PfSense separate and distinct from the main router
-
Hi all,
I'd like to deploy pfsense in a home lab/live environment for my personal tinkering and use. My roommate works from home and internet is crucial, so I want to keep the current Linksys wireless router operational and separate from pfsense.
I plan to virtualize pfsense in a VM box (with other VMs, Windows Server domain controller, file server, etc). If there's an internet issue while I'm away, I want my roommate to be able to restart the Linksys easily, no need to touch/reboot my VM box. I don't want to double NAT or have pfsense be affected by the wireless router at all.
POSSIBLE SOLUTIONS:
1. Put the VM box with pfsense behind the Linksys' DMZ. In this scenario would pfsense be 100% unaffected by the Linksys?
2. Put the Linksys behind the pfsense using DMZ, but this may disrupt his connection upon my many reboots when tinkering with pfsense.
3. Separately connect both the VM box and Linksys directly to the cable modem via a switch. I may need to pay monthly for multiple public IPs, rather not pay $.
Any suggestions or comments?
-
Why would playing with pfSense in a DMZ cause you to frequently reboot your main router?
-
Are you referring to solution #2? Because I love to tinker, and may need to reboot pfsense a lot (or revert to a snapshot in the VM b/c I screwed up settings). If pfsense is off or not functional then won't the Linksys connected to it (via DMZ) also not work?
@KOM:
Why would playing with pfSense in a DMZ cause you to frequently reboot your main router?
-
In order of preference I would go 3, 1, 2.
-
If pfsense is off or not functional then won't the Linksys connected to it (via DMZ) also not work?
Sorry, I meant if you had settled on #1.
-
Thanks, I'll look into putting pfsense on DMZ. Any downsides to this approach you can think of?
@KOM:
If pfsense is off or not functional then won't the Linksys connected to it (via DMZ) also not work?
Sorry, I meant if you had settled on #1.
-
Upon further reading, I don't think my ISP (Time Warner non-business account in NYC) would give static or multiple IPs. Oh well.
In order of preference I would go 3, 1, 2.
-
Then I guess you're stuck with a double NAT.
-
At least with a "DMZ" you shouldn't have to put port forwards in the upstream router. Keep in mind that any port forwards on the upstream won't make it to pfSense.
-
Since I'm reading that pfsense on a VM as the main firewall may be a security risk, I'm thinking just buy/build a cheap pfsense box so he can restart it to his heart's delight while I'm not home.
-
I'm thinking just buy/build a cheap pfsense box so he can restart it to his heart's delight while I'm not home.
Probably the best solution suggested so far.
You might even find with a properly configured pfSense box as your main router, you're not restarting the router all the time to get your internet back.
At minimum you should be able to figure out why you need to restart (and maybe solve it...)