John Galea's Blog

My blog on Gadgets and the like

Pfsense bridge mode

Up until this point my Pfsense setup has used double NAT, which kept my router, a SmartRG 505N, in the loop. This provided an easy fall back to let people who were having issues with Pfsense bypass it. At this point I'm ready to move on and commit to having Pfsense permanently in the loop. So to review: my router was up front, it connected to the DSL line and then handed out the 192.168.1.x range. That in turn fed Pfsense, which served the back-end clients on the 192.168.2.x range, hence the double NAT comment. In bridge mode the 192.168.1.x network is removed (well, more accurately, hidden). To do this we will take a number of steps.

1) Back up and save the current modem configuration, and back up and save the current Pfsense configuration. In the event this goes badly I can fall back … Also review the PPPoE settings that currently exist on your modem. Look at things like the PPPoE username, as well as your MTU. Print them or screenshot them; once they're deleted, you're SOL.
2) Put the modem into bridge mode. I found a great article for how to do this.
3) Now on Pfsense the work begins … Change the WAN interface to PPPoE and enter the ISP logon information you found in step 1. Also use the MTU your ISP had set up, also noted in step 1. You can see whether Pfsense is able to log on to your ISP's DSL in the system logs. At this point your modem seems invisible. It's not: add another network cable, assign that interface a 192.168.1.x address, and you regain access to the modem if needed. The next step shows a way to fix that permanently. On Pfsense you may need to repoint the incoming NATs, as well as things like VPN servers, to the new WAN network; I had to. Also check your DNS settings and make sure none of them point at the old router (for me that was 192.168.1.1).
4) Last but not least, you want to be able to get at your router when needed. The router is still configured with its original IP address, 192.168.1.1. To connect to it, simply add an additional interface, set it to a static IP, and assign it a 192.168.1.x address. You should now be able to ping the router from your Pfsense box. To make it reachable from the rest of the network you need only add an outbound NAT rule for the 192.168.1.x subnet. This was reasonably well documented in this article.
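Step 3 says to repoint the NATs and VPN servers and to check that no DNS setting still points at the old 192.168.1.1 router. As an added example (not from the post, and not pfSense's own tooling), this Python script scans a saved config.xml backup from step 1 and reports every value still inside 192.168.1.0/24, so the stale references can be found in one pass rather than by clicking through the web UI. The element names and the sample backup below are assumed and constructed; a real backup is much larger but has the same nested-tag shape.

```python
import ipaddress
import xml.etree.ElementTree as ET

# The old router's LAN, which disappears (is hidden) once the modem is bridged.
OLD_ROUTER_NET = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample in the shape of a pfSense config.xml backup. Tag names are
# assumed for this example; only the fields relevant to the migration are shown.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <system>
    <hostname>pfsense</hostname>
    <dnsserver>192.168.1.1</dnsserver>
    <dnsserver>9.9.9.9</dnsserver>
  </system>
  <interfaces>
    <wan><if>em0</if><ipaddr>pppoe</ipaddr><mtu>1492</mtu></wan>
    <lan><if>em1</if><ipaddr>192.168.2.1</ipaddr><subnet>24</subnet></lan>
  </interfaces>
  <nat>
    <rule><interface>wan</interface><target>192.168.2.10</target><local-port>443</local-port></rule>
  </nat>
  <openvpn>
    <openvpn-server><interface>wan</interface><local>192.168.1.50</local></openvpn-server>
  </openvpn>
</pfsense>
"""


def find_old_router_refs(xml_text, old_net=OLD_ROUTER_NET):
    """Return (path, value) pairs for every element whose text is an IPv4
    address inside old_net. Paths are slash-joined tag names from the root."""
    root = ET.fromstring(xml_text)
    hits = []

    def walk(elem, path):
        text = (elem.text or "").strip()
        try:
            if ipaddress.ip_address(text) in old_net:
                hits.append((path, text))
        except ValueError:
            pass  # not an IP address: hostname, 'pppoe', a number, or empty
        for child in elem:
            walk(child, f"{path}/{child.tag}")

    walk(root, root.tag)
    return hits


if __name__ == "__main__":
    for path, value in find_old_router_refs(SAMPLE_CONFIG):
        print(f"still references old router subnet: {path} = {value}")
```

After step 4 the extra management interface will legitimately carry a 192.168.1.x address, so expect that one hit and treat anything else (DNS servers, VPN bindings, NAT targets) as something to repoint.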

In all this took me under an hour. Now what are the benefits? A number: your router is no longer out there, exposed on the net. Instead Pfsense, along with Snort, is. This gives you intrusion prevention at the true perimeter of your network. The main negative is there's no easy fall back 🙂 In for a pound …

August 16, 2018 - Posted by | Uncategorized
