TL;DR: Read the whole damn thing; understanding the inner workings helps you better understand the device you are working with.
First things first:
Let's get some commonly misused terminology out of the way, as I'll probably start to confuse folks who have less networking experience.
IP Address = quad octet address scheme used by IP Version 4 (x.x.x.x)
PORT = A virtualisation identifier defining a service endpoint (PORT 22 == SSH)
NAT = Network Address Translation
PAT = Port Address Translation
DMZ = Demilitarized Zone
DMZ Host = A fancy way to forward all PORTs from your external network to an internal Host IP Address (Not a 1:1 NAT)
Most home and SOHO routers mislabel PAT as NAT and end up confusing everyone.
NAT is a 1:1 translation, so <publicIP>:translate:<privateIP>, from the outside world you hit the public IP, the Router translates it and passes traffic to the specified internal address.
PAT is a 1:x translation, when a router acts as a gateway to many internal addresses.
Port Forwarding/Port Mapping: mapping a specific port or a range of ports from <Public IP> to any <internal IP>.
DMZ: Demilitarized Zone: This network is either physically or logically exposed to an "untrusted" network, usually the internet.
(Pulled directly from Wikipedia)
DMZ Host: Some home routers refer to a DMZ host. A home router DMZ host is a host on the internal network that has all ports exposed, except those ports otherwise forwarded. By definition this is not a true DMZ (Demilitarized Zone), since it alone does not separate the host from the internal network. That is, the DMZ host is able to connect to hosts on the internal network, whereas hosts within a real DMZ are prevented from connecting with the internal network by a firewall that separates them, unless the firewall permits the connection. A firewall may allow this if a host on the internal network first requests a connection to the host within the DMZ. The DMZ host provides none of the security advantages that a subnet provides and is often used as an easy method of forwarding all ports to another firewall / NAT device.
This last one I've never used, as I don't normally operate non-enterprise grade routers and such. PfSense operates more like an enterprise grade router, and the idea of a DMZ Host is not "directly" supported. To put it plainly: DMZ Host is DMZ for dummies.
Now, onto the fun stuff.
In your circumstances, your dad’s consumer grade router will be fine to set up a DMZ Host and point it at your PfSense box. As long as the Port forwards remain in place on the external router for his VOIP setup, his network should remain unaffected.
To help visualize this:
Legend:
== Public IP network
--- Dad’s internal network
++ Your network
<> Devices
[],{},() Network identifiers
[INTERNET]==<ExternalRouter>---{Dad’s Network----<PfSense Box++(Your Network)>--}
This will be a bit funky because technically <Your Network> is being “PAT’d” to your <Dad’s Network>, which is being PAT’d to the internet.
This is sometimes called a "Double NAT", which is technically wrong, but it's the common description. (The more accurate term would be "Double Masquerading", or "Double Masqing".)
Even though all the external PORTs are being forwarded in this masquerade fashion, it can cause issues with some software.
To prevent any of your network hosts from accessing his network, you will want to set up firewall rules that allow your network to hit both the WAN IP Address on the PfSense box and the LAN IP Address on the External Router, and deny everything else on your dad’s network.
Firewall rules are read from the top down and stop when they match, so allow both hosts, then deny the whole network.
WAN firewall rules of PfSense
- <public IP> Allow <Service Hosts> (specify each host and PORT individually)
- <LAN IP of External Router> Allow <Your Network>
- <WAN IP of PfSense router> Allow <Your Network>
- <DAD’s Network> Deny <Your Network>
LAN firewall rules of PfSense
- <Your Network> Allow <WAN IP of PfSense>
- <Your Network> Allow <LAN IP of External Router>
- <Your Network> Deny <DAD’s Network>
- <Your Network> Allow <*> (everything else)
These rules will allow your network to get to the internet and access the outside router, but will deny your network from getting to your Dad’s network, while also denying your Dad’s network from getting into yours.
If you run into any snags, or the firewall rules don't seem to do what you need, drop me a line, I'll see where it's broken. I'm pretty sure it will work the way it is.
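The top-down, first-match rule evaluation the post relies on is easy to get wrong by reordering. The following Python model is an added example (not code from the post, and not pfSense's own rule engine): it encodes the LAN and WAN rule tables above and shows that moving the "deny Dad's network" line above the two host allows silently breaks access to the external router. All addresses are constructed placeholders; the post names no real ones.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Constructed addressing (assumption, not from the post):
#   Dad's LAN is 192.168.1.0/24, the external router's LAN IP is .1,
#   the pfSense WAN interface (the DMZ host) is .50, and "your network"
#   behind pfSense is 10.0.0.0/24.
DADS_NET = ip_network("192.168.1.0/24")
EXT_ROUTER_LAN_IP = ip_address("192.168.1.1")
PFSENSE_WAN_IP = ip_address("192.168.1.50")
YOUR_NET = ip_network("10.0.0.0/24")
ANY = ip_network("0.0.0.0/0")


def host(ip) -> IPv4Network:
    """A single-host match, written as a /32 so it composes with networks."""
    return ip_network(f"{ip}/32")


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    src: IPv4Network     # who is sending
    dst: IPv4Network     # where it is going


# LAN-side rules, in the order the post gives them (traffic leaving your hosts).
LAN_RULES = [
    Rule("allow", YOUR_NET, host(PFSENSE_WAN_IP)),
    Rule("allow", YOUR_NET, host(EXT_ROUTER_LAN_IP)),
    Rule("deny", YOUR_NET, DADS_NET),
    Rule("allow", YOUR_NET, ANY),          # everything else, i.e. the internet
]

# WAN-side rules (traffic arriving from Dad's side). pfSense's WAN has an
# implicit default deny, modelled by the `default` argument below.
WAN_RULES = [
    Rule("allow", host(EXT_ROUTER_LAN_IP), YOUR_NET),
    Rule("allow", host(PFSENSE_WAN_IP), YOUR_NET),
    Rule("deny", DADS_NET, YOUR_NET),
]

# The same LAN rules with the network-wide deny hoisted to the top: a
# plausible mistake that shadows both host allows.
MISORDERED_LAN_RULES = [LAN_RULES[2], LAN_RULES[0], LAN_RULES[1], LAN_RULES[3]]


def evaluate(rules, src, dst, default="deny"):
    """Top-down first match. Returns (action, index of matching rule or None)."""
    src, dst = ip_address(src), ip_address(dst)
    for index, rule in enumerate(rules):
        if src in rule.src and dst in rule.dst:
            return rule.action, index
    return default, None


def check_policy(lan_rules):
    """Does this rule order still give a host on your network what the post
    wants: the router and pfSense reachable, Dad's LAN blocked, internet open?"""
    me = "10.0.0.5"
    return {
        "external_router": evaluate(lan_rules, me, EXT_ROUTER_LAN_IP)[0],
        "pfsense_wan": evaluate(lan_rules, me, PFSENSE_WAN_IP)[0],
        "dads_host": evaluate(lan_rules, me, "192.168.1.20")[0],
        "internet": evaluate(lan_rules, me, "198.51.100.7")[0],
    }


if __name__ == "__main__":
    print("as written :", check_policy(LAN_RULES))
    print("misordered :", check_policy(MISORDERED_LAN_RULES))
    print("from Dad's :", evaluate(WAN_RULES, "192.168.1.20", "10.0.0.5"))
```

Note that the model only matches on source and destination address; real pfSense rules also carry protocol, port, direction and interface, and the `<public IP> Allow <Service Hosts>` line from the WAN table is left out because the post names no specific service. The point the model makes survives all of that: with the deny first, `check_policy` reports the external router as denied, which is exactly the "it stopped working after I tidied the rules" symptom.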
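The NAT-versus-PAT distinction, the DMZ-host behaviour and the "double masquerade" the post describes can all be shown with one small translation model. This is an added example, not code from the post and not how any particular router implements its tables; the public and private addresses, the VOIP forward on port 5060 and the port numbers are all constructed. It chains a home router (PAT, one VOIP port forward, DMZ host pointed at pfSense) in front of a pfSense box (PAT, nothing forwarded) and traces both directions through the pair.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]   # (ip, port)


@dataclass
class OneToOneNat:
    """True NAT: one public IP maps to exactly one private IP, all ports."""
    mapping: Dict[str, str]   # public_ip -> private_ip

    def inbound(self, public_ip: str, port: int) -> Optional[Endpoint]:
        private_ip = self.mapping.get(public_ip)
        return (private_ip, port) if private_ip else None


@dataclass
class PatGateway:
    """Many-to-one translation (what home routers label 'NAT'), with optional
    per-port forwards and an optional DMZ host that catches every other port."""
    public_ip: str
    forwards: Dict[int, Endpoint] = field(default_factory=dict)  # public port -> inside
    dmz_host: Optional[str] = None
    next_port: int = 40000                                       # first translated port
    table: Dict[int, Endpoint] = field(default_factory=dict)     # public port -> inside

    def outbound(self, private_ip: str, private_port: int) -> Endpoint:
        """Translate a flow leaving the private side; returns what the outside sees."""
        for public_port, inside in self.table.items():
            if inside == (private_ip, private_port):
                return self.public_ip, public_port
        public_port = self.next_port
        self.next_port += 1
        self.table[public_port] = (private_ip, private_port)
        return self.public_ip, public_port

    def inbound(self, public_port: int) -> Optional[Endpoint]:
        """Where traffic to public_ip:public_port lands. Return traffic for an
        existing flow wins, then explicit forwards, then the DMZ host, else drop."""
        if public_port in self.table:
            return self.table[public_port]
        if public_port in self.forwards:
            return self.forwards[public_port]
        if self.dmz_host is not None:
            return (self.dmz_host, public_port)
        return None


def build_example() -> Tuple[PatGateway, PatGateway]:
    """Dad's router in front of pfSense, as in the post (constructed addresses)."""
    dad = PatGateway(
        public_ip="203.0.113.10",
        forwards={5060: ("192.168.1.20", 5060)},   # his VOIP box keeps its forward
        dmz_host="192.168.1.50",                    # everything else -> pfSense WAN
    )
    pfsense = PatGateway(public_ip="192.168.1.50")  # no forwards, no DMZ host
    return dad, pfsense


def trace_inbound(outer: PatGateway, inner: PatGateway, port: int) -> Optional[Endpoint]:
    """Follow unsolicited traffic from the internet through both gateways."""
    hop = outer.inbound(port)
    if hop is None:
        return None
    ip, inner_port = hop
    if ip != inner.public_ip:
        return hop                 # landed on a host on Dad's LAN (e.g. the VOIP box)
    return inner.inbound(inner_port)


def trace_outbound(outer: PatGateway, inner: PatGateway,
                   private_ip: str, private_port: int) -> Endpoint:
    """Follow a flow from your network out through both gateways."""
    mid_ip, mid_port = inner.outbound(private_ip, private_port)
    return outer.outbound(mid_ip, mid_port)


if __name__ == "__main__":
    dad, pfs = build_example()
    print("1:1 NAT   :", OneToOneNat({"203.0.113.11": "192.168.1.30"}).inbound("203.0.113.11", 8080))
    print("VOIP 5060 :", trace_inbound(dad, pfs, 5060))
    print("port 443  :", trace_inbound(dad, pfs, 443))       # reaches pfSense, dropped there
    print("outbound  :", trace_outbound(dad, pfs, "10.0.0.5", 51000))
    print("reply     :", trace_inbound(dad, pfs, 40000))     # follows the state back in
```

The two things worth noticing: the VOIP forward is matched before the DMZ host, so Dad's setup is untouched, and every other unsolicited port ends up at the pfSense WAN interface, where it is dropped because pfSense has neither a forward nor a DMZ host of its own. The "double masquerade" cost is also visible: a return packet has to find a state entry in both tables, which is why some software that expects a single translation layer gets confused.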