Insert SG-1100 between existing cable modem and router

NGUSER6947

Good progress but not quite there.

I have my AP set up as a Bridge. SG gives each device (both wired and wireless) IP addresses via DHCP. I can ping any other device from any device, on the LAN. But nothing gets out to the internet (or back).

In the SG my Dashboard shows all green up arrows for everything, except OPT which I haven't done anything with.

In the Firewall, I added 4 rules: tcp and udp "pass" for both ip4 and ip6. They are green-checked. They are below the built-in rfc 1918 and reserved rules.

I suspect I have a something blocking traffic but not sure what.

NGUSER6947

Success! I realized I needed to create Firewall rules to allow tcp and udp on the LAN side.

Appreciate all your help #KOM! Very grateful.

johnpoz

@NGUSER6947 said in Insert SG-1100 between existing cable modem and router:

I needed to create Firewall rules to allow tcp and udp on the LAN side.

No if its the default lan it would be any any rule out of the box.. You only need to create rules on new interfaces/vlans OPTX, the out of the box lan defaults to any any rule.

In the Firewall, I added 4 rules: tcp and udp "pass" for both ip4 and ip6.

You didn't create rules on your WAN did you?

KOM

Please post screens of your WAN, LAN and OPT1 rules so we can check them out for you.

NGUSER6947

Ok.
Wan:

Lan:

I realize this probably isn't "firewalling" much of anything right now. My plan was to get everything on my network operating then research how to set up the best rules and lock the device down.

KOM

Rules are evaluated top-down, first match wins. No other rules are processed after a hit.

On your WAN, get rid of those last four allow rules.

On your LAN, also get rid of those last 4 rules. The second rule is already passing all IP4 traffic. Those other rules you added aren't really doing anything. If you're not using IP6 then go to System - Advanced - Networking and disable IP6 there.

NGUSER6947

Ok done. And, everything still works. Thanks folks for the help.

KOM

https://docs.netgate.com/pfsense/en/latest/firewall/firewall-rule-basics.html

KOM

If you do disable IP6, don't forget to go back to your LAN rules and delete the IP6 ones you manually added.

johnpoz

There you go - much better ;)

See no need to have created any rules..

NGUSER6947

Thank you both.

So with the "factory" rules (only) in place, am I better protected than without the SG, or not really until I start creating more specific rules?

KOM

Yes. Default rules allow all traffic out from LAN, and block all unsolicited traffic in to WAN.

johnpoz

depends - with the default rules nothing has been forwarded from wan/internet to your behind pfsense router that is for sure.

Not sure why you want or think you need another router behind pfsense.. If you want wireless - then just use an AP.

edit
What is this exactly "Ubiquiti wife router." Do you mean an AP like an AC-Pro or -Lite? What is the model number of this device? you have from unifi?

NGUSER6947

@johnpoz. It is an AirRouter. I have it set up in bridge mode. Although most of my gear is hard-cabled, I have a couple of devices I can only get to via wifi.

Courierdog

@johnpoz Courierdog here and I have a similar requirement.
My ISP provides the Fibre ONT (Modem) to their ISP Router.
The ISP Router also provides the IP TV and the ISP provided Home Security System
From the ISP Router I feed a Bitdefender Box 2 (WiFi Router)
The Netgate SG-1100 does not have WiFi
I would like to configure the SG-1100 so all the ethernet LAN connections pass through the SG-1100 which then connects to the Home Network Switch.
The ISP Router provide the Internet connection
The Bitdefender Box 2 provides the monitored WiFi Access Point
The Netgate SG-1100 provides the Firewall for the Home Ethernet network
I have in the past used a Router with Tomato Firmware whereI now want to place the Netgate SG-1100
I configured the Tomato Router as a static IP addressed Bridge using one address within the range of the Bitdefender Box 2 DHCP range of addresses.
I am unsure if the Netgate SG-1100 can be configured this way or would it have to be placed in front of the Access Point which would have to be configured as the Bridge.
Thanks in advance

stephenw10

It can be configured as a transparent firewall like that but doing so requires bridging VLANs.

It's almost always better to avoid bridging if you can.

An Access Point would normally be a layer 2 device anyway, no need to bridge anything or already internally bridged.

I'm unclear where the USP router fits in here. Potentially you have 3 routers with 3 levels of NAT. Really you want 1.

Steve

Courierdog

@stephenw10
We have no option on the ISP Router That Must stay in place.
However, I have revised my thoughts.
ISP Router -> Netgate SG-1100 Firewall - ASUS RT N66U (WiFi AP) -> Home Network Switch
This requires me to reassign the SG-1100 LAN IP
Currently the SG-1100 Put me directly to the Dashboard this is not what the User Guide states.
At this point I am lost.
I may be Somewhat of a newbie but the SG-1100 is not following the Documentation.
Dave

johnpoz

@courierdog said in Insert SG-1100 between existing cable modem and router:

Currently the SG-1100 Put me directly to the Dashboard this is not what the User Guide states.
At this point I am lost.

Huh?? When you setup the sg1100, yeah would be able to access the web gui, on the default 192.168.1.1 IP - unless you changed it?

Directly to the dashboard of what - how or where does it say in the documentation anything different?

stephenw10

I assume you mean you're not seeing the setup wizard?

That can happen if it was previously launched and then escaped but you can run it again at any time fro System > Setup Wizard.

Steve

Courierdog

@johnpoz
Problem is the ISP uses the 192.168.1.1 LAN IP address so I have to change it.
The guide says go to Advanced - Option 2

When I login, I am sent directly to the dashboard

The setup wizard does not appear.

Even if I set up using and empty WAN port and connect my Mac directly to the LAN port, Login takes me directly to the Dashboard.
Very strange.