Netgate Discussion Forum

    Router recommendations requested

    Hardware
    14 Posts 4 Posters 6.4k Views
    wallabybob

      There doesn't seem to be much support in FreeBSD/pfSense for cable modem cards or ADSL cards, and such cards, when they can be found, are pretty expensive. Therefore I think the best option is to use an appropriate modem (not a modem/router combination) as first preference, then a modem/router in "Bridge" mode (non-routing) as second preference.

      pfSense systems can generally hold much more RAM than commodity modem/routers, so they can hold many more firewall state entries and consequently support many more concurrent "connections" than devices with a small fixed RAM size.

    mr_bobo

        Thanks for answering, wallabybob. I can pick up a Netgear modem for approximately $50US and will probably go with that.

    mr_bobo

          @wallabybob:

          Therefore I think the best option is to use an appropriate modem (not a modem/router combination) as first preference, then a modem/router in "Bridge" mode (non-routing) as second preference.

          What are the benefits of running the modem/router in bridge mode?

          I've always run my router with the 172.16.0.1 range, with it performing DHCP, and the pfSense box using the 192.168.1.1 range. That's just the way it ended up when I first installed pfSense, and everything has been working fine up to this point, so I never saw the benefit in bridging the router. Is that what they refer to as Double NAT?

          I still haven't found a modem/router I like to replace my old one. The Netgear DM111P I was looking at reportedly runs hot and has a short lifespan. An Actiontec modem I was researching advised not to run over 45 states at once, and I had 88 states showing in pftop while I was reading about it.  ::)

    Slam

            @mr_bobo:

            What are the benefits of running the modem/router in bridge mode?

            The benefits are that this allows the modem to pass through all traffic to be handled by pfSense; pfSense will also be handling the public IP assigned by your provider. If possible, run the modem in bridge mode, as pfSense is far superior at handling services to what is offered on the modem/router combo.

            I've always run my router with the 172.16.0.1 range, with it performing DHCP, and the pfSense box using the 192.168.1.1 range. That's just the way it ended up when I first installed pfSense, and everything has been working fine up to this point, so I never saw the benefit in bridging the router. Is that what they refer to as Double NAT?

            Yes, more info here http://www.practicallynetworked.com/networking/fixing_double_nat.htm

            I still haven't found a modem/router I like to replace my old one. The Netgear DM111P I was looking at reportedly runs hot and has a short lifespan. An Actiontec modem I was researching advised not to run over 45 states at once, and I had 88 states showing in pftop while I was reading about it.  ::)

            I bought a pair of used Vodafone-branded DM111Ps about 2 years ago for about £5 each on eBay and flashed them with Netgear's own firmware. They have been fine holding up a small but complex dual-WAN network. They do get a bit warm, but placed somewhere nice and cool they perform very well, and I can max them out to what my line allows (13Mb~); I think they are capable of 24Mb.

            There are a few 3rd-party firmwares available for some Netgears if you want to go down that route, and you can pick up a used one off eBay.

    wallabybob
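A quick way to tell the two setups apart from the pfSense side is to look at the address the WAN interface actually holds: a public address means the modem is bridged, an RFC 1918 address means another NAT layer sits in front of pfSense (double NAT), and 100.64.0.0/10 means the provider is doing carrier-grade NAT. The following is an added example, not code from the thread or from pfSense; `classify_wan` and `lan_conflict` are hypothetical helpers, and the addresses used below are constructed. `lan_conflict` covers the other double-NAT pitfall: the modem's LAN and the pfSense LAN must not overlap (the thread's 172.16.0.x in front of 192.168.1.x is fine).

```python
"""Classify a pfSense WAN address to tell a bridged modem from double NAT.

Added example, not from the thread or from pfSense. The helpers and the
sample addresses are assumptions for illustration.
"""
import ipaddress

# Blocks a home firewall's WAN can receive from the device in front of it.
# Anything from these means a NAT layer sits before pfSense (double NAT)
# or the ISP is doing carrier-grade NAT.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")        # RFC 6598 shared space
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # APIPA: no DHCP lease


def classify_wan(addr: str) -> str:
    """Return 'bridged', 'double-nat', 'cgnat', 'no-lease' or 'other'.

    'bridged' means the WAN holds a globally routable address, i.e. the
    modem passes the provider's public IP straight through to pfSense.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError("IPv4 addresses only")
    if ip in CGNAT:          # checked first: ipaddress does not call this private
        return "cgnat"
    if ip in LINK_LOCAL:
        return "no-lease"
    if any(ip in net for net in RFC1918):
        return "double-nat"
    if ip.is_global:
        return "bridged"
    return "other"           # loopback, documentation ranges, reserved, etc.


def lan_conflict(modem_lan: str, pfsense_lan: str) -> bool:
    """True when the modem's LAN and the pfSense LAN overlap.

    In a double-NAT setup the two subnets must be distinct; an overlap
    breaks routing between the WAN and LAN sides of pfSense.
    """
    a = ipaddress.ip_network(modem_lan, strict=False)
    b = ipaddress.ip_network(pfsense_lan, strict=False)
    return a.overlaps(b)


if __name__ == "__main__":
    # Constructed sample addresses, one per category.
    for a in ("172.16.0.5", "100.72.3.4", "8.8.8.8", "169.254.10.1"):
        print(f"{a:>14} -> {classify_wan(a)}")
    print("172.16.0.0/24 vs 192.168.1.0/24 overlap:",
          lan_conflict("172.16.0.0/24", "192.168.1.0/24"))
```

On a live box the WAN address comes from Status > Interfaces (or `ifconfig` on the console); compare it with what a "what is my IP" service reports to confirm whether anything else is translating in between.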

              @mr_bobo:

              An Actiontec modem I was researching advised not to run over 45 states at once and I had 88 states showing in pftop while I was reading about it.

              Unless "states" in "45 states" means something very different than "states" in "88 states" this "modem" was doing a lot more than being a "modem". (The "45 states" suggests it was also acting as firewall/NAT router.)

    mr_bobo

                @wallabybob:

                @mr_bobo:

                An Actiontec modem I was researching advised not to run over 45 states at once and I had 88 states showing in pftop while I was reading about it.

                Unless "states" in "45 states" means something very different than "states" in "88 states" this "modem" was doing a lot more than being a "modem". (The "45 states" suggests it was also acting as firewall/NAT router.)

                I was wrong about the terminology used in the Actiontec manual pdf. It states "The modem is capable of 254 connections, but it is recommended to have no more than 45. As you increase the number of connections, you decrease the available speed for each computer."

                Thanks for the other info, I may go ahead and buy a DM111P. I don't need to access my computers remotely so my current double NAT setup hasn't been a problem of any sort, in fact I prefer them not being available in that manner, but I'll try bridging the router and see how it goes.

    stephenw10 Netgate Administrator

                  @mr_bobo:

                  What are the benefits of running the modem/router in bridge mode?

                  @mr_bobo:

                  "The modem is capable of 254 connections, but it is recommended to have no more than 45. As you increase the number of connections, you decrease the available speed for each computer."

                  This pretty much answers your question!
                  45 states is nothing if you have several computers behind it. Putting the modem into bridge mode negates this restriction because the modem device does not have to do NAT.
                  pfSense is in a different league in terms of firewall states because, as previously stated, it can have far more RAM. My home box, which has 512MB, is currently showing 114/48000 states.

                  Steve

    mr_bobo

                    @stephenw10:

                    @mr_bobo:

                    What are the benefits of running the modem/router in bridge mode?

                    @mr_bobo:

                    "The modem is capable of 254 connections, but it is recommended to have no more than 45. As you increase the number of connections, you decrease the available speed for each computer."

                    This pretty much answers your question!
                    45 states is nothing if you have several computers behind it. Putting the modem into bridge mode negates this restriction because the modem device does not have to do NAT.
                    pfSense is in a different league in terms of firewall states because, as previously stated, it can have far more RAM. My home box, which has 512MB, is currently showing 114/48000 states.

                    Steve

                    My pfSense box has a 2.66GHz P4 and 2GB RAM, and I have great faith in the OpenBSD pf firewall, so there's no doubt in my mind it's more capable of handling networking and firewall duties than a commercial router. It's just that I haven't had any kind of problem with the router dropping connections or delivering the speeds I get with my DSL package with my current double NAT setup, and my pfSense box has worked flawlessly since I fired it up, so I haven't seen the point in changing anything before now. I've never run this one in bridged mode, so I was just curious whether or not it was worth doing so.

                    The problem is that I'm using the 2Wire gateway I bought when I first got DSL over 10 years ago. The recent pfSense exploit prompted me to check into my router security, and sure enough, it's vulnerable to a directory traversal exploit. The exploit is several years old, so there's no point in freaking out about it at this juncture, but I need to find a modem that seems like a suitable replacement and don't want to make the wrong decision.

                    The modems/gateways AT&T supports all seem like more trouble than they're worth, not to mention they backdoor all their branded equipment so they can remotely administer them, and the fact that they neglected to advise their customers that the router they sold them had a vulnerability, or to push a firmware update to fix it, so I don't want to get into that situation again.

                    I do appreciate the advice you guys have provided. :)

    stephenw10 Netgate Administrator

                      Actually I have totally misread the quote from the modem documentation.  :-[
                      What they are actually saying is that it supports up to 254 clients behind it but they recommend no more than 45. This is also a restriction that pfSense does not have; you can have a very large subnet on your LAN with a huge number of clients. It's unlikely you'd ever want that on a home setup though.
                      The state table size comments I made still hold true though.

                      Steve

    mr_bobo

                        @stephenw10:

                        Actually I have totally misread the quote from the modem documentation.  :-[
                        What they are actually saying is that it supports up to 254 clients behind it but they recommend no more than 45. This is also a restriction that pfSense does not have; you can have a very large subnet on your LAN with a huge number of clients. It's unlikely you'd ever want that on a home setup though.
                        The state table size comments I made still hold true though.

                        Steve

                        Don't feel bad, I misread it the first time too.

                        I went ahead and got a Netgear N300 modem/router from Walmart. It wasn't really what I wanted, but I had to make a decision, and it seemed like a better-quality piece of equipment than the DM111P, and I had to take what I could get locally since I don't use credit cards. I have it set up now and it's running cool.

                        Edit: I set it up in double NAT mode like I've been running it the past several months. I don't play online games or need remote access to my machines and prefer running it like this.

    mr_bobo

                          I went ahead and put the Netgear in bridged mode and am going to run it like this. I don't think it handles traffic as well as my 2wire did in a double NAT configuration.

                          My Up/Down speeds are virtually the same but pages and even small images seemed to take forevah to load with the Netgear before I bridged it. Much longer than they did with the 2wire or with it bridged.

                          The N300 doesn't perform SPI either so at least I can rest easy knowing pfSense is handling the firewall duties.

    stephenw10 Netgate Administrator

                            @mr_bobo:

                            The N300 doesn't perform SPI

                            Just for information… ;)
                            I would be very surprised if that was true. The Netgear is probably running an embedded Linux of some description and using iptables. That is a stateful firewall. Though you haven't said exactly which model, so I suppose it might be possible.

                            Anyway it's not relevant if you're running it bridged.

                            Steve

    mr_bobo

                              @stephenw10:

                              @mr_bobo:

                              The N300 doesn't perform SPI

                              Just for information… ;)
                              I would be very surprised if that was true. The Netgear is probably running an embedded Linux of some description and using iptables. That is a stateful firewall. Though you haven't said exactly which model, so I suppose it might be possible.

                              It's the DGN2200v3 N300 Modem Router, and it states it has IDS and DoS protection. The N600 Modem Router specifies it does SPI and DoS protection. I believe it is running a Linux distro, but with the exception of when I ran the Shields-Up scan against it at grc.com, which it classified as a null scan, everything else it logged for the 4 days I ran it before bridging was classified as a DoS attack: ACK Scan.


                              [DoS attack: ACK Scan] from source: 66.219.34.171:80, Wednesday, January 16,2013 10:42:06
                              [DoS attack: ACK Scan] from source: 42.121.96.154:1025, Wednesday, January 16,2013 10:21:57
                              [DoS attack: ACK Scan] from source: 67.213.209.173:6000, Wednesday, January 16,2013 09:48:56
                              [DoS attack: ACK Scan] from source: 42.121.96.154:80, Wednesday, January 16,2013 09:37:03
                              [DoS attack: ACK Scan] from source: 42.121.96.154:80, Wednesday, January 16,2013 09:26:21
                              [DoS attack: ACK Scan] from source: 42.121.96.154:1025, Wednesday, January 16,2013 09:17:18
                              [DoS attack: ACK Scan] from source: 42.121.96.154:80, Wednesday, January 16,2013 09:15:49
                              [DoS attack: ACK Scan] from source: 42.121.96.154:80, Wednesday, January 16,2013 09:13:56
                              [DoS attack: ACK Scan] from source: 42.121.96.154:1025, Wednesday, January 16,2013 08:50:48
                              [DoS attack: ACK Scan] from source: 42.121.96.154:1025, Wednesday, January 16,2013 08:47:46
                              [DoS attack: ACK Scan] from source: 42.121.96.154:1025, Wednesday, January 16,2013 07:37:28
                              [DoS attack: ACK Scan] from source: 91.212.124.132:29000, Wednesday, January 16,2013 06:56:47
                              [DoS attack: ACK Scan] from source: 63.247.91.154:22, Tuesday, January 15,2013 13:52:18


                              I have serious doubts it was logging everything it blocked, due to the large number of varied log entries I had with pfSense within an hour of setting it to do the firewall duties. It may well be doing SPI, and I run the pf firewall on my computers so I wasn't worried, but it didn't instill any confidence in me as far as it being a firewall beyond doing NAT.

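The log excerpt above is worth reading with a stateful firewall's behaviour in mind: a single TCP packet with only ACK set, arriving from a server port such as 80 or 22, is exactly what a router drops when the session it belonged to has already aged out of its state table, so a run of "ACK Scan" entries from one address is as likely to be late retransmissions as it is a scan. The script below is an added example and not part of the thread or of any Netgear or pfSense code; it embeds the thirteen lines mr_bobo posted, parses the Netgear timestamp format (note the missing space after the comma before the year), groups the hits per source, and applies a labelled heuristic (`likely_stray`, an assumption: source port is a common service port) to separate probable stray packets from possible probes. The `SERVICE_PORTS` set and all function names are assumptions for illustration.

```python
"""Group Netgear '[DoS attack: ...]' log lines by source and flag stray ACKs.

Added example, not from the thread or from any vendor code. SAMPLE_LOG is
the excerpt posted in the thread; the parser, the service-port heuristic
and the function names are assumptions.
"""
import re
from datetime import datetime

SAMPLE_LOG = """\
[DoS attack: ACK Scan] from source: 66.219.34.171:80, Wednesday, January 16,2013 10:42:06
[DoS attack: ACK Scan] from source: 42.121.96.154:1025, Wednesday, January 16,2013 10:21:57
[DoS attack: ACK Scan] from source: 67.213.209.173:6000, Wednesday, January 16,2013 09:48:56
[DoS attack: ACK Scan] from source: 42.121.96.154:80, Wednesday, January 16,2013 09:37:03
[DoS attack: ACK Scan] from source: 42.121.96.154:80, Wednesday, January 16,2013 09:26:21
[DoS attack: ACK Scan] from source: 42.121.96.154:1025, Wednesday, January 16,2013 09:17:18
[DoS attack: ACK Scan] from source: 42.121.96.154:80, Wednesday, January 16,2013 09:15:49
[DoS attack: ACK Scan] from source: 42.121.96.154:80, Wednesday, January 16,2013 09:13:56
[DoS attack: ACK Scan] from source: 42.121.96.154:1025, Wednesday, January 16,2013 08:50:48
[DoS attack: ACK Scan] from source: 42.121.96.154:1025, Wednesday, January 16,2013 08:47:46
[DoS attack: ACK Scan] from source: 42.121.96.154:1025, Wednesday, January 16,2013 07:37:28
[DoS attack: ACK Scan] from source: 91.212.124.132:29000, Wednesday, January 16,2013 06:56:47
[DoS attack: ACK Scan] from source: 63.247.91.154:22, Tuesday, January 15,2013 13:52:18
"""

LINE_RE = re.compile(
    r"\[DoS attack: (?P<kind>[^\]]+)\] from source: "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+), (?P<when>.+)$"
)
# Netgear writes "January 16,2013" with no space after the comma.
TIME_FMT = "%A, %B %d,%Y %H:%M:%S"

# Assumption: an unsolicited ACK *from* a well-known server port is usually a
# late packet of a session the firewall already forgot, not a probe.
SERVICE_PORTS = {22, 25, 53, 80, 443}


def parse_log(text):
    """Parse the Netgear lines into dicts, oldest first; skip unknown lines."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        events.append({
            "kind": m["kind"],
            "ip": m["ip"],
            "port": int(m["port"]),
            "when": datetime.strptime(m["when"], TIME_FMT),
        })
    events.sort(key=lambda e: e["when"])
    return events


def likely_stray(event):
    """True when the source port suggests a retransmission rather than a scan."""
    return event["port"] in SERVICE_PORTS


def summarize(events):
    """Per-source counts, source ports seen, first/last time and stray count."""
    out = {}
    for e in events:
        s = out.setdefault(e["ip"], {"count": 0, "ports": set(), "stray": 0,
                                     "first": e["when"], "last": e["when"]})
        s["count"] += 1
        s["ports"].add(e["port"])
        s["stray"] += likely_stray(e)
        s["first"] = min(s["first"], e["when"])
        s["last"] = max(s["last"], e["when"])
    return out


def top_sources(events, n=3):
    """(ip, count) pairs, busiest first; ties broken by address."""
    s = summarize(events)
    ranked = sorted(((ip, v["count"]) for ip, v in s.items()),
                    key=lambda t: (-t[1], t[0]))
    return ranked[:n]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, s in sorted(summarize(evs).items(), key=lambda kv: -kv[1]["count"]):
        span = s["last"] - s["first"]
        print(f"{ip:>16}  hits={s['count']:2d}  stray={s['stray']:2d}  "
              f"ports={sorted(s['ports'])}  span={span}")
```

Run against the excerpt, the busiest source (42.121.96.154, nine hits in under three hours, all from ports 80 and 1025) looks more like a noisy web server re-sending packets after the router dropped its state than like a deliberate scan; the single hits from 29000 and 6000 are the ones that do not fit that pattern. The same parser can be pointed at a full export from the router's log page to see whether the mix changes.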
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.