Am I headed down the right path with home firewall/router



  • I'm new to pfSense, but have lurked around, finally registered and have built
    a working box with latest 2.1.5 release.
    I've managed (mostly by luck) to do this:
    FIBER > ONT > COAX > MI424WR rev I > STATIC LAN PORT DMZ > pfSense WAN >
    pfSense LAN > 16port gigabit switch > 12 home devices.

    I know that double NAT is NOT good. I'm working on it…

    I have a coax (moca) line from the ONT and recently discovered a guide for turning the
    router (MI424WR rev.I) into a MOCA bridge. I must keep the coax so my STBs retain
    connection for their channel guides and VOD needs. This will allow me to get directly
    connected to ISP  8)

    Here comes the question. Assuming I get the router properly configured into a MOCA bridge,
    will I need to release pfsense's WAN connection provided by the router, BEFORE shutting
everything down? I won't have GUI access until the pfsense box gets its new
    connection from the ISP. Am I thinking correctly? Help :-\ Please :-[



  • Don't you have access to pfSense LAN side of things?

    You can normally configure the router from a LAN connection as well as the WAN side.
    As far as getting/setting a new WAN connection, you shouldn't have to shut down pfSense.
You may have to reboot the router to enable bridge mode (definitely recommended) but you can release/renew the WAN interface or change its type from Static to DHCP all from the Web-Gui.

    The WAN interface doesn't have to be up for the LAN interface to give you an IP via the DHCP server.  You just won't have Internet access until WAN comes up.

    Maybe I'm missing something in your setup, but I think this should be pretty straightforward - give it a go  ;)



  • @divsys:

    Don't you have access to pfSense LAN side of things?

    Yes I do, been mucking about in the GUI all day today under 192.168.x.1

You may have to reboot the router to enable bridge mode (definitely recommended) but you can release/renew the WAN interface or change its type from Static to DHCP all from the Web-Gui.

It was sheer accident by not configuring the WAN IP, I just gave the LAN
    a 192.168.x.1 IP and the router/ISP did its thing and gave me internet when the
    router renewed the lease.

    The WAN interface doesn't have to be up for the LAN interface to give you an IP via the DHCP server.  You just won't have Internet access until WAN comes up.

    The lack of internet connection has had me tearing my hair out for two days >:(
    The network has functioned through the switch since the beginning, but the lack of
    internet was the puzzle.

    I WILL give this a go tomorrow after work, thanks for the encouragement ;)



No problem, keep at it and let us know how it's going.  If we can, someone will jump in with a suggestion or two….

    Welcome to pfSense  :)



  • @divsys:

No problem, keep at it and let us know how it's going.  If we can, someone will jump in with a suggestion or two….

    Welcome to pfSense  :)

    Thanks for that! I have managed to get my ISP to change my connection from MOCA
    to ethernet. All this took was a phone call. Now my network looks like this…

    ONT > pfSense WAN

    pfSense LAN > 16 port switch > desktops, server, printer

    wireless AP
                                                    ^
                                                    ^
              pfSense OPT1 > WAN port MI424WR revD. > Coax LAN > Verizon STB

    I'm curious as to how effective my new firewall is compared to a consumer grade router, any suggestions regarding testing? programs, websites?



  • Pfsense is far better.

    The FIOS routers were particularly annoying to me.

    They don't like static IPs on the LAN and they are always remaking the port forward tables into broken configs spontaneously.

    Total junk.

    You have done well.


  • Netgate Administrator

What sort of testing did you have in mind?
    All incoming connections are blocked by default. That's not going to be much different to any soho router, unless your isp has put some back door in!  ;) You can test that at a site like ShieldsUp: https://www.grc.com/shieldsup
    Where pfSense (in default form) really beats any soho router is configurability. Also very large numbers of connections are possible such as multiple torrents.
    There are many things!

    Steve



  • Some time ago (years) I called the FIOS guys and the person on the phone started telling me all the names of all the devices I had running on my LAN…
    That was my 1st heads up to dump the provided hardware.

    Later there were many more reasons to dump most common routers that I realized.



  • @stephenw10:

What sort of testing did you have in mind?

    Don't have any idea, that's why I asked

All incoming connections are blocked by default. That's not going to be much different to any soho router, unless your isp has put some back door in!  ;) You can test that at a site like ShieldsUp

    Been there and ran their probe, passed that with flying colors.

    There are many things!

ShieldsUp was a great suggestion, what else would there be?


  • Netgate

    You could just trust that unless it's open on Firewall Rules/WAN or Floating, that it's closed.

    Other than that you could hire a professional pen-testing company or get an external VM and man nmap. See Also: http://www.metasploit.com/


  • Netgate Administrator

    Things that you might test on a router could include maximum pps/bps and number of connections/firewall states. To do that, and produce meaningful numbers, you would have to set up test machines on each side of the firewall.
An easier to achieve number might be cpu usage per Mb throughput. Most people looking for numbers are doing so because they want to know if a particular combination of hardware will max out their wan bandwidth.

    Steve
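    One way to watch the "number of firewall states" figure Steve mentions while you run a load test: dump the pf state table with `pfctl -ss` on the pfSense box and summarise it. This is an added example, not code from the thread or from pfSense; the sample lines, the state limit of 100000 and the function names are constructed for illustration.

```python
"""Summarise a pf state table dump (the text printed by `pfctl -ss`).

Counts states per protocol and direction, and how many were NATed, so a
load test can be compared against the configured state limit.
"""
import re
from collections import Counter

# Constructed sample in the layout pfctl -ss uses: interface, protocol,
# source (NATed original address in parentheses), arrow, destination, state.
SAMPLE = """\
all tcp 203.0.113.5:50112 (192.168.1.20:50112) -> 198.51.100.10:443       ESTABLISHED:ESTABLISHED
all tcp 203.0.113.5:50113 (192.168.1.20:50113) -> 198.51.100.11:80       FIN_WAIT_2:FIN_WAIT_2
all udp 203.0.113.5:41000 (192.168.1.20:41000) -> 198.51.100.53:53       MULTIPLE:SINGLE
all tcp 192.168.1.1:443 <- 192.168.1.20:50200       ESTABLISHED:ESTABLISHED
all icmp 192.168.1.20:8 -> 192.168.1.1:8       0:0
"""

STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)(?:\s+\((?P<nat>[^)]*)\))?"
    r"\s+(?P<dir><-|->|<->)\s+(?P<dst>\S+)\s+(?P<state>\S+)\s*$"
)

def parse_states(text):
    """Parse pfctl -ss lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries

def summarise(entries):
    """Totals per protocol and direction, plus the count of NATed states."""
    by_proto = Counter(e["proto"] for e in entries)
    by_dir = Counter(e["dir"] for e in entries)
    nated = sum(1 for e in entries if e["nat"] is not None)
    return {"total": len(entries), "by_proto": dict(by_proto),
            "by_dir": dict(by_dir), "nated": nated}

def state_usage(total, limit):
    """Fraction of the state limit in use (limit is an assumed test value)."""
    return total / limit

if __name__ == "__main__":
    summary = summarise(parse_states(SAMPLE))
    print(summary)
    print("state table used: %.5f" % state_usage(summary["total"], 100000))
```

    On a real box, feed it the output of `pfctl -ss` captured over SSH while iperf or a torrent client is running on the LAN side.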



  • Most people looking for numbers are doing so because they want to know if a particular combination of hardware will max out their wan bandwidth.

    Since almost all the rug rats have flown the nest, that will never happen now  ;)

    Thanks for the responses y'all.
    It sounds as though I don't have much to worry about any more.

    Since I am a hobby "builder" for the most part, I was more or less curious about other sites
    that could possibly exist and do what shields up does.

    I was getting kinda bored with just building windows machines and have had a blast
    with my recent experiences building first a freenas server, and now a firewall router.

    The members at these sites are just so helpful and generous with their time that
    it makes all this possible for me and I am extending a hearty thank you to all of you.

    Dave