I'm adding a firewall to my home network.

thepixelgeek

Patron
Joined
Jan 21, 2016
Messages
271
I recently set up a FreeNAS box and installed Plex, Sonarr, Nzbget jails. I'm now wanting to update my home network by adding a firewall/router (Untangle).

This will be my first time using a firewall, and I'm curious if there will be any pitfalls to watch out for? Especially with existing jail IPs and FreeNas IP. Those IPs are currently reserved in my Eero router.

Assuming I need to place my current router into bridge mode?
Are there any overarching recommended procedures for introducing the new hardware?

My current network:
Cable modem
- Eero router
--Netgear switch
--- Eero APs
--- Sonos
--- TVs
 

melloa

Wizard
Joined
May 22, 2016
Messages
1,749
Assuming I need to place my current router into bridge mode?

Not necessarily. Mine doesn't have that option, so my pfSense WAN is on its DMZ.

Those IPs are currently reserved in my Eero router.

Assuming you will replace the Eero with the new firewall/router, I'd setup the same subnet and allocate the same IPs, so no extra configuration would be needed.

I'm now wanting to update my home network by adding a firewall/router (Untangle).

I have tested it, but can't comment on it. Maybe other users are using it and can?
 

thepixelgeek

Patron
Joined
Jan 21, 2016
Messages
271
Assuming you will replace the Eero with the new firewall/router
Yes, eventually it will be replaced. However, at first, I would use the wifi mesh capabilities of Eero until I add a new PoE switch and Unifi APs.

I'd setup the same subnet and allocate the same IPs, so no extra configuration would be needed.
Perhaps overthinking this, but wondering if it's better to install firewall os, allocate IPs, and then hook it up to the modem. Or, do I just connect it to the modem and go through setup/config steps.

Wondering about the best tactical way to introduce new FW hardware.

Thanks for the reply!
 

melloa

Wizard
Joined
May 22, 2016
Messages
1,749
Yes, eventually it will be replaced. However, at first, I would use the wifi mesh capabilities of Eero until I add a new PoE switch and Unifi APs.

Not familiar with Eero. At home I use Unify APs connected to my regular switch. As I run ~100 m cables, my PoE switch won't power them, so I use an injector instead. If you can configure those APs to work with another router, injectors could be an cheaper options.

Perhaps overthinking this, but wondering if it's better to install firewall os, allocate IPs, and then hook it up to the modem. Or, do I just connect it to the modem and go through setup/config steps.

Well ... test as above with one host connected to the new N/W and uplink to the existing after all is working. Again, if setup the same subnet, all will be easier.
 

John Doe

Guru
Joined
Aug 16, 2011
Messages
635
go for it!

i have pfsense since a year and i really like it!

my setup varies:
ISP modem/router - pfsense- LAN with VMs and ddwrt router/accesspoint for Wifi

my intention was, that the ISP can still maintain the provided router/modem without checking what is behind. also for guests, i turn on the wifi on the ISP router, so that they can use the www without getting in touch with my hardware.

one more point, if you mess up your firewall and lock yourself out, just pull out the lan cable from your firewall and put it in your lan port from ISP router, so that you can use google to look for a solution.

I assume you could do the same with your Eero.

Personally I would not use ISP router for DMZ and pass it to pfsense wan port.
You never know what security issues are in the software. So i think it is better to have several barriers of protection with different software. in that case ISP provided router with the firewall ISP maintains and pfsense firewall.

a recommendation to start:
1.) Separate networks, be it with vlan tags or subnets. e.g. I use 192.168.10.* for all virtualized stuff, 192.168.5.* for all physical stuff etc.
2.) get a list of ip addresses and subnet masks
3.) make sure DHCP is not spreading out ip addresses, limit the range!
4.) draw a topology of your network

after setting it up and not touching it for a few month, i forgot my setup and I struggled to find in again. the hints above might save a lot of time during problem finding.

ps. there are tools available to do it automatically. like on kali. can also recommend to get a kali live usb stick and a laptop. scan your network before (to get the 4 points) and after setting up your firewall, to make sure it is working as expected.
 

melloa

Wizard
Joined
May 22, 2016
Messages
1,749

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,974
However, at first, I would use the wifi mesh capabilities of Eero until I add a new PoE switch and Unifi APs.
Set up your pfsense to get it's IP from your modem. Most likely it will be via DHCP unless you have a static public IP. If you don't know what that is then you likely don't have one. Before you disconnect your Eero disable the DHCP server on it and give it a static IP outside the DHCP range you set in pfsense and leave the wireless on. Remove the cable from the WAN port and move it to a LAN port on the Eero and you just converted it to a wireless access point. That way pfsense will be able to manage any wireless devices that connect to the Eero and assign them an IP address.
 
Last edited:
Top