Why should pfSense sit behind ISP modem?

  • Hi,
    As a security-minded Linux aficionado, admittedly amateur, running my own Freenas server with a VM with Nextcloud as an alternative to dropbox, I was given a pfSense SG-4860 when it fell into disuse at its previous owner's. I am wondering how to best put it to work at home.

    In the manual it says to install it behind the ISP-provided modem (internet->ISPmodem->pfSense->all my computers, tablets and servers). That leaves the ISP-modem (often cheapo modems) vulnerable to being hacked and DNS-hijacked and things like that.

    Doesn't that to a certain degree defeat the point of having a capable firewall to prevent attacks and hijackings so that I am secure when I do my online banking?

    Or should I think of pfSense only in terms of inbound security?


  • How would you propose to place pfSense ahead of the modem? That side of it is either TV cable or DSL, neither of which are compatible with a router. My cable modem is in bridge mode, so all it does is transparently pass the IP traffic. The modem would be accessible by tech support at my ISP, but not someone out on the 'net.

  • You can't put it in front of the modem, but it's also important to note that a lot of ISPs provide modem/router combination boxes that are more than just a modem. If you have one of those, then you would want to put it into bridge mode, per @JKnott's comment, to disable its router functionality and make it just a modem. If that's the situation you're in, just search for "bridge mode" plus the model number of the device your ISP gave you and you'll hopefully find instructions. But if your ISP box is already just a plain modem, then you're set: wall jack -> modem -> pfSense.

  • Thanks for your replies! So bridging the router/modem from my ISP seems to be the way to go.

    Maybe I am too influenced by bad technology journalists, but I keep thinking that hacked ISP routers are one of those weak points of internet security that is not getting the attention it "deserves". But perhaps I am mistaken?

    Maybe a bridged router/modem can't be (DNS-)hacked?

    Please excuse the naive questions, but I am trying to level-up.

  • If the modem is in bridge mode, there isn't any way for someone to attack it, outside of the ISP. My modem does have a status interface at, but that wouldn't be reachable over the internet. Also, since it's status only, there's nothing to change. It's possible to change things in gateway mode, but that's not available, since it's in bridge mode. I don't even know if that is reachable from the 'net, as some devices don't allow access from the WAN side, even ignoring the fact that the IPv4 address is NAT. I don't recall if there's an IPv6 address available for config.

    BTW, I have read some articles, where it's obvious the author doesn't know what they're talking about.

  • I'm not a network security expert, but I think it's fair to say that anything that's attached to the Internet can, with sufficient determination and resources, be successfully attacked. So everything comes down to threat modeling: against whom are you trying to protect yourself? Generally speaking, home users aren't going to come under attack by determined and well-resourced foes.

    Another thing to keep in mind is that, generally speaking the "attack surface" of your home network begins with your WAN IP (i.e. the Internet-facing IP address assigned to you by your ISP). When your modem/router is in bridge mode, that IP is given to whatever piece of equipment is next in line, which in your case will be pfSense. In that way, pfSense becomes the "owner" of that attack surface, instead of the modem/router.

    So with that configuration, and as long as you configure pfSense itself properly, you ought to be in a good spot security-wise.

  • @pastic said in Why should pfSense sit behind ISP modem?:

    vulnerable to being hacked and DNS-hijacked

    In bridge mode the device is only a translator of data packets from one format to another. You don't see it from the internet and such it's extremely hard to hack it.
    DNS-hijacking is something your PC can suffer from but not your modem. It doesn't need DNS resolution, does it? pfSense should be able to take care of that, though (e.g. DNS over TLS for pfSense and only allow pfSense's DNS server for hosts).

  • Thanks everyone!
    Now, a bit wiser, I know how to proceed.

Log in to reply