(Solved) Double NAT with PPPoE

Hello everyone, I would like to avoid double NAT but I can't figure it out.
My network is set up like this: ONT --> OpenWrt router (PPPoE) --> firewall --> switch.
I find myself in the situation that both OpenWrt and the firewall do NAT, while I would like only the firewall to take care of NAT and OpenWrt to only do the PPPoE connection. How can I do it?
I attach my OpenWrt config:

br-lan    Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx  
          inet addr:192.168.170.1  Bcast:192.168.170.255  Mask:255.255.255.0
          inet6 addr: fd35:xxxx:xxxx::1/64 Scope:Global
          inet6 addr: fe80::xxxx:xxxx:fexx:f062/64 Scope:Link
          inet6 addr: 2a07:xxxx:xxxx::1/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:15268 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9749 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1564205 (1.4 MiB)  TX bytes:9533261 (9.0 MiB)

eth0      Link encap:Ethernet  HWaddr 88:01:xx:xx:xx:xx  
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Memory:80a00000-80afffff 

eth1      Link encap:Ethernet  HWaddr 88:01:xx:xx:xx:xx  
          inet6 addr: fe80::8a01:xxxx:xxxx:xxxx/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2048753 errors:0 dropped:0 overruns:0 frame:0
          TX packets:404234 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2929093156 (2.7 GiB)  TX bytes:347830639 (331.7 MiB)
          Memory:80800000-808fffff 

eth1.835  Link encap:Ethernet  HWaddr 88:01:xx:xx:xx:xx  
          inet6 addr: fe80::8a01:xxxx:xxxx:xxxx/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7006 errors:0 dropped:0 overruns:0 frame:0
          TX packets:404227 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:4345231 (4.1 MiB)  TX bytes:347829813 (331.7 MiB)

eth2      Link encap:Ethernet  HWaddr 88:01:xx:xx:xx:xx  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:407556 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2053613 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:345321400 (329.3 MiB)  TX bytes:2917987928 (2.7 GiB)
          Memory:80600000-806fffff 

eth3      Link encap:Ethernet  HWaddr 88:01:xx:xx:xx:xx  
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Memory:80400000-804fffff 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:109 errors:0 dropped:0 overruns:0 frame:0
          TX packets:109 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:9723 (9.4 KiB)  TX bytes:9723 (9.4 KiB)

pppoe-wan Link encap:Point-to-Point Protocol  
          inet addr:195.xx.xxx.xxx  P-t-P:100.xx.xxx.xxx  Mask:255.255.255.255
          inet6 addr: 2a07:xxxx:xxxx:1::1/64 Scope:Global
          inet6 addr: fd35:xxxx:xxxx:1::1/64 Scope:Global
          inet6 addr: fe80::a067:xxxxx:xxxx:f9ef/128 Scope:Link
          inet6 addr: 2a07:7e87:2000:xxxxx:xxxxx:xxxx:xxxx:xxxx/64 Scope:Global
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:6735 errors:0 dropped:0 overruns:0 frame:0
          TX packets:403952 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3 
          RX bytes:4277559 (4.0 MiB)  TX bytes:338934024 (323.2 MiB)

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd35:xxxx:xxxx::/48'
        option packet_steering '2'
        option steering_flows '128'

config device
        option name 'br-lan'
        option type 'bridge'
        option ipv6 '1'
        list ports 'eth0'
        list ports 'eth2'
        list ports 'eth3'
        option igmp_snooping '1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.170.1'
        option netmask '255.255.255.0'
        option ip6assign '64'

config interface 'wan'
        option proto 'pppoe'
        option pppoe_vlan '835'
        option username 'xxxxxxx'
        option password 'xxxxx'
        option ipv6 'auto'
        option force_link '1'
        option device 'eth1.835'
        option ip6assign '64'

config device
        option type '8021q'
        option ifname 'eth1'
        option vid '835'
        option name 'eth1.835'
        option ipv6 '1'

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'

config zone
        option name 'wan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config zone
        option name 'lan2'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config forwarding
        option src 'lan2'
        option dest 'wan'

config redirect
        option dest 'lan2'
        option target 'DNAT'
        option name 'firewalla dmz'
        option src 'wan'
        option dest_ip '192.168.170.90'
        list proto 'all'

config forwarding
        option dest 'lan2'

config forwarding
        option dest 'lan2'

config forwarding
        option dest 'lan2'

config forwarding
        option dest 'lan2'

config forwarding
        option dest 'lan2'

config forwarding
        option dest 'wan'

config forwarding
        option dest 'wan'

Any help is appreciated.

Why do you have a separate firewall relative to the OpenWrt device? OpenWrt's firewall is secure and flexible.

That said, if you want your second firewall but want to avoid double-NAT, the easiest way to achieve that is to allow the OpenWrt router to handle NAT, then use symmetric routing for the rest. To do this, disable masquerading on the upstream side of your second firewall. Then, add a static route into your OpenWrt router (for example: 10.0.52.0/24 via 192.168.170.4 where 10.0.52.0/24 represents the lan downstream of your 2nd firewall, and 192.168.170.4 represents the IP address of your 2nd firewall's wan connection; adapt as necessary).

2 Likes

Your solution works, but it's not what I was looking for, because in this way OpenWrt does NAT while I would like the firewall to do it. To answer your question, I use the firewall because it has some functions that unfortunately OpenWrt doesn't have, like IDS/IPS.

The location of NAT isn't really that critical, honestly. You'll still be able to do IDS/IPS on your secondary firewall even if it's not doing NAT.

But, with that in mind, why do you want OpenWrt to do PPPoE and nothing else? At that point, why not use your other firewall to also handle the PPPoE termination?

Because if I set PPPoE on the firewall I reach 1800 Mb/s.
If instead I set the firewall in static mode with OpenWrt doing PPPoE, I reach 2300 Mb/s.

Fair enough regarding your bandwidth limits. PPPoE is indeed CPU heavy.

That said, I'm not aware of a way to pass the ISP issued (typically public) IP through OpenWrt to the downstream device when OpenWrt is used for PPPoE termination.

As I said before, the location of NAT isn't really going to make any difference if you have symmetric routing set up. You won't be dealing with double NAT with my earlier suggestion.

OK, thanks for the suggestion, in the next few days I will try what you said. One last question: on the firewall I have several VLANs, do I have to set a static route for each network?

Yes, a static route for each VLAN will be required. That said, if your subnets can be treated as a larger contiguous one, you can set fewer static routes. For example, if you had 192.168.0.0/24 and 192.168.1.0/24, you could simply set a static route for 192.168.0.0/23 and that could cover both of the VLANs.

1 Like
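The static route from the reply above (10.0.52.0/24 via 192.168.170.4 on the OpenWrt side) and the route aggregation just described, as an added example that is not code from this thread or from the OpenWrt project. The script computes the lossless aggregation of a list of downstream VLAN prefixes, the smallest single prefix that would cover all of them, checks that no route overlaps the transit network between OpenWrt and the firewall and that the next hop is on it, and then emits the matching `uci` commands for `/etc/config/network`. The 10.0.53.0/24, 10.0.54.0/24 and 10.0.60.0/24 VLANs are constructed sample values; the `config route` options used (`interface`, `target`, `netmask`, `gateway`) are the standard OpenWrt ones.

```python
import ipaddress

# Constructed sample topology. 192.168.170.0/24 is the OpenWrt br-lan network from the
# thread and 10.0.52.0/24 via 192.168.170.4 is the example route from the reply; the
# other VLAN prefixes are made up for illustration.
TRANSIT_NET = ipaddress.ip_network("192.168.170.0/24")   # OpenWrt LAN = firewall's upstream side
FIREWALL_WAN_IP = ipaddress.ip_address("192.168.170.4")  # next hop for every downstream VLAN
VLAN_SUBNETS = ["10.0.52.0/24", "10.0.53.0/24", "10.0.54.0/24", "10.0.60.0/24"]


def aggregate_routes(subnets):
    """Lossless aggregation: adjacent, aligned prefixes are merged (e.g. two /24s into a /23),
    anything else is kept as-is, so the routes cover exactly the VLANs and nothing more."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    return list(ipaddress.collapse_addresses(nets))


def single_supernet(subnets):
    """Smallest single prefix that contains every VLAN. This is the 'treat them as one larger
    contiguous subnet' option; it may also cover address space that is not a VLAN at all."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return candidate


def validate_routes(targets, gateway, transit):
    """Sanity checks before committing: the next hop must sit on the transit network, and no
    route may overlap the transit network itself (a supernet widened too far does that)."""
    problems = []
    if gateway not in transit:
        problems.append(f"gateway {gateway} is not on transit network {transit}")
    for target in targets:
        if target.overlaps(transit):
            problems.append(f"route {target} overlaps transit network {transit}")
    return problems


def uci_route_commands(targets, gateway, interface="lan"):
    """uci commands adding one 'config route' section per target on the OpenWrt router.
    target + netmask is used rather than CIDR in target so the result loads on older releases too."""
    cmds = []
    for target in targets:
        cmds += [
            "uci add network route",
            f"uci set network.@route[-1].interface='{interface}'",
            f"uci set network.@route[-1].target='{target.network_address}'",
            f"uci set network.@route[-1].netmask='{target.netmask}'",
            f"uci set network.@route[-1].gateway='{gateway}'",
        ]
    cmds += ["uci commit network", "/etc/init.d/network reload"]
    return cmds


if __name__ == "__main__":
    routes = aggregate_routes(VLAN_SUBNETS)
    print("lossless aggregation:", [str(r) for r in routes])
    print("single covering prefix:", single_supernet(VLAN_SUBNETS))
    for problem in validate_routes(routes, FIREWALL_WAN_IP, TRANSIT_NET):
        print("problem:", problem)
    print("\n".join(uci_route_commands(routes, FIREWALL_WAN_IP)))
```

Run it on the OpenWrt router (or paste the printed commands there) after masquerading has been disabled on the firewall's upstream side. Prefer the lossless aggregation: the single covering prefix is shorter, but if it is widened to the point of containing the transit network, or any other network OpenWrt reaches directly, traffic for hosts that do not exist on any VLAN is still sent to the firewall, which is why the overlap check is there.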

Everything works great. Thank you so much.
