    Why should pfSense sit behind ISP modem?

    General pfSense Questions
    pastic:

      Hi,
      As a security-minded Linux aficionado, admittedly amateur, running my own Freenas server with a VM with Nextcloud as an alternative to dropbox, I was given a pfSense SG-4860 when it fell into disuse at its previous owner's. I am wondering how to best put it to work at home.

      In the manual it says to install it behind the ISP-provided modem (internet->ISPmodem->pfSense->all my computers, tablets and servers). That leaves the ISP-modem (often cheapo modems) vulnerable to being hacked and DNS-hijacked and things like that.

      Doesn't that to a certain degree defeat the point of having a capable firewall to prevent attacks and hijackings so that I am secure when I do my online banking?

      Or should I think of pfSense only in terms of inbound security?

      Thanks

      JKnott:

        How would you propose to place pfSense ahead of the modem? That side of it is either TV cable or DSL, neither of which is compatible with a router. My cable modem is in bridge mode, so all it does is transparently pass the IP traffic. The modem would be accessible by tech support at my ISP, but not someone out on the 'net.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 64 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        TheNarc:

          You can't put it in front of the modem, but it's also important to note that a lot of ISPs provide modem/router combination boxes that are more than just a modem. If you have one of those, then you would want to put it into bridge mode, per @JKnott's comment, to disable its router functionality and make it just a modem. If that's the situation you're in, just search for "bridge mode" plus the model number of the device your ISP gave you and you'll hopefully find instructions. But if your ISP box is already just a plain modem, then you're set: wall jack -> modem -> pfSense.

          pastic:

            Thanks for your replies! So bridging the router/modem from my ISP seems to be the way to go.

            Maybe I am too influenced by bad technology journalists, but I keep thinking that hacked ISP routers are one of those weak points of internet security that is not getting the attention it "deserves". But perhaps I am mistaken?

            Maybe a bridged router/modem can't be (DNS-)hacked?

            Please excuse the naive questions, but I am trying to level-up.

            JKnott:

              If the modem is in bridge mode, there isn't any way for someone to attack it, outside of the ISP. My modem does have a status interface at 192.168.100.1, but that wouldn't be reachable over the internet. Also, since it's status only, there's nothing to change. It's possible to change things in gateway mode, but that's not available, since it's in bridge mode. I don't even know if that is reachable from the 'net, as some devices don't allow access from the WAN side, even ignoring the fact that the IPv4 address is NAT. I don't recall if there's an IPv6 address available for config.

              BTW, I have read some articles, where it's obvious the author doesn't know what they're talking about.


              TheNarc:

                I'm not a network security expert, but I think it's fair to say that anything that's attached to the Internet can, with sufficient determination and resources, be successfully attacked. So everything comes down to threat modeling: against whom are you trying to protect yourself? Generally speaking, home users aren't going to come under attack by determined and well-resourced foes.

                Another thing to keep in mind is that, generally speaking, the "attack surface" of your home network begins with your WAN IP (i.e. the Internet-facing IP address assigned to you by your ISP). When your modem/router is in bridge mode, that IP is given to whatever piece of equipment is next in line, which in your case will be pfSense. In that way, pfSense becomes the "owner" of that attack surface, instead of the modem/router.

                So with that configuration, and as long as you configure pfSense itself properly, you ought to be in a good spot security-wise.

                jahonix (replying to pastic):

                  @pastic said in Why should pfSense sit behind ISP modem?:

                  vulnerable to being hacked and DNS-hijacked

                  In bridge mode the device is only a translator of data packets from one format to another. You don't see it from the internet and as such it's extremely hard to hack it.
                  DNS-hijacking is something your PC can suffer from but not your modem. It doesn't need DNS resolution, does it? pfSense should be able to take care of that, though (e.g. DNS over TLS for pfSense and only allow pfSense's DNS server for hosts).

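As an added illustration, not posted by anyone in this thread, here is the "only allow pfSense's DNS server for hosts" half of jahonix's suggestion written as the pf(4) rules pfSense would generate from its LAN firewall rules page; the interface name igb1, the 192.168.1.0/24 LAN and the 192.168.1.1 firewall address are assumed:

```pf
# Assumed LAN interface and addressing (pfSense fills these in from its GUI).
lan_if   = "igb1"
lan_net  = "192.168.1.0/24"
lan_addr = "192.168.1.1"

# 1. Let LAN hosts reach the firewall's own resolver (Unbound) on TCP and UDP 53.
pass in quick on $lan_if proto { tcp, udp } from $lan_net to $lan_addr port 53

# 2. Block, and log, DNS to anywhere else: plain DNS on 53 and DNS over TLS on 853.
#    A PC whose resolver setting has been changed by malware then shows up in the
#    firewall log instead of quietly bypassing pfSense. (DNS over HTTPS rides on
#    443 and cannot be caught by a port rule like this.)
block in log quick on $lan_if proto { tcp, udp } from $lan_net to any port { 53, 853 }

# 3. The usual default LAN rule; it sits below the two above because of "quick".
pass in quick on $lan_if from $lan_net to any
```

The other half, pfSense itself forwarding over DNS over TLS, is set on the firewall's DNS Resolver page rather than in rules, and only needs the forwarding servers to support port 853.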
                    pastic:

                    Thanks everyone!
                    Now, a bit wiser, I know how to proceed.
