combine fios g1100 with separate netgate 2100

leakin · Jun 28, 2023, 10:50 PM

I'm new to pfsense and routers; I live in the apartment above our business with an existing Fios g1100 network. There's only 1 public ip provided.
I'd like to use the Fios connection to create a separate network using my netgate 2100 appliance for a home network.
I want to disturb the fios setup as little as possible so as not to impact the business. Seems possible from internet searching, but I'm not having success.

Any help much appreciated...

SteveITS · Jun 29, 2023, 1:40 AM

@leakin Do you need inbound connections?

The correct way would be to have a router handle the public IP (is this yours or the ISP?), and NAT to its LAN side. Then have a router for the business and a third for home. Then they would be separated but be able to connect out to the Internet.

leakin · Jun 29, 2023, 1:40 AM

@SteveITS
Thanks for the reply, but I'm too new to this to digest what you mean...

I don't think I need inbound connections if you mean access the home network FROM the internet, just trying to browse from inside.. baby steps
the public ip is from Verizon, the g1100 is already routing on the business side, and is working (192.168.1.1).
I'm trying to use the 2100 to create a home network (172.16.1.1) without interfering with the work side...
I'll try learning about NAT, but I'm pretty much a network dummy now.

thanks again

SteveITS · Jun 29, 2023, 1:57 AM

@leakin You can use the 2100 for your home, and isolate your home from the work network. However that doesn't really isolate your work network from home. A PC in the home network can connect to a PC in the work network, because the 2100 router will route a request from 172.16.1.1 to 192.168.1.1 because it knows how to get to 192.168.1.1.

I mentioned 3 routers but you can actually do this with only the 2100. (brain fade, sorry) Use this to isolate one of the ports so you have two internal interfaces, LAN-WORK and LAN-HOME:
https://docs.netgate.com/pfsense/en/latest/solutions/netgate-2100/configuring-the-switch-ports.html
The 2100 WAN connects to your Internet.

edit:
2100 WAN: public IP
2100 LAN-WORK: 192.168.1.1
2100 LAN-HOME: 172.16.1.1

Firewall rules on LAN-HOME:
block LAN-HOME Net to LAN-WORK Net
allow LAN-HOME to any

(repeat for LAN-WORK)

leakin · Jun 29, 2023, 2:12 AM

thanks for this; you've given me something to chew on...

before I start hacking, just to clarify, home accessing work is ok, just rather not the opposite.
and I've got a g100 lan port feeding the 2100 wan port; the 2100 wan interface is defined as static using the public ip address from work. does that sound right?

many thanks!

SteveITS · Jun 29, 2023, 2:53 AM

@leakin OK, I was imagining an infected home PC getting to the work network. If it's not a concern then you just need to use the 2100 in your home.

You can't use the public IP from work on the 2100 if it's already in use on the g1100. Just set the 2100 WAN to DHCP (the default) and make sure the 2100's LAN network is a different IP address range than work, which it sounds like it is already from your examples. So it should all just work if you plug it in.

leakin · Jun 29, 2023, 4:12 AM

@SteveITS
well I can't thank you enough, I've been making no progress for days, and now I've got a basic configuration running.
baby took his first step!

big round of applause...

SteveITS · Jun 29, 2023, 5:07 PM

@leakin