First Timer Needing hardware Advice (Network Topology)
Its the first time i am setting up pfSense i have brought a mini fanless pc to use as a dedicated pfSense box thats will remain turned on always.
I am on a ADSL/2 connection via phone line so i have a modem-router all in one (ASUS DSL-AC68U) https://www.asus.com/uk/Networking/DSLAC68U/
Am i right that i will need another router or Access point ? So my DSL-AC68U will bring in the internet connection (WAN) then will go thought pfSense firewall then into the Modem / AP then everything internal shoulf connect to that mode / AP in order for it to filter through pfSense ?
If this is correct could i use the original isp modem router as the WAN point to pull in the internet turn off the router feature and used bridged mode (if supprted) and use the ASUS modem router as the AP ?
If thats correct what if the ISP modem does not support bridged mode ? (The ASUS does not)
Is this the only possible way to connect ? or is there a way to use only my ASUS and pfSense dedicated hardware ?
Yes, that is how it should connect:
modem --> pfSense --> switch/access point --> clients
It is possible to use just one device in some circumstances but it's complex to setup and the results is.... sketchy!
I would advice you to get a different adsl modem that really is a modem and then use your Asus as an access point.
You linked to a UK site, are you in the UK?
Thanks for the reply. Yes i am in the UK desperate to get this setup as i want the snort IDS addon running on my network too so need to set this up the best and most secure way possible. only thing is i dont want to spend money on something that doesnt work correctly for example my ASUS cannot bridge. If i have to buy a new device id rather turn off routing and wifi from this asus and use only as a modem then ill buy a linksys or asus that supports DD-WRT and the latest tech (wifi and such) and use that as the AP then i would get faster speeds and a better connection all round wouldn't i ?
Or would you advise still buying a separate modem only for the first point of connection over using the ASUS and buying a better router ?
The Draytek V120 modem can be had very cheaply second hand because it doesn't do VDSL. I had great success with that before switching to FTTC. The V130, which does do VDSL, is not expensive either if you wait a while.
A modem device like that makes it much easier to configure port forwards etc. A router in bridged mode is good. A router in some quasi bridge mode like a DMZ mode is OK but can get in the way.
Do you actually need more than AC1900 that the Asus provides? You don't as a test...
Thanks! checked out the link that's real cheap! Might get that. I am on talk talk at the moment (terrible) so it should work fine.
Yeah i need a pretty powerful one as i can easily have around 15 - 20 devices all connected at once which is why i need the best AP i can get, otherwise everything starts to lag. (also need to setup separate vlans as lots of devices i dont particularly trust).
Id be looking at a new ASUS or a Linksys AP where i can flash DD-WRT for full control
Yeah to test it though i was going to use the default talk talk modem/router and turn it to modem mode only (if possible) then make sure everything works before i buy the newer hardware. If it doesnt i can wait till the modem arrives.
Once i set this up i should be able to set a guest network from my AP and have a separate default network like from the guest as normal shouldn't i ? the AP would work the same but without the Routing or connection to the net directly right ?
Then for vlans i would connect create them via pfsense software ?
I hope i got that right.
Yes, define the VLANs in pfSense and they appear as separate interfaces so can have different rules etc.
The VLANs must exist on whatever it connected to pfSense of course so a managed switch or a VLAN capable AP directly.
Thanks for the help Steve. Much appreciated!