I would like to use a firewall on my DSL internet connection. Therefore I have to use PPPoE. A sufficient modem is available. Unfortunately the PPPoE integration with the firewall is buggy, so I have to do that with another device, and that should be a MikroTik hEX. Of course I don't want to place a network between the hEX and the firewall, since this will lead to double NAT.
Can somebody tell me how to configure that avoiding double NAT?
Is there a way to pass the Public IP to the firewall transparently or any other way?
I was able to configure things with double NAT but not without:
192.168.89.1/30
as the network for RouterOS and the firewall, where the RouterOS device works as the gateway for the firewall.
RouterOS is doing masquerading for all outgoing packets to the PPPoE interface.
This is working only if the firewall is doing masquerading too, which leads to double NAT.
If there is no masquerade on the firewall side, ICMP is working for instance, but not HTTPS. Any ideas?
Please provide a network picture so we can understand what you are trying to achieve.
Where is the PPPoE client? Configure that node to do the NAT. Now add some routes from that node to the rest of the network (most likely some RFC1918 networks like
"route 192.168.0.0/16 to the next node's RFC1918 address")
and use only RFC1918 in the internal network.
I have such a setup at the moment.
I have the PPPoE client on my router (the modem is actually a VDSL modem in an SFP). The router does the VLAN de-encapsulation and then does the actual NAT.
Now I route all internal (RFC1918) traffic to my internal network through my firewall (pfSense HA setup) with RFC1918 addresses. That firewall does the rest of the filtering as required, but it sees only RFC1918 addresses for the internal nodes and uses RFC1918 itself.
To make things easy, use a transit RFC1918 network to connect the PPPoE client and the firewall.
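The two replies above describe the same design: the PPPoE client does the only NAT, a small RFC1918 transit network sits between it and the firewall, and static routes on the PPPoE node send the internal RFC1918 space back through the firewall. The following RouterOS configuration is an added example of that design written for this thread; it is not a posted configuration from any participant. It assumes ether1 is the port to the DSL modem, ether2 is the port to the firewall, the PPPoE interface is named pppoe-out1, the transit network is the 192.168.89.0/30 from the thread (hEX = .1, firewall = .2), and the LAN behind the firewall is 192.168.0.0/16 as in the example route above. USER and PASSWORD are placeholders.

```routeros
# Added example for this thread (not from any post): MikroTik hEX as PPPoE client
# with a single NAT, firewall behind it on a routed RFC1918 transit network.
# Assumed: ether1 -> DSL modem, ether2 -> firewall, PPPoE interface pppoe-out1,
# transit 192.168.89.0/30 (hEX .1, firewall .2), LAN behind firewall 192.168.0.0/16.

/interface pppoe-client
add name=pppoe-out1 interface=ether1 user=USER password=PASSWORD \
    add-default-route=yes use-peer-dns=yes disabled=no

# Transit /30 between the hEX (.1) and the firewall's outside interface (.2).
/ip address
add address=192.168.89.1/30 interface=ether2 comment="transit to firewall"

# Return route for everything behind the firewall, via its transit address.
# The connected 192.168.89.0/30 is more specific than this /16, so transit
# traffic still takes the directly connected route.
/ip route
add dst-address=192.168.0.0/16 gateway=192.168.89.2 comment="LAN behind firewall"

# The only NAT in the path: masquerade traffic leaving via PPPoE.
# Nothing is NATed towards ether2, so the firewall sees real LAN addresses
# and must NOT run its own outbound NAT.
/ip firewall nat
add chain=srcnat out-interface=pppoe-out1 action=masquerade

# Minimal edge filtering on the PPPoE side; the firewall does the rest.
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input in-interface=pppoe-out1 action=drop comment="no services on WAN"
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=pppoe-out1 connection-state=new action=drop \
    comment="no unsolicited inbound"
```

On the firewall side this pairs with an outside address of 192.168.89.2/30, a default route to 192.168.89.1, and outbound NAT disabled, so only the hEX translates. Two checks worth making on the hEX before blaming the firewall: `/ip route print` should show both the connected /30 and the /16 via 192.168.89.2 (without that return route, replies to LAN hosts cannot get back), and the PPP profile used by pppoe-out1 should have change-tcp-mss enabled, since a PPPoE link has a smaller MTU than Ethernet and a missing MSS clamp is a classic cause of "ping works, TCP sessions stall".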
I managed to have a setup like you described. The flow is Internet → Router → Firewall and vice versa without double NAT.
NAT is only running on the RouterOS device.
By the way: if I'm looking for a NAT with a static port for outgoing packets, is netmap the thing I need?