Advice on setting up my SG1100 as a home firewall
-
So currently you have the 1100 just between your ISPs router and a downstream switch?
Is there really no access to the ISP router? You can't even change the WiFi details for example?
It would certainly be better to connect directly with a public IP on the pfSense WAN. Makes it far easier to run a VPN server for example.
-
@stephenw10 yeah, and currently the ISP WiFi would be outside the pfSense Firewall -> NOT good :-(
The optimum setup would be to get the ISP box configured to bridge mode so you get a public WAN IP on your pfSense, and then get a proper access point for WiFi that you set up on the inside of pfSense (LAN side).
-
Well the OP states no way to access the router, let alone set to bridge mode.
I second that moving the pfSense box to the top is required to make it useful. All you can make it do behind the ISP router is set up a separate network with your own WiFi access points and stop using the ISP WiFi. Not ideal because you can get interference so choose different bands. Also, you will have two networks stacked behind each other. So the best thing to do is ask your ISP to set their box into bridge mode remotely. I went the same route.
Also: if you have fiber I assume you have a small box to convert fiber to RJ-45 cable, and the ISP router behind that. You might be able to completely take out the ISP router altogether and use your SG-1100 instead. I experimented with this using KPN fiber (Netherlands) and it worked great. But setting that up is not suited for entry-level users.
-
@sanjdbn said in Advice on setting up my SG1100 as a home firewall:
I would love any suggestions on how I can get my netgate in the mix of things and use features such as content filtering, VPN, Firewall Rules, etc.
Going to be honest with you. You got the wrong device for the job. I have an SG1100 and it can barely run pfBlocker (not a bunch of lists enabled). I get OOM (out of memory) messages a lot which leads to other services crashing (snmpd). Truthfully other than routing to the internet this device cannot do what you are asking it to do from a content filtering point of view. It can VPN and Firewall all day but that's it.
-
Yup VPN in/out can certainly work but you'd need to be able to forward traffic through the ISP router for inbound.
-
@stephenw10 Thank you for your reply. Currently the device is not connected. I've contacted the ISP and also tried every trick to log in to the router. Maybe I will contact them again and state my purpose, then we can go from there. Appreciate the advice.
-
@keyser Thank you. Will get in touch with the ISP to push for some login.
-
@Cabledude Thank you for this. So I will contact the ISP to set the device to bridge mode and then take it from there. Thanks for the advice, appreciate it.
-
@michmoor Thank you for the advice. Appreciate it
-
@sanjdbn said in Advice on setting up my SG1100 as a home firewall:
@Cabledude Thank you for this. So I will contact the ISP to set the device to bridge mode and then take it from there. Thanks for the advice, appreciate it.
You're welcome. Please do be aware of the following:
Bridge mode means that the router only forwards the internet connection and all router/firewall functionality will be bypassed.
So once your ISP router has been set to bridge mode, the ISP box WiFi that you are currently using will stop working and the internet connection that the bridged router now passes on will be totally unprotected!
To do it right, first make sure you have a complete and well functioning replacement router, firewall and WiFi. You'll need to provide and set up a WiFi Access Point, with a WiFi name (SSID) and password for your devices to have WiFi access. You'll want to test it thoroughly before proceeding. Your setup then is SG-1100 + Access point, optionally with a switch between to connect printers or other cabled devices. I use UniFi gear but any good brand will do.
Then you can connect the outgoing cable from the bridged router to the WAN port of your pfSense box (SG-1100), which will provide basic (good) protection. Then you can learn and develop your network from there.
Also, please read up on eMMC failures on this forum; your SG-1100 is also vulnerable IF you decide to do logging, use pfBlocker with logging etc. You may want to opt for an external USB SSD to run the pfSense OS on.
Good luck!
-
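Added example, not part of the original thread or any poster's reply: a small Python check of what the pfSense WAN address says about bridge mode and inbound VPN, as discussed in the posts above. It is IPv4 only; the function name, the state labels and the sample addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress

# Address ranges that mean the WAN still sits behind another NAT device.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")      # RFC 6598 shared space
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


def classify_wan(wan_ip, observed_ip=None):
    """Return (state, advice) for the address on the pfSense WAN.

    wan_ip:      address shown on the WAN interface
    observed_ip: address an outside host sees for you (optional)
    """
    wan = ipaddress.ip_address(wan_ip)
    if wan in LINK_LOCAL:
        return ("no-lease", "WAN has no DHCP lease; check cabling and "
                "whether bridge mode is really active")
    if wan in CGNAT:
        return ("cgnat", "carrier-grade NAT; a port forward on the ISP "
                "router will not make inbound VPN reachable")
    if any(wan in net for net in RFC1918):
        return ("double-nat", "ISP router is still routing; inbound VPN "
                "needs a port forward on it, or bridge mode")
    if observed_ip and ipaddress.ip_address(observed_ip) != wan:
        return ("upstream-nat", "WAN differs from the address seen "
                "outside; something upstream still translates")
    return ("public", "pfSense holds the public address and is the only "
            "firewall in the path, so its WAN rules are what protect you")


if __name__ == "__main__":
    # Constructed samples: (WAN address, address seen from outside)
    samples = [("192.168.1.50", "203.0.113.10"),   # behind the ISP router
               ("100.72.3.4", "198.51.100.7"),     # ISP uses CGNAT
               ("203.0.113.10", "203.0.113.10")]   # bridged, public on WAN
    for wan_ip, seen in samples:
        state, advice = classify_wan(wan_ip, seen)
        print(f"{wan_ip:15} {state:12} {advice}")
```
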
@michmoor said in Advice on setting up my SG1100 as a home firewall:
@sanjdbn said in Advice on setting up my SG1100 as a home firewall:
I would love any suggestions on how I can get my netgate in the mix of things and use features such as content filtering, VPN, Firewall Rules, etc.
Going to be honest with you. You got the wrong device for the job. I have an SG1100 and it can barely run pfBlocker (not a bunch of lists enabled).
I respectfully disagree. I have used SG-1100s for years as reliable firewalls, including pfBlocker (for ad blocking with lots of lists and GeoIP) and OpenVPN. It has always worked fine from a performance point of view. The only issue I had was the wear on the eMMC, for which I switched to external USB SSD, which solved the issue.
So I would say an SG-1100 is just fine even in 2025 for a primer and when you want to explore possibilities. If you wish to go further, then at some point you'll want something more powerful, yes, but for just occasional VPN work it's not that bad.
I moved up to an SG-2100, mainly for the 4GB RAM, as the CPU is more or less the same.