Security Architecture for Home
I would like to integrate a PFSense firewall into my home network but before I do, I was hoping some security experts could advise on how best to do so. My reason is that I do not trust my ADSL router. My current setup is simple: an ISP supplied ADSL router with WiFi that I connect various devices to.
My questions are as follows:
Should I place the PFSense firewall in front of the ADSL router or behind?
If I place the PFSense firewall in front of the ADSL router can I still connect a WiFi AP to the firewall for devices on my LAN to connect to, i.e. can I use both the ADSL AP AND the PFSense AP?
Can I still connect remotely to devices on my LAN i.e. from the Internet?
Can I still host a web-server using a spare firewall port?
Is there any design documentation that is available to help beginners assess the various configuration options/trade-offs?
Many thanks for your time!
The ADSL router likely has a copper-wire telephone-style physical connection that does the ADSL modulation stuff. That physical interface will be needed at the telephone cable coming into your home. So you are stuck with leaving the ADSL device at the very front.
Typically you would put it into a "bridged mode" so that it just forwards everything through to its LAN (ethernet) side, then connect pfSense WAN to the ADSL device "LAN". Then pfSense WAN gets the real IP address from your ISP, and whatever public services they are letting you do/provide.
If the ADSL device does not "bridge", then you can just make it port forward everything from its WAN side to some private IP on its LAN side, and put pfSense WAN at that IP. That way of doing it does mean that there is an extra layer of NAT happening, and pfSense WAN does not directly have the IP allocated by the ISP.
Then you put an AP on the LAN side of pfSense to do WiFi.
Note: If you are using method (2) above, then it is possible to turn off DHCP on the ADSL device, turn on DHCP server on pfSense WAN (giving private IPs in that ADSL-LAN-to-pfSense-WAN subnet to the ADSL device WiFi clients), then NAT those back out WAN (so that they route symmetrically: client WiFi device <-> pfSense WAN <-> ADSL "LAN" <-> ADSL WAN <-> ISP/internet). But that is all quite tricky when fault-finding or explaining it to someone else. Usually it is easiest to just put another AP on the true pfSense LAN side.
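A practical way to confirm which of the two placements you actually ended up with (bridged modem, method 1, versus an extra NAT layer, method 2) is to look at the address pfSense received on WAN and at how many private-range hops a traceroute from a LAN client passes before reaching the ISP. The script below is an added example written for this answer, not pfSense's own code; the traceroute text and the addresses in it are constructed (the 203.0.113.x and 198.51.100.x ranges are documentation ranges standing in for the ISP's side), and the `check_wan_address` / `nat_layers_from_traceroute` names are my own. It also flags a carrier-grade NAT (100.64.0.0/10) address on WAN, which is the one case where neither placement lets inbound connections from the Internet reach the LAN.

```python
"""Check whether pfSense sits at the true network edge or behind a second NAT.
Added example for this answer; not code from pfSense or the original poster."""
import ipaddress
import re
from typing import Dict, List, Optional

# Address space that can never be the ISP-facing side of the link.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 carrier-grade NAT pool


def classify(addr: str) -> str:
    """Return 'rfc1918', 'cgnat' or 'public' for an IPv4 address string."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if ip in CGNAT:
        return "cgnat"
    return "public"


def check_wan_address(addr: str) -> str:
    """Interpret the address pfSense obtained on its WAN interface."""
    kind = classify(addr)
    if kind == "public":
        return "bridged"      # pfSense holds the ISP-assigned address: method (1)
    if kind == "rfc1918":
        return "double-nat"   # pfSense WAN is on the ADSL router's LAN: method (2)
    return "cgnat"            # ISP NATs upstream; no inbound port forward can reach you


_HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")           # "<hop number>  <rest>"
_IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_hops(traceroute_output: str) -> List[Optional[str]]:
    """Extract the responding address of each hop; None for a '* * *' timeout."""
    hops: List[Optional[str]] = []
    for line in traceroute_output.splitlines():
        m = _HOP_RE.match(line)
        if not m:
            continue                      # header line, not a hop
        ipm = _IPV4_RE.search(m.group(2))
        hops.append(ipm.group(1) if ipm else None)
    return hops


def nat_layers_from_traceroute(traceroute_output: str) -> Dict[str, object]:
    """Count consecutive private hops before the first public one.
    From a client on the pfSense LAN: 1 private hop means the modem is bridged,
    2 means pfSense WAN sits behind the ADSL router's own NAT."""
    leading_private = 0
    for hop in parse_hops(traceroute_output):
        if hop is None:                   # timeout before reaching a public hop
            return {"private_hops": leading_private, "verdict": "inconclusive"}
        if classify(hop) == "public":
            break
        leading_private += 1
    verdict = {1: "bridged", 2: "double-nat"}.get(leading_private, "unexpected")
    return {"private_hops": leading_private, "verdict": verdict}


# Constructed sample output, as `traceroute 1.1.1.1` might print from a LAN client
# when the ADSL router is NOT bridged: pfSense (192.168.1.1), then the ADSL
# router (192.168.0.1), then the ISP.
SAMPLE_DOUBLE_NAT = """\
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  0.412 ms  0.380 ms  0.360 ms
 2  192.168.0.1 (192.168.0.1)  1.105 ms  1.090 ms  1.070 ms
 3  203.0.113.1 (203.0.113.1)  14.200 ms  14.010 ms  13.900 ms
 4  198.51.100.9 (198.51.100.9)  15.100 ms  15.050 ms  14.980 ms
"""

# Constructed sample for the bridged case: only pfSense before the ISP.
SAMPLE_BRIDGED = """\
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  0.401 ms  0.377 ms  0.355 ms
 2  203.0.113.1 (203.0.113.1)  13.900 ms  13.850 ms  13.700 ms
 3  * * *
"""

if __name__ == "__main__":
    print("WAN 203.0.113.45 ->", check_wan_address("203.0.113.45"))
    print("WAN 192.168.0.2  ->", check_wan_address("192.168.0.2"))
    print("WAN 100.70.1.2   ->", check_wan_address("100.70.1.2"))
    print("traceroute (unbridged):", nat_layers_from_traceroute(SAMPLE_DOUBLE_NAT))
    print("traceroute (bridged):  ", nat_layers_from_traceroute(SAMPLE_BRIDGED))
```

Run the traceroute from a wired client on the pfSense LAN rather than from pfSense itself, otherwise the first private hop is missing and the counts shift by one. The address-range checks are written out explicitly because Python's `is_private` also treats the documentation ranges used in the samples as private, which would mislabel the ISP hop here.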