Introducing pfSense to my network - a step at a time?
As I mentioned on a separate thread, I am about to move to pfSense, with my machine arriving soon (just discovered it's Out for Delivery, two days early :)). Anyway, I am thinking through the logistics of introducing this and would appreciate some input.
At a high level, my initial ambition is to take a regular consumer setup (modem plus ASUS Wifi router) and move to a situation where I have...
- pfSense router connected to my modem (WAN port)
- An IOT-related subnet, served by the existing ASUS Wifi Router, connected to one of the pfSense LAN ports
- A separate subnet for my secure/private devices, to another LAN port
If possible, I want to take a very iterative approach to this, preferably avoiding any situation where I need to change a whole bunch of devices all at once. So, what I'd like to do initially is just introduce pfSense between my modem and my ASUS Wifi Router, before I start taking advantage of pfSense. The hope would be that ALL devices (IOT and private) would just continue to work off the WiFi router, blissfully unaware of any change.
My working assumption here is that a) I can initially just let the ASUS router continue to offer DHCP and b) pfSense will INITIALLY just effectively pass everything through, until I incrementally start taking advantage of it. As an example, my second phase might be to introduce an access point to the second LAN port, to serve my secure devices (PCs, etc).
I'd be interested in whether this is a viable plan, just to start me on my way. My major concern is that this initial step would, presumably, mean that I need to have pfSense allow everything through (since the ASUS router would be unchanged). With pfSense being reasonably secure by default, I don't like the idea of opening up stuff on pfSense, just to tighten it up later.
And that's why I am asking this here - is this a reasonable initial step, just to get pfSense introduced, without having to reconfigure all my devices across my house.
Very open to suggestions. Thank you.
I can initially just let the ASUS router continue offer DHCP and b) pfSense will INITIALLY just effectively pass everything through
You can for sure just double nat with pfsense in between your modem and your asus... The only caveat is that you need to make sure that pfsense lan network does not overlap your asus lan network.
So if your asus is currently using say 192.168.1/24 for its lan network... You would need to make sure pfsense lan network is not 192.168.1/24 or one that would overlap it, like 192.168.0/23
Make sure pfsense is using something different than your asus lan network, if using 192.168.1/24 for example - make sure pfsense lan that you're plugging your asus wan port into is say 192.168.2/24
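The overlap check johnpoz describes is easy to get wrong by eye (192.168.0/23 looks nothing like 192.168.1/24 but contains it). The following is an added example, not code from the thread or from pfSense, that uses Python's standard ipaddress module to test a planned set of networks for overlap and to pick a pfSense LAN that does not collide with the existing ASUS LAN. The candidate list and the shorthand parser for the "192.168.1/24" style used in the thread are assumptions of this example.

```python
# Added example (not from the thread): checking that the pfSense LAN network
# does not overlap the existing ASUS LAN network before double-NATting.
import ipaddress
from itertools import combinations


def net(s):
    """Parse the '192.168.1/24' shorthand used in the thread as well as
    full CIDR. ipaddress rejects a 3-octet address, so missing octets are
    padded with zeros; strict=False tolerates host bits in the address."""
    addr, _, prefix = s.partition("/")
    octets = addr.split(".")
    while len(octets) < 4:
        octets.append("0")
    return ipaddress.ip_network(".".join(octets) + "/" + (prefix or "32"),
                                strict=False)


def overlaps(a, b):
    """True if any address is in both networks (either may contain the other)."""
    return net(a).overlaps(net(b))


def conflicting_pairs(networks):
    """Return every pair in a planned set of networks that overlap.
    Useful once the IOT and private subnets are added behind pfSense too."""
    return [(a, b) for a, b in combinations(networks, 2) if overlaps(a, b)]


# Assumed candidate list for the pfSense LAN; pick whatever fits your plan.
DEFAULT_CANDIDATES = ("192.168.2.0/24", "192.168.3.0/24", "10.0.0.0/24")


def pick_pfsense_lan(asus_lan, candidates=DEFAULT_CANDIDATES):
    """Return the first candidate that does not overlap the ASUS LAN."""
    for c in candidates:
        if not overlaps(asus_lan, c):
            return c
    raise ValueError("no candidate avoids the existing LAN; extend the list")


if __name__ == "__main__":
    asus = "192.168.1/24"  # constructed: the example LAN from the thread
    print("192.168.0/23 overlaps ASUS LAN:", overlaps(asus, "192.168.0/23"))
    print("192.168.2/24 overlaps ASUS LAN:", overlaps(asus, "192.168.2/24"))
    print("pfSense LAN to use:", pick_pfsense_lan(asus))
    plan = [asus, "192.168.2/24", "192.168.3/24"]  # ASUS, IOT, private
    print("conflicts in plan:", conflicting_pairs(plan))
```

Run it against whatever the ASUS router is actually handing out (check its LAN settings page rather than guessing); an empty conflict list for the full plan is what you want before you cable the ASUS WAN port into the pfSense LAN.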
@johnpoz Thank you. So, is the suggestion that I configure pfSense (initially) just for NAT alone, with none of the major firewall features enabled?
That means traffic is simply passed through, in both directions, without pfSense really playing much of a role i.e. I won't need to disable or reconfigure certain features I will eventually need. Then, I can just start enabling features (DHCP, adding LAN ports, rules, etc) to achieve my eventual objective. In this context, pfSense is pretty passive, initially.
Am I interpreting this correctly?
with none of the major firewall features enabled?
Not sure what you mean with that.. Like IPS? Or proxy? You prob never would need these anyway..
Out of the box pfsense blocks all inbound unsolicited traffic inbound from wan, and allows all traffic outbound from lan.
@johnpoz Sorry - should have been more clear (and I'm still learning how/where pfSense falls into place here, in terms of its initial configuration). I was thinking about more "foundational" features, such as a DHCP server, DNS, toughening up security with some simple rules, etc, etc.
But your last comment clarifies things, I think. It seems I can simply drop pfSense between my modem and ASUS router and use double NAT. The default configuration you describe sounds exactly as I'd want (and allow my existing devices to continue "blissfully unaware").
The only thing I'd need initially is OpenVPN, since I regularly remote into desktops from coffee shops over RDP (and don't plan on forwarding ports), etc. With VPN installed and configured, I'd be pretty much at parity with what I have now and can then start walking down the path of leveraging pfSense to the full, particularly as I implement IOT isolation across a couple of subnets.
Thank you again, @johnpoz .