Ads by Google

Configure a network with PPPoE pass-through and NAT

If you got a firewall to additionally protect your network or to extend its functionality and now you want to configure your network with PPPoE pass-through and NAT options, you are at the right place. Read on.

Let’s assume that this below is the initial diagram of a home network:

Home network layout modem, router, firewall, switch, ZyWALL, USG

Note that the firewall is connected to our home network, in order to perform its configuration (its functionality will not be active until it’s connected as in the second picture).

When you finish configuring the firewall by using a Web browser, it’s ready to be placed on a new and final position – this is our goal: the resulting diagram:

Home network layout modem, router, firewall, switch, ZyWALL, USG, PPPoE pass-through. NAT, port forwarding.

In this example we want to forward all Internet traffic as well as the public IP address from the modem (that also features routing capabilities), that your Internet provider provided you with, to the firewall. Modem supports PPPoE pass-through option, which allows us to perform this forwarding (somewhere it is referred to as the semi-bridge mode).

With this layout and configuration, all network definition will be placed on the firewall. If you had your modem handle firewall policies or port forwarding, these options must be disabled or turned off, because the firewall will handle all these features.

By the way, a router would by default acquire an IP address from the modem and would perform NAT (Network Address Translation) and isolate the devices from the “outside network”. If the modem is handling the PPPoE connection, then the router would receive a private IP from the modem and then create another private network via NAT. This situation is a little bit complicated because there would be two layers of private networks in this instance and is recognized by many devices as “Double NAT”. This may cause issues with traffic trying to find its way in and out of your network and possibly increase latency.

If you want to use PPPoE passthrough feature, keep in mind that PPPoE parameters from your Internet provider must be configured in your firewall, because now firewall is responsible to establish the PPPoE session.

Read the documentation for your modem, since it’s usually required that modem is connected to the firewall (or any other router or security gateway) by using the LAN1 port of your modem. Other possible services from your Internet provider on LAN2 or other port, that you might use or have subscriptions, can be used on the modem, regardless to the PPPoE pass-through on LAN1 (IPTV, VoIP and similar services):

Modem, router, services example, VoIP, IPTV, local security gateway

Firewall configuration to receive PPPoE pass-through from the modem

Look at the initial diagram of our home network; when you connect your firewall to your network and power it on for the first time, a wizard usually guides you to easily configure some basic settings. You should configure options in this wizard and refer to a user manual that came with your firewall. Although wizard steps vary depending on firewall model, usually you can configure these options:

  • administrator’s password, IP address (i.e., which can be used to access a Web configurator via your favorite browser,
  • Internet connection settings; refer to your ISP if you don’t know parameters of your PPPoE connection (user name, password, and other).

After you finish the quick config, use a Web configurator to configure other options. For example, if you had any port forwarding rules on your modem, they must be configured on the firewall. These settings are usually located in the NAT section of your firewall. Pay attention that:

  • NAT rules type (mapping type) should be: Virtual Server; this makes computers on a private network behind the firewall available to a public network outside the firewall (like the Internet),
  • since the PPPoE pass-through feature is used, configure interface as wan1_ppp (not the wan1 interface),
  • enter a public IP address on the Internet in field named like public IP, original IP or source IP,
  • enter a local IP address of your computer/server in the field named like local IP, mapped IP, or target IP,
  • select the NAT Loopback option if you want to allow users connected to any interface (instead of just the specified Incoming Interface) to use the NAT rule’s specified Original IP address to access the Mapped IP device. For users connected to the same interface as the Mapped IP device, the firewall uses that interface’s IP address as the source address for the traffic it sends from the users to the Mapped IP device. For example, if you configure a NAT rule to forward traffic from the WAN to a LAN server, enabling NAT loopback allows users connected to other interfaces to also access the server. For LAN users, the firewall uses the LAN interface’s IP address as the source address for the traffic it sends to the LAN server. If you do not enable NAT loopback, a NAT rule only applies to packets received on the rule’s specified incoming interface.

When you configure NAT rules, you must configure the corresponding security policies of your firewall as well. You usually need to create objects (e.g. services and its ports, then objects for IP addresses, like the object for the host address, and other) in order to easier create these rules.

Look at the resulting diagram; if you have switch, look on which port is switch connected to the firewall – on that port DHCP must be enabled.

Also configure WAN1 port of your firewall, so the connection to the modem is static, and enter modem’s IP address.

Finally, configure DNS parameters on your firewall; if you don’t have corresponding IP addresses, contact your Internet provider to give you DNS configuration.

How to enable PPPoE pass-through feature on a modem

Start off with the backup of your modem’s configuration.

Afterwards, turn off your firewall policies (if your modem supports that feature and it has been enabled).

Disable or turn off Port forwarding rules on your modem (if you have any rules left on your modem, PPPoE pass-through feature will be locked, and therefore it can’t be enabled).

Enable PPPoE pass-through feature; look for the option named “Local Security Gateway” or “Local security gateway on LAN1 – PPPoE passthrough” or something similar. The specific name depends on the model of the modem. When this feature is enabled, the public IP address isn’t available to your modem any more, but only to your firewall.

Applying the new configuration with PPPoE passthrough and defined NAT settings

Connect the cables in a way that is depicted in the resulting diagram.

Double check if everything is working properly, e.g. your services that need port forwarding. If there are errors:

  • temporarily turn off security policies and check if your services are working properly,
  • check if the NAT type is properly defined, then check ports and other parameters that are mentioned in this article,
  • check if the servers are available; use basic network commands in command prompt for further troubleshooting: ping, traceroute, netstat, ipconfig, and other,
  • connect a laptop to your firewall; if laptop has the Internet connection, check your LAN1 interface (port on which a switch is connected) to see if DHCP server is configured properly (see the first two diagrams in this article).

OK, that’s it, we’re done with the basic configuration.

If this article helped you, share it and support the author 🙂


Configure a network with PPPoE pass-through and NAT
Article Name
Configure a network with PPPoE pass-through and NAT
If you got a firewall to additionally protect your network or to extend its functionality and now you want to configure your network with PPPoE pass-through and NAT options, you are at the right place. Read on.