What exactly is the DMZ

The rules would work unless they were then able to access your pfSense box and change the rules. It would only affect traffic that was going to an address on your dad's network; if it's going to the internet then the rules wouldn't apply to it. It's not ideal, but it would work. It would be better to have a firewall on your dad's side so there is no way for something on your network to access the configuration. This is why it would be better to have your router connected to the modem and his connected to yours.

But if you keep all your web facing servers on a network which is isolated from the rest of your network then you should be fine. You'd want to set it up so that you can access your servers but they can't access your private network, or the pfsense firewall, or your dad's network.

But the point I was trying to make is that there is no difference between you forwarding each port twice or you forwarding all ports to your router and then only forwarding them once. Everything else will still work the same way as it currently is. Using the DMZ setting to forward traffic to your router will not expose your dad's network anymore than it currently is. So what I was saying about the firewall rules and stuff is unrelated to that and just a way you could mitigate any damage that could be caused.


Okay, thanks. I'll probably just set myself as the DMZ and call it a day until we come up with a more secure way. I don't have that many web facing servers anyway, just one apache server and a couple of game servers/other misc junk. They're all on obscure ports at the moment anyway so we should be fine. Thank you!

TL;DR : Read the whole damn thing, understanding the inner workings helps to better understand the device you are working with.

First things first:

Let's get some commonly misused terminology out of the way, as I'll probably start to confuse folk who have less networking experience.



IP Address = quad octet address scheme used by IP Version 4 (x.x.x.x)

PORT = A virtualisation identifier defining a service endpoint (PORT 22 == SSH)

NAT = Network Address Translation

PAT = Port Address Translation

DMZ = Demilitarized Zone

DMZ Host = A fancy way to forward all PORTs from your external network to an internal Host IP Address (Not a 1:1 NAT)


Most home and SOHO routers mislabel PAT as NAT and end up confusing everyone.


NAT is a 1:1 translation, so <publicIP>:translate:<privateIP>; from the outside world you hit the public IP, the router translates it and passes traffic to the specified internal address.

PAT is a 1:x translation, when a router acts as a gateway to many internal addresses.

Port Forwarding/Port Mapping: is when you map a specific port or a range of ports from <Public IP> to any <internal IP>

DMZ: Demilitarized Zone: This is a network that is either physically or logically exposed to an "untrusted" network, usually the internet.


(Pulled directly from Wikipedia)

DMZ Host: Some home routers refer to a DMZ host. A home router DMZ host is a host on the internal network that has all ports exposed, except those ports otherwise forwarded. By definition this is not a true DMZ (Demilitarized Zone), since it alone does not separate the host from the internal network. That is, the DMZ host is able to connect to hosts on the internal network, whereas hosts within a real DMZ are prevented from connecting with the internal network by a firewall that separates them, unless the firewall permits the connection. A firewall may allow this if a host on the internal network first requests a connection to the host within the DMZ. The DMZ host provides none of the security advantages that a subnet provides and is often used as an easy method of forwarding all ports to another firewall / NAT device.


This last one I’ve never used, as I don’t normally operate non-enterprise-grade routers and such. pfSense operates more like an enterprise-grade router, and the idea of a DMZ Host is not “directly” supported. To put it plainly: DMZ Host is DMZ for dummies.

Now, onto the fun stuff.

In your circumstances, your dad’s consumer grade router will be fine to set up a DMZ Host and point it at your PfSense box. As long as the Port forwards remain in place on the external router for his VOIP setup, his network should remain unaffected.


To help visualize this:


Legend:
== Public IP network

--- Dad’s internal network

++ Your network

<> Devices

[],{},() Network identifiers


[INTERNET]==<ExternalRouter>---{Dad’s Network----<PfSense Box++(Your Network)>--}


This will be a bit funky because technically <Your Network> is being “PAT’d” to your <Dad’s Network>, which is being PAT’d to the internet.
This is sometimes called a “Double NAT”, which is technically wrong, but it’s the common description. The more accurate term would be “Double Masquerading” (or Double Masqing).
Even though all the external PORTs are being forwarded in this masquerade fashion, it can cause issues with some software.

To prevent any of your network hosts from accessing his network, you will want to set up firewall rules that allow your network to hit both the WAN IP Address on the PfSense box and the LAN IP Address on the External Router, and deny everything else on your dad’s network.
Firewall rules are read from the top down and stop when they match, so allow both hosts, then deny the whole network.

WAN firewall rules of PfSense

  • <public IP> Allow <Service Hosts> (specify each host and PORT individually)
  • <LAN IP of External Router> Allow <Your Network>
  • <WAN IP of PfSense router> Allow <Your Network>
  • <DAD’s Network> Deny <Your Network>


LAN firewall rules of PfSense

  • <Your Network> Allow <WAN IP of PfSense>
  • <Your Network> Allow <LAN IP of External Router>
  • <Your Network> Deny <DAD’s Network>
  • <Your Network> Allow <*> (everything else)


These rules will allow your network to get to the internet and access the outside router, but will deny your network from getting to your Dad’s network, while also denying your Dad’s network from getting into yours.

If you run into any snags, or the firewall rules don't seem to do what you need, drop me a line, I'll see where it's broken. I'm pretty sure it will work the way it is.
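As an added example (not code from this thread, and not pfSense's own logic), here is a small Python model of the top-down, first-match evaluation the post describes, applied to the LAN rule set above with constructed sample addresses. It also shows what happens if the "allow everything else" rule is placed above the deny: traffic to Dad's network leaks through.

```python
import ipaddress

# Constructed sample addressing (assumptions, not from the thread):
#   Dad's network        192.168.1.0/24, external router LAN IP 192.168.1.1
#   pfSense WAN IP       192.168.1.50   (the address Dad's router uses as DMZ Host)
#   Your network         10.0.0.0/24 behind the pfSense LAN
DADS_NET        = ipaddress.ip_network("192.168.1.0/24")
ROUTER_LAN_IP   = ipaddress.ip_network("192.168.1.1/32")
PFSENSE_WAN_IP  = ipaddress.ip_network("192.168.1.50/32")
YOUR_NET        = ipaddress.ip_network("10.0.0.0/24")
ANY             = ipaddress.ip_network("0.0.0.0/0")

# LAN interface rules from the post, in the order given: (source, destination, action)
LAN_RULES = [
    (YOUR_NET, PFSENSE_WAN_IP, "allow"),   # reach the pfSense WAN address
    (YOUR_NET, ROUTER_LAN_IP,  "allow"),   # reach the external router itself
    (YOUR_NET, DADS_NET,       "deny"),    # nothing else on Dad's network
    (YOUR_NET, ANY,            "allow"),   # everything else (the internet)
]

# Same rules with the catch-all "allow" moved above the deny (the mistake to avoid)
MISORDERED = [LAN_RULES[0], LAN_RULES[1], LAN_RULES[3], LAN_RULES[2]]


def evaluate(rules, src, dst, default="deny"):
    """Top-down, first-match: the first rule whose source and destination
    both match decides; an implicit default deny applies if nothing matches."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule_src, rule_dst, action in rules:
        if src in rule_src and dst in rule_dst:
            return action
    return default


def check_isolation(rules, client="10.0.0.20"):
    """Verdicts for the four destinations the post cares about, from one LAN client.
    203.0.113.10 is a documentation-range address standing in for 'the internet'."""
    return {
        "to_internet":        evaluate(rules, client, "203.0.113.10"),
        "to_pfsense_wan":     evaluate(rules, client, "192.168.1.50"),
        "to_external_router": evaluate(rules, client, "192.168.1.1"),
        "to_dads_pc":         evaluate(rules, client, "192.168.1.77"),
    }


if __name__ == "__main__":
    print("correct order:", check_isolation(LAN_RULES))
    print("misordered:   ", check_isolation(MISORDERED))
```

With the rules in the post's order the only denied destination is the host on Dad's network; with the catch-all moved up, that same destination is allowed, which is exactly the leak the ordering is meant to prevent.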

Thank you so much. This actually makes a lot more sense now. I don't know how I missed the Wikipedia page, but I ended up on some other article that did a horrible job explaining what a true DMZ is. I'll hopefully get a chance to try this later this week/weekend; I'll post back here if it works.

THANK YOU!!!

Mah brain.

It still hates networking.

THANK YOU QAIN YOU ARE A LIFESAVER

Those firewall rules did EXACTLY what I needed. I also added in a rule blocking access to the web admin interface on my dad's router (just to satisfy my dad that nothing on my end will be able to exploit his stuff), and he's probably going to let me do it now. He's going to "look into it" more, which really means he's going to check and make sure I actually know what I'm talking about.

I'll let you know how it works! Thank you so much!

One more random thing, if my friend has a site to site VPN to my network, then can we forward a port from his IP to an IP on my network? I'm just wondering if we can use some OpenVPN magic to make full use of the two public IPs we now have.

Again, THANK YOU SO MUCH you are a genius!

I'm glad it worked out.


As for Site to Site VPN, that's a fun setup. 

Short answer... Yes, it's possible. Not the most advisable thing to do, but it's possible.


When you get everything ready to go, let me know, we'll tackle the next step in your unorthodox setup. 

Well it looks like that plan fell through. My friend's dad is irritated at us for "slowing down his internet" (we have graphs that say otherwise, but we can't really argue with him) so the site to site VPN is probably going to get killed (yay).

I do have a question though... could you guys do a video on how to set up a DNS server (just a local one)? I've got one set up with BIND (actually a cluster of a few of them) using Webmin, and it works reasonably well, but I did have a heck of a time setting it up the first time. I would love to see a detailed tutorial on that, plus how some of the other DNS servers work... TinyDNS and the other ones whose names escape me...

Thanks again, PLEASE PLEASE PLEASE make more pfSense tutorials, things like Snort and web caching would be AWESOME!

My experience with web caching is that it really isn't worth the effort, not unless you have a lot of users. Because your browser already stores its own cache, you would probably see a reduction in performance rather than a gain, as there would be added latency from it having to check if there's a new version. Not to mention that https traffic can't be cached, and you should be using https as much as possible.

I do have squid running on my pfSense box for my public wi-fi network. I use it to block sites; it wouldn't be too hard to get around it considering that it can't do anything with https traffic, but my neighbours don't seem to be that smart, it totally stopped them from using YouTube. Well, that and the federal police raided the house of the Afghanis who were using my wi-fi to watch Bollywood movies all day, turns out they were sending money to ISIS and building bombs or something.

Anyway, getting the cache set up is simple enough, just install squid, turn on transparent proxy and mess around with the cache settings to suit what you need. But like I said it really doesn't make much of a difference.

Snort on the other hand is pretty cool, but it can be a total pain in the arse to get it working properly. I just spent all morning with my internet cutting in and out and I only just now figured out it was snort blocking the gateway of my VPN. If you want to use snort be prepared to spend quite a bit of time tuning the rules so you don't get false positives all the time. When I was setting up my mail server I was doing it from my phone while I was in Indonesia, and snort kept locking me out, so I'd have to wait an hour for it to unblock me, then try to quickly figure out which rule was causing the problem and disable it before it blocked me again.

Anyway, I can help you out with snort if you want, not sure how well it will run on your specs though.

That would be great. Want me to just PM you my Steam name? (I have Skype too if that's better, whatever works)

I can't really change the processor in the box because it's embedded, but I can upgrade the RAM to 1GB. I'd give it more but the board only has one DIMM slot. If it would be better, I do have plenty of spare computing power on my Proxmox server; if there's a way to offload some of the work onto there I can do that.

Thanks again!

Sure, send me your Skype.

Snort likes RAM, but I haven't really played around with the lower memory modes, so it may work fine. Set it up and run a few tests to see if there's a performance hit. You can run it on another system, but I'm not really sure how to then make it block the hosts in pfSense.