PRO's and CON's of having a modem in bridge mode
-
Greetings to All!,
First of all, I would like to ask for apology as this might have been asked and answered before and I may just be too dumb how to search it.
I would like to hear from fellow pfsense people about the PRO's and CON's of having the modem in bridge mode [making the modem turn into a 'dumb' wire and have pfsense control the routing and/or PPPoE (for example)]?
Or as well…, please point me to good documents for this one.I'll appreciate any comments or violent re-actions on this one!
thanks in advance!---edit---
is there any NAT issues with a modem (non-bridge mode) used in conjunction to pfsense, will this be considered double NAT?
-
Nearly everyone here is likely to advise putting the front-end device into bridge mode whenever possible and having pfSense see the ISP-given IP address (be it public or CGN or private). If you are offering services (web site, VPN road warrior…) to people on the internet then great.
For me, the time I do not do this is for remote sites that do not have any level of IT knowledge on-site and that have just outgoing connections - client computers doing their normal internet stuff and OpenVPN site-2-site clients connecting up to a central office OpenVPN server, that kind of thing.
In that case it is really handy for fault-finding that the front-end device can do ordinary vanilla internet. e.g. a lot of my sites have ADSL and the ADSL device already comes with 4 LAN ports and WiFi and gives DHCP on those. By not messing with that it means an ordinary user on-site can be given the front-end WiFi password or plug a cable directly into one of the front-end device LAN ports and if the ADSL internet is working they will get it. They can also browse to the ADSL-device config page and report things to the IT support guy who is on the telephone. Or they can plug their 3G dongle into their laptop, get some internet, then the IT support guy can connect by TeamViewer and look themselves at the ADSL status... all independent of pfSense.
All this was very useful in the recent 2.2.3 problems with file system corruption - you can at least determine that ADSL is working (and pfSense is broken) and then give the ADSL WiFi password to everyone and let them have general unrestricted internet while you ship them another pfSense with a good 2.2.4 image on it.
Others will give you many reasons to use bridged mode...
-
thank you sir!, well noted example for divide/conquer in case of troubleshooting.
-
Like phil said, but even if remote sites have no IT, if you can build in redundancy into your net access, you've got mobile/cellular 2/3/4G, Mesh networks and satellite internet modems which can also be used to handle bandwidth and so mitigate against leaving a router in DMZ mode to pfsense. Besides if you have another basic fw/router in front of pfsense how can you spot the potential hacks as easily, to keep abreast of changing tactics?
It strikes me how many businesses/people rely on internet access, go to great efforts with redundancy in rack servers, Raid-x hard drives, etc, but dont realise their business could be harmed considerably from a natural/man-made event that takes their sole net access down for a couple of days. Even something simple, like the ISP messing up the allocated fixed IP addresses can be bad for business.
So CARP'ed firewalls with a couple methods to connect to the net is always useful even for just smoothing bandwidth consumption during peak times.So thats an alternative pov to leaving remote sites with routers in bridge modem mode. Besides even if on the road with no net access to hand because of driving, if you've done the configuration yourself and you get that call, its been possible to talk people with little to no IT knowledge/experience over the phone to resolve most problems.
Another problem with a router DMZ'ing to pfsense is you cant control the wifi as easily although getting better now with many ISP supplied routers offering a single on/off schedule, plus you cant see who is borrowing your bandwidth in that situation/hacked the router, although again ISP supplied routers are now better than they were say 10 or 15+ years ago.
Its mainly a question of how far do you take your net access redundancy? What matters most etc etc.
-
Another problem with a router DMZ'ing to pfsense is you cant control the wifi as easily although getting better now with many ISP supplied routers offering a single on/off schedule, plus you cant see who is borrowing your bandwidth in that situation/hacked the router
Yes, that is a problem. Once the "secret" password for the WiFi on that front-end device in a remote office is given to some local office person it gets leaked all over an everyone has their mobile phones connected to it and sucking bandwidth that completely bypasses any pfSense traffic shaping or limiters. I really should turn those off and make a local fault-finding person have to physically plug a network cable to get to the front end that bypasses pfSense.
-
thanks for all that have posted their ideas. anyways.
is there any NAT issues with a modem used in conjunction to pfsense, will this be considered double NAT?
this is one reason why I have placed the modem in bridge mode so that there is only 1 NAT and by pfsense only.
-
Exactly. No. There is no NAT done by the modem when it is in bridge mode.
There is little to debate about. If you can put your WAN device in bridge mode and make pfSense the first hop your provider sees, do it.
-
Exactly. No. There is no NAT done by the modem when it is in bridge mode.
There is little to debate about. If you can put your WAN device in bridge mode and make pfSense the first hop your provider sees, do it.
am sorry for the confusion sir, I was referring this to the "non-bridge" mode type for the modem.
I'll try to update it as clearly as I can -
If you have to NAT on the first device, then NAT on the second, it's double NAT.
-
Yes, that is a problem. Once the "secret" password for the WiFi on that front-end device in a remote office is given to some local office person it gets leaked all over an everyone has their mobile phones connected to it and sucking bandwidth that completely bypasses any pfSense traffic shaping or limiters. I really should turn those off and make a local fault-finding person have to physically plug a network cable to get to the front end that bypasses pfSense.
Just like Dell, HP et al sticking windows serial number labels on their pc's for staff to copy and use/sell elsewhere, hence the change to the Micorosoft funding model by going to a franchise method with Windows 10 as software companies now get charged annually to pay for apps to go through the MS app store.
-
Exactly. No. There is no NAT done by the modem when it is in bridge mode.
There is little to debate about. If you can put your WAN device in bridge mode and make pfSense the first hop your provider sees, do it.
Why specifically? Other than a few ambiguous comments, and a mention of wireless security/compatibility, why wouldn't a capable VDSL modem be desirable to handle PPPOE connections?
The simplest answer would be that you don't get or cannot use as easily, most functions people require(or expect) - NAT/port forwarding, firewall rules, general security, live status, widgets, packages, more features and testing environment(make an interface change on the router, you don't lose PPPOE with outside world. You make an interface change on the modem, you'll likely lose your connection).
I understand why people think it would be a good idea - the modem is the first spokesperson to the outside world. It seems logical that it's job would be to also make and manage the connection to the WAN.
-
Do what you want.
-
I have a PPPoA ISP, my Draytek 120 is connected to pfSense in bridge mode, no issues, no lag, no problem. That modem, once you choose PPPoE<->PPPoA passthrough disables NAT and Firewall, also DHCP is disabled….a dumb modem.
My pfSense unit takes care of what it can do better than a 25 euro combo modem/router.
In the past I had a half-bridge configuration, using a Netgear WNDR3700 router (running openWRT, arokh builds) coupled to a Digicom Modem (it supported half bridge), pfSense seems not to support half-bridge scenarios.
Just my experience, ADSL 20/1.