Is it possible to use IDS/IPS with pfSense in bridged mode?

  • Question for the community:

    I currently have Comcast and run pfSense with Suricata IPS and also pfBlocker. I have Unifi AP, with the Unifi controller also running on my pfSense box. A relatively clean setup.

    My residential building recently got Starry ISP. It's a startup ISP that uses microwave technology for delivering connectivity. As I understand they use standard Ethernet protocols to deliver connectivity from the receiver on the roof of the building to the apartments. However, they require that you use their router/wifi equipment ("Starry Station") for connectivity, I suppose it does some sort of proprietary negotiation with their HQ to establish connectivity and get a public IP address. They claim that, at this time, you cannot place their router into a bridged mode.

    My question: first, anyone has any experience with this type of setup for other ISPs? I would like to keep the protections that the pfSense offers (IPS, pfBlocker). I guess I have two options: (1) double-NAT (which may lead to other issues down the road when I want to do some port-forwarding); (2) place pfSense into bridge mode and connect Starry Station on the LAN side of the pfSense. In the case of #2, would I be able to still have my traffic inspected and blocked as I have today?

    Any other options?


  • Bridge mode would mean bypassing pfsense I believe. So, when it comes into your apartment, does the ISP assigns a private IP address to you? If so, it would still'll need to disable (uncheck) the private address on WAN.
    Screen Shot 2019-07-12 at 1.23.14 PM.png

  • LAYER 8 Global Moderator

    You can run in double nat mode without any real issues if you must - that is going to be way less complicated then running pfsense in bridge mode..

    I would just double nat, until such time you run into some issue.. Since your prob not going to..

  • @NollipfSense I think they would assign a public IP, but I don't know for sure. I got a 3-month trial. Will test next week.

  • @johnpoz Yes, I think that will be the easiest solution for now. My only question: would the VPN on my pfSense still work? I guess I'll need to do some port forwarding from the ISP's router. Or maybe even place the LAN side on their router into DMZ mode.

  • LAYER 8 Global Moderator

    Normally what you would do in a double nat setup is yeah put pfsense wan IP in the dmz host of the router upstream.. This way you only need to mess with 1 place for port forwards.

    But sure if you need port X to be forwarded on pfsense to something behind, then you would make sure the nat upstream forwards port X to pfsense wan IP first.

Log in to reply