I am setting up pfSense behind CGNAT and a Router Modem which doesn’t have Bridge Mode, though there is a DMZ Option…
Is it possible to avoid Double NAT in such a scenario?
If you cannot put the router into modem / bypass mode then you will have double NAT.
Guessing as the service is CGNAT - this will not be an option on the router.
That would actually amount to a triple NAT. First at the carrier level, then at the ISP-supplied router and finally at your pfSense. The misleadingly-named “DMZ” option on consumer routers (I’ve also seen the term “exposed host” used for it) is a port forward (aka destination NAT), so while traffic will reach e.g. a server behind the NAT, that server still has a non-routable address.
So unless you eliminate both the CGNAT and the additional NAT caused by the lack of a bridge mode on the first router in your network, you won’t get a public IPv4 address on your pfSense.
This is another example of why IPv6 is so important. You will already have a public IPv6 prefix on the ISP-provided router. There is simply no CGNAT with IPv6. Then it would be a matter of delegating a part of this public prefix to the pfSense, which itself can pass individual addresses on to end devices. No NAT needed at all. Look for a “prefix delegation” setting on the ISP router.
Oh this is informative…
I am using a Huawei HG8145V5 Router Modem. No Prefix Delegation setting as far as I can see…
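The NAT layers counted in the replies above can be checked from the addresses themselves. This is an added example, not code from any poster in the thread: it classifies the pfSense WAN address and the ISP router's WAN address against RFC 1918 and the RFC 6598 shared address space (100.64.0.0/10) that carriers use for CGNAT. The function names and all sample addresses are constructed for illustration.

```python
import ipaddress
from typing import List, Optional

# RFC 1918 private ranges, as handed out by a consumer router on its LAN side.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# RFC 6598 shared address space, reserved for carrier-grade NAT.
CGNAT_SHARED = ipaddress.ip_network("100.64.0.0/10")


def classify(addr: str) -> str:
    """Return 'cgnat', 'private' or 'public' for an IPv4 address."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError("IPv4 only: the thread's point is that IPv6 needs no NAT")
    if ip in CGNAT_SHARED:
        return "cgnat"
    if any(ip in net for net in RFC1918):
        return "private"
    return "public"


def nat_layers(pfsense_wan: str, router_wan: Optional[str] = None) -> List[str]:
    """List the IPv4 NAT hops between a LAN client and the Internet.

    pfsense_wan: address on the pfSense WAN interface.
    router_wan:  address on the ISP router's WAN side, if one is in the path.
    A "DMZ"/exposed-host setting does not change the result: it is a port
    forward, so the pfSense WAN address stays private.
    """
    layers = ["pfSense"]                      # pfSense NATs its own LAN
    kind = classify(pfsense_wan)
    if kind == "public":
        return layers                         # bridge mode, no CGNAT
    if kind == "cgnat":
        return layers + ["carrier CGNAT"]     # bridged, but carrier still NATs
    layers.append("ISP router")               # private WAN: router is NATing
    if router_wan is not None and classify(router_wan) != "public":
        layers.append("carrier CGNAT")        # router itself has no public IP
    return layers


if __name__ == "__main__":
    # Constructed sample: the situation described in the thread.
    print(nat_layers("192.168.100.2", "100.72.13.5"))
```

Some carriers number their CGNAT customers out of RFC 1918 space instead of 100.64.0.0/10, which is why any non-public router WAN address is counted as carrier NAT here.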