OPNsense Forum

English Forums => General Discussion => Topic started by: cnaslund on February 10, 2018, 03:47:11 am

Title: How to avoid Double NAT with Fritz!Box
Post by: cnaslund on February 10, 2018, 03:47:11 am
My thanks to the devs for their hard work on this great product. I happily contribute to support devs who save me time and frustration!

I'm hoping some of you will be able to help me with my double NAT issue:

I have the following Setup:

Internet (VLAN10) Fibre ---> (Public IP): Fritz!Box 7490 (NAT, FW enabled, Port Sharing Exposed Host for single IP) --> Static Private IP *.*.1.* ---> ESXi 6.0: WAN ---> Static Private IP *.1.*: WAN NIC: OPNsense 18.1 (DHCP, NAT, FIREWALL) LAN NIC: --> Managed Switch (Private IP *.*.30.*) --> Home Servers/PCs, Devices

When I connect directly to the Fritz!Box 7490 using SpeedTest.net, I get 900/500Mb speeds.
When I connect through OPNsense using SpeedTest.net, I get 349/359Mb speeds.
When I do a tracert of 8.8.8.8 when connected directly to the Fritz!Box LAN port, I get a single private IP from the Fritz!Box as the first leg of the trace.
When I do a tracert of 8.8.8.8 when connected directly to the OPNsense LAN (via the managed switch), I get two private IPs in the trace, with the first leg being the OPNsense IP and the second leg being the Fritz!Box.

My research yields that the Fritz!Box 7490 does not have DMZ. Rather, I've configured the Fritz!Box to have a dedicated Shared Port which is supposed to allow all ports available to the IP of the OPNsense firewall. This appears to work as my UPnP settings have no issues.

Question:
How do I remove the double NAT issue with OPNsense being behind the Fritz!Box to improve my network speeds? If I turn off NAT on the Fritz!Box, I get no internet (or access to the Fritz!Box for that matter). I'm a neophyte with this sort of device, so clear instructions would be appreciated if possible.

Thank you
Title: Re: How to avoid Double NAT with Fritz!Box
Post by: bartjsmit on February 10, 2018, 09:48:18 am
If you can't set up the Fritz as a modem, your best bet is to use OPNsense as a bridge: https://wiki.opnsense.org/manual/how-tos/transparent_bridge.html

Bart...
Title: Re: How to avoid Double NAT with Fritz!Box
Post by: Ciprian on February 12, 2018, 01:26:54 pm
Mind the fact that your speed issues might come from the ESXi part, might be a virtualization problem. Same here, I get 350 - 400 Mb/s up/down on a symmetrical 1 Gb/s connection, couldn't figure it out yet. But I know for sure that I don't have double NAT. The only similarity we have is ESXi.

Test this, if you would, before making big changes on your topology based on a (probably) wrong assumption.

Thanks.
Title: Re: How to avoid Double NAT with Fritz!Box
Post by: mausy5043 on February 12, 2018, 06:19:50 pm
Not sure if this will be helpful but sharing this anyway.

I have a FritzBox 5490 and OPNsense set-up as follows:

INTERNET ----[Fritz5490]----[OPNsense]--- LAN

On my FritzBox there is a setting under Internet > Permit Access that allows you to set port sharing. Under the same setting I have an option to fully expose a host (see image).
That's how I got rid of the double NAT.
Title: Re: How to avoid Double NAT with Fritz!Box
Post by: Ciprian on February 13, 2018, 08:50:52 am
You are very right, from the screenshot you took I can say that this is the freaking DMZ, but in a not so obvious expression.

And, yes, the only two ways to properly get rid of the double NAT are:

1. Put the front device (the one closest to the internet/ISP) in bridge mode.
2. If 1. is not possible, declare the back device (the one closest to the private network) as DMZ in the front device.

THX.
A good day!
Title: Re: How to avoid Double NAT with Fritz!Box
Post by: nordx on January 28, 2022, 11:14:59 am
The problem is, you won't get the external IP arriving at the OPNsense router. The FritzBox will still give you an internal IP for the WAN port of your OPNsense machine.
That's exactly the problem I have right now.

The FritzBox only opens EVERY port and forwards it to this specific internal IP, except the ports you specify in the FritzBox to forward to other internal IPs.

So it doesn't solve the double NAT problem. It's like you set all ports open in the firewall of the FritzBox and forward the traffic to the specific internal IP.
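
Added example, not part of any post in this thread: a small Python check that combines the tracert test from the first post with the point above that an exposed host still leaves a private address on the OPNsense WAN port. The sample traces and the addresses 192.168.30.1, 192.168.1.1 and 192.168.1.2 are constructed assumptions that stand in for the masked addresses in the thread.

```python
import ipaddress
import re

# RFC 1918 private ranges plus RFC 6598 carrier-grade NAT space.
NON_PUBLIC = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOP_LINE = re.compile(r"\s*\d+\s+(.*)")  # hop lines start with the hop number

# Constructed sample: Windows tracert from a PC on the OPNsense LAN.
VIA_OPNSENSE = """Tracing route to 8.8.8.8 over a maximum of 30 hops
  1    <1 ms    <1 ms    <1 ms  192.168.30.1
  2     1 ms     1 ms     1 ms  192.168.1.1
  3     4 ms     3 ms     4 ms  203.0.113.1
  4     *        *        *     Request timed out.
  5     9 ms     9 ms     8 ms  8.8.8.8
Trace complete."""

# Constructed sample: the same PC plugged straight into the Fritz!Box.
DIRECT = """Tracing route to 8.8.8.8 over a maximum of 30 hops
  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2     4 ms     3 ms     4 ms  203.0.113.1
  3     9 ms     9 ms     8 ms  8.8.8.8
Trace complete."""

def is_non_public(addr):
    """True if addr falls in private or carrier-grade NAT address space."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NON_PUBLIC)

def hop_addresses(trace_text):
    """One address per hop line; None for a hop that timed out."""
    hops = []
    for line in trace_text.splitlines():
        m = HOP_LINE.match(line)
        if m:
            found = IPV4.findall(m.group(1))
            hops.append(found[0] if found else None)
    return hops

def leading_private_hops(trace_text):
    """Count consecutive non-public hops at the start of the path."""
    count = 0
    for hop in hop_addresses(trace_text):
        if hop is None or not is_non_public(hop):
            break
        count += 1
    return count

def assess(wan_addr, trace_text):
    """Combine the firewall's WAN address with the trace from its LAN."""
    wan_private = is_non_public(wan_addr)
    hops = leading_private_hops(trace_text)
    return {"wan_is_private": wan_private, "private_hops": hops,
            "double_nat_likely": wan_private and hops >= 2}
```

Some ISPs number their own routers from private or carrier-grade NAT space, which inflates the hop count, so the WAN address check is the stronger of the two signals.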
Title: Re: How to avoid Double NAT with Fritz!Box
Post by: lfirewall1243 on January 30, 2022, 01:27:41 pm
I don't think NAT is your issue.
I have several networks running with double NAT and no problems.