PRO's and CON's of having a modem in bridge mode
-
Thank you sir! Well noted example for divide/conquer in case of troubleshooting.
-
Like Phil said, but even if remote sites have no IT, if you can build redundancy into your net access, you've got mobile/cellular 2/3/4G, mesh networks and satellite internet modems which can also be used to handle bandwidth and so mitigate against leaving a router in DMZ mode to pfSense. Besides, if you have another basic fw/router in front of pfSense, how can you spot the potential hacks as easily, to keep abreast of changing tactics?
It strikes me how many businesses/people rely on internet access, go to great efforts with redundancy in rack servers, RAID-x hard drives, etc., but don't realise their business could be harmed considerably by a natural/man-made event that takes their sole net access down for a couple of days. Even something simple, like the ISP messing up the allocated fixed IP addresses, can be bad for business.
So CARP'ed firewalls with a couple of methods to connect to the net are always useful, even for just smoothing bandwidth consumption during peak times. So that's an alternative POV to leaving remote sites with routers in bridge modem mode. Besides, even if on the road with no net access to hand because of driving, if you've done the configuration yourself and you get that call, it's been possible to talk people with little to no IT knowledge/experience through resolving most problems over the phone.
Another problem with a router DMZ'ing to pfSense is you can't control the wifi as easily, although it is getting better now with many ISP-supplied routers offering a single on/off schedule; plus you can't see who is borrowing your bandwidth in that situation or has hacked the router, although again ISP-supplied routers are now better than they were, say, 10 or 15+ years ago.
It's mainly a question of how far you take your net access redundancy, what matters most, etc.
-
Another problem with a router DMZ'ing to pfSense is you can't control the wifi as easily, although it is getting better now with many ISP-supplied routers offering a single on/off schedule; plus you can't see who is borrowing your bandwidth in that situation or has hacked the router
Yes, that is a problem. Once the "secret" password for the WiFi on that front-end device in a remote office is given to some local office person, it gets leaked all over and everyone has their mobile phones connected to it, sucking bandwidth that completely bypasses any pfSense traffic shaping or limiters. I really should turn those off and make a local fault-finding person have to physically plug in a network cable to get to the front end that bypasses pfSense.
-
Thanks to all that have posted their ideas. Anyway.
Are there any NAT issues with a modem used in conjunction with pfSense? Will this be considered double NAT?
This is one reason why I have placed the modem in bridge mode, so that there is only 1 NAT, done by pfSense only.
-
Exactly. No. There is no NAT done by the modem when it is in bridge mode.
There is little to debate about. If you can put your WAN device in bridge mode and make pfSense the first hop your provider sees, do it.
-
Exactly. No. There is no NAT done by the modem when it is in bridge mode.
There is little to debate about. If you can put your WAN device in bridge mode and make pfSense the first hop your provider sees, do it.
I am sorry for the confusion, sir. I was referring to the "non-bridge" mode type for the modem.
I'll try to update it as clearly as I can -
If you have to NAT on the first device, then NAT on the second, it's double NAT.
-
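To make the double-NAT point in the reply above checkable rather than a judgement call, here is an added example (not from the thread or from pfSense): it classifies the address pfSense holds on its WAN and counts translation layers. The ifconfig text is a constructed FreeBSD-style sample, and the "observed public IP" is assumed to come from any external what-is-my-IP service.

```python
import ipaddress
import re

# Address blocks that should never appear on the WAN of a firewall that is
# the provider's first hop. Seeing one there means a device in front of
# pfSense is still translating (double NAT) or the ISP runs carrier-grade NAT.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space

# Constructed sample: what a non-bridged modem typically hands pfSense on its WAN.
SAMPLE_IFCONFIG = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
"""

def wan_from_ifconfig(text: str) -> str:
    """Pull the IPv4 address out of FreeBSD/pfSense `ifconfig <wan>` output."""
    m = re.search(r"^\s*inet (\d+\.\d+\.\d+\.\d+)", text, re.MULTILINE)
    if not m:
        raise ValueError("no inet address found on the WAN interface")
    return m.group(1)

def classify_wan(wan_ip: str) -> str:
    """Say what the WAN address tells you about the device in front of pfSense."""
    ip = ipaddress.ip_address(wan_ip)
    if any(ip in n for n in RFC1918):
        return "double-nat"   # modem/router upstream is in router (NAT) mode, not bridge
    if ip in CGNAT:
        return "cgnat"        # ISP-side NAT; bridge mode on the modem cannot remove it
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_reserved:
        return "unexpected"   # WAN never got a usable lease or PPPoE session
    return "bridged"          # public address: pfSense is the provider's first hop

def nat_layers(wan_ip: str, observed_public_ip: str) -> int:
    """Count NAT layers between the LAN and the Internet.

    pfSense always contributes one layer for its LAN; if the address the
    outside world sees differs from the WAN address, something upstream
    rewrote the source a second time.
    """
    layers = 1
    if ipaddress.ip_address(wan_ip) != ipaddress.ip_address(observed_public_ip):
        layers += 1
    return layers

if __name__ == "__main__":
    wan = wan_from_ifconfig(SAMPLE_IFCONFIG)
    print(wan, classify_wan(wan), nat_layers(wan, "203.0.113.45"))
```

A "double-nat" or "cgnat" result explains port forwards that never arrive at pfSense; only the first case is fixed by putting the modem in bridge mode.
-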
Yes, that is a problem. Once the "secret" password for the WiFi on that front-end device in a remote office is given to some local office person, it gets leaked all over and everyone has their mobile phones connected to it, sucking bandwidth that completely bypasses any pfSense traffic shaping or limiters. I really should turn those off and make a local fault-finding person have to physically plug in a network cable to get to the front end that bypasses pfSense.
Just like Dell, HP et al. sticking Windows serial number labels on their PCs for staff to copy and use/sell elsewhere, hence the change to the Microsoft funding model by going to a franchise method with Windows 10, as software companies now get charged annually to pay for apps to go through the MS app store.
-
Exactly. No. There is no NAT done by the modem when it is in bridge mode.
There is little to debate about. If you can put your WAN device in bridge mode and make pfSense the first hop your provider sees, do it.
Why specifically? Other than a few ambiguous comments, and a mention of wireless security/compatibility, why wouldn't a capable VDSL modem be desirable to handle PPPoE connections?
The simplest answer would be that you don't get, or cannot use as easily, most functions people require (or expect): NAT/port forwarding, firewall rules, general security, live status, widgets, packages, more features and a testing environment (make an interface change on the router and you don't lose PPPoE with the outside world; make an interface change on the modem and you'll likely lose your connection).
I understand why people think it would be a good idea: the modem is the first spokesperson to the outside world. It seems logical that its job would be to also make and manage the connection to the WAN.
-
Do what you want.
-
I have a PPPoA ISP; my Draytek 120 is connected to pfSense in bridge mode: no issues, no lag, no problem. That modem, once you choose PPPoE<->PPPoA passthrough, disables NAT and firewall, and DHCP is disabled too... a dumb modem.
My pfSense unit takes care of what it can do better than a 25 euro combo modem/router.
In the past I had a half-bridge configuration, using a Netgear WNDR3700 router (running OpenWrt, arokh builds) coupled to a Digicom modem (it supported half bridge); pfSense seems not to support half-bridge scenarios.
Just my experience, ADSL 20/1.