DSL modem -> pfsense, use PPPoE-bridge, NAT or DMZ?



  • Hello all,

    I have an older Actiontec DSL modem (GT701), (single RJ45, no wireless, no switch) that I had been using for some time with just the default NAT enabled, DHCP offering IP, and a switch connected to the single RJ45 for multi-machine access.

    Now I have a pfsense firewall that handles DHCP for the LAN; the WAN is the only connection to the single RJ45 on the modem.

    Still running with the default rules until I get a few questions sorted out.

    1. What are the advantages to running PPPoE-bridge vs a DMZ where the only IP 'left bare' to the world is your properly-configured WAN port on the pfsense firewall?  Any kind of security consideration for my actual DSL modem?

    I can see where those that have no option to bridge their modem could utilize DMZ, wasn't sure if there was a preferred option, if you have more than one to choose from.  :)

    I understand that pfsense can usually handle the authentication for PPPoE, but wouldn't this disable access to my DSL modem console?  That is actually my second question (I'm searching links on this forum relating to this right now):

    2. If I switch to PPPoE-bridge and let the pfsense box handle the authentication (I have the login/passwd from the telco), what is the best way to gain access to the modem's configuration later on?

    I'm certain there is at least one (prolly several) threads already created on this subject, apologies for not finding them yet.  :D



  • @renstyle:

    1. What are the advantages to running PPPoE-bridge vs a DMZ where the only IP 'left bare' to the world is your properly-configured WAN port on the pfsense firewall?  Any kind of security consideration for my actual DSL modem?

    If I understand you correctly, with the term "DMZ" you're referring to the "exposed host" functionality implemented in most home routers, that simply does 1:1 NAT of all traffic to a single internal host.

    In that case you'd be doing double NAT. Some potential disadvantages would be that you'd be limited by the home router's capabilities (e.g. state table size, inability to tune session timeouts etc) and also you might experience issues with certain protocols/apps.

    In short, it's best to use the DSL modem in bridge mode.



  • Thanks for the quick reply.   ;)

    This modem gives you the concurrent ability to turn NAT on/off, independent of the DMZ options.  I did wonder how the DMZ would get its data tho, and your explanation on that front makes sense (that it just does double-NAT)…

    Just now found these links:

    http://wiki.m0n0.ch/wikka.php?wakka=AccessingModemOutsideFirewall
    http://forum.pfsense.org/index.php/topic,5727.0.html

    Showing that it can be a real hassle to get access to a bridged modem while still maintaining connection to the 'net.

    I can see in the majority of cases that an IP can still be set on the modem (one outside of your WAN or LAN subnets), then you can bridge it and authenticate with pfsense.

    Then if you really needed to get at the config on the modem, at the very least you could take a workstation with a static IP in the same subnet as the modem IP and connect directly (thus disconnecting the rest of the network); that would let you get at your modem settings in a pinch?

    Not very elegant I realize, but after bridging I won't really need to check the status of the modem itself very often.  Did my logic make sense?

    For some reason I thought that bridging the modem precluded webconfig access, until it was master reset.  Thought of it as a universal convention, rather than something dependent on the type of hardware you are using...

