Siggi
just joined
Topic Author
Posts: 4
Joined: Fri Jul 29, 2022 10:32 pm

Firewall behind router - PPPoE

Fri Jul 29, 2022 10:44 pm

Hi community,

I would like to use a firewall on my DSL internet connection. Therefore I have to use PPPoE. A sufficient modem is available. Unfortunately the PPPoE integration with the firewall is buggy so I have to do that with another device and that should be a MikroTik hex. Of course I don't want to place a network between the hex and the firewall since this will lead to double NAT.

Can somebody tell me how to configure that avoiding double NAT?
Is there a way to pass the Public IP to the firewall transparently or any other way?

Thanks
 
Siggi
just joined
Topic Author
Posts: 4
Joined: Fri Jul 29, 2022 10:32 pm

Re: Firewall behind router - PPPoE

Tue Aug 02, 2022 12:38 pm

I was able to configure things with double NAT but not without:

192.168.89.1/30
as network for routeros and firewall where the routeros device works as gateway for the firewall.

RouterOS doing masquerading for all outgoing packages to the PPPoE interface.

This is working only if the firewall is doing masquerading too which leads to double NAT.
If there is no masq on the firewall side ICMP is working for instance but not HTTPS. Any ideas?
 
llag
Frequent Visitor
Posts: 72
Joined: Sat Aug 04, 2018 12:12 am

Re: Firewall behind router - PPPoE

Tue Aug 02, 2022 5:17 pm

> I was able to configure things with double NAT but not without:
>
> 192.168.89.1/30
> as network for routeros and firewall where the routeros device works as gateway for the firewall.
>
> RouterOS doing masquerading for all outgoing packages to the PPPoE interface.
>
> This is working only if the firewall is doing masquerading too which leads to double NAT.
> If there is no masq on the firewall side ICMP is working for instance but not HTTPS. Any ideas?

Please provide a network picture so we can understand what you are trying to achieve.
Where is the PPPOE client? Configure that node to do the NAT. Now add some routes from that node to the rest of the network (most likely some RFC1918 networks, like "route 192.168.0.0/16 to the next node's RFC1918 address") and use only RFC1918 in the internal network.

I have such a setup at the moment.
I have the PPPOE client on my router (the modem is actually a VDSL modem in an SFP). The router does the VLAN de-capsulation and then does the actual NAT.
Now I route all internal (RFC1918) traffic to my internal network through my firewall (PFSENSE HA setup) with RFC1918 addresses. That firewall does the rest of the filtering as required, but it sees only RFC1918 addresses for the internal nodes and uses RFC1918 itself.
To make things easy use a transit RFC1918 network to connect the PPPOE client and the firewall
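
The single-NAT layout described in the post above, written out as a RouterOS configuration (an added example, not part of the original posts and not either poster's actual configuration). The interface names `ether1`/`ether2`, the client name `pppoe-out1`, the firewall address 192.168.89.2 and the credential placeholders are assumptions; the transit /30 and the 192.168.0.0/16 route are the values mentioned in the thread.

```routeros
# Constructed example. Assumptions: ether1 = port to the DSL modem,
# ether2 = port to the firewall, firewall WAN address = 192.168.89.2.

# 1. PPPoE client runs on the RouterOS device; it receives the public IP
#    and installs the default route.
/interface pppoe-client
add name=pppoe-out1 interface=ether1 user="ISP_USER_PLACEHOLDER" \
    password="ISP_PASSWORD_PLACEHOLDER" add-default-route=yes disabled=no

# 2. RFC1918 transit network between the router and the firewall.
/ip address
add address=192.168.89.1/30 interface=ether2 comment="transit to firewall"

# 3. Return route: internal RFC1918 networks are reached via the firewall.
#    Without it, replies to un-NATed internal source addresses have no
#    path back from the router to the hosts behind the firewall.
/ip route
add dst-address=192.168.0.0/16 gateway=192.168.89.2 \
    comment="internal networks via firewall"

# 4. The only NAT in the path: masquerade traffic leaving through PPPoE.
/ip firewall nat
add chain=srcnat out-interface=pppoe-out1 action=masquerade \
    comment="single NAT on the PPPoE node"

# Firewall side (not RouterOS): WAN address 192.168.89.2/30, default
# gateway 192.168.89.1, outbound NAT disabled so that internal source
# addresses arrive at the router unchanged and are translated once here.
```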
 
Siggi
just joined
Topic Author
Posts: 4
Joined: Fri Jul 29, 2022 10:32 pm

Re: Firewall behind router - PPPoE

Wed Aug 03, 2022 3:24 pm

Thanks llag,

I managed to have a setup like you described. The flow is Internet -> Router -> Firewall and vice versa without double NAT.
NAT is only running on the RouterOS device.

By the way: if I'm looking for a NAT with a static port for outgoing packets, is netmap the thing I need?
