Pfsense behind ISP modem/router combo

Howdy people :slight_smile:

I have been running pfsense for a few years, and really enjoyed the control and options it brings.

Until I moved, the ISP modem/router combo (at my old apartment) had been in bridge mode, and serving pfsense a public wan ip. No problems there.
But after moving, and recently switching ISP, I have been unable to get a public wan ip on pfsense when the ISP router/modem is in bridge mode.
And my new ISP offers ZERO support for bridge mode. It is infuriating, especially since the ISP at my old apartment took care of everything. One call, they switched mode on the modem from their end. Everything worked.
But they sadly don’t offer their services where I live now anymore, hence why I switched ISP.

Since I’m unable to get a wan ip in bridge mode, I have (at least for now) settled to leave the ISP modem/router in normal mode, connected my pfsense router to it, and disabled: Block private networks and loopback addresses on the wan interface in pfsense.
So now pfsense has a wan ip of 192.168.x.xx.
It all works fine now, I’m getting the speeds I’m paying for, and my own network is up and running again after a long weekend of screaming at the ISP router…

But am I missing out on any security/performance/benefits, by pfsense not having the public wan ip? Since my entire network now is a subnet (I suppose)?
And are there any security risks by having disabled: Block private networks and loopback addresses, when it’s on a 192.168.x.xx (subnet?) ?

I’m not too strong on networking, so input is gladly accepted :slight_smile:

Edits for typesetting, typos etc. A lot of them.
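As an added illustration (not from this thread or from the pfSense project), the following Python model shows what the WAN option "Block private networks and loopback addresses" does when the WAN address is itself private, and the narrower rule set a practitioner would use instead of switching the option off entirely: pass only the ISP router's LAN subnet, keep blocking every other RFC 1918 and loopback range. The option's scope (RFC 1918 plus 127.0.0.0/8), the first-match evaluation, and all addresses are assumptions or constructed sample values; the hypothetical `evaluate` only covers these private/loopback rules, and "continue" means the packet goes on to the rest of the WAN ruleset.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Ranges assumed to be covered by the WAN option "Block private networks and
# loopback addresses" (RFC 1918 plus loopback; modelled from the option name).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass(frozen=True)
class Rule:
    action: str                  # "block" or "pass"
    src: ipaddress.IPv4Network   # matched against the packet's source address


def is_private(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def behind_double_nat(wan_ip: str) -> bool:
    """A private address on the WAN interface means an upstream box is NATting for us."""
    return is_private(wan_ip)


def evaluate(src_ip: str, rules: list[Rule]) -> str:
    """First-match evaluation of the private/loopback rules only (hypothetical model).
    Returns the matching action, or "continue" when nothing matched and the packet
    proceeds to the rest of the WAN ruleset (which is default-deny in pfSense)."""
    addr = ipaddress.ip_address(src_ip)
    for rule in rules:
        if addr in rule.src:
            return rule.action
    return "continue"


def option_enabled() -> list[Rule]:
    """Stock behaviour: drop anything arriving on WAN from a private or loopback source."""
    return [Rule("block", net) for net in PRIVATE_NETS]


def option_disabled() -> list[Rule]:
    """What the poster did: no private/loopback filtering on WAN at all."""
    return []


def upstream_only(wan_subnet: str) -> list[Rule]:
    """Narrower alternative: pass only the ISP router's LAN, keep blocking every other range."""
    return [Rule("pass", ipaddress.ip_network(wan_subnet))] + option_enabled()


# Constructed sample sources as they might arrive on the WAN interface.
SAMPLE_SOURCES = {
    "upstream gateway": "192.168.1.1",    # the ISP combo unit, needed for DHCP/default route
    "internet host":    "203.0.113.10",   # ordinary reply traffic (documentation range)
    "leaked private":   "10.20.30.40",    # a private source leaking in from the ISP side
    "spoofed loopback": "127.0.0.1",      # should never be seen on a wire
}


def simulate(rules: list[Rule]) -> dict[str, str]:
    """Verdict for each constructed source under the given rule set."""
    return {name: evaluate(ip, rules) for name, ip in SAMPLE_SOURCES.items()}


if __name__ == "__main__":
    print("double NAT:", behind_double_nat("192.168.1.20"))
    for label, rules in (("option on", option_enabled()),
                         ("option off", option_disabled()),
                         ("upstream only", upstream_only("192.168.1.0/24"))):
        print(label, simulate(rules))
```

Running it shows the trade-off the question is about: with the option on and a private WAN address, the upstream gateway's own traffic is blocked, which is why the poster had to turn it off; with it off, leaked private and loopback sources are no longer dropped on WAN; the "upstream only" set keeps the gateway reachable while still discarding everything else private.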

You’re being double NATted which is generally bad for P2P and gaming. If you aren’t having any problems then it’s fine, there aren’t any security concerns.

Hm. I do game, but haven’t tested it yet. Are there any workarounds for being double NATted? Besides getting the ISP router to behave in bridge mode?

Sure, you can tell your router not to route, just use it as a switch and AP. Obviously that is an undesirable scenario, much better to aggressively escalate to L3 support at your ISP and force them to put your modem in bridge mode.

That is indeed undesirable.
I’ll call them again when the weekend arrives, and I have time to discuss with them.
I’ll post an update.

Thanks for the input :slight_smile:

Can you buy and use your own modem? If you can, get rid of that combo unit they’re probably charging you a monthly rental fee for.


Worth doing just to save money, but it would still need to be provisioned as a bridge by his ISP.

I don’t think so. I have found some DOCSIS 3.1 modems, but the one my isp uses is loaded with a software version made for their network, by Sagemcom.
But it greatly differs from isp to isp how good their support is. My previous (Stofa) had great support, and took care of everything.
My new one (Yousee) doesn’t give a crap if you want bridge mode. They even say they don’t support it. Which I think is bull. How can they not support all functions of the modem combo they provided?

The router/modem combo will switch to bridge mode no problem, and come with an activation prompt. But it never gets a public ip from Yousee.
They claim they can’t do anything, but I’m pretty sure they have to do something on their end.

I haven’t seen modem rental on any bill before, from any isp I’ve had. I’m not sure if that’s a Murica thing. I’m located in Denmark.

But when I call them again in a few days, I’ll ask them if I can use my own modem. You never know :slight_smile:

Edit: damn typos…

@Donk you haven’t posted an update. I was wondering if you had contacted a member of Level 3 support from your ISP? I have the same problem as you: the combo unit from Cincinnati Bell doesn’t support Bridge Mode, so as it stands now I have to set up my network with double NATting, which I am trying to avoid.

I haven’t had time to call them yet.
But my holiday is around the corner, so I’ll call them then :slight_smile:

I apologize if this has been put forward already ( no glasses and on laptop).

In short - I am guessing you’re on xDSL or any odd cable-setup, even outside my tiny country - few ISPs lock to their HW.

Even if your ISP and their HW does not do bridge-mode - there might be a “dmz” mode that you can use to file down the complexity (any performance improvements - N/A).

Sure, there will be overhead - you can always measure it in different ways, but it’s doable - I do the same thing at my parents due to exchange of DSL-modems all the time - this means that their “infrastructure” never changes, only the ISP “lovelyness”.

On to your questions -
Performance hit - a tiny bit, you’re adding a routing-layer and whatever performance-hits that “modem” is adding by not utilizing a bridge, unknown…
Security - well, N/A - it’s only as good as you’ve set it up :wink:
Benefits - nah, added complexity - but you’re safekeeping your stuff on “your” side. So, that’s a good thing.