Netgate Discussion Forum
    Security Architecture for Home

    Problems Installing or Upgrading pfSense Software
    • coppet

      Hi All,

      I would like to integrate a pfSense firewall into my home network, but before I do, I was hoping some security experts could advise on how best to do so. My reason is that I do not trust my ADSL router. My current setup is simple: an ISP-supplied ADSL router with WiFi that I connect various devices to.

      My questions are as follows:

      Should I place the pfSense firewall in front of the ADSL router or behind?
      If I place the pfSense firewall in front of the ADSL router, can I still connect a WiFi AP to the firewall for devices on my LAN to connect to, i.e. can I use both the ADSL AP AND the pfSense AP?
      Can I still connect remotely to devices on my LAN i.e. from the Internet?
      Can I still host a web-server using a spare firewall port?

      Is there any design documentation that is available to help beginners assess the various configuration options/trade-offs?

      Many thanks for your time!

      • phil.davis

        The ADSL router likely has a copper-wire telephone-style physical connection that does the ADSL modulation stuff. That physical interface will be needed at the telephone cable coming into your home. So you are stuck with leaving the ADSL device at the very front.

        1. Typically you would put it into a "bridged mode" so that it just forwards everything through to its LAN (ethernet) side, then connect pfSense WAN to the ADSL device "LAN". Then pfSense WAN gets the real IP address from your ISP, and whatever public services they are letting you do/provide.

        2. If the ADSL device does not "bridge", then you can just make it port forward everything from its WAN side to some private IP on its LAN side, and put pfSense WAN at that IP. That way of doing it does mean that there is an extra layer of NAT happening, and pfSense WAN does not directly have the IP allocated by the ISP.

        Then you put an AP on the LAN side of pfSense to do WiFi.

        Note: If you are using method (2) above, then it is possible to turn off DHCP on the ADSL device, turn on DHCP server on pfSense WAN (giving private IPs in that ADSL-LAN-to-pfSense-WAN subnet to the ADSL device WiFi clients), then NAT those back out WAN (so that they route symmetrically - client WiFi device<->pfSense WAN <-> ADSL "LAN" <-> ADSL WAN <-> ISP/internet). But that is all quite tricky when fault-finding or explaining it to someone else. Usually it is easiest to just put another AP on the true pfSense LAN side.

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/
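A quick way to tell which of the two layouts in the reply above is actually in effect, as an added example that is not part of the original posts: classify the address on pfSense WAN and check it against the pfSense LAN subnet. The function names and sample addresses are assumptions made for illustration; the carrier-grade NAT case and the subnet-overlap check go beyond what the reply covers.

```python
import ipaddress

# Ranges that are never the ISP-allocated public address.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space


def classify_wan(wan_ip):
    """Map the pfSense WAN address to the layout it implies."""
    ip = ipaddress.ip_address(wan_ip)
    if any(ip in net for net in RFC1918):
        return "double-nat"   # method 2: ADSL device still routes and NATs
    if ip in CGNAT:
        return "cgnat"        # ISP itself NATs; inbound access needs ISP help
    return "bridged"          # method 1: WAN holds the ISP-assigned address


def check_topology(wan_if, lan_if):
    """wan_if and lan_if are 'address/prefix' strings for the pfSense interfaces."""
    wan = ipaddress.ip_interface(wan_if)
    lan = ipaddress.ip_interface(lan_if)
    mode = classify_wan(str(wan.ip))
    findings = []
    if mode == "double-nat":
        # Inbound services need a forward on the ADSL device AND on pfSense.
        findings.append("double-nat")
        # Same subnet on both sides of pfSense breaks routing; renumber the LAN.
        if wan.network.overlaps(lan.network):
            findings.append("subnet-overlap")
    return mode, findings


if __name__ == "__main__":
    # Constructed sample values: ADSL device LAN is 192.168.1.0/24.
    for wan, lan in [("192.168.1.2/24", "192.168.1.1/24"),
                     ("192.168.1.2/24", "192.168.10.1/24"),
                     ("203.0.113.10/32", "192.168.10.1/24")]:
        print(wan, lan, check_topology(wan, lan))
```

Devices that stay on the ADSL device's own WiFi sit outside pfSense in either layout, so this check says nothing about them.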

        1 Reply Last reply Reply Quote 0
        • First post
          Last post
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.