Some questions please
-
Hi Forum,
Noob here.
I am in the process of buying a Netgate Pfsense
(So only in the planning stages. Nothing definite.)
Current situation is this:
Internet - ISP Router (CG-NAT) - my own router (handles WIFI and DHCP) - LAN
- ISP Router (not able to set in Bridge Mode, and has IP address 192.168.1.1. NOT possible to get a NON CG-NAT address, I have tried and tried, but they refuse (understandable).) DHCP = Disabled
- Own Router (ASUS), handles DHCP / WIFI etc and has IP address 10.0.0.1 (clients get an address in the range 10.0.0.x). Gets IP address 192.168.1.10 from the ISP Router (static).
My current goal is:
ISP Router - Pfsense (firewall handling DHCP) - ASUS (only handling WIFI)
In the distant future I would like to connect to my home network from the Internet.
ISP Router - Pfsense (firewall / VPN / DHCP) - ASUS (only handling WIFI)
I have been reading a lot about this, and I read somewhere that I need to put the Pfsense in the DMZ of the ISP Router (which I have looked at in the ISP Router and is possible)
Now I have the following questions (for now ;))
1- Would I place the Pfsense in the DMZ of the ISP Router?
1a- If so, what IP address should I give the Pfsense? I would like to keep the 10.0.0.x range, but if that's not feasible, which range?
2- If not in the DMZ, then is it OK to keep the 10.0.0.x range?
Any other suggestions / configs would be more than welcome
Ps: Please be gentle (hahahahahahaha)
Thx in advance, really appreciated
Mike
Edit: The reason why I want to connect to my Home Network (over the internet) in the future is to connect to my NAS (Synology)
-
Edit: The reason why I want to connect to my Home Network (over the internet) in the future is to connect to my NAS (Synology)
And the Asus can't do that?
-
Thx, I think the pfsense can do it in a better/safer way? Am I mistaken?
-
@iammike If you will be using OpenVPN, it probably doesn't matter.
1- yes
1a- doesn't matter
2- again, doesn't matter
-
Re: OpenVPN
IMHO I think it's better to rely on something like pfsense, which gets regularly updated (security updates etc) than a product (my Asus router) that could be obsolete (read: doesn't get any updates) in something as important as opening your LAN to the internet. (I could of course buy a new router when that happens ;) but then I don't learn anything about pfsense)
Thx
-
@bob-dig said in Some questions please:
@iammike said in Some questions please:
(read: doesn't get any updates)
Sure, then get one.
Are you saying that pfsense doesn't get updated regularly?
-
No what he is saying is get a pfsense router if you want one.
Nothing you mention about ips means anything. Sure you can run in double nat mode if you must.
But 192.168.1.1 is not a cgnat. That is the lan side IP of your isp gateway device.
What is its WAN ip? Is it in 100.64.0.0/10? That would be a cgnat. What rfc1918 space you use behind your natting isp router doesn't matter. Be it 192.168.x or 10.x.x.x or 172.16-31.x.x
You can use any IP space you want in the rfc1918 range.
Keep in mind if your goal is to reach your NAS from the internet, if you're behind a cgnat it's going to be very difficult. ISPs running cgnat don't normally allow inbound traffic from the internet. And a "dmz" or port forward behind a cgnat isn't going to do much if no traffic gets to your isp wan IP.
What I suggest you do is look on your isp device - what is its WAN IP??
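Added example, not from anyone in this thread: a Python script that does the checks johnpoz describes (is the ISP router's WAN address in 100.64.0.0/10, does it match what a "what's my IP" site reports, and how many NAT layers sit in front of a box placed behind the ISP router). The addresses in the demo are made-up stand-ins, not the redacted ones from this thread: 223.205.0.1 for the public address, 100.72.0.9 for the CGNAT-side address, 192.168.1.2 for a pfsense WAN sitting in the ISP router's DMZ.

```python
import ipaddress

# RFC 1918 private space: what you use on the LAN side of your own router(s).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# RFC 6598 shared address space: what a carrier-grade NAT hands to the ISP router's WAN.
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def classify(addr: str) -> str:
    """Return 'rfc1918', 'cgnat', 'public' or 'other' for an IPv4 address string."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        return "other"
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if ip in CGNAT:
        return "cgnat"
    if ip.is_global:
        return "public"
    return "other"  # loopback, link-local, documentation nets, multicast, ...


def nat_layers(observed_public: str, router_wan: str, downstream_wans=()):
    """List the address translations an inbound packet must cross, outermost first.

    observed_public : what a "what's my IP" site reports
    router_wan      : the WAN address on the ISP router's status page
    downstream_wans : WAN addresses of routers behind the ISP router, outer to inner
                      (e.g. the pfsense WAN when it sits in the ISP router's "DMZ")

    Each entry is (who_translates, address_behind_it, kind). A 'carrier' entry means
    the ISP itself must forward ports before anything reaches your ISP router at all.
    """
    layers = []
    if ipaddress.ip_address(router_wan) != ipaddress.ip_address(observed_public):
        # The ISP router does not hold the public address, so something upstream NATs.
        layers.append(("carrier", router_wan, classify(router_wan)))
    translator = "isp-router"
    for wan in downstream_wans:
        layers.append((translator, wan, classify(wan)))
        translator = "downstream-router"
    return layers


def needs_isp_portal(layers) -> bool:
    """True when the outermost NAT is the carrier's: a DMZ or port forward on your own
    ISP router cannot help until the ISP forwards the port to your CGNAT address."""
    return bool(layers) and layers[0][0] == "carrier"


if __name__ == "__main__":
    # Constructed sample values for the topology in the thread (not real addresses).
    public_seen = "223.205.0.1"     # from a "what's my IP" site
    isp_router_wan = "100.72.0.9"   # from the ISP router's status page
    pfsense_wan = "192.168.1.2"     # pfsense WAN in the ISP router's DMZ
    layers = nat_layers(public_seen, isp_router_wan, [pfsense_wan])
    for who, addr, kind in layers:
        print(f"{who:18} translates for {addr:15} ({kind})")
    print("ISP portal forward required:", needs_isp_portal(layers))
```

Run it with the addresses from your ISP router's status page and a "what's my IP" site. A 'carrier' entry at the top of the list is the case johnpoz warns about: nothing you do on your own router or on pfsense makes inbound traffic arrive until the ISP forwards the port to that 100.64.0.0/10 address.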
-
@johnpoz said in Some questions please:
What I suggest you do is look on your isp device - what is its WAN IP??
Currently, "what's my ip" is saying I am on: 223.205.xxx.xx; the WAN info my (ISP) router gives: 100.72.xx.xx
Edit: Ps: The ISP provides a DDNS service and also in the ISP router I can setup No-IP (DDNS)
Edit2: Added the word ISP to the router.
-
Ok well yes 100.72.x.x is CGNAT.. Does your isp allow forwarding traffic to this IP? If not you're never going to get inbound traffic - ie to your nas or anything else.
The 223.205.x.x address is the actual public address they are natting your 100.72 address to.. For you to be able to see inbound traffic from the public internet they would have to forward ports from that 223 address to your 100.72 address.
Do they do that? If they do, seems odd that they would be using cgnat in the first place. Unless they have some portal or something where you could request ports to forward to your cgnat IP..
-
Yes they do!!
They have that portal in place (link here: https://fiber.3bb.co.th/en/%E0%B8%8A%E0%B9%88%E0%B8%A7%E0%B8%A2%E0%B9%80%E0%B8%AB%E0%B8%A5%E0%B8%B7%E0%B8%AD/3bb-ddns/ ) in which you can forward 10 ports (for me in the range 34xxx)
I can post you a screenshot to the actual portal but I doubt you can understand much as it's in Thai
As I am just investigating (nothing bought yet) I just wanna do it the right way from the start that is why I am looking for advice on this!
Thx
-
Well - if you can get traffic to your isp router, and you can either forward it there, or you can put your future pfsense in the "dmz" of the isp router, then sure you can do what you want. No matter what the IPs are.. example:
public IP -- isp (100.64/10) cgnat - isp router - 192.168.1/24 - pfsense - 10.0.0/24 -nas
Then sure you can get traffic that hits this public IP to get to your nas on port X..
edit: I personally would not suggest you open your nas to the public.. If you want to access your nas while remote its better to vpn into your network.. This is much more secure setup.
-
Thx. Yes Port forwarding I can do on the ISP Router no problem, I already tested that. Port forwarded on the ISP router which got handled by the ASUS and got sent to a Sample Webserver on a PI! Works great.
That VPN setup I will get back to in the future as that's my ideal goal! But better take it step by step!
Another question if I may.
Are there any caveats (read: precautions) I have to look out for when putting the pfsense in the DMZ? (edit 2: Any reading material ???)
Thx, really appreciated!
Edit: First step for me is to incorporate the pfsense in the network and let it handle DHCP / Firewall etc before going to the step of opening up the network to the outside world)
-
@iammike said in Some questions please:
I have to look out for when putting the pfsense in the DMZ?
No.. It's no different than if it was exposed to the public internet.. All the isp router dmz really is, is a big port forward of all traffic that hits its wan.
Out of the box pfsense blocks all unsolicited inbound traffic to its wan..
edit: The point of the dmz thing on the isp router, is so you don't have to setup port forwards on it.. Because you will be controlling what gets to your actual devices via port forwards on pfsense.
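Added example, mine and not from anyone in this thread: a Python model of the inbound path johnpoz sketched (public IP -> carrier CGNAT -> ISP router with pfsense as its DMZ host -> pfsense -> NAS), built from the two statements above: the ISP router's DMZ forwards everything that hits its WAN to one host, and a stock pfsense drops unsolicited inbound traffic on WAN unless you add a port forward. It also refuses a hop whose WAN and LAN subnets overlap, which johnpoz flags later in the thread. Every address and port is a made-up assumption: 223.205.0.1 for the public address, 100.72.0.9 for the CGNAT address, 34100 for one of the portal-forwardable 34xxx ports, 10.0.0.20 for the NAS and 5001 for its HTTPS port.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def addressing_ok(wan_net: str, lan_net: str) -> bool:
    """A NAT box needs distinct WAN and LAN address space."""
    return not ipaddress.ip_network(wan_net).overlaps(ipaddress.ip_network(lan_net))


@dataclass
class NatHop:
    """One translating device on the inbound path (chain is ordered outermost first).

    forwards : explicit port forwards {outside_port: (inside_ip, inside_port)}
    dmz      : inside host that receives every port NOT in forwards (the ISP router's
               "DMZ" option); None means such traffic is dropped, i.e. the default
               behaviour of pfsense for unsolicited inbound traffic on its WAN
    """
    name: str
    wan_net: str
    lan_net: str
    forwards: Dict[int, Tuple[str, int]] = field(default_factory=dict)
    dmz: Optional[str] = None

    def __post_init__(self):
        if not addressing_ok(self.wan_net, self.lan_net):
            raise ValueError(f"{self.name}: WAN {self.wan_net} overlaps LAN {self.lan_net}")
        lan = ipaddress.ip_network(self.lan_net)
        targets = [ip for ip, _ in self.forwards.values()] + ([self.dmz] if self.dmz else [])
        for ip in targets:
            if ipaddress.ip_address(ip) not in lan:
                raise ValueError(f"{self.name}: target {ip} is not in LAN {self.lan_net}")

    def translate(self, port: int) -> Optional[Tuple[str, int]]:
        """Where does an unsolicited packet to this hop's outside address:port go?"""
        if port in self.forwards:
            return self.forwards[port]
        if self.dmz:
            return (self.dmz, port)  # DMZ: forward everything, port unchanged
        return None                  # default deny


def trace_inbound(hops: List[NatHop], port: int) -> tuple:
    """Follow an unsolicited inbound connection to the public address on `port`.

    Returns ("delivered", ip, port), ("dropped", hop_name), or
    ("misrouted", hop_name, ip) when a hop forwards to an address the next hop
    does not sit on (e.g. pfsense WAN configured in the wrong subnet).
    """
    target = None
    for i, hop in enumerate(hops):
        nxt = hop.translate(port)
        if nxt is None:
            return ("dropped", hop.name)
        target, port = nxt
        if i + 1 < len(hops):
            outside = ipaddress.ip_network(hops[i + 1].wan_net)
            if ipaddress.ip_address(target) not in outside:
                return ("misrouted", hop.name, target)
    return ("delivered", target, port)


def planned_chain(isp_portal_forwards: Dict[int, Tuple[str, int]]) -> List[NatHop]:
    """The thread's planned topology with constructed addresses:
    public 223.205.0.1 -> carrier CGNAT -> ISP router (WAN 100.72.0.9, LAN 192.168.1.1,
    DMZ host 192.168.1.2) -> pfsense (WAN 192.168.1.2, LAN 10.0.0.1) -> NAS 10.0.0.20.
    isp_portal_forwards is what the ISP's portal forwards to your CGNAT address."""
    carrier = NatHop("carrier-cgnat", "223.205.0.0/16", "100.64.0.0/10",
                     forwards=isp_portal_forwards)
    isp_router = NatHop("isp-router", "100.64.0.0/10", "192.168.1.0/24",
                        dmz="192.168.1.2")                     # everything to pfsense WAN
    pfsense = NatHop("pfsense", "192.168.1.0/24", "10.0.0.0/24",
                     forwards={34100: ("10.0.0.20", 5001)})    # only the NAS port
    return [carrier, isp_router, pfsense]


if __name__ == "__main__":
    portal = {34100: ("100.72.0.9", 34100), 22: ("100.72.0.9", 22)}
    chain = planned_chain(portal)
    print(trace_inbound(chain, 34100))              # delivered to the NAS
    print(trace_inbound(chain, 22))                 # ISP DMZ passes it, pfsense drops it
    print(trace_inbound(planned_chain({}), 34100))  # nothing forwarded at the carrier
```

The port 22 case is the point of the "DMZ" advice: the ISP router hands every port to pfsense, and pfsense, not the ISP box, decides what reaches the LAN.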
-
-
Update:
Pfsense ordered coming in the next week or so.
I went again to my provider and asked about the DDNS, and they made me a better offer.
I now (in the next couple of days) have 1 (Public) IP Address and thus get rid of CG-NAT. And because of a promotion they are having I am getting an increase in speed from 100/100 -> 300/300, 1 Static Ip address all for the same monthly fee as before.
-
Yep, you can often get a better deal if you call your provider occasionally and see what they have to offer. I have done that several times with both my cable services and cell phone.
-
Thx yes indeed, but we only live less than 1 year at this address, and normally they don't change promotions here until that year has passed. But now the contract for the "new" one is 2 years.
OK now for something completely different
I am thinking of setting the Netgate 1100 (which I ordered) like this.
ISP Modem network: 192.168.1.1
ISP Modem DMZ: 192.168.1.2
Pfsense wan: 192.168.1.2
Pfsense lan: 10.0.0.1
Would this work in my case?
TiA
-
Makes no difference what rfc1918 space you use.. As long as your wan and lan do not overlap.
I sure hope you don't plan on using 10.0.0.0/8 as your mask for your lan ;) I would assume /24 is more than enough for your devices.
Also just clarification on terminology.. The isp "network" would not be 192.168.1.1, that is a host address. 192.168.1.0/mask would be a network.
With your new deal with your isp - is there a way to get rid of the double nat, and just put your isp device in bridge mode, so you get your shiny new public IP directly on pfsense wan?
-
@johnpoz said in Some questions please:
Thanks for the clarification. Yes, I will use 10.0.0.0/24 for my LAN.
With your new deal with your isp - is there a way to get rid of the double nat, and just put your isp device in bridge mode, so you get your shiny new public IP directly on pfsense wan?
Unfortunately NO, I asked but it was a BIG NO-NO (why, no idea they wouldn't give me an explanation), but I will try and ask again in a couple of weeks, also will "pester" their Phone Support