What's the issue with the poor man's bridge, aka the DMZ double NAT?

Started by GiantJack, January 27, 2022, 04:03:52 PM

Hi!

I have read several times that double NAT in principle is bad, and I understand the issues that it can bring.

But it's less clear when it comes to using double NAT through a DMZ (sometimes called the poor man's bridge mode).

Let's assume that I have 2 routers:
- ISP router, connected to the internet on one side, providing a DMZ LAN RJ45 on the other side,
i.e. all incoming traffic from the internet will be forwarded to a defined RJ45.
- An OPNsense router with its WAN port connected to the DMZ RJ45 mentioned above and my LAN on the other side.

What could go wrong exactly?
Or what would work fine with the ISP router in bridge mode that would not work with the DMZ trick?


If it matters:
- I use a VPN to access my LAN from my smartphone when I'm away (using the VPN server in OPNsense).
- I have some PlayStations (those devices are sensitive to NAT topics).

One day, I will understand all of this !

ISP bridge mode will convert your (Coax/FIOS/DSL/T3/etc.) line to Ethernet. This means the WAN port on the OPNsense will have an Internet IP.

HTH

Yes, I know.

But there are some places where the only available solution is an ISP modem that cannot be set to bridge mode and cannot be removed/replaced.

So that's why I ask what the issues with double NAT through a DMZ could be.
No offense, but I don't ask how to avoid this ;-)

If the devices ahead of the traffic are NATting multiple layers, this would create a reduced MTU size, which many times creates application-level issues, one of which is routing. It's kind of odd to route traffic from 192.168.1.1 to 10.1.1.1.

The only way is to remove the NAT from the OPNSense.

Imho it's perfectly fine to run such a setup if it serves your needs. It can even have some pros to it.

Pro:

  • The ISP-provided router can shoulder other duties like being a DECT station or providing an analog phone jack. Yes, there are people who use their landline number(s) with regular phones.
  • Whenever your ISP has issues, you can skip all the "it's not our fault, it's your setup" hotline nonsense by plugging yourself directly into the LAN port of their plastic box. They'll try to weasel themselves out of all issues with any excuse they can find. I was once asked which color my cables were. Yeah, it's that bad especially with consumer lines.

Cons:

  • You're bound to the performance limitations of your ISP router (bandwidth, number of connections and whatever else you may think of). Though in practice, at least for me, this has never been an issue.
  • More power consumption. Not that I would take that argument seriously from somebody playing around with prosumer gear at home, but it is an argument.
  • UPnP is YMMV. It is technically possible to daisy-chain it, but it can be a PITA to get it to work.
  • DynDNS is slightly more difficult to set up.

I personally think that, as long as the provider router is a halfway decent product (e.g. FritzBox), and your provider gives you more than a single /64 IPv6 prefix, it's almost always possible to work around the limitations by just relying more on IPv6 and avoiding NAT altogether. Heck, the providers with bad gear AND bad IPv6 politics are usually also the ones giving you CGNAT, which has all the same issues as your double NAT anyway, so your best bet is to switch providers if you can. Last resort: rent a VPS and use a VPN to get access to non-castrated IP (v4 and v6).
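A quick way to tell which of the situations discussed in this thread you are actually in (ISP box in bridge mode, DMZ double NAT, or CGNAT) is to look at the address OPNsense gets on its WAN and at the first few hops of a traceroute toward the Internet. The script below is an added example written for this thread, not code from OPNsense or from any poster; every address in it is constructed, and the hop-counting rule (each non-public router before the first public hop counts as one NAT layer) is a heuristic, not a guarantee.

```python
"""Classify an OPNsense WAN address and estimate NAT layers from traceroute hops.

Added example for this thread; not OPNsense code. All addresses are constructed.
"""
import ipaddress
from typing import List

# RFC 1918 private ranges, RFC 6598 shared address space (CGNAT), RFC 4193 ULA.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")
ULA = ipaddress.ip_network("fc00::/7")
LINK_LOCAL_V6 = ipaddress.ip_network("fe80::/10")


def classify(addr: str) -> str:
    """Return 'private', 'cgnat', 'link-local' or 'public' for an IPv4/IPv6 literal.

    CGNAT is tested before RFC 1918 on purpose: 100.64.0.0/10 is neither
    'private' nor 'global' in the stdlib's own flags, so it is handled explicitly.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        if ip in CGNAT:
            return "cgnat"
        if any(ip in net for net in RFC1918):
            return "private"
        if ip.is_link_local or ip.is_loopback:
            return "link-local"
        return "public"
    if ip in ULA:
        return "private"
    if ip in LINK_LOCAL_V6 or ip.is_loopback:
        return "link-local"
    return "public"


def wan_verdict(wan_addr: str) -> str:
    """Map the address seen on OPNsense's WAN interface to the setup it implies."""
    kind = classify(wan_addr)
    if kind == "public":
        return "bridge: WAN holds a routable address, OPNsense is the only NAT"
    if kind == "cgnat":
        return "cgnat: the ISP shares this address upstream; inbound forwards cannot work"
    if kind == "private":
        return "double-nat: WAN is RFC 1918; inbound traffic needs the ISP router's DMZ host"
    return "unusable: link-local or loopback address on WAN"


def nat_layers(hops: List[str]) -> int:
    """Heuristic: count leading non-public hops of a traceroute toward the Internet.

    With the DMZ setup from this thread you expect 2 (OPNsense, then the ISP box);
    in bridge mode 1; behind CGNAT usually 2 or more with 100.64/10 hops.
    """
    count = 0
    for hop in hops:
        if classify(hop) == "public":
            break
        count += 1
    return count


if __name__ == "__main__":
    # Constructed traceroute for the DMZ double-NAT topology from the first post.
    dmz_hops = ["192.168.1.1", "192.168.0.1", "203.0.113.1"]
    print(wan_verdict("192.168.0.2"))          # double-nat: ...
    print("NAT layers:", nat_layers(dmz_hops))  # 2
```

In practice you would feed `nat_layers()` the hop list from `traceroute -n` on a LAN host; if the second hop is already public you are in bridge mode, if it is 192.168.x/10.x it is the ISP box doing a second NAT, and if you see 100.64/10 addresses the ISP is CGNATting you no matter how the box is configured.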

Quote from: lilsense on January 27, 2022, 07:02:06 PM
If the devices ahead of the traffic are NATting multiple layers, this would create a reduced MTU size, which many times creates application-level issues, one of which is routing. It's kind of odd to route traffic from 192.168.1.1 to 10.1.1.1.

The only way is to remove the NAT from the OPNSense.

I fail to follow here, in what way does NAT have any effect on MTU?
The suggestion to remove the NAT from OPNsense and add static routes to your ISP router instead is actually pretty good though, never thought about that. Less complexity is always nice :)

Hi both! Thanks for your great feedback, it gives me some thinking and homework (this idea to disable NAT in OPNsense needs extra processing in my head).

@marcquark, I agree with your point, and I would like to add to the 'pro' list that I could connect work computers (I mean laptops provided by work) directly to the ISP router: so they stay out of my LAN (they don't need it) and are also not exposed to any misconfiguration I might make on my OPNsense router :)