In short, I am using OpenWrt due to its superior PPPoE throughput vs PFSense.
I'd like to pass through my OpenWrt WAN IP (PPPoE) direct to my PFSense FW connected via "another" port. Ideally, this avoids double NAT and complications when configuring IPSec on the PFSense.
I saw this doc: https://openwrt.ifw.cn/docs/guide-user/network/wan/bridge-mode#:~:text=Half%20bridge,-Most%20common%20in&text=In%20this%20mode%2C%20the%20device,ISP%20to%20the%20downstream%20device.
Which talks about bridge modes and it sounds like I want Half Bridge:
Most common in ISP-provided consumer devices is half bridge mode (cheerfully called “bridge mode” by many manufacturers). In this mode, the device handles authentication (the login/password of your Internet contract) and encapsulation, and it will duplicate the WAN IP address from the ISP to the downstream device. More often than not this makes it inaccessible on the local network so the only way to get it back to normal operation is to reset it. Some devices offer a secondary “management” IP for this mode that can be used to reach their web interface, check the manual.
As indeed I want the OpenWrt appliance to perform the auth and encapsulation instead of the downstream firewall.
Is it possible and is it possible to guide me on how to achieve this please?
Many thanks - Dave
I can't speak to how to achieve the 'half bridge' mode you are asking about (if it is possible, someone else will likely chime on on that), but I can suggest another method to prevent double-NAT.
By simply using symmetric routing, you can turn off NAT masquerading on your PFSense box and let OpenWrt handle PPPoE + NAT. To handle this, all you need to do is add a static route to the OpenWrt router.
For example, lets say that:
- your OpenWrt router establishes a LAN in the 192.168.1.0/24 subnet
- your PFSense WAN has the address 192.168.1.2 (that is in the LAN subnet for your OpenWrt router).
- Behind PFSense, you have a network 10.0.1.0/24
---> in this situation, disable PFSense NAT Masquerading
---> then add a static route into OpenWrt: 10.0.1.0/24 via 192.168.1.2
The PFSense routing engine will not need a static route to the upstream router since it should be the default route. OTOH, the OpenWrt router will need the route as described to ensure that it knows where to send the traffic destined for the 10.0.1.0/24 network. Because NAT masquerading will be turned off on the PFSense box, you will only have a single layer of NAT.
@psherman you are totally right. I was concerned that I NEED the WAN IP on the FW WAN Interface, but as per your suggestion, disabling NAT and configuring the upstream router subnet correctly, whilst setting the FW interface IP to "DMZ" mode, it works!
IPSec NAT-T works perfectly and just handles the single NAT layer as expected.
I think I am good here. Thanks for talking sense in a potentially much more complex path I was walking!
Cheers - Dave
Awesome! Glad that is working
If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.