Real world Bridge mode vs DMZ differences? aka Is double NAT even a problem with DMZ?


I am having a hard time finding practical and real world differences between Bridge mode and DMZ with regards to having two routers in “series”.

Let me explain: I live in a country where modem/routers are the norm. Furthermore, since ISPs have to pay one license for internet and one for POTS phone lines, all of them have started to upgrade to VoIP that is tightly controlled through their provided modem/routers.

Some of them are willing to provide VoIP usernames/passwords through a lengthy, multi day process and offer no support, while some are not even willing to do that.

Even furthermore(?), most lines are DSL and double play (internet + phone), which means PPPoE calls for authentication.

So, in regards to adding a pfSense or DD-WRT device, you can either set a static IP on the device and simply add it to DMZ, or you can go through the hassle of putting the ISP modem/router in bridge mode (if that is even available with the provided hardware), asking for the PPPoE username/password, configuring all that in pf or DD, then asking for the VoIP username/password, buying an ATA and configuring that for your region and then be done.

I get it that a second router in DMZ actually leads to double NAT and “is not the proper way to do things” but besides the probably negligible extra latency, does it make any difference at all? It certainly does not for port opening/forwarding, which seems the main problem with double NAT scenarios.

You may run into issues with various protocols (likely crypto related if anything, or brain dead protocols that embed IP information into their packets) due to your pfSense box not having full visibility on the original packets, if the stuff reaching it is already NATed and you’re doing double-NAT. It will also perhaps cause problems with UDP based traffic if other stuff behind the first NAT is also doing UDP based protocols.

Performance/throughput will probably be no different (stuff will either work or not, the latency from the additional NAT will be insignificant unless your hardware totally sucks), but if you can get the outside interface of your pfSense box on a real, world-routable IP I would highly recommend it.

I guess if you’re lazy, try it with double-NAT, and see what breaks. I’d try to put it on a real address though personally, as it’s one less thing to check out every single time you have some weird network issue.

And that’s something I’d personally spend the time up front NOW to avoid while you’re thinking about it, and not in 6-12 months time when you run into some random weird network problem that you spend a week wondering “wtf” only to find it is due to double-NAT that you could have avoided introducing today.

1 Like

You can just configure pfSense without NAT. That’s usually how a DMZ is configured. You have a gateway firewall with a private subnet for the DMZ and you have a firewall in the DMZ subnet with another private subnet behind it. You just lose any NAT functionality that your ISP’s hardware can’t provide (like port forwarding).

That’s a bit more complex - if you’re not using NAT anywhere, the ISP router will need to be aware of any subnets you plan to run on/behind your firewall. I.e., it will need a route for your subnet(s). And likely doesn’t have one.

e.g., if you plan to run say 192.168.x.y on your LAN, and your ISP gives you 10.x.y.z, then you will need NAT.

If the ISP only allocates you say, and you have say anywhere, you will need NAT.

1 Like
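As an added illustration (not from the thread; all addresses are constructed), a small Python model of the return path in the two setups discussed above: with double NAT the ISP router only ever sees pfSense’s WAN address, whereas running pfSense without NAT only works once the ISP router has a route for the LAN subnet behind it.

```python
import ipaddress

# Constructed addresses for illustration (not from the thread).
ISP_ROUTER_LAN = "10.0.0.1"       # ISP modem/router, LAN side
PFSENSE_WAN = "10.0.0.2"          # pfSense WAN, static IP in the ISP router's LAN (the "DMZ host")
PFSENSE_LAN_NET = "192.168.1.0/24"
CLIENT = "192.168.1.50"           # a host behind pfSense


def lookup(routes, dst):
    """Longest-prefix match over a list of (prefix, next_hop) pairs."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def isp_router_routes(has_static_route):
    """The ISP router knows its own LAN and a default route; a route to the
    pfSense LAN exists only if someone could add it on the ISP box."""
    routes = [("10.0.0.0/24", "connected"), ("0.0.0.0/0", "isp-uplink")]
    if has_static_route:
        routes.append((PFSENSE_LAN_NET, PFSENSE_WAN))
    return routes


def reply_reaches_client(pfsense_nat, isp_has_static_route):
    """Simulate the return leg of a flow CLIENT opened to the internet.

    The ISP router always NATs to its public IP; its state table maps the
    reply back to the inside source address it originally saw, and then the
    router has to find a route to that address."""
    inside_src = PFSENSE_WAN if pfsense_nat else CLIENT
    next_hop = lookup(isp_router_routes(isp_has_static_route), inside_src)
    if next_hop == "connected":
        # Delivered onto 10.0.0.0/24. Only useful if pfSense is the target
        # and will un-NAT the packet to CLIENT itself.
        return inside_src == PFSENSE_WAN
    if next_hop == PFSENSE_WAN:
        return True   # static route hands the packet to pfSense, which delivers it
    return False      # default route: reply goes back out the uplink and is lost
```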

You only need NAT at the edge, but yeah you do need routes. I forgot about that.

1 Like

You could set it (pfSense) up as a passive filtering bridge. What pfSense functionality are you primarily interested in?

Personally, I would prefer to have ISP equipment in bridge mode if possible. If you do not have this option, well, then NAT / DMZ is not perfect but also without tragedy.

Many people have this configuration in DOCSIS 3.1 networks because that’s how cable networks work. ISPs give their router / modems and people put their better routers behind them. So bridges and DMZ are commonly used and there is not much complaining.


I’m running ISP equipment in bridge mode, and have a pfSense running NAT and DMZ after it, without a hitch.

1 Like

Yeah, if you do that though you have no real control over port forwarding, etc. A lot of people don’t complain even when faced with what others would consider totally unacceptable service, in terms of either speed, feature set or other factors :)

It’s how a lot of ISPs get away with it.

I worked in a small local ISP a long time ago. We had a different approach than many ISPs today.
We laid the optical fiber as close as possible and then the last mile to the customer’s location based on Cat5e and only mounted the socket on the wall. We didn’t give any equipment. The infrastructure was built in such a way that we gave the client one public IP which was assigned by us per MAC and terminated on the physical port in the switch. All the customer had to do was set our MAC address on their device to have access. We did not use any sophisticated authorization methods on the network. The client was responsible for what was happening in his home with his internet tip.

If the client for some reason was not able / did not want to clone the MAC address, we took his device MAC and changed it on our side. Everything else was a matter for the client himself. We didn’t block anything except port 25. We didn’t give any firewall / anti DDoS. We did not respond to any copyright claims. We only cared about state authorities designated by law; everything else went to /dev/null.

The client could theoretically do what he wanted until he violated local law or caused us damage. The customer also had no technical restrictions except port 25; he could buy VoIP from other companies and use it if he wanted. We did not care whether the client had 1 PC or 10 and whether he had a router.

Land of free and brave

1 Like