Netgate Discussion Forum
    Pfsense setup question CGNAT

    General pfSense Questions
    25 Posts 6 Posters 4.2k Views
    • Crossy2

      Hi,

      NooB here.

      I have a short question on the best way to set up a pfSense SG-1100 with CGNAT.

      My ISP gives me a CGNAT IP address in the 100.72 range and its router is set to hand out IP addresses in the 192.168.1.0/24 range.

      What is the best way to set up the pfSense?

      I am not looking for port forwarding etc., just trying to make my network a lot more secure.

      I was thinking of using the IP range 10.15.15.0/24 for my LAN.

      TiA

      • Bob.Dig @Crossy2

        @Crossy2 said in Pfsense setup question CGNAT:

        just trying to make my network a lot more secure.

        How?

        It should work with no problem in a double-NAT scenario, pfSense behind your ISP router. Might be even triple-NAT with CGNAT.

        • Crossy2 @Bob.Dig

          @Bob-Dig said in Pfsense setup question CGNAT:

          @Crossy2 said in Pfsense setup question CGNAT:

          just trying to make my network a lot more secure.

          How?

          What do you mean by that?

          Edit: I want pfSense to handle the security of my LAN instead of the router provided by the ISP.

          • viragomann @Crossy2

            @Crossy2
            Simply set the WAN as IPv4 DHCP client.
            On the LAN you can use any private IP range you want.

            By default pfSense doesn't allow any incoming traffic on WAN, but allows any outbound on LAN. You can limit the LAN traffic to certain ports or destination IPs if you want.
            Good advice is to install the pfBlockerNG package and let it block access to some bad sites.

            • Crossy2 @viragomann

              @viragomann

              Thx.

              Wouldn’t it be better to disable DHCP on the ISP router and only have DHCP running on pfSense?

              So I would give pfSense a static IP on the WAN. Or?

              • viragomann @Crossy2

                @Crossy2
                You can do this though. However, the ISP router can only provide DNS to devices which are connected to it. So if I understand it correctly, this is only pfSense WAN.
                And since you only need the WAN for upstream traffic, it also works well with a dynamic IP.

                For the LAN you have to enable the DHCP server on pfSense.

                • SteveITS @Crossy2

                  @Crossy2 said in Pfsense setup question CGNAT:

                  Wouldn’t it be better to disable DHCP on the ISP router and only have DHCP running on pfSense?

                  So I would give pfSense a static IP on the WAN. Or?

                  Doesn’t really matter if you’re not port forwarding.

                  Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                  When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                  Upvote 👍 helpful posts!

                  • Crossy2

                    Thx guys.

                    But I always heard that having two DHCP servers running is a bad thing.

                    I would use Google DNS or Cloudflare instead of the ISP one.

                    No, port forwarding is not in the planning, as the ISP doesn’t give out public IPs anymore and even bridge mode is not easy with them. We are more than happy to have fiber from them where we live, as the alternative is 4G/5G.

                    I just want my network a bit more secure, especially since in the coming months we will get solar and the inverters connect to the WWW for updates etc., and I want them separated (isolated) from our devices (VLANs??).

                    • viragomann @Crossy2

                      @Crossy2 said in Pfsense setup question CGNAT:

                      But I always heard having 2 DHCP servers running is a bad thing.

                      This concerns multiple DHCP servers on the same L2 network, but your WAN and LAN are two separate L2 networks.

                      • Crossy2 @viragomann

                        @viragomann

                        Aha that explains it. Thx 👍

                        • NollipfSense @Crossy2

                          @Crossy2 said in Pfsense setup question CGNAT:

                          I would use the Google DNS or Cloudflare instead of the ISP one

                          I have this setup currently except I use pfSense itself for DNS. BTW, can confirm that triple NAT works too.

                          pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
                          pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

                          • Dobby_ @Crossy2

                            @Crossy2 said in Pfsense setup question CGNAT:

                            But I always heard having 2 DHCP servers running is a bad thing.

                            If you have a NAS or other devices behind the ISP router and you want to reach them from devices behind the pfSense firewall (LAN), then it is perhaps causing errors.

                            #~. @Dobby

                            Turris Omnia - 4 Ports - 2 GB RAM / TurrisOS 7 Release (Btrfs)
                            PC Engines APU4D4 - 4 Ports - 4 GB RAM / pfSense CE 2.7.2 Release (ZFS)
                            PC Engines APU6B4 - 4 Ports - 4 GB RAM / pfSense+ (Plus) 24.03_1 Release (ZFS)

                            • Crossy2 @Dobby_

                              @Dobby_

                              Do you mean the NAS being in the DMZ?

                              My ultimate goal, but (I think) it’s not doable because I’m behind CGNAT, would be to use WireGuard to access my NAS, which is inside my LAN.
                              (That is something for the future.)

                              • Dobby_ @Crossy2

                                @Crossy2 said in Pfsense setup question CGNAT:

                                Do you mean the NAS being in the DMZ?

                                DMZ types

                                • "pseudo" DMZ
                                  Exposed host, not real and only in some cases
                                • Real DMZ (clean DMZ)
                                  Bastion host, dual-homed router or firewall combination: Internet > Router > DMZ > Firewall
                                • Non-real DMZ (dirty DMZ)
                                  DMZ port at the router or firewall

                                DMZ port types (routers or firewalls)

                                • A real dedicated DMZ port
                                  A single port with its own switch chip; no other data will be running over it, it is made for that port only and usable only there
                                • A non-real dedicated DMZ port
                                  Many ports will be connected to one and the same switch chip and all their data runs together over that switch chip, but the port can be configured as a DMZ port
                                • A DMZ port
                                  One LAN port will be used as a DMZ port, only with another IP range, and ports will be opened to the internet and back into that pseudo DMZ

                                My ultimate goal, but (I think) it’s not doable because I’m behind CGNAT, would be to use WireGuard to access my NAS, which is inside my LAN.

                                You will need a so-called jump host placed elsewhere on the internet, perhaps at a hoster. You will be able to reach that host from everywhere and it is connected to your home network, so CGNAT is not the problem anymore.

                                In the DMZ you will be able to reach your NAS from the outside (over the internet) and from the inside of your LAN. If you are on VPN at home, the NAS will be "safe", and normally all such devices will be placed inside a DMZ; so if you are now opening ports at the second router or firewall, you will be opening your LAN too, but this should be secured by the second router or firewall!

                                For sure everybody can do what he wants or is able to realize, but the more and more often you set up special workarounds, the more likely you will end up one day with more problems than you will own.


                                • Crossy2 @Dobby_

                                  @Dobby_

                                  Thx, food for thought.

                                  This is something for the distant future, let me first try to make my home network a bit more secure.

                                  This whole coming exercise is also because we are getting solar in the next weeks and the inverters do need to be connected to the WWW (via WiFi). And I don’t want them to snoop around in my LAN (read: PC, NAS etc.), but I would still like to be able to manage them.

                                  So:
                                  Inverter -> WWW OK
                                  Inverter -> LAN not OK
                                  Main PC -> Inverter OK

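The three flows listed in that post map directly onto pfSense interface rules, which are evaluated top to bottom with the first match winning. The Python model below is an added example, not code from the thread or from pfSense: it assumes a LAN of 10.15.15.0/24 (the range the OP proposed), a constructed inverter VLAN 10.15.20.0/24, and shows why the block rule for private destinations has to sit above the allow-any rule on the inverter VLAN.

```python
"""Model of pfSense per-interface firewall rules (evaluated top to bottom,
first match wins) for the inverter isolation described in the thread.
Addresses are constructed for the example: 10.15.15.0/24 is the LAN range
the OP proposed; the inverter VLAN 10.15.20.0/24 is an assumption."""
import ipaddress
from dataclasses import dataclass, field

LAN_NET = ipaddress.ip_network("10.15.15.0/24")
IOT_NET = ipaddress.ip_network("10.15.20.0/24")          # assumed inverter VLAN
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Rule:
    action: str                                 # "pass" or "block"
    src: list                                   # source networks
    dst: list = field(default_factory=list)     # destination networks; empty = any
    descr: str = ""


def _matches(nets, ip):
    return not nets or any(ip in n for n in nets)


def evaluate(rules, src_ip, dst_ip):
    """Action of the first matching rule; no match means pfSense's implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if _matches(r.src, src) and _matches(r.dst, dst):
            return r.action
    return "block"


# Rules on the inverter VLAN interface (traffic the inverters send into pfSense).
IOT_RULES_GOOD = [
    Rule("block", [IOT_NET], RFC1918, "inverters may not reach any private network"),
    Rule("pass", [IOT_NET], [], "inverters may reach the Internet"),
]
# Common mistake: the allow-any rule placed first, so the block rule never matches.
IOT_RULES_BAD = list(reversed(IOT_RULES_GOOD))

# Rules on the LAN interface: pfSense's default allow-any from LAN.
LAN_RULES = [Rule("pass", [LAN_NET], [], "default LAN allow")]


def check_policy(iot_rules):
    """The three flows the OP listed. Replies to PC->inverter traffic are
    matched by pfSense's state table, so the VLAN needs no rule for them."""
    return {
        "inverter->WWW": evaluate(iot_rules, "10.15.20.10", "203.0.113.5") == "pass",
        "inverter->LAN": evaluate(iot_rules, "10.15.20.10", "10.15.15.50") == "block",
        "PC->inverter": evaluate(LAN_RULES, "10.15.15.50", "10.15.20.10") == "pass",
    }


if __name__ == "__main__":
    print("correct order:", check_policy(IOT_RULES_GOOD))
    print("allow-any first:", check_policy(IOT_RULES_BAD))
```

The block rule also covers pfSense's own address on the inverter VLAN, so if the inverters are meant to use pfSense for DNS or NTP, a narrower pass rule for just those ports to that address has to sit above it.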
                                  • Dobby_ @Crossy2

                                    @Crossy2 said in Pfsense setup question CGNAT:

                                    This is something for the distant future, let me first try to make my home network a bit more secure.

                                    OK, forget that the CGNAT exists! It is only good for you to know if you want to VPN in over the internet!

                                    This whole coming exercise is also because we are getting solar in the next weeks and the inverters do need to be connected to the WWW (via WiFi).

                                    For sure that is OK.

                                    And I don’t want them to snoop around in my LAN (read: PC, NAS etc.), but I would still like to be able to manage them.

                                    OK, and you must use the router from your ISP? Or can you also put a modem in front of your pfSense? That would make things easier for you.

                                    So:
                                    Inverter -> WWW OK

                                    Set the inverter inside the DMZ (between the ISP router and the pfSense). Now it could have a connection to the internet with ease, and you could connect to it over VPN.

                                    The pfSense is then securing your entire LAN, because it is behind the ISP router!

                                    Inverter -> LAN not OK

                                    If you now open ports at the pfSense WAN, it is not as secure as you may want it!

                                    Main PC -> Inverter OK

                                    If the inverter is in the DMZ between both routers you can connect from the PC in the LAN to it (routes), and from the outside (internet) you could connect to that inverter too, as I see it.


                                    • Crossy2 @Dobby_

                                      @Dobby_ said in Pfsense setup question CGNAT:

                                      If the inverter is in the DMZ between both routers you can connect from the PC in the LAN to it (routes), and from the outside (internet) you could connect to that inverter too, as I see it.

                                      I could connect a WAP to the ISP router and have the inverters connect to that, because they only connect via WiFi. That would be an easy solution and I have a spare router available.

                                      The inverters can then go out separately from my network, but I am not able to reach them remotely (on the road); that is for now a total NON-issue. Brilliant idea! Thx

                                      So for my understanding: plug the WAP into a LAN port on the ISP router so it gets an IP from the ISP router, and then it's in the DMZ? Correct?

                                      Do you have a link for me to read up on creating those routes from pfSense to the WAP in the DMZ?

                                      Re: ISP router

                                      The router from the ISP I must use. It's fiber and they don't want to
                                      A) set the router in bridge mode, or
                                      B) give me the PPPoE username and password.
                                      It's one of those ZTE routers.

                                      • SteveITS @Crossy2

                                        @Crossy2 To connect from your LAN through a router in the pfSense WAN to your inverter you don’t need anything on pfSense. Just a port forward on that other router. IPv4 only if possible in case your ISP adds IPv6 someday, so the Internet can’t connect to it; or else limit the port forward to your pfSense WAN IP.


                                        • Crossy2 @SteveITS

                                          @SteveITS

                                          So for my understanding: to access the WAP (wireless access point), which is connected to a port on my ISP router, from the LAN side, I don’t need to do anything, but I still need to open a port?

                                          Which ports do I HAVE to open? 80? To reach the management interface for example.

                                          • SteveITS @Crossy2

                                            @Crossy2 if your pfSense WAN and AP are both connected to the ISP LAN then your pfSense LAN can talk to it and other devices “out there” because pfSense will NAT the request to that network. I thought you were using a router, perhaps that was a different thread.


                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.