Consensus on pfS. with Sky broadband, replace Sky router or attach via DMZ?



  • I have UK Sky Broadband at home. I want to get some experience with using pfSense.

    The Sky router (model SR102) does not have a bridge mode and Sky make using another modem quite tricky. Is there a consensus on which is better -
    1.  Extract the user name/password and get alternative hardware to use as a bridge or
    2.  Attach a pfSense box via the DMZ of the Sky provided ADSL modem/router?
    3.  Something I haven't thought of.

    What are the pros and cons of each? Thanks.



  • Get an openreach modem off fleebay. you no longer need to extract username and password, you could use mypfsense@skydsl|abxdef123 as the option61 string and it would work. Then connect up pfsense and away you go. There are quite a few of us running pfSense on Sky. Goto http://www.skyuser.co.uk/forum/ and enter pfSense as a search param, you'll find plenty of info.

    Using the existing Sky router is no use as it does not support bridge mode therefore you'll end up with a double NAT, thus making life a lot harder.

    Here's a link to a page that will show you how to setup pfSense with Sky, using an Openreach modem.

    http://www.skyuser.co.uk/forum/ipv6/58986-sky-ipv6-settings-non-sky-routers-12.html



  • @marjohn56:

    Get an openreach modem off fleebay.

    Isn't that a FTTC gizmo? I'm on steam ADSL. As it happens I've got an old Draytek Vigor 120 and a TP-Link TD-8817 which has a bridge mode. I'm not sure if either can do MAC spoofing. Is that still required for ADSL?. Thanks.



  • The modem doesn't do the spoofing, the router does. Trying to think back to my ADSL days…

    I used to run a Billion 7800 and that worked fine, any modem/router you have that can do bridge mode should work, then  you set up the correct settings in pfSense. Have a look on the SkyUser forum I mentioned in my previous message, you should find out all you need there, people have been using alternatives to the Sky supplied routers long before FTTC.



  • @marjohn56:

    you'll end up with a double NAT,

    Does the 'double NAT' problem occur when using the DMZ route as well, I thought the DMZ was on the outside (internet side) of the firewall/Network Address Translation? This page suggests using DMZ as a solution to double NAT.  http://www.practicallynetworked.com/networking/fixing_double_nat.htm
    Confused now…



  • DMZ will cause double NAT.

    Internet -> Sky Router/Modem ->( DMZ  192.168.1.1 )-> Second Router ( 192.168.2.1 ) = Double Nat

    Internet ->Modem ( Bridged Mode - WAN IP) -> Second Router ( 192.168.1.1 ) = No Double NAT

    Does that make sense?

    All a DMZ does is pass everything through to a specific address, it still NAT's it.

    That link is not working, for me at least.



  • Hmmm, there's a lot of misinformation out there suggesting DMZ is the solution to double NAT. The site I reference above is the first in a search on DuckDuckGo for 'double nat' , and has the following as one solution to the double NAT issue:

    "If you have a lot of ports to forward, doing them individually can get a bit cumbersome, so a simpler method is to configure the first NAT device to make your router's IP address the DMZ. This will hustle all incoming traffic through the first layer of NAT no questions asked, but when it hits your router it will be filtered or forwarded as appropriate.

    This comes up on a Netgear forum:

    "The second and easiest way around a double NAT situation like this would NORMALLY be DMZ. Putting our WNDR4500 WAN IP as our house owners DMZ IP is supposed to simply toss all port translations not having a port forward or UPNP link directly to our WNDR4500 router resolving in us not needing to manually port forward anything and all should be all good and dandy."

    So it's all a bit confusing for the lazy and hopeless like m'self.



  • I think it's the way it's written, it's misleading to say the least.