Double NAT'ing a Bad thing?

Good afternoon All,

I have a question for the forum.
Is double NAT’ing a bad thing?
What are the pros or cons of double NAT’ing if any?

Regards,
Clyde

You have to make every rule in both firewalls, so it’s mostly inconvenient as it causes double the work.

I’m using double NAT because it’s the only way I can test the new pfSense router - to set it up behind an existing firewall. Seems to be fine for a basic setup. Two things to watch for:

  • You want to disable the private network blocking on WAN, otherwise, you get a lot of noise in the logs about it. Surprisingly, internet still worked for me regardless of the private network block setting for the WAN port on the “inside” network.
  • Make sure that each network uses a different IP address range. Otherwise, things break badly.

I only use it in setting up hardware (such as prepping a network at our office before deploying to a client), or in a few rare cases where only basic internet usage is needed. I try to avoid it in a busier production environment, because certain types of traffic are not fond of being molested by NAT, not to mention double molested. Some examples: certain VPN clients, or some VoIP. It is an extra hop, so technically it does add a tiny bit of latency. You can lose some QoS.

Another thing to remember is that RPC/DCOM in the Windows world does not like NAT when it is inbound to the server; outbound is fine.
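A small checker for the points raised in this thread (distinct address ranges, the private-network block on the inner WAN, and needing a forward in both firewalls), as an added example written for this page, not code from any poster or from pfSense. The router names, addresses and port forwards below are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_interface, ip_network


@dataclass
class NatRouter:
    """One NAT hop: its upstream (WAN) address, the network it serves, its port forwards."""
    name: str
    wan: str                            # e.g. "192.168.1.2/24", address on the upstream side
    lan: str                            # e.g. "10.0.0.0/24", network handed out downstream
    block_private_on_wan: bool = True   # pfSense-style "Block private networks" on WAN
    forwards: dict = field(default_factory=dict)  # (proto, wan_port) -> (inside_ip, inside_port)

    def __post_init__(self):
        self.wan = ip_interface(self.wan)
        self.lan = ip_network(self.lan)
        self.forwards = {k: (ip_address(v[0]), v[1]) for k, v in self.forwards.items()}


def check_topology(outer: NatRouter, inner: NatRouter) -> list:
    """Return the problems a double-NAT layout has; an empty list means it is sane."""
    problems = []
    if inner.wan.ip not in outer.lan:
        problems.append(f"{inner.name} WAN {inner.wan.ip} is not inside {outer.name} LAN {outer.lan}")
    if outer.lan.overlaps(inner.lan):   # the "things break badly" case from the thread
        problems.append(f"LAN ranges overlap: {outer.lan} vs {inner.lan}")
    if inner.block_private_on_wan and inner.wan.ip.is_private:
        problems.append(f"{inner.name} blocks private networks on WAN but its WAN is in {inner.wan.network}")
    return problems


def trace_inbound(outer: NatRouter, inner: NatRouter, proto: str, port: int):
    """Follow an inbound connection through both NAT tables; returns ((ip, port) or None, note)."""
    hop1 = outer.forwards.get((proto, port))
    if hop1 is None:
        return None, f"dropped at {outer.name}: no forward for {proto}/{port}"
    ip, p = hop1
    if ip != inner.wan.ip:
        return (ip, p), f"terminates on a {outer.name} LAN host, never reaches {inner.name}"
    hop2 = inner.forwards.get((proto, p))
    if hop2 is None:
        return None, f"dropped at {inner.name}: no forward for {proto}/{p}"
    return hop2, "forwarded through both routers"


# Constructed sample topology (not from the thread): ISP box with a pfSense behind it.
OUTER = NatRouter("isp-router", "203.0.113.10/30", "192.168.1.0/24", block_private_on_wan=False,
                  forwards={("tcp", 443): ("192.168.1.2", 443)})
INNER = NatRouter("pfsense", "192.168.1.2/24", "10.0.0.0/24",
                  forwards={("tcp", 443): ("10.0.0.50", 443)})
```

With the defaults above, `check_topology(OUTER, INNER)` reports only the private-network block on the pfSense WAN, and `trace_inbound(OUTER, INNER, "tcp", 443)` lands on 10.0.0.50 while port 22 is dropped at the outer router because only one firewall has a rule for it.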