Netgate Discussion Forum

    Cascade pfSense behind Frontier Router

    • pfsense16v

      Re: PfSense firewall BEHIND router

      Hello all. I have a similar situation to the topic above.

      Frontier provided me a new router with a "cascade router" configuration option. I want to put my pfSense as this cascade router. And, similar to the topic above, there is a conflict in the subnets.

      If I use the example provided in the topic (shown below), here are my questions:

      1. Do I have to allow private networks (RFC 1918) at the pfSense WAN interface to communicate to the 192.168.1.0 subnet on the Frontier router? If so, should I also enable any other setting/rule on the pfSense to protect the 192.168.5.0 network behind the pfSense by enabling this RFC 1918 access via the WAN?
      2. How would I limit it to just the 192.168.1.0 subnet versus all RFC 1918? Would this be nothing more than a firewall rule on the LAN side of the pfSense?

      Example provided in the related topic:

      Network: 192.168.1.0/24 (255.255.255.0)
      IP Address: 192.168.1.1/24 static or fix
      DHCP: off

      pfSense WAN:
      Network: 192.168.1.0/24 (255.255.255.0)
      IP Address: 192.168.1.2/24 static or fix
      DHCP: off
      DNS: 192.168.1.1/24

      pfSense LAN:
      Network: 192.168.5.0/24 (255.255.255.0)
      IP Address: 192.168.5.1/24
      DHCP: on IP range from 192.168.5.2 - 192.168.5.254/24
      DNS: 192.168.1.2/24

      Obviously, my fear is exposing my private network behind my pfSense to a private subnet in front of my pfSense. I'd rather ask and be safe than sorry later for a rookie mistake.

      Thanks

      • KOM

        The Block RFC1918 is only really meant for unsolicited inbound traffic to one of your NATs. If you don't have any servers you're forwarding then you don't need to worry about that at all.

        • pfsense16v

          What if I had a device on the 192.168.1.0 network and I want it to talk to a device on the 192.168.5.0 network? Is this port forwarding? Would the RFC1918 setting come into play then?

          • KOM

            "What if I had a device on the 192.168.1.0 network and I want it to talk to a device on the 192.168.5.0 network?"

            You would have to add a WAN rule to allow it. By default, WAN blocks ALL inbound unsolicited traffic.

            "Is this port forwarding?"

            No. Port-forwarding is a method of making a server on a private network publicly available by punching a specific hole in the firewall to allow traffic from the Internet to hit your server on the defined port. Think web server running on LAN or DMZ. You create a NAT port-forward to allow tcp80,443 from WAN to your web server.

            "Would the RFC1918 setting come into play then?"

            Yes, if you're trying to initiate communications from the WAN side.

            Can you describe what's really going on here? Not too many people have devices on WAN that they need to access LAN. Usually everything is on LAN.

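The interaction discussed in the post above (a WAN pass rule scoped to 192.168.1.0/24 versus all of RFC 1918, with and without the block-private-networks option) can be checked with a small first-match model. This is an added example, not part of the thread and not pfSense code; it assumes the option's block rules are evaluated ahead of user-defined WAN rules, and it models rule matching only, not routing or NAT. The host addresses are constructed.

```python
import ipaddress

# RFC 1918 ranges covered by the "Block private networks" WAN option.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def net(cidr):
    return ipaddress.ip_network(cidr)

def wan_ruleset(block_private, user_rules):
    """WAN rules in evaluation order: option-generated blocks, then user rules."""
    rules = [("block", n, None) for n in RFC1918] if block_private else []
    return rules + list(user_rules)

def evaluate(rules, src, dst):
    """First matching rule wins; anything unmatched hits the WAN default deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in rules:
        if src in src_net and (dst_net is None or dst in dst_net):
            return action
    return "block"

# Constructed rules using the subnets from the thread.
NARROW = [("pass", net("192.168.1.0/24"), net("192.168.5.0/24"))]
BROAD = [("pass", n, net("192.168.5.0/24")) for n in RFC1918]

# Constructed sample hosts: a laptop on the Frontier LAN, a host behind pfSense,
# and two other private sources that should never reach the pfSense LAN.
LAPTOP, LAN_HOST = "192.168.1.50", "192.168.5.10"
OTHER_PRIVATE = ["192.168.2.7", "10.1.2.3"]

def scenario(block_private, user_rules):
    """Verdict per source address for traffic aimed at LAN_HOST."""
    rules = wan_ruleset(block_private, user_rules)
    return {src: evaluate(rules, src, LAN_HOST) for src in [LAPTOP] + OTHER_PRIVATE}

if __name__ == "__main__":
    for name, args in [("block-private on + narrow pass", (True, NARROW)),
                       ("block-private off + narrow pass", (False, NARROW)),
                       ("block-private off + all-RFC1918 pass", (False, BROAD)),
                       ("block-private off, no user rules", (False, []))]:
        print(name, scenario(*args))
```

With the option on, the narrow pass rule is never reached; with it off, only the 192.168.1.0/24 source passes and every other private source still falls through to the default deny.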
            • pfsense16v

              It is nothing more than having a Frontier router in front of my pfSense. Before, I had my pfSense connected directly to my Spectrum modem and that was that. However, as I look at this setup, I put my pfSense in one of the LAN ports of the Frontier router and said to myself (given I have a few more ports on the Frontier router) what if I connected a laptop to one of the other ports? How would I route to devices behind my pfSense? Maybe I can test my firewall vulnerabilities if I put a device on one of these router ports? That is all, just technical curiosity. At the end of the day, I plan to keep my devices behind my pfSense.

              At the moment, I'm in between pfSense configurations and have devices connected to the Frontier router for Internet and work VPN access out. Once I'm done, everything will go back behind the pfSense but it is good to know I have a testing point when I'm troubleshooting my network/firewall.

              Thanks for your quick response and patience with my questions.

              • pfsense16v

                Oh, one other small note... I know I can remove this router and plug their Ethernet right into my pfSense WAN, but I thought I'd leave it in front of my pfSense to be my point-of-presence (POP) for my ISP. After all, I am paying for this router whether I use it or not. :)

                • KOM

                  If I was you I'd punt their crap router, connect pfSense WAN directly to your cable modem and then put all your devices on a switch connected to pfSense LAN. Boom, done.

                  • pfsense16v @KOM

                    @KOM Yes sir. I may do that eventually. Thanks again for your patience with my questions.
