Netgate Discussion Forum

    Pfsense setup question CGNAT

    Category: General pfSense Questions
    25 Posts, 6 Posters, 4.2k Views
    • Dobby_ @Crossy2

      @Crossy2 said in Pfsense setup question CGNAT:

      Do you mean the NAS being in the DMZ?

      DMZ types

      • "pseudo" DMZ
        Exposed host; not a real DMZ and only usable in some cases
      • Real DMZ (clean DMZ)
        Bastion host, dual-homed router or firewall combination: Internet > Router > DMZ > Firewall
      • Non-real DMZ (dirty DMZ)
        DMZ port on the router or firewall

      DMZ port types (routers or firewalls)

      • A real dedicated DMZ port
        A single port with its own switch chip; no other data runs over it,
        it is made only for that port and can only be used that way
      • A non-real dedicated DMZ port
        Many ports are connected to one and the same switch chip and all their data runs together over that switch chip, but the port can be configured
        as a DMZ port
      • A DMZ port
        One LAN port is used only as a DMZ port, with another IP range, and ports are opened
        to the internet and back into that pseudo DMZ

      My ultimate goal, but (I think) it's not doable because I'm behind CGNAT, would be to use WireGuard to access my NAS, which is inside my LAN.

      You will need a so-called jump host placed elsewhere on the internet, perhaps at a hoster. You will be able to reach that host from everywhere, and it is connected to your home network, so CGNAT is no longer the problem.

      In the DMZ you will be able to reach your NAS from the outside (over the internet) and from the inside of your LAN. If you are on VPN at home, the NAS will be "safe", and normally all such devices are placed inside a DMZ. So if you now open ports at the second router or firewall, you will be opening your LAN too, but this should be secured by the second router or firewall!

      For sure everybody can do what he wants or is able to realize, but the more and the more often you set up special workarounds, the sooner you will end up one day with more problems than you want to own.

      #~. @Dobby

      Turris Omnia - 4 Ports - 2 GB RAM / TurrisOS 7 Release (Btrfs)
      PC Engines APU4D4 - 4 Ports - 4 GB RAM / pfSense CE 2.7.2 Release (ZFS)
      PC Engines APU6B4 - 4 Ports - 4 GB RAM / pfSense+ (Plus) 24.03_1 Release (ZFS)

      • Crossy2 @Dobby_ (last edited by Crossy2)

        @Dobby_

        Thx, food for thought.

        This is something for the distant future, let me first try to make my home network a bit more secure.

        This whole coming exercise is also because we are getting solar in the next weeks and the inverters need to be connected to the WWW (via WiFi). And I don't want them to snoop around in my LAN (read: PC, NAS etc.), but I would still like to be able to manage them.

        So:
        inverter -> WWW: ok
        Inverter -> LAN: not ok
        Main PC -> Inverter: ok

        • Dobby_ @Crossy2

          @Crossy2 said in Pfsense setup question CGNAT:

          This is something for the distant future, let me first try to make my home network a bit more secure.

          Ok, forget that the CGNAT exists! It is only good for you to know about if you want to VPN in over the internet!

          This whole coming exercise is also because we are getting solar in the next weeks and the inverters do need to be connected to the WWW (Via WiFi).

          For sure that is ok.

          And I don’t want them to snoop around in my LAN (read: PC, NAS etc.), but I would still like to be able to manage them.

          Ok, and must you use the router from your ISP? Or can you also put a modem in front of your pfSense? That would make things easier for you.

          So:
          inverter -> WWW: ok

          Set the inverter inside the DMZ (between the ISP router and the pfSense). Now it can have a connection to the internet with ease, and you can connect to it over VPN.

          The pfSense is then securing your entire LAN, because it is behind the ISP router!

          Inverter -> LAN not oke

          If you now open ports at the pfSense WAN, it is not as secure as you may want it!

          Main PC -> Inverter oke

          If the inverter is in the DMZ between both routers, you can connect to it from the PC in the LAN (routes), and from the outside (internet) you could connect to that inverter too, as I see it.


          • Crossy2 @Dobby_ (last edited by Crossy2)

            @Dobby_ said in Pfsense setup question CGNAT:

            If the inverter is in the DMZ between both routers, you can connect to it from the PC in the LAN (routes), and from the outside (internet) you could connect to that inverter too, as I see it.

            I could connect a WAP to the ISP router and have the inverters connect to that, because they only connect via WiFi. That would be an easy solution, and I have a spare router available.

            The inverters can then go out separately from my network, but I am not able to reach them remotely (on the road); for now that is a total NON-issue. Brilliant idea! Thx

            So for my understanding: plug the WAP into a LAN port on the ISP router so it gets an IP from the ISP router, and then it's in the DMZ? Correct?

            Do you have a link for me to read up on creating those routes from the pfSense to the WAP in the DMZ?

            Re: ISP router

            The router from the ISP I must use. It's fiber and they don't want to
            A) set the router in bridge mode
            B) give me the PPPoE username and password.
            It's one of those ZTE routers.

            • SteveITS (Galactic Empire) @Crossy2

              @Crossy2 To connect from your LAN through a router on the pfSense WAN to your inverter you don’t need anything on pfSense, just a port forward on that other router. IPv4 only if possible, in case your ISP adds IPv6 someday, so the Internet can’t connect to it; or else limit the port forward to your pfSense WAN IP.

              Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
              When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
              Upvote 👍 helpful posts!

              • Crossy2 @SteveITS (last edited by Crossy2)

                @SteveITS

                So for my understanding: to access the WAP (wireless access point), which is connected to a port of my ISP router, from the LAN side I don’t need to do anything, but I still need to open a port?

                Which ports do I HAVE to open? 80? To reach the management interface for example.

                • SteveITS (Galactic Empire) @Crossy2

                  @Crossy2 if your pfSense WAN and AP are both connected to the ISP LAN then your pfSense LAN can talk to it and other devices “out there” because pfSense will NAT the request to that network. I thought you were using a router, perhaps that was a different thread.


                  • Crossy2 @SteveITS (last edited by Crossy2)

                    @SteveITS

                    No worries, thx for taking the time to reply.

                    Unfortunately I can’t make a drawing as I am not at home.

                    But the situation is this currently

                    WWW - CGNAT - ISP ROUTER - LAN

                    And I want it to be

                    WWW - CGNAT - ISP ROUTER - PFSENSE - LAN

                    And the WAP could be placed like this

                    WWW - CGNAT - ISP ROUTER - WAP - PFSENSE - LAN

                    So the WAP will be connected to a port on the ISP router, and the WAN interface of the pfSense is also connected to a port on the ISP router.

                    Edit: will I need to setup some block/allow rules to prevent the WAP to access the LAN but the LAN to be able to access the WAP?

                    • SteveITS (Galactic Empire) @Crossy2

                      @Crossy2 A true AP will put those devices on the pfSense WAN network. They are all on the ISP router LAN.

                      pfSense WAN blocks all incoming traffic by default.

                      pfSense LAN has an allow-all rule by default, so it can access devices on the WAN side.


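The two defaults SteveITS describes (WAN blocks unsolicited inbound, LAN allows everything outbound) answer Crossy2's earlier question about block/allow rules: because pf is stateful, the reply to a connection the PC opened is matched by the state entry and passes back in, while a connection the inverter starts on its own hits the WAN default block. The following is an added illustration written for this page, not code from the thread, from pfSense or from Netgate: a small Python model of that stateful, NAT-ing behaviour for the topology drawn above. All addresses are constructed (192.0.2.0/24 for the ISP router LAN where the AP and pfSense WAN sit, 192.168.1.0/24 for the pfSense LAN, 192.0.2.2 as the pfSense WAN address), and the model is deliberately simplified: one rule per interface, one state per flow, and no timeouts or TCP flag tracking.

```python
"""Simplified model of pfSense's default stateful filtering and outbound NAT.

Constructed topology (not the poster's real addresses):

    Internet - ISP router LAN 192.0.2.0/24 - pfSense WAN 192.0.2.2
                  |-- AP + inverters, e.g. 192.0.2.50
               pfSense LAN 192.168.1.0/24 - PC 192.168.1.10, NAS 192.168.1.20
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN_NET = ip_network("192.168.1.0/24")   # constructed pfSense LAN
WAN_IP = "192.0.2.2"                      # constructed pfSense WAN address

# One default rule per interface, as in a fresh pfSense install:
# LAN has an "allow all" pass rule, WAN has no pass rules (so: block).
RULES = {"LAN": "pass", "WAN": "block"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    sport: int = 40000


class Firewall:
    def __init__(self, rules, wan_ip):
        self.rules = rules
        self.wan_ip = wan_ip
        # state table: translated (nat_src, nat_sport, dst, dport) -> (orig_src, orig_sport)
        self.states = {}
        self.next_nat_port = 60000

    def ingress_iface(self, pkt):
        """Decide which interface a packet arrives on from its source address."""
        return "LAN" if ip_address(pkt.src) in LAN_NET else "WAN"

    def filter(self, pkt):
        """Return (verdict, packet as forwarded) or (verdict, None) when dropped."""
        if self.ingress_iface(pkt) == "WAN":
            # A reply to a flow we already allowed out: match the state and undo NAT.
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key in self.states:
                orig_src, orig_sport = self.states[key]
                return "pass (state)", Packet(pkt.src, orig_src, orig_sport, pkt.sport)
            # Anything else arriving on WAN is unsolicited: default block.
            return self.rules["WAN"], None

        # LAN ingress: evaluated against the LAN rule, then source-NATed to the WAN IP.
        if self.rules["LAN"] != "pass":
            return "block", None
        nat_port = self.next_nat_port
        self.next_nat_port += 1
        self.states[(self.wan_ip, nat_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return "pass", Packet(self.wan_ip, pkt.dst, pkt.dport, nat_port)


def run_scenario():
    """Walk the thread's three cases through the model and collect the verdicts."""
    fw = Firewall(RULES, WAN_IP)
    pc, nas, inverter = "192.168.1.10", "192.168.1.20", "192.0.2.50"
    out = {}

    # Main PC -> inverter web UI (port 80): allowed by the LAN rule, creates state.
    verdict, egress = fw.filter(Packet(pc, inverter, 80, sport=50000))
    out["pc_to_inverter"] = verdict
    out["nat_source"] = egress.src          # the inverter only ever sees the WAN IP

    # The inverter answers the translated address; the state entry lets it back in.
    verdict, delivered = fw.filter(Packet(inverter, egress.src, egress.sport, sport=80))
    out["inverter_reply"] = verdict
    out["reply_delivered_to"] = delivered.dst

    # Inverter -> NAS on its own initiative: no state, so the WAN default block applies
    # (it could not even route to the private LAN address, but the filter decides first).
    verdict, _ = fw.filter(Packet(inverter, nas, 445, sport=3333))
    out["inverter_to_nas"] = verdict

    # Inverter -> pfSense's own WAN address without a matching state: also blocked.
    verdict, _ = fw.filter(Packet(inverter, WAN_IP, 443, sport=3334))
    out["inverter_to_pfsense_wan"] = verdict
    return out


if __name__ == "__main__":
    for case, verdict in run_scenario().items():
        print(f"{case:>24}: {verdict}")
```

The design point the model makes visible is that the asymmetry Crossy2 wants (LAN reaches the AP and inverters, the inverters do not reach the LAN) is not something that needs extra rules; it falls out of the default WAN block plus state tracking, and outbound NAT means the inverter side never learns the LAN addressing. What the defaults do not do is restrict the LAN: the allow-all LAN rule lets every LAN host reach the ISP router network, so anyone wanting only the main PC to manage the inverters would tighten the LAN rule rather than touch WAN.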
                      • Crossy2 @SteveITS (last edited by Crossy2)

                        @SteveITS

                        Thx again.

                        It’s an ASUS router I still have that I would like to use as an AP for the inverters:

                        ASUS RT-N12

                        • SteveITS (Galactic Empire) @Crossy2

                          @Crossy2 If it has AP mode then the above applies. Some routers let you plug in only LAN and thus act like an AP. If it will only be a router then you can forward a port to your inverter on its LAN.


                          • Crossy2 @SteveITS

                            @SteveITS

                            Yep, it has I believe 3 modes, and one of those is AP.

                            I will do some testing and report back, but it could be a while as I am not at home due to personal circumstances.

                            That option to place the AP there is a really great one, as it also frees up a port on the pfSense SG-1100 (I ordered one before I came to this forum; if I knew then what I know now I would have ordered a 2100 😂😉).

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.