Router recommendations requested



  • I need to retire my modem/router combo gateway and am wondering if I should go ahead and buy a new router/modem or if I can use my pfSense firewall to do the job.

    My current home Ethernet network consists of the gateway - pfSense box - Netgear GS105E managed switch - 2 FreeBSD boxes. The gateway is performing DHCP. My pfSense box is a Dell PC with a 2.66GHz P4 and 2GB RAM.

    The gateways my ISP supports, the Netgear 7550 and Pace 4111N, aren't very well thought of by the people who use them and they don't seem to last long either. My pfSense box has 2 NICs but neither of them has a modem input. I do have a wireless card installed on it but am not using it, so I do have a slot available.

    I'm leaning toward eliminating the gateway from the equation and using the pfSense box to face the net if it's not too difficult to accomplish, but am not sure just what I'll need to do it. If it's going to be a pain I can afford to buy another gateway to replace the old one, but any hardware I buy will have to come from Staples, Best Buy, etc. as I don't do online shopping. If I do have to go that route I don't want to buy junk that's going to be nothing but trouble, but don't need anything extravagant either.

    I'm really not sure what would be the best path forward and would appreciate some input from people more experienced in this area than I am.

    TIA



  • There doesn't seem to be much support in FreeBSD/pfSense for cable modem cards or ADSL cards, and such cards, when they can be found, are pretty expensive. Therefore I think the best option is to use an appropriate modem (not a modem/router combination) as first preference, then use a modem/router in "Bridge" mode (non-routing) as second preference.

    pfSense systems can generally hold much more RAM than commodity modem/routers, so they can hold many more firewall state entries and consequently support many more concurrent "connections" than devices with a small fixed RAM size.



  • Thanks for answering, wallabybob. I can pick up a Netgear modem for approximately $50US and will probably go with that.



  • @wallabybob:

    Therefore I think the best option is to use an appropriate modem (not a modem/router combination) as first preference, then use a modem/router in "Bridge" mode (non-routing) as second preference.

    What are the benefits of running the modem/router in bridge mode?

    I've always run my router with the 172.16.0.1 range, with it performing DHCP, and the pfSense box using the 192.168.1.1 range. That's just the way it ended up when I first installed pfSense and everything has been working fine up to this point, so I never saw the benefit in bridging the router. Is that what they refer to as Double NAT?

    I still haven't found a modem/router I like to replace my old one. The Netgear DM111P I was looking at reportedly runs hot and has a short lifespan. An Actiontec modem I was researching advised not to run over 45 states at once, and I had 88 states showing in pftop while I was reading about it. ::)



  • @mr_bobo:

    What are the benefits of running the modem/router in bridge mode?

    The benefits are that this allows the modem to pass through all traffic to be handled by pfSense; pfSense will also be handling the public IP assigned by your provider. If possible, run the modem in bridge mode, as pfSense is far superior at handling services to what is offered on the modem/router combo.

    I've always run my router with the 172.16.0.1 range, with it performing DHCP, and the pfSense box using the 192.168.1.1 range. That's just the way it ended up when I first installed pfSense and everything has been working fine up to this point, so I never saw the benefit in bridging the router. Is that what they refer to as Double NAT?

    Yes, more info here http://www.practicallynetworked.com/networking/fixing_double_nat.htm

    I still haven't found a modem/router I like to replace my old one. The Netgear DM111P I was looking at reportedly runs hot and has a short lifespan. An Actiontec modem I was researching advised not to run over 45 states at once, and I had 88 states showing in pftop while I was reading about it. ::)

    I bought a pair of used Vodafone branded DM111Ps about 2 years ago for about £5 each on ebay and flashed them with Netgear's own firmware. They have been fine holding up a small but complex dual WAN network. They do get a bit warm, but placed somewhere nice and cool they perform very well and I can max them out to what my line allows (13Mb~); I think they are capable of 24Mb.

    There are a few 3rd party firmwares available for some Netgears if you want to go down that route, and you can pick up a used one off ebay.



  • @mr_bobo:

    An Actiontec modem I was researching advised not to run over 45 states at once and I had 88 states showing in pftop while I was reading about it.

    Unless "states" in "45 states" means something very different than "states" in "88 states" this "modem" was doing a lot more than being a "modem". (The "45 states" suggests it was also acting as firewall/NAT router.)



  • @wallabybob:

    @mr_bobo:

    An Actiontec modem I was researching advised not to run over 45 states at once and I had 88 states showing in pftop while I was reading about it.

    Unless "states" in "45 states" means something very different than "states" in "88 states" this "modem" was doing a lot more than being a "modem". (The "45 states" suggests it was also acting as firewall/NAT router.)

    I was wrong about the terminology used in the Actiontec manual pdf. It states "The modem is capable of 254 connections, but it is recommended to have no more than 45. As you increase the number of connections, you decrease the available speed for each computer."

    Thanks for the other info, I may go ahead and buy a DM111P. I don't need to access my computers remotely so my current double NAT setup hasn't been a problem of any sort, in fact I prefer them not being available in that manner, but I'll try bridging the router and see how it goes.


  • Netgate Administrator

    @mr_bobo:

    What are the benefits of running the modem/router in bridge mode?

    @mr_bobo:

    "The modem is capable of 254 connections, but it is recommended to have no more than 45. As you increase the number of connections, you decrease the available speed for each computer."

    This pretty much answers your question!
    45 states is nothing if you have several computers behind it. Putting the modem into bridge mode negates this restriction because the modem device does not have to do NAT.
    pfSense is in a different league in terms of firewall states because, as previously stated, it can have far more RAM. My home box, which has 512MB, is currently showing 114/48000 states.

    Steve



  • @stephenw10:

    @mr_bobo:

    What are the benefits of running the modem/router in bridge mode?

    @mr_bobo:

    "The modem is capable of 254 connections, but it is recommended to have no more than 45. As you increase the number of connections, you decrease the available speed for each computer."

    This pretty much answers your question!
    45 states is nothing if you have several computers behind it. Putting the modem into bridge mode negates this restriction because the modem device does not have to do NAT.
    pfSense is in a different league in terms of firewall states because, as previously stated, it can have far more RAM. My home box, which has 512MB, is currently showing 114/48000 states.

    Steve

    My pfSense box has a 2.66GHz P4 and 2GB RAM, and I have great faith in the OpenBSD pf firewall, so there's no doubt in my mind it's more capable of handling networking and firewall duties than a commercial router. It's just that I haven't had any kind of a problem with the router dropping connections or delivering the speeds I get with my DSL package with my current double NAT setup, and my pfSense box has worked flawlessly since I fired it up, so I haven't seen the point in changing anything before now. I've never run this one in bridged mode, so I was just curious whether or not it was worth doing so.

    The problem is that I'm using the 2Wire gateway I bought when I first got DSL over 10 years ago. The recent pfSense exploit prompted me to check into my router security, and sure enough, it's vulnerable to a directory traversal exploit. The exploit is several years old, so there's no point in freaking out about it at this juncture, but I need to find a modem that seems like a suitable replacement and don't want to make the wrong decision.

    The modems/gateways AT&T supports all seem like more trouble than they're worth, not to mention that they backdoor all their branded equipment so they can remotely administer it, and that they neglected to advise their customers the router they sold them had a vulnerability or to push a firmware update to fix it, so I don't want to get into that situation again.

    I do appreciate the advice you guys have provided. :)


  • Netgate Administrator

    Actually I have totally misread the quote from the modem documentation. :-[
    What they are actually saying is that it supports up to 254 clients behind it but they recommend no more than 45. This is also a restriction that pfSense does not have; you can have a very large subnet on your LAN with a huge number of clients. It's unlikely you'd ever want that on a home setup though.
    The state table size comments I made still hold true though.

    Steve



  • @stephenw10:

    Actually I have totally misread the quote from the modem documentation. :-[
    What they are actually saying is that it supports up to 254 clients behind it but they recommend no more than 45. This is also a restriction that pfSense does not have; you can have a very large subnet on your LAN with a huge number of clients. It's unlikely you'd ever want that on a home setup though.
    The state table size comments I made still hold true though.

    Steve

    Don't feel bad, I misread it the first time too.

    I went ahead and got a Netgear N300 modem/router from Walmart. It wasn't really what I wanted, but I had to make a decision and it seemed like a better quality piece of equipment than the DM111P, and I had to take what I could get locally since I don't use credit cards. I have it set up now and it's running cool.

    Edit: I set it up in double NAT mode like I've been running it the past several months. I don't play online games or need remote access to my machines and prefer running it like this.



  • I went ahead and put the Netgear in bridged mode and am going to run it like this. I don't think it handles traffic as well as my 2wire did in a double NAT configuration.

    My Up/Down speeds are virtually the same but pages and even small images seemed to take forevah to load with the Netgear before I bridged it. Much longer than they did with the 2wire or with it bridged.

    The N300 doesn't perform SPI either so at least I can rest easy knowing pfSense is handling the firewall duties.


  • Netgate Administrator

    @mr_bobo:

    The N300 doesn't perform SPI

    Just for information… ;)
    I would be very surprised if that was true. The Netgear is probably running an embedded Linux of some description and using iptables. That is a stateful firewall. Though you haven't said exactly which model, so I suppose it might be possible.

    Anyway it's not relevant if you're running it bridged.

    Steve



  • @stephenw10:

    @mr_bobo:

    The N300 doesn't perform SPI

    Just for information… ;)
    I would be very surprised if that was true. The Netgear is probably running an embedded Linux of some description and using iptables. That is a stateful firewall. Though you haven't said exactly which model, so I suppose it might be possible.

    It's the DGN2200v3 N300 Modem Router, and it states it has IDS and DoS protection. The N600 Modem Router specifies it does SPI and DoS protection. I believe it is running a Linux distro, but with the exception of when I ran the ShieldsUP scan against it at grc.com, which it classified as a null scan, everything else it logged for the 4 days I ran it before bridging was classified as a DoS attack: ACK Scan.

    [DoS attack: ACK Scan] from source: 66.219.34.171:80, Wednesday, January 16,2013 10:42:06
    [DoS attack: ACK Scan] from source: 42.121.96.154:1025, Wednesday, January 16,2013 10:21:57
    [DoS attack: ACK Scan] from source: 67.213.209.173:6000, Wednesday, January 16,2013 09:48:56
    [DoS attack: ACK Scan] from source: 42.121.96.154:80, Wednesday, January 16,2013 09:37:03
    [DoS attack: ACK Scan] from source: 42.121.96.154:80, Wednesday, January 16,2013 09:26:21
    [DoS attack: ACK Scan] from source: 42.121.96.154:1025, Wednesday, January 16,2013 09:17:18
    [DoS attack: ACK Scan] from source: 42.121.96.154:80, Wednesday, January 16,2013 09:15:49
    [DoS attack: ACK Scan] from source: 42.121.96.154:80, Wednesday, January 16,2013 09:13:56
    [DoS attack: ACK Scan] from source: 42.121.96.154:1025, Wednesday, January 16,2013 08:50:48
    [DoS attack: ACK Scan] from source: 42.121.96.154:1025, Wednesday, January 16,2013 08:47:46
    [DoS attack: ACK Scan] from source: 42.121.96.154:1025, Wednesday, January 16,2013 07:37:28
    [DoS attack: ACK Scan] from source: 91.212.124.132:29000, Wednesday, January 16,2013 06:56:47
    [DoS attack: ACK Scan] from source: 63.247.91.154:22, Tuesday, January 15,2013 13:52:18

    I have serious doubts it was logging everything it blocked, due to the large number of varied log entries I had with pfSense within an hour of setting it to do the firewall duties. It may well be doing SPI, and I run the pf firewall on my computers so I wasn't worried, but it didn't instill any confidence in me for it as far as it being a firewall beyond doing NAT.
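Before treating a consumer router's "DoS attack" log as evidence of anything, it helps to parse it and look at who is actually in it. The script below is an added example, not code from this thread or from Netgear: it parses the DGN2200v3 log lines quoted in the post above, orders them by time, and summarizes them per source address (hit count, source ports seen, time span). Run against the posted lines it shows that 9 of the 13 entries come from a single host, alternating between source ports 80 and 1025 over about 2h45m, while the other four sources appear once each. A source port of 80 on an inbound ACK is consistent with a late segment from a web server after the router's own state for that connection had expired, which is one reason such entries need checking against the LAN's own traffic before being read as an attack. The regular expression and timestamp format are inferred from the quoted lines only; other Netgear firmware versions may log differently.

```python
import re
from datetime import datetime

# Log lines copied from the post above (Netgear DGN2200v3 firewall log, newest first).
NETGEAR_LOG = """\
[DoS attack: ACK Scan] from source: 66.219.34.171:80, Wednesday, January 16,2013 10:42:06
[DoS attack: ACK Scan] from source: 42.121.96.154:1025, Wednesday, January 16,2013 10:21:57
[DoS attack: ACK Scan] from source: 67.213.209.173:6000, Wednesday, January 16,2013 09:48:56
[DoS attack: ACK Scan] from source: 42.121.96.154:80, Wednesday, January 16,2013 09:37:03
[DoS attack: ACK Scan] from source: 42.121.96.154:80, Wednesday, January 16,2013 09:26:21
[DoS attack: ACK Scan] from source: 42.121.96.154:1025, Wednesday, January 16,2013 09:17:18
[DoS attack: ACK Scan] from source: 42.121.96.154:80, Wednesday, January 16,2013 09:15:49
[DoS attack: ACK Scan] from source: 42.121.96.154:80, Wednesday, January 16,2013 09:13:56
[DoS attack: ACK Scan] from source: 42.121.96.154:1025, Wednesday, January 16,2013 08:50:48
[DoS attack: ACK Scan] from source: 42.121.96.154:1025, Wednesday, January 16,2013 08:47:46
[DoS attack: ACK Scan] from source: 42.121.96.154:1025, Wednesday, January 16,2013 07:37:28
[DoS attack: ACK Scan] from source: 91.212.124.132:29000, Wednesday, January 16,2013 06:56:47
[DoS attack: ACK Scan] from source: 63.247.91.154:22, Tuesday, January 15,2013 13:52:18
"""

# Line shape inferred from the quoted lines (assumption, not a documented Netgear format):
#   [event] from source: IP:PORT, Weekday, Month DD,YYYY HH:MM:SS
LINE_RE = re.compile(
    r"^\[(?P<event>[^\]]+)\] from source: "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5}), "
    r"(?P<ts>[A-Za-z]+, [A-Za-z]+ \d{1,2},\d{4} \d{2}:\d{2}:\d{2})$"
)
TS_FORMAT = "%A, %B %d,%Y %H:%M:%S"  # note: no space after the comma before the year


def parse_line(line):
    """Parse one log line into a dict; return None for lines not in the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "event": m.group("event"),
        "ip": m.group("ip"),
        "port": int(m.group("port")),
        "ts": datetime.strptime(m.group("ts"), TS_FORMAT),
    }


def parse_log(text):
    """Parse every recognisable line and return the entries oldest first."""
    entries = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    return sorted(entries, key=lambda e: e["ts"])


def summarize_by_source(entries):
    """Per source IP: number of entries, set of source ports, first and last timestamp."""
    per_ip = {}
    for e in entries:
        s = per_ip.setdefault(
            e["ip"], {"count": 0, "ports": set(), "first": e["ts"], "last": e["ts"]}
        )
        s["count"] += 1
        s["ports"].add(e["port"])
        s["first"] = min(s["first"], e["ts"])
        s["last"] = max(s["last"], e["ts"])
    return per_ip


def top_sources(entries, n=3):
    """Sources ranked by hit count (ties broken by IP string): (ip, count, span_seconds)."""
    summary = summarize_by_source(entries)
    ranked = sorted(summary.items(), key=lambda kv: (-kv[1]["count"], kv[0]))
    return [
        (ip, s["count"], int((s["last"] - s["first"]).total_seconds()))
        for ip, s in ranked[:n]
    ]


if __name__ == "__main__":
    entries = parse_log(NETGEAR_LOG)
    print(f"{len(entries)} entries, {entries[0]['ts']} .. {entries[-1]['ts']}")
    for ip, s in summarize_by_source(entries).items():
        ports = ",".join(str(p) for p in sorted(s["ports"]))
        print(f"{ip:>16}  hits={s['count']:2d}  src_ports={ports:<9} "
              f"first={s['first']:%m-%d %H:%M}  last={s['last']:%m-%d %H:%M}")
```

The per-source view is what a stateful firewall's own log (pfSense's, for instance) would let you correlate against: if the LAN side had open connections to the repeated source around those times, the entries are stray segments rather than a scan.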

