Cascade pfSense behind Frontier Router



  • Re: PfSense firewall BEHIND router

    Hello all. I have a similar situation to the topic above.

    Frontier provided me a new router with a "cascade router" configuration option. I want to put my pfSense as this cascade router. And, similar to the topic above, there is a conflict in the subnets.

    If I use the example provided in the topic (shown below), here are my questions:

    1. Do I have to allow private networks (RFC 1918) at the pfSense WAN interface to communicate to the 192.168.1.0 subnet on the Frontier router? If so, should I also enable any other setting/rule on the pfSense to protect the 192.168.5.0 network behind the pfSense by enabling this RFC 1918 access via the WAN?
    2. How would I limit it to just the 192.168.1.0 subnet versus all RFC 1918? Would this be nothing more than a firewall rule on the LAN side of the pfSense?

    Example provided in the related topic:

    Network: 192.168.1.0/24 (255.255.255.0)
    IP Address: 192.168.1.1/24 static or fix
    DHCP: off

    pfSense WAN:
    Network:192.168.1.0/24 (255.255.255.0)
    IP Address: 192.168.1.2/24 static or fix
    DHCP: off
    DNS: 192.168.1.1/24

    pfSense LAN:
    Network:192.168.5.0/24 (255.255.255.0)
    IP Address: 192.168.5.1/24
    DHCP: on IP range from 192.168.5.2 - 192.168.5.254/24
    DNS: 192.168.1.2/24

    Obviously, my fear is exposing my private network behind my pfSense to a private subnet in front of my pfSense. I'd rather ask and be safe than sorry later for a rookie mistake.

    Thanks



  • The Block RFC1918 is only really meant for unsolicited inbound traffic to one of your NATs. If you don't have any servers you're forwarding then you don't need to worry about that at all.



  • What if I had a device on the 192.168.1.0 network and I want it to talk to a device on the 192.168.5.0 network? Is this port forwarding? Would the RFC1918 setting come into play then?



  • "What if I had a device on the 192.168.1.0 network and I want it to talk to a device on the 192.168.5.0 network?"

    You would have to add a WAN rule to allow it. By default, WAN blocks ALL inbound unsolicited traffic.

    "Is this port forwarding?"

    No. Port-forwarding is a method of making a server on a private network publicly available by punching a specific hole in the firewall to allow traffic from the Internet to hit your server on the defined port. Think web server running on LAN or DMZ. You create a NAT port-forward to allow tcp80,443 from WAN to your web server.

    "Would the RFC1918 setting come into play then?"

    Yes, if you're trying to initiate communications from the WAN side.

    Can you describe what's really going on here? Not too many people have devices on WAN that they need to access LAN. Usually everything is on LAN.



  • It is nothing more than having a Frontier router in front of my pfSense. Before I had my pfSense connected directly connected to my Spectrum modem and that was that. However, as I look at this setup, I put my pfSense in one of the LAN ports of the Frontier router and said to myself (given I have a few more ports on the Frontier router) what if I connected a laptop to one of the other ports? How would I route to devices behind my pfSense? Maybe I can test my firewall vulnerabilities if I put a device on one of these router ports? That is all, just technical curiosity. At the end of the day, I plan to keep my devices behind my pfSense.

    At the moment, I'm in between pfSense configurations and have devices connected to the Frontier router for Internet and work VPN access out. Once I'm done, everything will go back behind the pfSense but it is good to know I have a testing point when I'm troubleshooting my network/firewall.

    Thanks for your quick response and patience with my questions.



  • Oh, one other small note... I know I can remove this router and plug their Ethernet right into my pfSense WAN, but I thought I'd leave it in front of my pfSense to be my point-of-presence (POP) for my ISP. After all, I am paying for this router whether I use it or not. :)



  • If I was you I'd punt their crap router, connect pfSense WAN directly to your cable modem and then put all your devices on a switch connected to pfSense LAN. Boom, done.



  • @KOM Yes sir. I may do that eventually. Thanks again for your patience with my questions.


Log in to reply