So I have a problem: I run my own network behind my dads router. I use this so I can mess with whatever without fear of impacting the rest of the house's internet access. The flow from my cable modem goes:
Cable Modem-->Dad's router--->WAN on my pfsense router--->all my servers and such
I want to be able to forward ports whenever I need to, but I can't use my own public IP because my dad has an internet filtering system in place on his router, so I can't go outside of that without getting into trouble with him. Until now, I've just been asking him to do it whenever I need to forward a port forwarded, and he forwards the port to my pfsense routers internal IP. This has worked okay but I'm starting to want more opened for various things I'm doing, and I don't often have time to wait for him to get off work or whatever to forward it. I looked into setting my router as the DMZ in his, and it might work, but he has some concerns, and I don't know enough to answer these:
-Does this isolate my router from the rest of his network?
-Does this put my router outside his filtering system, or does it only mess with incoming traffic?
-Is it going to break anything on his side of things to set my router as the DMZ?
I'm PRETTY sure that I know the last two, but the first one I'm not sure about.
We have a little crappy netgear router at the moment, but if DD-WRT is better about this I might be able to talk him into switching to one of my spares with that on it. He wants my router to be completely isolated from the rest of his network, but stay behind his filter. He uses OpenDNS for the filter and has the router set up to take anything on port 53 and redirect it to OpenDNS, so I can't do anything to get out of it. If there's a way to do this on DD-WRT, I can probably get him to switch to that and just put mine on its own VLAN and as the DMZ, but again this is a little outside my comfort zone, and if I do this and it goes wrong I'll look like an idiot, so I wanted to see if you guys knew.
It shouldn't affect his network at all. All it will do is forward all traffic to your router without firewalling it.
It shouldn't make any difference to your filter either, essentially everything will work the same as it currently does except that incoming traffic will all go to your router.
Ideally you'd have internet - DMZ - trusted networks but I understand why you have to do it this way. You should be fine security wise, I'd recommend keeping anything which is internet facing on its own network that only allows access from your network not to your network. This way if something goes bad it can't do anything to the rest of your network.
The problem with your set up is that traffic from your network can get to your dad's unrestricted. So if a hacker was able to take control of one of your computers he could attack your dad's network. So something like what I described above will stop that or you could create firewall rules to restrict access between you and your dad's network to only the things you need.
But don't get paranoid about it, you have to remember that someone can only do anything if there is an exploitable service running which isn't firewalled. So the risk is pretty low.
This is a quick generalized view for a firewall. You have 4 color coded NICs. Red your incoming traffic, green DHCP out to a switch and wired user network, blue out to wifi router, orange "demilitarized zone" (DMZ) to your public servers. Any servers which are publicly accessible are separated from the rest of the network here to limit security breaches.
Ideally you should run any Web facing applications from a separate LAN, not through a DMZ passing on a network with security requirements.
Firstly DMZ can be broken out of (with a few neat tricks). Secondly, it will likely break the openDNS service as the DMZ acts as a catch all to every port. Plus you can use the pfsense box to bounce back into the initial LAN (if it is compromised).
A VLAN might help, but I doubt the net gear router is capable or even sufficient to do so.
Your best option is to move the pfsense box to being the main router.
DMZs are rather insecure.. have you considered a possible UPnP implementation of the port Forwarding. It can forward only the ports requested and leave you a lot less vulnerable to the outside internet. You see a DMZ setup on his network configured to your IP address would leave your PFsense router one less barrier of protection. Most people will cringe and say EHHH your stupid its still hard to get in. Thats not entirely true .. in fact most hacks come from an accidental port left open. So a Port Forwarding system that dynamically adjusts to the needed forwards is more secure for both your networks. If you can then resort to a DMZ... (demilitarized zone haha) which will open your IP address to every port (0-65535 UDP and TCP) which will also solve your issues... Also have you all considered flashing OpenWRT to it.. everything from VLAN to UPNP can be done.. its a wonderful interface when you use the bootstrap theme for LuCI
So if I set up a VLAN for my router on my dads, (using a DD WRT box for his router) and made firewall rules to isolate that VLAN from his network, then his network can't touch mine, and vice versa? Because that would be ideal, he's not worried about the security of my stuff as long as it can't possibly touch his.
That would be the best way of doing it. You could just make rules on your wan interface but if your network became compromised then it may be possible for them to access your pfsense box and change the rules. Having the rules on your dad's router will prevent your network from accessing his in the same way that randoms on the internet can't.
What I was trying to get at before was that the best way to set it up (I know you can't do it like this) is have the pfsense box as your main router, then have your network and your dad's network of separate vlans and also have another vlan for your servers and other Web facing things (this is a DMZ network). This way you can set up the firewall so that no ports from the internet are open to your private networks.
You set up the DMZ network as if it was the internet, so you can access the DMZ but the DMZ can't access you. This will mitigate the damage of some hacker taking control of your servers because they will be isolated to the DMZ network. I'm sure it's not 100% fool proof but it helps. But you really only have to worry about script kiddies and bots unless your big enough to get the attention of someone who really wants to do something for to you.
Okay, and for my dads sake, can I still use the OpenDNS filtering system with DD WRT? I know I can set it up to serve out those servers over DHCP but his current router has a firewall set up so that it redirects all outgoing DNS traffic to OpenDNS. He seems to think that his current system is exclusive to his router, but its just OpenDNS filtering, so I should be able to set it up the same as long as I can make it where it forces all the DNS to go to that server. Is this possible with DD WRT? (I'm running the micro generic build if that matters)
I'm not really sure. But if you set your dns server in pfsense to either your dad's router or opendns then it should work. If he wants he can make a firewall rule which will only allow dns traffic to open dns so that you can't just set your dns server to something else.
There's probably a way to do the same thing he currently does in dd-wrt or openwrt but I haven't really messed around with it much so I have no idea.
Is there a way I could set up pfSense to automatically forward ports over UPnP, so when I forward a port in my pfsense box it automatically uses UPnP and opens it on his router?
Thats a rather silly argument r00tz. His network will be no more exposed than his fathers network, or 90% of the rest of the worlds home network, as long as he uses his pFsense router is doing firewalling duties. Actually I lied, since he is using pFsense, if he runs snort it will still be BETTER protected than his fathers network
How exactly would I go about setting up Snort? I'd like to learn about it and implement it, but I have no idea where to even start. Also, will my 1.2ghz pfsense box be able to handle it? Its a little crappy 1.24Ghz VIA embedded ITX board with 512mb of DDR2 and an old SATA drive I had sitting around.
I can give you some details on setting up snort when I get home if you like, but it's pretty straight forward. Performance might be iffy though, especially with only 512mb of ram, snort really likes ram but it depends how many rules you run. If you use one of the preset rules and one of the lower performance modes then it might run okay, but you'd have to test it.
I've spent the majority of today trying to figure out how to answer this question.
The DMZ or the Demilitarized zone is a topographical space that exists between your ISP and your Outer Firewall.
The network that exists in that space tends to be a public IP block. As the devices exist OUTSIDE the network. Do you know if you can acquire a secondary Public IP? (usually not)
I'll contemplate the best physical topography and come up with the best case logical topology.
I have Mediacom residential service for my internet, and I MIGHT be able to talk them into a second IP, but I'm not sure. My dad really doesn't use his IP for any incoming traffic except his IP phone (he telecommutes for work so he has 1 port forwarded to the IP phone), I'm the only one who hosts anything. Plus if we had a second IP he still would put something in front of me to do his internet filter (its just forcing all my DNS traffic through OpenDNS, not anything running on the router itself) If we can figure out how to do this with one IP that would be AMAZING. Again, he doesn't care what I do with my stuff as long as I'm behind his filter, and I can't touch any of his local network.
If its secure enough, could I just set firewall rules in my pfsense box that block traffic to any IP on his network, and then set my pfSense machine as the DMZ? I'm not sure how safe that would be, and I don't know if it would make it where nothing can go over his gateway...sorry for my ignorance, I'm kind of lost at this point since I've never been given enough rights to play with something directly on a public IP...
Short answer to your question.... No, that isn't how DMZ works.
I'll have to draw up a few network arrangements to demonstrate a best practice scenario.
Okay, thanks so much! Let me know if you need any more info
What you want to do isn't really a DMZ, you're just using the DMZ setting on the router to forward all traffic to your router. Everything should work the same way the only difference is that you will only have to set up port forwarding on your router and not on both of them. It is no more or less secure than what you currently do. It would be better to have your router connected to the modem and then your dad's connected to yours but I know you have to do it this way so that you can do what you like without messing up his internet connection.
So to address the issue of exploited servers, can I create firewall rules in my pfSense box blocking access to the 192.168.1.0/24 network so that if something on my network were to "turn evil" so to speak it couldnt attack my dad? Or would such rules break the access to the gateway at 192.168.1.1?