Use One-to-One NAT to eliminate double NAT
Hello,
I would appreciate any solid advice as to whether using one-to-one NAT could eliminate double NAT to solve a VPN connection issue, or whether one-to-one NAT is still NAT, leaving the issue of double NAT.
Network: Firewalla Gold (Router mode) >> ER8411 (Router mode) >> Switch >> Work PC
- private networks between Firewalla and ER8411 (.10.0) and on my LAN behind the ER8411 (.20.0)
The PC needs to be able to utilize a VPN back to my company's office; this is the only issue I'm having and this PC is the only client that I need to resolve double NAT for.
Will using one-to-one NAT on the ER8411 for the PC (using its .20.x IP address as both the Original and the Translated IP addresses) and then putting a static route on the Firewalla to route .20.x traffic back to the ER8411's .10.0 interface work? Would enabling DMZ forwarding be needed?
So that we don't go down any rabbit holes:
- NAT can't be turned off on either the Firewalla or the ER8411.
- I can only pull one public IP address from my ISP, so I can't put the Firewalla into bridge mode.
- I don't have the wiring / infrastructure to connect the PC directly to the Firewalla to eliminate the double NAT.
- I would like to keep both the Firewalla and the ER8411, with the ER8411 at the edge of my LAN.
Again, any experts out there, I welcome your advice.
Thank you