Netgate Discussion Forum

(SOLVED) is it a good practice to disable the DSL routers firewall.

  • W
    whitekalu
    last edited by whitekalu May 1, 2019, 9:54 AM May 1, 2019, 4:59 AM

    Hello friends.
    I have a firewall enabled (with default firewall rules) from ISP on DSL routers in front of pfSense router.
    So I need your suggestion, should I disable the DSL routers firewall so that all firewall work is done via pfSense ?
    Or leave the DSL routers firewall turned ON as it will provide redundancy.
    Thanks

    • N
      NogBadTheBad
      last edited by May 1, 2019, 8:28 AM

      @whitekalu said in is it a good practice to disable the DSL routers firewall.:

      Hello friends.
      I have a firewall enabled (with default firewall rules) from ISP on DSL routers in front of pfSense router.
      So I need your suggestion, should I disable the DSL routers firewall so that all firewall work is done via pfSense ?
      Or leave the DSL routers firewall turned ON as it will provide redundancy.
      Thanks

      Can you put your DSL router into modem mode?

      I'm guessing that the IP address on your pfSense router is an RFC1918 address and you'll have a double NAT going on.

      Andy

      1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

      • W
        whitekalu
        last edited by May 1, 2019, 8:46 AM

        Hi NogBadTheBad.
        Yes pfSense is on RFC1918 and yes double NAT is going on.
        I don't know if I can configure the DSL router in modem mode.
        I can see an option that says use other router in cascading mode.
        Attached is the snapshot of my DSL router.
        Thanks

        routerSettings.JPG

        • N
          NogBadTheBad
          last edited by May 1, 2019, 8:47 AM

          What is the router out of interest ?

          Andy

          1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

          • W
            whitekalu @NogBadTheBad
            last edited by May 1, 2019, 9:07 AM

            @NogBadTheBad said in is it a good practice to disable the DSL routers firewall.:

            What is the router out of interest ?

            https://www.dslreports.com/hardware/Pace-5268AC-h4060

            • N
              NogBadTheBad
              last edited by May 1, 2019, 9:11 AM

              Ah looks like you can't :(

              https://forums.att.com/t5/AT-T-Fiber-Equipment/How-to-run-Pace-5268AC-in-simple-bridge-mode/td-p/5290058

              Andy

              1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

              • W
                whitekalu
                last edited by May 1, 2019, 9:42 AM

                Thank you NogBadTheBad.
                That was my bad luck. I should try DMZ+mode some time.
                But my divine question still remains unanswered.
                If my DSL Modem/Router was able to run in a simple bridge mode, is it good to give pfSense a WAN IP and do all the firewalling stuff, or is it more secure to have double NAT? If someone passes through the DSL modem's firewall, pfSense will still be there to defend and kick 'em out. Management-wise it will be a burden, because one has to look for firewall settings in 2 places, one in the frontline router and the second in pfSense, but we'll have a dual line of firewall.
                Thanks

                • N
                  NogBadTheBad @whitekalu
                  last edited by May 1, 2019, 9:45 AM

                  @whitekalu

                  I'd leave them, you just won't see many hits on the pfsense wan interface.

                  Andy

                  1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                  • W
                    whitekalu @NogBadTheBad
                    last edited by May 1, 2019, 9:52 AM

                    @NogBadTheBad said in is it a good practice to disable the DSL routers firewall.:

                    @whitekalu

                    I'd leave them, you just won't see many hits on the pfsense wan interface.

                    Thanks going after wise man's suggestion.
                    I will leave them.

                    • C
                      conor
                      last edited by conor May 1, 2019, 10:41 AM May 1, 2019, 10:24 AM

                      Depends on the DSL modem, some providers in Europe provide really cheap residential grade DSL modems to business users, the issue is that these cheap routers only support about 1000 states in the modem, so you need to set the modem to bridge mode so that the states are handled on the pfSense device only and there are no states on the DSL modem.

                      In some modems the down side in bridge mode is that you can't check the modem's interface web page for line sync status/speed or CRC or FEC errors.

                      200+ pfSense installs - best firewall ever.

                      • W
                        whitekalu @conor
                        last edited by May 1, 2019, 10:26 AM

                        @conor said in (SOLVED) is it a good practice to disable the DSL routers firewall.:

                        Depends on the DSL modem, some providers in Europe provide really cheap residential grade DSL modems to business users, the issue is that these cheap routers only support about 1000 states in the modem, so you need to set the modem to bridge mode so that the states are handled on the pfSense device only and there are no states on the DSL modem.

                        The down side in bridge mode is that you can't check the modem's interface web page for line sync status/speed or CRC or FEC errors.

                        That is a great answer!
                        Thanks conor

                        • J
                          JKnott @whitekalu
                          last edited by May 1, 2019, 10:38 AM

                          @whitekalu

                          I find the built in firewall in the modem is nowhere near as capable as pfSense. Also, I see your modem supports IPv6. Having 2 firewalls makes it much harder to provide IPv6 to your network.

                          PfSense running on Qotom mini PC
                          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                          UniFi AC-Lite access point

                          I haven't lost my mind. It's around here...somewhere...

                          • J
                            JKnott @conor
                            last edited by May 1, 2019, 10:40 AM

                            @conor said in (SOLVED) is it a good practice to disable the DSL routers firewall.:

                            The down side in bridge mode is that you can't check the modem's interface web page for line sync status/speed or CRC or FEC errors.

                            I can on mine. With the Hitron cable modems, the status can be accessed at 192.168.100.1, when in bridge mode. It's also possible to reset it to gateway mode.

                            PfSense running on Qotom mini PC
                            i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                            UniFi AC-Lite access point

                            I haven't lost my mind. It's around here...somewhere...

                            • C
                              conor @JKnott
                              last edited by May 1, 2019, 10:43 AM

                              @JKnott said in (SOLVED) is it a good practice to disable the DSL routers firewall.:

                              I can on mine. With the Hitron cable modems, the status can be accessed at 192.168.100.1, when in bridge mode. It's also possible to reset it to gateway mode.

                              Fair point, I have edited my post to reflect that this is the case in "some modems".

                              200+ pfSense installs - best firewall ever.

                              • W
                                whitekalu @JKnott
                                last edited by May 1, 2019, 11:11 AM

                                @JKnott said in (SOLVED) is it a good practice to disable the DSL routers firewall.:

                                @whitekalu

                                I find the built in firewall in the modem is nowhere near as capable as pfSense. Also, I see your modem supports IPv6. Having 2 firewalls makes it much harder to provide IPv6 to your network.

                                I agree the built in firewall in modems don't even come near to knees in comparison with pfSense's rich feature and reliability.
                                Not a big fan of IPV6 .. https://ipv6.he.net/certification/
                                I have disabled the IPV6 feature on my modem. Nice to know that 2 firewalls makes it much harder to provide IPv6 on a network.
                                Thanks

                                • G
                                  Gertjan @whitekalu
                                  last edited by May 1, 2019, 11:29 AM

                                  @whitekalu said in (SOLVED) is it a good practice to disable the DSL routers firewall.:

                                  Not a big fan of IPV6 .. https://ipv6.he.net/certification/

                                  @whitekalu said in (SOLVED) is it a good practice to disable the DSL routers firewall.:

                                  I have disabled the IPV6 feature on my modem. Nice to know that 2 firewalls makes it much harder to provide IPv6 on a network.

                                  Thanks to those guys - he.net I have a working local IPv6 - all my mail and web servers are IPv6 compatible and it won't be me who has to handle the new kind of "Internet People" that only have an IPv6 at their disposal.

                                  Less known, but really needed: the upfront router needs to pass protocol 41 (see here: it's not TCP or UDP, but IPv6 or 6in4) so the he.net tunnel server can connect to our pfSense using a GIF interface. Yep, that's an incoming connection!
                                  If your upstream router can handle that protocol, and a "DMZ" doesn't exist or doesn't transmit "41" either, then it's game over.

                                  Btw : I've done it :

                                  c1d4e603-2339-4687-9224-029acee5d615-image.png

                                  ("Nowwhat" is me in another life)

                                  No "help me" PM's please. Use the forum, the community will thank you.
                                  Edit : and where are the logs ??

                                  1 Reply Last reply Reply Quote 0
                                  • J
                                    JKnott @whitekalu
                                    last edited by May 1, 2019, 9:37 PM

                                    @whitekalu said in (SOLVED) is it a good practice to disable the DSL routers firewall.:

                                    Not a big fan of IPV6

                                    Why's that? That's the future, as IPv4 hasn't been adequate for many years.

                                    PfSense running on Qotom mini PC
                                    i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                                    UniFi AC-Lite access point

                                    I haven't lost my mind. It's around here...somewhere...

                                    • W
                                      whitekalu @JKnott
                                      last edited by May 2, 2019, 5:27 AM

                                      @JKnott said in (SOLVED) is it a good practice to disable the DSL routers firewall.:

                                      @whitekalu said in (SOLVED) is it a good practice to disable the DSL routers firewall.:

                                      Not a big fan of IPV6

                                      Why's that? That's the future, as IPv4 hasn't been adequate for many years.

                                      Because I find it easier to read 10.152.155.22 than fe80::14bd:3881:c4a4:b750%11.
                                      Also, using the ping command, pinging an IPv4 address is much easier than pinging an IPv6 address.
                                      Seems like the thread is going off topic, mods and admins feel free to lock the thread :)
