Some questions please
-
Thx. Yes, port forwarding I can do on the ISP router, no problem; I already tested that. Port forwarded on the ISP router, which got handled by the ASUS and got sent to a sample webserver on a Pi! Works great.
That VPN setup I will get back to in the future as that's my ideal goal! But better take it step by step!
Another question if I may.
Are there any caveats (read: precautions) I have to look out for when putting the pfsense in the DMZ? (edit 2: Any reading material ???)
Thx, really appreciated!
Edit: First step for me is to incorporate the pfsense in the network and let it handle DHCP / firewall etc. before going to the step of opening up the network to the outside world.
-
@iammike said in Some questions please:
I have to look out for when putting the pfsense in the DMZ?
No.. It's no different than if it was exposed to the public internet.. All the ISP router DMZ really is, is a big port forward of all traffic that hits its WAN.
Out of the box pfsense blocks all unsolicited inbound traffic to its wan..
edit: The point of the dmz thing on the isp router is so you don't have to set up port forwards on it.. Because you will be controlling what gets to your actual devices via port forwards on pfsense.
-
Update:
Pfsense ordered, coming in the next week or so.
I went again to my provider and asked about the DDNS, and they made me a better offer.
I now (in the next couple of days) have 1 (public) IP address and thus get rid of CG-NAT. And because of a promotion they are having I am getting an increase in speed from 100/100 -> 300/300 and 1 static IP address, all for the same monthly fee as before.
-
Yep, you can often get a better deal if you call your provider occasionally and see what they have to offer. I have done that several times with both my cable services and cell phone.
-
Thx, yes indeed, but we have only lived less than 1 year at this address, and normally they don't change promotions here until that year has passed. But now the contract for the "new" one is 2 years.
Okay, now for something completely different.
I am thinking of setting up the Netgate 1100 (which I ordered) like this.
ISP Modem network: 192.168.1.1
ISP Modem DMZ: 192.168.1.2
Pfsense wan: 192.168.1.2
Pfsense lan: 10.0.0.1
Would this work in my case?
TiA
-
Makes no difference what rfc1918 space you use.. As long as your wan and lan do not overlap.
I sure hope you don't plan on using 10.0.0.0/8 as your mask for your lan ;) I would assume /24 is more than enough for your devices.
Also just clarification on terminology.. The isp "network" would not be 192.168.1.1, that is a host address. 192.168.1.0/mask would be a network.
With your new deal with your isp - is there a way to get rid of the double nat, and just put your isp device in bridge mode, so you get your shiny new public IP directly on pfsense wan?
-
@johnpoz said in Some questions please:
Thanks for the clarification. Yes, I will use 10.0.0.0/24 for my LAN.
With your new deal with your isp - is there a way to get rid of the double nat, and just put your isp device in bridge mode, so you get your shiny new public IP directly on pfsense wan?
Unfortunately NO, I asked but it was a BIG NO-NO (why, no idea; they wouldn't give me an explanation), but I will try and ask again in a couple of weeks, and will also "pester" their phone support.
-
I thought you said you were getting a public IP.
"I went again to my provider and asked about the DDNS, and they made me a better offer."
-
@jknott said in Some questions please:
I thought you said you were getting a public IP.
"I went again to my provider and asked about the DDNS, and they made me a better offer."
Yes, I am getting (already have) a public IP address (1.4.x, which shows both in the WAN section of the ISP router and in What's my IP), but the question from @johnpoz was about them putting the ISP modem in bridge mode so that the pfsense can handle everything, and they refused to do that.
Edit: Or do you mean something else?
-
Sorry if this is off topic, remove it if it is.
Question about connecting to a remote server through a VPN when the local network subnet address is the same as the remote network.
My friend started to get enthusiastic about what I am trying to do with the pfsense. His network is identical to mine (so 10.0.0.0/24 for the LAN, same as mine).
After setting up the VPN server on his ASUS, connecting with an iPhone via 4G works great, but when connecting with the PC in my house I can't connect.
The VPN is connected and it also shows in the Asus that I am connected.
My guess is it has something to do with the local network subnet address being the same as the remote network. (Both 10.0.0.0/24)
Correct or am I missing something here?
-
@iammike said in Some questions please:
Correct or am I missing something here?
You're not... Why would traffic go down a vpn tunnel to get to 10.0.0.X if 10.0.0 is the local network..
Use something different than 10.0.0, it's COMMON! Just like 192.168.0 or 192.168.1 are.. Use 10.42.0/24 for example for your network.
Then you don't have a problem except for the idiots using 10/8 for their local network ;)
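An added example (not code from any poster in this thread) of the routing decision behind the two points above: a host picks the longest-prefix route and, on a tie, the directly connected LAN wins, so 10.0.0.x never enters the tunnel when both ends use 10.0.0.0/24; the same overlap test covers the earlier WAN vs LAN check. The interface names and metrics are constructed assumptions, not taken from any real device.

```python
import ipaddress

Net = ipaddress.IPv4Network


def routes_for(local_lan, remote_lan):
    """Constructed host routing table: (network, interface, metric).
    Interface names and metrics are assumptions, not from a real device."""
    return [
        (Net("0.0.0.0/0"), "wan", 100),   # default route via the home router
        (Net(local_lan), "lan", 0),       # directly connected house LAN
        (Net(remote_lan), "tun0", 10),    # route pushed by the VPN server
    ]


def select_interface(routes, dst):
    """Longest-prefix match; the lower metric breaks a tie (how a host routes)."""
    dst = ipaddress.IPv4Address(dst)
    candidates = [(net.prefixlen, -metric, iface)
                  for net, iface, metric in routes if dst in net]
    return max(candidates)[2] if candidates else None


def overlapping(a, b):
    """True when two prefixes share any address (WAN vs LAN, or LAN vs VPN)."""
    return Net(a).overlaps(Net(b))


if __name__ == "__main__":
    # Both ends on 10.0.0.0/24: the friend's host 10.0.0.5 is sent to the
    # local LAN, never into the tunnel, even though the VPN says "connected".
    clash = routes_for("10.0.0.0/24", "10.0.0.0/24")
    print(select_interface(clash, "10.0.0.5"))    # lan
    # Distinct ranges (the house-number idea): the remote host goes down tun0.
    fixed = routes_for("10.124.0.0/24", "10.95.0.0/24")
    print(select_interface(fixed, "10.95.0.5"))   # tun0
    print(overlapping("192.168.1.0/24", "10.124.0.0/24"))  # False
```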
-
Thx for the confirmation.
Now I have to start arguing with my friend about who is going to change their network.
Thx again, really appreciated.
-
There are ways around it with nat.. But why, when you both should change to something not so "common"
-
@johnpoz said in Some questions please:
There are ways around it with nat.. But why, when you both should change to something not so "common"
Thx, but no I don't want that (read: ways around it). I am just experimenting with this (on the ASUS) till the pfsense arrives, and this exercise was a good learning experience.
And using the pfsense for this will be the goal (and I think my friend is going to order one as well) and the ASUS will end up being only a Wifi AP.
So any range in the 10.0.0.0 would do?
For example
Me 10.124.0.0/24 and him 10.95.0.0/24 ?
PS: Why these numbers? They are our house numbers.
-
ASUS routers get regular updates as well as pfsense.
They have WiFi built in and can do mesh, which is important if you have a multistory house.
Pfsense is a homelab/small business firewall and nothing else.
-
@cool_corona said in Some questions please:
ASUS routers get regular updates as well as pfsense.
They have WiFi built in and can do mesh, which is important if you have a multistory house.
Pfsense is a homelab/small business firewall and nothing else.
Thx for your comments, but
-
I think the pfsense is a better firewall than the Asus (and it also has more options; for example the ASUS VPN server only has PPTP and OpenVPN), and reading the threads on here, I think I am right about this!
-
I will keep the Asus but only as a WiFi AP (and my RT-AC58U, though it supports OpenWrt, the installation goes way over my head: it requires soldering a pin header on the router PCB). https://openwrt.org/toh/asus/rt-ac58u
-
Even if the pfsense is only a small business firewall I don't mind spending the 179 USD (excl. shipping) to get to know it a bit better, or I could have saved 179 USD and bought something on AliExpress, but I'd rather have the real deal to tinker with.
Maybe it's not right for me but I really don't mind the learning experience in doing so! And thanks to @johnpoz and @JKnott and the whole forum I think I am getting my money's worth.
-
Do you plan to use many VPN services at any given time?
ASUS supports OpenVPN and it doesn't fit your purpose?
-
@cool_corona said in Some questions please:
Do you plan to use many VPN services at any given time?
ASUS supports OpenVPN and it doesn't fit your purpose?
Maybe not, but am I not allowed to use the pfsense for this and must I use the Asus just because I have it?
Just want to expand my experience/knowledge
-
@iammike said in Some questions please:
just because I have it?
Yes - you're not allowed to switch your devices. Once you buy X, you're locked in to using X forever. You can never switch brands, you can never move to more feature rich anything..
You can never outgrow this device X, and must use it now until the end of time.
Nor can you leverage it for anything else but your 1 everything box /S
Did you not read the small print on the EULA you agreed to when you fired it up the first time? hehehe