Netgate Discussion Forum
    Am I headed down the right path with home firewall/router

    Off-Topic & Non-Support Discussion
    12 Posts 5 Posters 2.5k Views
      BigDave

      I'm new to pfSense, but have lurked around, finally registered and have built
      a working box with latest 2.1.5 release.
      I've managed (mostly by luck) to do this:
      FIBER > ONT > COAX > MI424WR rev I > STATIC LAN PORT DMZ > pfSense WAN >
      pfSense LAN > 16port gigabit switch > 12 home devices.

      I know that double NAT is NOT good. I'm working on it…

      I have a coax (moca) line from the ONT and recently discovered a guide for turning the
      router (MI424WR rev.I) into a MOCA bridge. I must keep the coax so my STBs retain
      connection for their channel guides and VOD needs. This will allow me to get directly
      connected to ISP  8)

      Here comes the question. Assuming I get the router properly configured into a MOCA bridge,
      will I need to release pfsense's WAN connection provided by the router, BEFORE shutting
      everything down? I won't have GUI access until the pfsense box gets its new
      connection from the ISP. Am I thinking correctly? Help :-\ Please :-[

      2.2.5-RELEASE (amd64) on 120GB SSD | AMD Athlon™ 64 X2 Dual Core Processor 4600+ | 8GB DDR3-1066

        divsys

        Don't you have access to pfSense LAN side of things?

        You can normally configure the router from a LAN connection as well as the WAN side.
        As far as getting/setting a new WAN connection, you shouldn't have to shut down pfSense.
        You may have to reboot the router to enable bridge mode (definitely recommended) but you can release/renew the WAN interface or change its type from Static to DHCP all from the Web-Gui.

        The WAN interface doesn't have to be up for the LAN interface to give you an IP via the DHCP server.  You just won't have Internet access until WAN comes up.

        Maybe I'm missing something in your setup, but I think this should be pretty straightforward - give it a go  ;)

        -jfp

          BigDave

          @divsys:

          Don't you have access to pfSense LAN side of things?

          Yes I do, been mucking about in the GUI all day today under 192.168.x.1

          You may have to reboot the router to enable bridge mode (definitely recommended) but you can release/renew the WAN interface or change its type from Static to DHCP all from the Web-Gui.

          It was sheer accident by not configuring the WAN IP, I just gave the LAN
          a 192.168.x.1 IP and the router/ISP did its thing and gave me internet when the
          router renewed the lease.

          The WAN interface doesn't have to be up for the LAN interface to give you an IP via the DHCP server.  You just won't have Internet access until WAN comes up.

          The lack of internet connection has had me tearing my hair out for two days >:(
          The network has functioned through the switch since the beginning, but the lack of
          internet was the puzzle.

          I WILL give this a go tomorrow after work, thanks for the encouragement ;)


            divsys

            No problem, keep at it and let us know how it's going.  If we can, someone will jump in with a suggestion or two….

            Welcome to pfSense  :)

            -jfp

              BigDave

              @divsys:

              No problem, keep at it and let us know how it's going.  If we can, someone will jump in with a suggestion or two….

              Welcome to pfSense  :)

              Thanks for that! I have managed to get my ISP to change my connection from MOCA
              to ethernet. All this took was a phone call. Now my network looks like this…

              ONT > pfSense WAN

              pfSense LAN > 16 port switch > desktops, server, printer

              wireless AP
                                                              ^
                                                              ^
                        pfSense OPT1 > WAN port MI424WR revD. > Coax LAN > Verizon STB

              I'm curious as to how effective my new firewall is compared to a consumer grade router, any suggestions regarding testing? programs, websites?


                kejianshi

                Pfsense is far better.

                The FIOS routers were particularly annoying to me.

                They don't like static IPs on the LAN and they are always remaking the port forward tables into broken configs spontaneously.

                Total junk.

                You have done well.

                  stephenw10 Netgate Administrator

                  What sort of testing did you have in mind?
                  All incoming connections are blocked by default. That's not going to be much different to any soho router, unless your isp has put some back door in!  ;) You can test that at a site like ShieldsUp: https://www.grc.com/shieldsup
                  Where pfSense (in default form) really beats any soho router is configurability. Also very large numbers of connections are possible such as multiple torrents.
                  There are many things!

                  Steve

                    kejianshi

                    Some time ago (years) I called the FIOS guys and the person on the phone started telling me all the names of all the devices I had running on my LAN…
                    That was my 1st heads up to dump the provided hardware.

                    Later there were many more reasons to dump most common routers that I realized.

                      BigDave

                      @stephenw10:

                      What sort of testing did you have in mind?

                      Don't have any idea, that's why I asked

                      All incoming connections are blocked by default. That's not going to be much different to any soho router, unless your isp has put some back door in!  ;) You can test that at a site like ShieldsUp

                      Been there and ran their probe, passed that with flying colors.

                      There are many things!

                      ShieldsUp was a great suggestion, what else would there be?


                        Derelict LAYER 8 Netgate

                        You could just trust that unless it's open on Firewall Rules/WAN or Floating, that it's closed.

                        Other than that you could hire a professional pen-testing company or get an external VM and man nmap. See Also: http://www.metasploit.com/

                        Chattanooga, Tennessee, USA
                        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                        Do Not Chat For Help! NO_WAN_EGRESS(TM)
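As an added example (not code from the thread or from the pfSense project), a small audit of the stance Derelict describes: parse a pfSense config.xml and list the enabled pass rules that match on WAN, directly or through a floating rule, so you can confirm nothing is open that you did not intend. The config below is a constructed sample that uses the real `<filter>` element names; rule direction is not checked, and NAT port forwards are seen only through the filter rules pfSense associates with them.

```python
"""Audit a pfSense config.xml for pass rules that admit inbound WAN traffic."""
import xml.etree.ElementTree as ET

# Constructed sample in the layout of pfSense's <filter> section; the element
# names are real, the rules themselves are made up for this example.
SAMPLE_CONFIG = """<pfsense><filter>
  <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
    <source><any/></source>
    <destination><network>wanip</network><port>443</port></destination>
    <descr>HTTPS to reverse proxy</descr></rule>
  <rule><type>block</type><interface>wan</interface>
    <source><any/></source><destination><any/></destination>
    <descr>explicit block, exposes nothing</descr></rule>
  <rule><type>pass</type><floating>yes</floating><interface>wan,lan</interface>
    <protocol>udp</protocol><source><any/></source><destination><any/></destination>
    <descr>floating pass with no port restriction</descr></rule>
  <rule><disabled/><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
    <source><any/></source><destination><any/></destination>
    <descr>disabled, so ignored</descr></rule>
  <rule><type>pass</type><interface>lan</interface>
    <source><network>lan</network></source><destination><any/></destination>
    <descr>Default allow LAN to any</descr></rule>
</filter></pfsense>"""


def wan_exposures(xml_text):
    """Return enabled pass rules that match on WAN, directly or via a floating rule."""
    found = []
    for rule in ET.fromstring(xml_text).iterfind("./filter/rule"):
        if rule.find("disabled") is not None or rule.findtext("type") != "pass":
            continue  # disabled rules and block/reject rules expose nothing
        interfaces = (rule.findtext("interface") or "").split(",")
        if "wan" not in interfaces:
            continue
        dst = rule.find("destination")
        port = dst.findtext("port") if dst is not None else None
        found.append({
            "floating": rule.findtext("floating") == "yes",
            "protocol": rule.findtext("protocol") or "any",
            "port": port or "any",
            "descr": rule.findtext("descr") or "",
        })
    return found


def wide_open(exposures):
    """The exposures with no destination port at all: review these first."""
    return [e for e in exposures if e["port"] == "any"]
```

Run `wan_exposures(open("config.xml").read())` against a backup taken from Diagnostics > Backup & Restore; anything returned by `wide_open` deserves a second look.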

                          stephenw10 Netgate Administrator

                          Things that you might test on a router could include maximum pps/bps and number of connections/firewall states. To do that, and produce meaningful numbers, you would have to set up test machines on each side of the firewall.
                          An easier to achieve number might be cpu usage per Mb throughput. Most people looking for numbers are doing so because they want to know if a particular combination of hardware will max out their wan bandwidth.

                          Steve

                            BigDave

                            Most people looking for numbers are doing so because they want to know if a particular combination of hardware will max out their wan bandwidth.

                            Since almost all the rug rats have flown the nest, that will never happen now  ;)

                            Thanks for the responses y'all.
                            It sounds as though I don't have much to worry about any more.

                            Since I am a hobby "builder" for the most part, I was more or less curious about other sites
                            that could possibly exist and do what shields up does.

                            I was getting kinda bored with just building windows machines and have had a blast
                            with my recent experiences building first a freenas server, and now a firewall router.

                            The members at these sites are just so helpful and generous with their time that
                            it makes all this possible for me and I am extending a hearty thank you to all of you.

                            Dave


                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.