Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Dsl modem in transparent bridge mode with pfsense

    Off-Topic & Non-Support Discussion
    2
    3
    9.5k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • W
      wbond
      last edited by

      My home DSL service included an Actiontec Q1000 modem/router that worked ok as a DSL modem, but I wasn't happy with it as a router.  It didn't take long before I added a Netgear WNDR3700 router and put the modem into transparent bridge mode and used the Netgear as the router and wireless access point.  This worked well enough until I heard about pfsense and have since been using a small dual NIC box as a pfsense router and the WNDR3700 is now used solely as a wireless access point.

      Somewhere along the way I found that if I plugged a second Ethernet cable between the WNDR and the Q1000 (both have 4 port switches built in) that I could access the web gui on the Q1000 from inside the network.  This came in handy as I could use the gui to reboot the Q1000 when it lost the internet connection, which is seemed to do on a semi regular basis.  Whenever I had it set up this way I had an uneasy feeling that it might be a huge security hole so usually left this cable unplugged.

      Since the modem is bridged I think that the internet connection comes in and goes straight out the cable to the router, whether it's pfsense or the WNDR.  My question is if having this second cable going from the modem to my internal LAN a security hole.  Since the unfiltered internet connection is going through the modem's switch is there some way for anyone from the outside to get onto the LAN without going through the router.  In other words is there any danger in using the modem's switch as a means of accessing the modem's gui from inside the LAN.  I think the answer is that it's not a risk, but I'd like to see what people think who know more about this than I do.

      Another reason for asking is that the Q1000 is also a wireless router, so I was thinking about using it as a second wireless access point that I could then plug into a smart switch to create a separate wireless VLAN to use with pfsense.  This actually works, I was surprised to find out, but I still have that uneasy feeling mixing WAN and LAN traffic on the same device before it hits pfsense.

      Hopefully this makes enough sense that someone can understand what I'm asking and it's not too much of a newb question.  I realize that this isn't directly related to pfsense, but hopefully it's close enough.

      tia
      Bill

      edit: I should add that when I access the modem from the LAN I'm using the private LAN ip address of the modem.

      1 Reply Last reply Reply Quote 0
      • stephenw10S
        stephenw10 Netgate Administrator
        last edited by

        It probably isn't any sort of risk since the actual WAN connection to your ISP is a PPPoE tunnel that goes through the modem.

        There is no need to use a second cable however, you can do it with just the WAN connection:
        https://doc.pfsense.org/index.php/Accessing_modem_from_inside_firewall#For_2.0

        There are a couple of tricks you can use to avoid setting outbound NAT in manual mode. I try leave it set to automatic as other wise you have to remember to set all the rules correctly when adding or removing an interface.

        I have seen people use the modem as a wifi access point too. I would probably try to avoid it though just because the complexity of the setup means that configuration errors are far more likely.

        Steve

        1 Reply Last reply Reply Quote 0
        • W
          wbond
          last edited by

          Thanks for the reply Steve.  That's what I was thinking, that there probably isn't any risk of anything breaking out of the tunnel between the ISP and the WAN connection on the pfsense box, but I wasn't sure.

          Thanks for the link as well.  I should have mentioned that I'd seen it, but it seemed easier to plug a cable between the modem and one of the switches on the LAN as no other changes were necessary.  I haven't made any changes for NAT on either the modem or the pfsense box, although may have turned it off on the modem a few years ago when I put it in bridge mode as it's turned off now.  I assume the modem is just passing the internet connection to pfsense and not doing any NAT and that pfsense is the only thing doing NAT.

          The reason I was thinking of using the modem for wireless is to segregate my Directv network from the LAN by creating a VLAN.  The Directv boxes are networked using coax, but they need to use wireless to get an internet connection without some other piece of hardware I don't have and would have to buy.  I don't like having boxes I don't control on the LAN but the WNDR WAP doesn't do VLAN's.  I could buy another access point, but since the modem's wireless isn't being used I figured why not, assuming I'm not opening up a security hole.  Since it's already working most of the configuration is already sorted out.

          Bill

          1 Reply Last reply Reply Quote 0
          • First post
            Last post