PFSense and Modem\Modem Mode Security

Xentrk

Part of the Furniture
Hi,

I'm posting here because I will be setting up PFSense soon and I will need a modem or router which provides a modem mode. What I'm concerned about is security of such modem/router with modem mode. I know that by default a router is secure but a modem is like DMZ so whatever you hook up to it, it will be revealed to the WAN side, correct me if I'm wrong.

Therefore, when I connect my PFSense box to such device, it will be vulnerable to attacks etc.
Is there any way I can secure my PFSense or Modem to limit/eliminate such attacks ?
Are there any tips you guys can give me in terms of security ?

Thanks
You should be okay. I have done this for myself and other people. It is referred to as Bridge mode.

Once you place the modem/router into bridge mode, it no longer has a WAN IP address that can be scanned for vulnerability by those with ill intent on the WWW. The ISP can still ping it on their end though.
 

CaptainSTX

Part of the Furniture
Hi,

I'm posting here because I will be setting up PFSense soon and I will need a modem or router which provides a modem mode. What I'm concerned about is security of such modem/router with modem mode. I know that by default a router is secure but a modem is like DMZ so whatever you hook up to it, it will be revealed to the WAN side, correct me if I'm wrong.

Therefore, when I connect my PFSense box to such device, it will be vulnerable to attacks etc.
Is there any way I can secure my PFSense or Modem to limit/eliminate such attacks ?
Are there any tips you guys can give me in terms of security ?

Thanks
The biggest thing you need to do to protect your LAN from WAN side attacks is not allow administrative access to the router from the WAN including SSH, Telnet, etc. unless you run a VPN connection to your router and run a VPN server on the router.
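
Added example, not part of the original post or of pfSense itself: one way to check the point above is to audit a pfSense configuration backup for WAN pass rules that reach SSH, Telnet or the web GUI on the firewall. The sample rules are constructed, and the element names and port list are assumptions modelled on the `<filter><rule>` entries of a `config.xml` backup.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Element names are modelled on the <filter><rule> entries
# of a pfSense config.xml backup; treat that layout as an assumption.
SAMPLE = """<pfsense><filter>
<rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
  <source><any/></source>
  <destination><network>wanip</network><port>22</port></destination>
  <descr>remote ssh</descr></rule>
<rule><type>pass</type><interface>wan</interface><protocol>udp</protocol>
  <source><any/></source>
  <destination><network>wanip</network><port>1194</port></destination>
  <descr>vpn server</descr></rule>
<rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
  <source><any/></source>
  <destination><any/><port>80-443</port></destination>
  <descr>web range</descr></rule>
<rule><type>pass</type><interface>lan</interface>
  <source><network>lan</network></source><destination><any/></destination>
  <descr>default allow LAN</descr></rule>
</filter></pfsense>"""
# Assumed management ports; adjust if the GUI or SSH listens elsewhere.
ADMIN_PORTS = {22: "SSH", 23: "Telnet", 80: "HTTP GUI", 443: "HTTPS GUI"}

def covers(spec, port):
    """Port field: empty means any port; otherwise 'N' or a range 'N-M'."""
    if not spec:
        return True
    lo, _, hi = spec.partition("-")
    if not (lo.isdigit() and (hi or lo).isdigit()):
        return False  # named alias: not resolved here, review by hand
    return int(lo) <= port <= int(hi or lo)

def wan_admin_exposures(config_xml):
    """Return (rule description, service) for WAN pass rules reaching admin ports."""
    findings = []
    for rule in ET.fromstring(config_xml).iterfind("./filter/rule"):
        if (rule.findtext("type"), rule.findtext("interface")) != ("pass", "wan"):
            continue
        if rule.find("disabled") is not None or "tcp" not in (rule.findtext("protocol") or "tcp"):
            continue  # disabled rule, or a protocol that cannot carry SSH/Telnet/GUI
        dest = rule.find("destination")
        if dest is None or not (dest.find("any") is not None
                                or dest.findtext("network") in ("wanip", "(self)")):
            continue  # traffic is not addressed to the firewall itself
        spec = dest.findtext("port")
        findings += [(rule.findtext("descr"), svc)
                     for port, svc in ADMIN_PORTS.items() if covers(spec, port)]
    return findings
```

On the constructed sample this flags the SSH rule and the 80-443 range, while the UDP VPN rule and the LAN rule pass, which matches the advice to reach the router over a VPN instead of opening management ports.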
 

sfx2000

Part of the Furniture
I don't really like exposing anything online. Does that mean when I hook up PFSense to the modem and let's say decide to have local FTP server, would that be exposed to WAN side as PFSense is connected directly to the modem ?
You probably need to take some time to understand what you are asking - pfSense does not have an FTP server - you can port forward an internal server if you want... if you do, you need to secure that ftp server outside of pfSense

pfSense is not going to "protect" your modem...
 

abailey

Very Senior Member
Your network protection is your firewall/router. If that is pfSense then everything on your LAN side is protected. I assume you hook it up like Internet-> Modem -> pfSense WAN.
So even if your modem somehow became compromised, all your network behind pfSense is still protected.
 

Xentrk

Part of the Furniture
If bridge mode doesn't have a WAN IP then how do I get a public IP ? I'm a bit confused here. I can get ADSL Router and put it in Modem mode but how do I still remain secure while using such mode ? I have heard that Modems are insanely insecure and expose computers connected to them via WAN so by looking at it, it would mean that when I connect my PFSense to it, it would expose all of its local ports to WAN ?
You get the public IP from the Router. The router is where you configure the user name and password and other information required by your ISP. I did a web search and saw some modems had security issues back in 2009. Have not heard of any recent concerns.

Also, doesn't Bridge Mode use PPPoE ?
What is the difference between Bridge Mode and Modem Mode? I know what Bridge Mode generally is as it passes on the connection to the hooked up device which it is connected to but I'm not sure in this case.
Bridge Mode turns it into a modem. It just passes the connection onto the router. The PPPoE config is made on the Router. Bridge Mode feature turns off the routing capabilities while leaving the modem capabilities on. Then, you may connect and use your own router.

Bridge Mode and Modem Mode are probably synonymous. The term used may differ depending on the manufacturer.

I know what you said but wouldn't modem expose LAN side to the WAN anyway or is there a port forwarding required to do so ?
No special configurations or port forwarding is required. All of the security settings are made on the Router. I think a switch box may be a good analogy. The modem/router placed in Bridge mode is just passing the signal onto the Router.
 

CaptainSTX

Part of the Furniture
Correct, a modem just connects you to the public network. The name really says it all.

Modem is short for modulator demodulator. In the old days the modem's function was to take an analog signal transmitted over a telephone line and convert it to digital and then take the digital signal from your computer and convert it back to analog. Different technology today as networks are no longer analog but in general the device serves the same purpose.
 

Xentrk

Part of the Furniture
Shouldn't there be a firewall connected between PFSense box and Modem? I hear that a lot of people implement this practice with PFSense but no one recommended it on here? I guess it might be a bit difficult to do it for a beginner and securing that PFSense box itself is faster and more beneficial for home users?
I’ve not heard of that before. pfSense performs both the routing and firewall duties. So not sure why that is necessary. Perhaps there are some special requirements in an enterprise or medium sized business where additional network segregation is required.

https://www.netgate.com/solutions/pfsense/
 

degrub

Very Senior Member
That is what a correctly configured pfSense box is doing.
Otherwise, turn your modem/router back into router mode and have it drop all unsolicited packets and turn off WAN access.
 

abailey

Very Senior Member
Shouldn't there be a firewall connected between PFSense box and Modem? I hear that a lot of people implement this practice with PFSense but no one recommended it on here? I guess it might be a bit difficult to do it for a beginner and securing that PFSense box itself is faster and more beneficial for home users?
I have never heard of this. Even businesses that I know of that use pfSense don't do this. Not sure what the point would be. pfSense is mainly a firewall. If someone did not want to use it for a firewall why would you use it at all? I guess maybe as a standard router, but there is better router software out there for purely routing.
 

sfx2000

Part of the Furniture
pfSense is mainly a firewall. If someone did not want to use it for a firewall why would you use it at all? I guess maybe as a standard router, but there is better router software out there for purely routing.
pfSense can be the edgerouter/gateway, or it can be an internal router...
 
