Netgate Discussion Forum

Home ISP Router - Best Practices

    jkellier
    last edited by Jan 29, 2014, 11:48 PM

    Hi,
    I'm looking at installing a pfSense box in the not too distant future and I’m getting confused about the security features of the ADSL modem getting in the way.

    The configuration I’m looking at is [ADSL Modem > PFSense Box > Switch > All Devices including a Wireless Access Point]

    I'm wondering does the standard ISP router configuration matter.

    Should I disable the firewall?

    Should I enable bridge mode (No idea what this is, heard it mentioned)?

    I don’t want to be in a position where I need to configure port forwarding on the ISP router and the pfSense box.

    The router I currently have is a Cisco EPC3925

    Any help or direction to relevant posts / blogs is much appreciated :)

      phil.davis
      last edited by Jan 30, 2014, 2:43 AM

      > Should I enable bridge mode (No idea what this is, heard it mentioned)?

      That makes the ISP device change from being a router into just a "modem" and passing the ISP-allocated IP address through to pfSense. Typically the ISP will have some method of PPPoE login, and so with the ISP device being a "modem" you configure your login details in pfSense.

      > Should I disable the firewall?

      Setting the ISP device to bridge mode effectively disables its firewall anyway.

      > I don’t want to be in a position where I need to configure port forwarding on the ISP router and the pfSense box.

      Yes, if you are offering services on pfSense (OpenVPN server…) or on a system behind pfSense, then having the ISP device in bridge mode means you don't have to mess with it to forward ports.

      The other option is that many cheap ISP devices have a "DMZ" setting (that is not actually DMZ) that forwards all incoming traffic to a fixed ISP-device-LAN-side private IP. You can send that to pfSense WAN - then all the nasty internet-sourced traffic comes straight through to pfSense, where you can filter and log whatever you like. This option does mean that both ISP device and pfSense are doing NAT - some higher-level protocols that don't play nicely with NAT anyway can be double-trouble with double-NAT.

      As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
      If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/
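Added example, not part of the posts above: a check that classifies the address pfSense received on WAN, to tell the bridge-mode case (ISP-allocated address passed through) from the "DMZ" case (a private address on the ISP device's LAN side, hence double NAT). The function name, result labels and the optional `isp_lan_cidr` argument are assumptions for illustration, and the carrier-grade NAT case goes beyond what the thread discusses.

```python
import ipaddress

# RFC 1918 private ranges: what an ISP device hands out on its LAN side.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# RFC 6598 shared address space, used by ISPs for carrier-grade NAT.
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def classify_wan(wan_ip, isp_lan_cidr=None):
    """Classify the IPv4 address on the pfSense WAN interface.

    isp_lan_cidr (hypothetical parameter): the ISP device's LAN subnet,
    if the operator knows it, to confirm pfSense sits directly behind it.
    """
    try:
        addr = ipaddress.ip_address(wan_ip)
    except ValueError:
        return "invalid"
    if addr.version != 4:
        return "not-ipv4"
    if addr.is_link_local or addr.is_loopback or addr.is_unspecified:
        return "no-usable-address"      # e.g. DHCP/PPPoE did not complete
    if isp_lan_cidr and addr in ipaddress.ip_network(isp_lan_cidr, strict=False):
        return "double-nat-behind-isp-device"
    if any(addr in net for net in RFC1918):
        return "double-nat-private"     # some upstream device is doing NAT
    if addr in CGNAT:
        return "carrier-grade-nat"      # NAT happens inside the ISP network
    return "public-address-on-wan"      # bridge mode: only pfSense does NAT


if __name__ == "__main__":
    # Constructed sample addresses (203.0.113.0/24 is a documentation range).
    samples = [("203.0.113.10", None), ("192.168.0.2", "192.168.0.0/24"),
               ("10.1.2.3", None), ("100.64.1.1", None), ("169.254.1.1", None)]
    for ip, lan in samples:
        print(f"{ip:15} -> {classify_wan(ip, lan)}")
```

Any result other than `public-address-on-wan` means inbound services need a forward (or the "DMZ" setting) on a device in front of pfSense as well as on pfSense itself.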

        pagaille
        last edited by Jan 30, 2014, 9:54 AM

        @jkellier:

        > I'm wondering does the standard ISP router configuration matter.

        I believe that all the settings on the ISP's router can be ignored once you log in to your ISP from the pfSense box using whatever method like PPPoE, which doesn't require any configuration.

        At least this is how it works on my side. I never even bother to enter my login and password into the box or configure anything. It acts as a simple modem passing packets from one port to another.

        Matthieu

          jkellier
          last edited by Jan 30, 2014, 6:57 PM

          @Phil.Davis & pagaille

          Thanks for answering my questions guys, it turns out I do have a bridge mode option on the modem ;D

          All that's left now is to build :)

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.