Home ISP Router - Best Practices
-
Hi,
I'm looking at installing a pfSense box in the not too distant future and I’m getting confused about the security features of the ADSL modem getting in the way. The configuration I’m looking at is [ADSL Modem > pfSense Box > Switch > All Devices including a Wireless Access Point]
I'm wondering does the standard ISP router configuration matter.
Should I disable the firewall?
Should I enable bridge mode (No idea what this is, heard it mentioned)?
I don’t want to be in a position where I need to configure port forwarding on the ISP router and the pfSense box.
The router I currently have is a Cisco EPC3925
Any help or direction to relevant posts / blogs is much appreciated :)
-
Should I enable bridge mode (No idea what this is, heard it mentioned)?
That makes the ISP device change from being a router into just a "modem" and passing the ISP-allocated IP address through to pfSense. Typically the ISP will have some method of PPPoE login, and so with the ISP device being a "modem" you configure your login details in pfSense.
Should I disable the firewall?
Setting the ISP device to bridge mode effectively disables its firewall anyway.
I don’t want to be in a position where I need to configure port forwarding on the ISP router and the pfSense box.
Yes, if you are offering services on pfSense (OpenVPN server…) or on a system behind pfSense, then having the ISP device in bridge mode means you don't have to mess with it to forward ports.
The other option is that many cheap ISP devices have a "DMZ" setting (that is not actually DMZ) that forwards all incoming traffic to a fixed ISP-device-LAN-side private IP. You can send that to pfSense WAN - then all the nasty internet-sourced traffic comes straight through to pfSense, where you can filter and log whatever you like. This option does mean that both ISP device and pfSense are doing NAT - some higher-level protocols that don't play nicely with NAT anyway can be double-trouble with double-NAT.
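Added example, not part of the original post: a quick check of which of the two setups above is actually in effect, based on the IPv4 address pfSense receives on WAN. The function name and sample addresses are constructed for illustration, and the carrier-grade NAT case goes beyond what the thread discusses.

```python
import ipaddress

# RFC 1918 private ranges. A WAN address in one of these means the ISP
# device is still routing and doing NAT in front of pfSense.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# RFC 6598 shared address space, used by ISPs for carrier-grade NAT.
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def classify_wan(addr):
    """Return (verdict, note) for the IPv4 address seen on the pfSense WAN."""
    try:
        ip = ipaddress.IPv4Address(addr.strip())
    except ValueError:
        return ("invalid", "not an IPv4 address")
    if any(ip in net for net in RFC1918):
        return ("double-nat",
                "ISP device is routing: bridge mode is off, or the 'DMZ' "
                "option is in use; inbound traffic passes through two NATs")
    if ip in CGNAT:
        return ("cgnat",
                "ISP-side NAT: port forwards on pfSense alone cannot make "
                "services reachable from the internet")
    if ip.is_link_local or ip.is_loopback or ip.is_unspecified:
        return ("no-lease", "WAN has no usable address (PPPoE/DHCP not up)")
    return ("public",
            "ISP-allocated address is on pfSense: bridge mode is working "
            "and pfSense is the only NAT and firewall in the path")


if __name__ == "__main__":
    # Constructed sample addresses (203.0.113.7 is a documentation address
    # standing in for a real ISP-allocated one).
    for sample in ("192.168.0.10", "100.72.1.5", "203.0.113.7", "0.0.0.0"):
        verdict, note = classify_wan(sample)
        print(f"{sample:15} {verdict:11} {note}")
```

Feed it the address shown for the WAN interface on the pfSense dashboard after switching the ISP device to bridge mode.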
-
I'm wondering does the standard ISP router configuration matter.
I believe that all the settings on the ISP's router can be ignored once you log in to your ISP from the pfSense box using whatever method like PPPoE, which doesn't require any configuration.
At least this is how it works on my side. I never even bother to enter my login and password into the box or configure anything. It acts as a simple modem passing packets from one port to another.
Matthieu
-
@Phil.Davis & pagaille
Thanks for answering my questions guys, it turns out I do have a bridge mode option on the modem ;D
All that's left now is to build :)