Pfsense Router Connected to ADSL2+ Router DHCP & NAT Questions



  • Hello everyone,
    I am trying to set up my pfSense behind my ADSL2+ router, and have a few questions about the steps.

    Should I keep NAT enabled on my ADSL router to obtain an IP address from my ISP, while disabling DHCP, and letting the pfSense do all of the IP addressing, firewall, etc? Is this considered bridged mode and are there any security risks of other people being able to access the LAN? Would I have to port forward anything from my ADSL router to my pfSense?

    Sorry for all of the questions, but I am trying to get a better understanding of the different protocols and procedures in the IT world. Thanks for taking the time to read this and I appreciate any advice you can give me on any of these questions.



  • I am trying to set up my pfSense behind my ADSL2+ router, and have a few questions about the steps.

    You are able to go two different ways now:

    • setting the router into the so-called bridged mode
    • setting up a so-called dual NAT or router cascade

    Should I keep NAT enabled on my ADSL router to obtain an IP address from my ISP,
    while disabling DHCP, and letting the pfSense do all of the IP addressing, firewall, etc?

    If there is a mode you are able to set the router to, a so-called bridge mode, the router
    acts only as an ordinary modem without NAT. This is not the same as deactivating the
    NAT function manually yourself!!! Please beware of doing this.

    Is this considered bridged mode and are there any security risks of other people being able to access the LAN?

    Setting the router to bridged mode and letting it act as a pure modem makes it easier
    for you to set up the pfSense, but on the other hand it is not really hard to set up a router cascade
    with dual NAT either.

    Would I have to port forward anything from my ADSL router to my pfSense?

    Whichever method you go with, you don't do port forwarding at all.

    Sorry for all of the questions, but I am trying to get a better understanding of the different protocols and procedures in the IT world.

    In the old days you often needed an external modem, whereas today's routers mostly come with
    an internal one integrated into the router. A pure modem in front of the pfSense would
    mostly be the best bet for you to do this really well.

    1st method the "bridged mode":
    Search in the router menu or settings for a place where you will be able to set up the bridged mode
    or let the router act as a pure modem. Or have a quick look into the router manual for this option.

    2nd method Dual NAT or router cascade:

    1 Router with modem:
    Network: - 192.168.1.0/24 (255.255.255.0)
    IP Address: - 192.168.1.1/24
    DNS 1: ISP Provider or (OpenDNS account)
    DNS 2: ISP Provider or (OpenDNS account)
    DHCP: off

    2 pfSense behind this router:
    WAN Port static IP address: 192.168.1.2/24
    WAN setup Gateway: 192.168.1.1/24
    DNS 1: 192.168.1.1/24
    LAN network: 192.168.178.0/24 (255.255.255.0)
    Gateway IP address: 192.168.178.1/24
    DNS 1: 192.168.1.1/24
    DNS 2: blank
    DHCP: on
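
An added example, not part of the original posts: a Python check of the router-cascade addressing plan listed above, which confirms the pfSense WAN sits in the ADSL router's subnet, the gateway is reachable, and the LAN does not overlap the WAN side. The dictionary keys and function names are chosen for this illustration only.

```python
import ipaddress

# Addressing plan copied from the post above (router cascade / dual NAT).
# The dictionary keys are names chosen for this example.
PLAN = {
    "router_lan": "192.168.1.1/24",     # ADSL router, DHCP off
    "pfsense_wan": "192.168.1.2/24",    # static WAN address on pfSense
    "pfsense_wan_gw": "192.168.1.1",    # WAN gateway = the ADSL router
    "pfsense_lan": "192.168.178.1/24",  # pfSense LAN, DHCP on
}


def check_cascade(plan):
    """Return a list of problems in a two-router (dual NAT) addressing plan."""
    router = ipaddress.ip_interface(plan["router_lan"])
    wan = ipaddress.ip_interface(plan["pfsense_wan"])
    lan = ipaddress.ip_interface(plan["pfsense_lan"])
    gw = ipaddress.ip_address(plan["pfsense_wan_gw"])
    problems = []

    if wan.network != router.network:
        problems.append("pfSense WAN is not in the router's LAN subnet")
    if wan.ip == router.ip:
        problems.append("pfSense WAN address duplicates the router address")
    if gw not in wan.network:
        problems.append("WAN gateway is not on-link for the WAN interface")
    if gw != router.ip:
        problems.append("WAN gateway is not the ADSL router")
    # Same or overlapping subnets on both sides leave pfSense unable to
    # tell which interface a destination lives on.
    if lan.network.overlaps(wan.network):
        problems.append("pfSense LAN overlaps the WAN subnet")
    for name, iface in (("WAN", wan), ("LAN", lan)):
        net = iface.network
        if iface.ip in (net.network_address, net.broadcast_address):
            problems.append(f"{name} address is a network/broadcast address")
    return problems


def is_double_nat(plan):
    """True when the pfSense WAN address is private, i.e. another NAT sits upstream."""
    return ipaddress.ip_interface(plan["pfsense_wan"]).ip.is_private


if __name__ == "__main__":
    print("problems:", check_cascade(PLAN) or "none")
    print("double NAT:", is_double_nat(PLAN))
```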



  • @BlueKobold:

    If there is a mode you are able to set the router to, a so-called bridge mode, the router
    acts only as an ordinary modem without NAT. This is not the same as deactivating the
    NAT function manually yourself!!! Please beware of doing this.

    Thank you BlueKobold for your help! My goal is to only have my ADSL router act as a modem and set up bridge mode, but would I have any trouble when my ISP changes my outside IP address if NAT and DHCP are on the pfSense router?



  • My goal is to only have my ADSL router act as a modem and set up bridge mode,

    So it would be better to know if the router offers this mode!
    What router exactly do you have in use?

    but would I have any trouble when my ISP changes my outside IP address

    If the router is only acting as a modem, the dynamic IP address is obtained by the pfSense
    via the DHCP function at the WAN port. There should be no problems, perhaps your ISP
    is controlling the MAC address of the router's WAN port! Could that perhaps be the case?

    if NAT and DHCP are on the pfSense router?

    • DHCP activated at the WAN Port is fetching the public dynamic IP address for the WAN Port
    • DHCP activated in the LAN gives all internal network clients a valid IP address for the LAN or VLAN inside


  • The router is a D-Link DSL-2730B Bootloader (CFE) Version 1.0.37-106.5. When I look at my WAN options I have: 
    Select DSL Link Type (EoA is for PPPoE, IPoE, and Bridge.)
    EoA
    PPPoA
    IPoA

    Since bridge isn't listed am I unable to do this method?

    Thanks for explaining how the router handles public and private DHCP!



  • Found some links to this D-Link router model:
    bridge mode

    From the manual:
    _Section 3: Set up Internet Connection
    The available Protocol modes are: PPPoE, PPPoA, Dynamic IP, Static IP, and Bridge

    QUICK SETUP – BRIDGE MODE CONFIGURATION
    If you are instructed to change the VPI or VCI numbers, type in the correct setting in the available entry fields.
    The Internet connection cannot function if these values are incorrect. Select the specific Connection Type from
    the drop-down menu. The available connection and encapsulation types are LLC and VC-Mux.
    Click Next to go to the last Setup Wizard window_



  • @BlueKobold:

    Found some links to this D-Link router model:
    bridge mode

    From the manual:
    _Section 3: Set up Internet Connection
    The available Protocol modes are: PPPoE, PPPoA, Dynamic IP, Static IP, and Bridge

    QUICK SETUP – BRIDGE MODE CONFIGURATION
    If you are instructed to change the VPI or VCI numbers, type in the correct setting in the available entry fields.
    The Internet connection cannot function if these values are incorrect. Select the specific Connection Type from
    the drop-down menu. The available connection and encapsulation types are LLC and VC-Mux.
    Click Next to go to the last Setup Wizard window_

    Thanks so much for taking the time to look into my problem. I will look into the VPI and VCI numbers for Costa Rica and see if I am able to turn the ISP router into bridge mode. I was able to do your second method with having the pfSense LAN on a different subnet. If I am unable to make the ISP router go into bridge mode at least I can resort to this method. Thanks again!