, it may be an issue for OpenVPN, depending on how that handles NAT traversal. I know with regular IPsec VPN tunnels double NAT would potentially cause a lot of issues.
 

PingSpike

Lifer
Feb 25, 2004
Guess I'll have to give the VPN setup a shot. I noticed that with DNSSEC enabled I was not getting DNS resolution when accessing through the pfSense instance. It did work, however, when I tested with a ProtonVPN client application.
 

fkoehler

Member
Feb 29, 2008
Why don't you just take it out? Even if it is a combo cable modem/router, you can usually disable the router portion.
Sounds like he is new to pfSense and 'playing with it', so maybe later, when he's more familiar and confident with his config, he could just put the router in bridged mode and let pfSense take over.
Correction: pfSense is just a VM, so he can't take out the router.

Haven't used it; however, is WireGuard an option? Looks like WireGuard is back as an Experimental Package now. I know you're just testing; however, if at some point you bridge the ISP router and use pfSense on some hardware, WG should give you a fair bit of extra performance from what I've read.


sdifox

No Lifer
Sep 30, 2005
Sounds like he is new to pfSense and 'playing with it', so maybe later, when he's more familiar and confident with his config, he could just put the router in bridged mode and let pfSense take over.
Correction: pfSense is just a VM, so he can't take out the router.

Haven't used it; however, is WireGuard an option? Looks like WireGuard is back as an Experimental Package now. I know you're just testing; however, if at some point you bridge the ISP router and use pfSense on some hardware, WG should give you a fair bit of extra performance from what I've read.


You can definitely run pfSense in a VM and have it be the router. That is my setup. You just need to dedicate NICs to that VM.

mxnerd

Diamond Member
Jul 6, 2007
sdifox is correct. You will need a dedicated NIC for pfSense, at least for the WAN side. If not, and the VM's WAN-side NIC is bridged to the host's NIC, the packets could be dropped.

Haven't used it; however, is WireGuard an option? Looks like WireGuard is back as an Experimental Package now. I know you're just testing; however, if at some point you bridge the ISP router and use pfSense on some hardware, WG should give you a fair bit of extra performance from what I've read.

Yep, WG returned as an Experimental Package.



PingSpike

Lifer
Feb 25, 2004
I am actually running it in a VM. The WAN link is a virtual bridge and the LAN link is a real USB NIC. Not sure why I went that way; I think it was just the first configuration I got to work. Stuff keeps breaking in my house, but I think my next step is to just configure OpenVPN and see how it goes.
 

Red Squirrel

No Lifer
May 24, 2003
I had to do this for a while. Had to use the ISP-provided router because of the way the fibre setup works. Can't just plug straight into the ONT (at least not simply... more on that after). So I had ISP router -> pfSense -> LAN. To save a bit of work when port forwarding stuff, I just port forwarded everything to the pfSense router. But it was still double NAT as far as everything is concerned, so still kind of not a good setup.

Then at some point someone wrote a custom firmware for a specific Asus router specially for my ISP. This firmware allowed it to emulate the ISP router, but allowed more options such as pass-through, while also having a port dedicated to TVs. You could then plug a regular switch in there if you have multiple TVs.

Eventually I got rid of TV service, so I was able to even remove that Asus router and plug straight into the ONT. On the pfSense side I just had to specify a VLAN for the WAN port, as the internet comes on a specific VLAN on the ONT (35 I think, but this will differ by ISP).

But long story short, yeah, there are sadly situations where you are stuck with double NAT unless you find a workaround like I did. Depends on the ISP.