Insert SG-1100 between existing cable modem and router
-
Please post screens of your WAN, LAN and OPT1 rules so we can check them out for you.
-
Ok.
Wan:
Lan:
I realize this probably isn't "firewalling" much of anything right now. My plan was to get everything on my network operating then research how to set up the best rules and lock the device down.
-
Rules are evaluated top-down, first match wins. No other rules are processed after a hit.
On your WAN, get rid of those last four allow rules.
On your LAN, also get rid of those last 4 rules. The second rule is already passing all IP4 traffic. Those other rules you added aren't really doing anything. If you're not using IP6 then go to System - Advanced - Networking and disable IP6 there.
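The top-down, first-match evaluation described above, as an added example that is not from this post or from pfSense itself: a small first-match evaluator plus a check for rules that can never be hit, run over a constructed LAN rule set resembling the one in the thread (default rules followed by redundant user additions; all addresses are constructed).

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    action: str         # "pass" or "block"
    proto: str          # "any", "tcp", "udp" or "icmp"
    src: IPv4Network
    dst: IPv4Network
    ports: tuple        # inclusive destination port range; (0, 65535) means any
    desc: str = ""

def matches(rule, proto, src, dst, dport):
    """Does this single rule match the given packet?"""
    return (rule.proto in ("any", proto)
            and ip_address(src) in rule.src
            and ip_address(dst) in rule.dst
            and rule.ports[0] <= dport <= rule.ports[1])

def evaluate(rules, proto, src, dst, dport):
    """First match wins; if nothing matches, the implicit default is block."""
    for i, rule in enumerate(rules):
        if matches(rule, proto, src, dst, dport):
            return rule.action, i
    return "block", None

def covers(a, b):
    """True if rule a matches every packet that rule b could match."""
    return (a.proto in ("any", b.proto)
            and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)
            and a.ports[0] <= b.ports[0] and b.ports[1] <= a.ports[1])

def shadowed(rules):
    """Indices of rules that can never be hit because an earlier rule covers them."""
    return [j for j, r in enumerate(rules) if any(covers(rules[i], r) for i in range(j))]

ANY_NET, ANY_PORT = ip_network("0.0.0.0/0"), (0, 65535)
LAN = ip_network("192.168.1.0/24")
# Constructed LAN rule set like the one in the thread: the defaults, then redundant additions.
LAN_RULES = [
    Rule("pass", "tcp", ANY_NET, ip_network("192.168.1.1/32"), (443, 443), "anti-lockout (simplified)"),
    Rule("pass", "any", LAN, ANY_NET, ANY_PORT, "Default allow LAN to any"),
    Rule("pass", "tcp", LAN, ANY_NET, (80, 80), "user-added: allow HTTP (never reached)"),
    Rule("pass", "udp", LAN, ANY_NET, (53, 53), "user-added: allow DNS (never reached)"),
]

if __name__ == "__main__":
    for j in shadowed(LAN_RULES):
        print(f"rule {j} is shadowed: {LAN_RULES[j].desc}")
```

Running the audit reports the two user-added rules as shadowed by the default "allow LAN to any" rule, which is exactly why deleting them changes nothing.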
-
Ok done. And, everything still works. Thanks folks for the help.
-
https://docs.netgate.com/pfsense/en/latest/firewall/firewall-rule-basics.html
-
If you do disable IP6, don't forget to go back to your LAN rules and delete the IP6 ones you manually added.
-
There you go - much better ;)
See, no need to have created any rules.
-
Thank you both.
So with the "factory" rules (only) in place, am I better protected than without the SG, or not really until I start creating more specific rules?
-
Yes. Default rules allow all traffic out from LAN, and block all unsolicited traffic in to WAN.
-
Depends - with the default rules nothing has been forwarded from WAN/internet to your behind-pfSense router, that is for sure.
Not sure why you want or think you need another router behind pfsense.. If you want wireless - then just use an AP.
edit
What is this exactly, "Ubiquiti wife router"? Do you mean an AP like an AC-Pro or -Lite? What is the model number of this device you have from UniFi?
-
@johnpoz. It is an AirRouter. I have it set up in bridge mode. Although most of my gear is hard-cabled, I have a couple of devices I can only get to via wifi.
-
@johnpoz Courierdog here and I have a similar requirement.
My ISP provides the Fibre ONT (Modem) to their ISP Router.
The ISP Router also provides the IP TV and the ISP provided Home Security System
From the ISP Router I feed a Bitdefender Box 2 (WiFi Router)
The Netgate SG-1100 does not have WiFi
I would like to configure the SG-1100 so all the ethernet LAN connections pass through the SG-1100 which then connects to the Home Network Switch.
The ISP Router provide the Internet connection
The Bitdefender Box 2 provides the monitored WiFi Access Point
The Netgate SG-1100 provides the Firewall for the Home Ethernet network
I have in the past used a Router with Tomato Firmware where I now want to place the Netgate SG-1100.
I configured the Tomato Router as a static IP addressed Bridge using one address within the range of the Bitdefender Box 2 DHCP range of addresses.
I am unsure if the Netgate SG-1100 can be configured this way or would it have to be placed in front of the Access Point which would have to be configured as the Bridge.
Thanks in advance
-
It can be configured as a transparent firewall like that but doing so requires bridging VLANs.
It's almost always better to avoid bridging if you can.
An Access Point would normally be a layer 2 device anyway, no need to bridge anything or already internally bridged.
I'm unclear where the USP router fits in here. Potentially you have 3 routers with 3 levels of NAT. Really you want 1.
Steve
-
@stephenw10
We have no option on the ISP Router That Must stay in place.
However, I have revised my thoughts.
ISP Router -> Netgate SG-1100 Firewall - ASUS RT N66U (WiFi AP) -> Home Network Switch
This requires me to reassign the SG-1100 LAN IP
Currently the SG-1100 put me directly to the Dashboard; this is not what the User Guide states.
At this point I am lost.
I may be Somewhat of a newbie but the SG-1100 is not following the Documentation.
Dave
-
@courierdog said in Insert SG-1100 between existing cable modem and router:
Currently the SG-1100 Put me directly to the Dashboard this is not what the User Guide states.
At this point I am lost.
Huh?? When you set up the SG-1100, yeah, you would be able to access the web GUI on the default 192.168.1.1 IP - unless you changed it?
Directly to the dashboard of what - how or where does it say in the documentation anything different?
-
I assume you mean you're not seeing the setup wizard?
That can happen if it was previously launched and then escaped, but you can run it again at any time from System > Setup Wizard.
Steve
-
@johnpoz
Problem is the ISP uses the 192.168.1.1 LAN IP address so I have to change it.
The guide says go to Advanced - Option 2
When I log in, I am sent directly to the dashboard.
The setup wizard does not appear.
Even if I set up using an empty WAN port and connect my Mac directly to the LAN port, login takes me directly to the Dashboard.
Very strange.
-
@courierdog said in Insert SG-1100 between existing cable modem and router:
The guide says go to Advanced - Option 2
You can set the IP via here option 2
What is the page in the docs you're looking at exactly - can you post the URL you're looking at?
Here for example
https://docs.netgate.com/pfsense/en/latest/config/index.html#connecting-to-the-gui
-
@johnpoz let me start over.
my ISP (Telus) provides my Internet/TV/Home Security
I want to leave all of that on one network and using the Netgate SG-1100 to provide my Home Internet Network.
The ISP uses the Standard 192.168.1.1 IP LAN Settings
First I have to change the LAN of the SG-1100 to something different
However the WAN side of the Netgate SG-1100 will come from the ISP Provided Router.
Currently I have managed the LAN configuration of the SG-1100, but the WAN side of the SG-1100 is not connecting to the ISP Router.
Where / How in the configuration settings do I enable the Netgate SG-1100 to accept the Internet connection as provided by the ISP Router?
I hope this makes sense.
I mentioned this to a friend who uses pfSense and he did say I have to enable something on the WAN side to accept the feed from the ISP Router.
-
@courierdog said in Insert SG-1100 between existing cable modem and router:
I have to enable something on the WAN side to accept the feed from the ISP Router.
No you don't... You can for sure use 192.168.1/24 on your WAN - many users do, just a double NAT.
He might be thinking about the default block RFC1918 rule, but the DHCP hidden rules that allow pfSense to be a DHCP client would allow it to get an RFC1918 address.
Change your LAN of pfSense to be, say, 192.168.2 and you would be fine.