Pfsense Interface setup

Just FYI, you should actually be creating the PPPoE session with PfSense, not your ADSL router.

It really is a bad idea to have your router establish the PPPoE session.
Your router ends up doing NAT and managing your DNS servers (as provided by the ISP), and the router is another hop to get to your gateway (provided by the ISP).
Your security is worse because your ADSL router is exposed to the open internet (even if it blocks all ports, you really should have PfSense be the device exposed to the internet). For that same reason it makes managing open ports much harder.
Any attacks made on your public IP hits the ADSL router first, which is just sad.

I can list more points but I think I've mentioned most of the reasons.

#JustSaying
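A quick way to confirm which of the two setups you actually have is to look at the address and gateway on the pfSense WAN interface: if both are private (RFC 1918) addresses, the ADSL router is terminating the session and doing NAT in front of pfSense. The following is an added example, not code from any poster in this thread or from the pfSense project; the sample addresses are constructed, and 203.0.113.0/24 (an RFC 5737 documentation range) stands in for a real ISP-assigned public address.

```python
import ipaddress

# Ranges that, when seen on the pfSense WAN interface, mean pfSense is NOT the
# device holding the public IP: something in front of it (the ADSL router, or
# the ISP's own carrier-grade NAT) is terminating the session and doing NAT.
# Ranges per RFC 1918, RFC 6598, RFC 3927, RFC 4193 and RFC 4291.
NON_PUBLIC_RANGES = {
    "private-rfc1918": [
        ipaddress.ip_network("10.0.0.0/8"),
        ipaddress.ip_network("172.16.0.0/12"),
        ipaddress.ip_network("192.168.0.0/16"),
    ],
    "cgnat": [ipaddress.ip_network("100.64.0.0/10")],
    "link-local": [
        ipaddress.ip_network("169.254.0.0/16"),
        ipaddress.ip_network("fe80::/10"),
    ],
    "loopback": [
        ipaddress.ip_network("127.0.0.0/8"),
        ipaddress.ip_network("::1/128"),
    ],
    "ula": [ipaddress.ip_network("fc00::/7")],
}


def classify_wan(addr: str) -> str:
    """Return 'public' or the label of the non-public range the address falls in."""
    ip = ipaddress.ip_address(addr)
    for label, nets in NON_PUBLIC_RANGES.items():
        for net in nets:
            # Guard the version so an IPv6 address is never tested against an IPv4 net.
            if ip.version == net.version and ip in net:
                return label
    return "public"


def double_nat_suspected(wan_addr: str, wan_gateway: str) -> bool:
    """True when both the WAN address and its gateway are non-public, i.e. the
    device in front of pfSense is the real internet-facing one."""
    return classify_wan(wan_addr) != "public" and classify_wan(wan_gateway) != "public"


def describe(wan_addr: str, wan_gateway: str) -> str:
    """Human-readable verdict for a WAN address/gateway pair."""
    label = classify_wan(wan_addr)
    if label == "cgnat":
        return (f"WAN {wan_addr} via {wan_gateway} (cgnat): the ISP is doing "
                "carrier-grade NAT; moving PPPoE to pfSense does not change this.")
    if double_nat_suspected(wan_addr, wan_gateway):
        return (f"WAN {wan_addr} via {wan_gateway} ({label}): the ADSL router is "
                "terminating the session and NATing; pfSense sits behind it.")
    return (f"WAN {wan_addr} via {wan_gateway}: pfSense holds the public address "
            "and is the internet-facing device.")


if __name__ == "__main__":
    # Constructed sample values for the three situations discussed in the thread.
    samples = [
        ("192.168.1.2", "192.168.1.1"),   # modem does PPPoE, pfSense gets a LAN address
        ("100.72.3.4", "100.72.0.1"),     # ISP-side carrier-grade NAT
        ("203.0.113.5", "203.0.113.1"),   # pfSense terminates PPPoE itself (documentation range)
    ]
    for wan, gw in samples:
        print(describe(wan, gw))
```

On a live box the values to feed in are the WAN address and gateway shown on the pfSense dashboard (or `ifconfig`/`netstat -rn` from the shell); the CGNAT branch is there because a 100.64.0.0/10 address means the ISP, not your modem, is doing the NAT, and the PPPoE placement debate below does not apply to it.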

Dunno if I agree with you on that one. If the ADSL modem is blocking everything as it should to itself and passing all traffic from itself directly to the pfsense, the network is more secure, not less.
If a malicious person breaks through the modem, they still need to get through the pfsense firewall. At which point they may just abandon the attempt to get into the network because of the layers or complexity.

The casual black hats (i.e. script kiddies) you get out there are in it for the quick wins. The easy to break setups that fall to scripts/apps someone else wrote. Having 2 layers of "firewall" is already more than most of them are willing to spend time on.

The only advantage to putting the pfsense on the frontline is that you would then see the direct traffic threats, instead of the inbound NAT traffic from the router.
That, and some performance gains in the 5-10ms range from not being processed by 2 routers/firewalls.

There are arguments to both sides and I'm guessing it's just up to personal preference because either stance is valid.
 
> Dunno if I agree with you on that one. If the ADSL modem is blocking everything as it should to itself and passing all traffic from itself directly to the pfsense, the network is more secure, not less.
They have complete access to the ADSL router at that point (and credentials, etc.).
This gives them the ability to:
Inspect any traffic passing from you to the internet (complete packet capture).
This allows arbitrary man in the middle attacks.
Because this is possible, they control:
A) All DNS servers (all traffic is no longer secure, including HTTPS traffic in a variety of situations)
- In fact if you download a browser in a compromised situation, all traffic including the most secure HTTPS imaginable should be assumed to be man in the middle at that point.

B) All NTP servers (again, serious problem, you no longer have guaranteed accurate time, which is a problem for timing related attacks in some situations)
C) All HTTP traffic is man in the middle (oh yippee, they can redirect you to their own HTTPS green-lock websites without you even being aware of it)
D) They control your IP and any traffic you send and receive
E) OSs like PfSense become far weaker when you control the traffic it can see for a variety of reasons.

I'm not a network expert so there are probably a lot more here I can think up if I had time, but these are the worst initially at least.

This is not possible on the open internet because they would need to control key pieces of infrastructure.
But it breaks down when someone controls your gateway to the internet.

> There are arguments to both sides and I'm guessing it's just up to personal preference because either stance is valid.
Double firewall does not mean double security.
This is a weakest link situation.

#JustSaying, decide for yourself
 
Completely agreed.

It all holds true even with the pfsense router/firewall being on the perimeter rather than the modem. The gamble is, which one is more or less likely to have a vulnerability to exploit.
 
> Completely agreed.
>
> It all holds true even with the pfsense router/firewall being on the perimeter rather than the modem. The gamble is, which one is more or less likely to have a vulnerability to exploit.
Exactly my point.

Considering the PfSense track record thus far (BEAST, POODLE, BREACH, etc. were all dealt with within a day of the problem being made public).
I'd rather put my egg in that basket.

But most of all, I want my PfSense router to deal with the heavy lifting.
I'd rather my ADSL router/modem part is dumb.
Packet inspection, NAT, firewall, etc. all take processing power, memory, etc.
My ADSL router never needed a reboot when it had no part to play except to forward packets.
 
Firmware on generic consumer routers is normally terrible with hardly any updates after the release of the product. I'd pick pfSense any day of the week.
 