[SOLVED] How to avoid double NAT?
alh (Full Member, Posts: 123, Karma: 6), on March 20, 2019, 12:56:32 pm:
We use an Internet connection that performs a kind of load balancing between a DSL and an LTE connection. This all happens inside the provider's router. We are therefore stuck with this router, which can neither offer VPN services nor VLANs, nor can one set up static routes.
My goal is to have OPNsense running behind the ISP router offering VPN services etc. If I understand correctly, that rules out a "filtering-bridge" setup for OPNsense. Is there an alternative to avoid double NAT?
Could I e.g. configure something like this?
- ISP router LAN 192.168.1.1
- Switch tags with VLAN 999
- OPNsense WAN 192.168.1.2
- OPNsense LAN 192.168.1.254
- Switch
- LAN 192.168.1.0/25
And then disable NAT and set up a gateway for 192.168.1.1? Does anyone run a similar setup?
Last Edit: April 14, 2019, 12:06:56 pm by alh
mitsos (Newbie, Posts: 47, Karma: 9), Reply #1 on March 20, 2019, 01:31:12 pm:
Problems and why it will not work:
1) Your subnets are messed up. Different subnets on different interfaces. Rule, set in stone.
2) Don't use any other subnet other than /24. Ever.
That being said:
There are two scenarios you could follow:
1) OPNSense in filtering bridge: No IPs are needed internally (the bridge doesn't "exist" on the network), no subnets.
2) OPNSense in routing: double NAT, which depending on what you are trying to do could involve the ISP's modem cooperation to work.
How is the ISP's "external" IP being handled? Does your ISP route your external IP over both connections in a round-robin fashion, or is it more like a failover, i.e. DSL goes down, everything switches to LTE?
In "round robin": Your ISP is handling everything, you shouldn't have any issues. This includes a special failover scenario where the DSL goes down and your ISP automatically routes packages over LTE, without your external IP changing (BGP style).
In "pure failover": Your external IP changes when links flap, which will break any VPN tunnels you are trying to use (except WireGuard (= client side on OPNsense only), but I wouldn't recommend it in production use yet). Your established tunnels have no way to know that your ABC IP changed, so they can't find you since now your external IP is XYZ.
Double NAT isn't an issue, assuming everything else is handled correctly (I doubt the ISP's modem is smart enough to know that states apply to both connections, so everything *isn't* handled correctly, guaranteed, I can offer a signed contract in my blood for this). Even if everything is set up as it should on your ISP's side (up to the modem), then the modem itself will break your tunnels since it will not be able to figure out that states for "incoming connections to port 1194 apply to both connections, so this packet that suddenly showed up on LTE is actually an answer for a packet on DSL".
TL;DR: What you are trying to do isn't going to work. It *may* work for a day or two, but will eventually blow up. What I would recommend (if you **actually** need failover) is to get your ISP to add you to their "BGP style" routing, with you being able to push updates to them (and use a bat to convince them that you should only push updates for *your* IPs, not mine). This usually comes with a mandatory couple of zeros after the monthly price, so back to square one: Set everything up as you normally would (see first paragraph for my comments) and don't worry about the link going down. Or set up two VPN instances and tell your users that when A isn't working, disconnect and connect with B.
hbc (Hero Member, Posts: 501, Karma: 47), Reply #2 on March 20, 2019, 01:32:49 pm:
Avoiding double NAT would be pretty easy if your ISP router could do static routes.
Of course you can use a filtering bridge, but you should use a /24 mask for everything, else 192.168.1.1 for the ISP router and 192.168.1.254 would lie in different subnets.
A transparent bridge connects devices on the same subnet.
Intel(R) Xeon(R) Silver 4116 CPU @ 2.10GHz (24 cores)
256 GB RAM, 300GB RAID1, 3x4 10G Chelsio T540-CO-SR
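The subnet objection raised in the two replies above, checked against the addressing plan from the first post. This is an added example, not code from the thread or from OPNsense; the device names and addresses are taken from the original post, and the helper names are my own.

```python
import ipaddress

# Addressing plan as proposed in the first post (constructed from the thread).
# In a filtering-bridge setup there is no routing hop between these devices,
# so every one of them must sit inside the same IP subnet.
PROPOSED_PLAN = {
    "ISP router LAN": "192.168.1.1",
    "OPNsense WAN": "192.168.1.2",
    "OPNsense LAN": "192.168.1.254",
}


def check_bridge_plan(lan_network, hosts):
    """Return the (name, address) pairs that fall outside lan_network.

    lan_network is the subnet the LAN hosts are configured with (e.g. the
    192.168.1.0/25 from the post); hosts maps device names to IP addresses.
    """
    net = ipaddress.ip_network(lan_network, strict=True)
    outside = []
    for name, addr in hosts.items():
        if ipaddress.ip_address(addr) not in net:
            outside.append((name, addr))
    return outside


def smallest_common_network(addrs):
    """Smallest prefix that contains all given addresses.

    Starts from a /32 around the first host and widens the prefix one bit
    at a time until every host is covered; for .1, .2 and .254 that is /24.
    """
    ips = [ipaddress.ip_address(a) for a in addrs]
    net = ipaddress.ip_network(f"{ips[0]}/32")
    while not all(ip in net for ip in ips):
        net = net.supernet()
    return net


if __name__ == "__main__":
    for prefix in ("192.168.1.0/25", "192.168.1.0/24"):
        bad = check_bridge_plan(prefix, PROPOSED_PLAN)
        status = "ok" if not bad else f"outside subnet: {bad}"
        print(f"{prefix}: {status}")
    print("minimum mask for this plan:", smallest_common_network(PROPOSED_PLAN.values()))
```

With the /25 from the post, 192.168.1.254 is reported as outside the LAN subnet; with /24 every device is covered, which is the mask both replies recommend.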
alh (Full Member, Posts: 123, Karma: 6), Reply #3 on March 20, 2019, 01:51:53 pm:
The internet connection is more the "burst" kind of type. So the basic load is handled via DSL and any bursts are sent over LTE. As written before, we have zero influence on this and it is all handled by the ISP. All we get is the router, which cannot be bridged, no static routes whatsoever. Just port forwarding...
The filtering bridge looks tempting, but I'm not sure if I can define VPN servers in OPNsense to listen on the WAN if the bridge is enabled.
mitsos (Newbie, Posts: 47, Karma: 9), Reply #4 on March 20, 2019, 09:50:27 pm:
It should, you just assign an IP (alias if need be) on its "WAN" side, but as I said, your setup will break incoming connections if it flaps all over the place with regards to your external IP.
alh (Full Member, Posts: 123, Karma: 6), Reply #5 on March 21, 2019, 08:39:58 am:
Thanks for your reply. AFAIK there is just one external IP. All the "flapping" is managed by the ISP and happens between the external IP and the router. They do something like LISP. So that should be fine. I will try and set up a filtering proxy and then see if I can get VPN working. I was under the impression that the bridged "WAN" and "LAN" interfaces "disappeared", so I could not use the "WAN" as a VPN endpoint anymore.