# Need a hand placing my FreeBSD firewall behind *another* router



## horseflesh (Feb 25, 2022)

For years I have had cable internet with a static IP, which I fed into my FreeBSD box for NAT/firewall duties. 

I've changed ISPs and their hardware is quite different. I'm not sure how to configure things so that my FreeBSD box can remain the gateway on my network. 

I appear to be forced to use *their* router, so my static IP *has* to be on their box. It has LAN ports and can do DHCP (with reservations). 

So, I can hook my devices up to this thing, but I cannot give my FreeBSD box a public static IP like I am used to. 

Should I configure my FBSD box to NOT be a gateway, and just give it a LAN IP on the router's subnet? 

That's a router behind a router, which seems nuts. 

Any ideas?


----------



## D-FENS (Feb 25, 2022)

Not at all. You can simply connect your NAT to your ISP's router and continue using it with minimal configuration changes. It would implement a NAT inside a NAT but this should not be any problem - hopping one additional gateway is not "nuts", this is how the Internet works.
Either configure your FreeBSD box to use DHCP and set a MAC-IP address maping in the ISP router's configuration, or just configure the box with a static IP address inside the router's subnet. I prefer the former.

In case you have exposed a DMZ host or forward ports to internal servers, you need to do it in two places - on the ISP's router and on your FreeBSD gateway.
I have been using a similar setup, no issues there.

Of course, you could design a more elaborate/efficient solution, introduce VLANs etc. if you want to invest more effort, that's up to you.


----------



## horseflesh (Feb 25, 2022)

Beautiful, thank you. Looks easy enough to set up a DHCP reservation on the ISP router, so I will go that route. 

Since I posted I did find what appears to be a DMZ setting in the ISP router, so I guess if I set that up as well I won't have to forward every port of interest in the ISP router GUI.


----------



## D-FENS (Feb 25, 2022)

horseflesh said:


> Beautiful, thank you. Looks easy enough to set up a DHCP reservation on the ISP router, so I will go that route.
> 
> Since I posted I did find what appears to be a DMZ setting in the ISP router, so I guess if I set that up as well I won't have to forward every port of interest in the ISP router GUI.


Yeah, that's probably the easiest way to get started without any hassle. As your box act as NAT and firewall, simply pass it through to the outside world and you're good to go.
Only one disadvantage I could think of - now you have one more device consuming power. Apart from that, it should be just fine.


----------



## horseflesh (Feb 25, 2022)

I'm all set now, thanks again D-FENS .

One unfortunate thing is that I can't actually make use of a DMZ feature. I think it has to do with my VOIP service, they said that their router _had _to handle public IP for VOIP routing... I can't pass it through to another device. So, I do have to do port forwarding on their router too. Too bad. But... it's working now and I have time to look for a more elegant solution.


----------



## sko (Feb 25, 2022)

horseflesh said:


> I appear to be forced to use *their* router, so my static IP *has* to be on their box.


Depends on where you live. Within the EU this requirement would be illegal (directive 2008/63/EG)

As for VOIP: If you actually want to use it, you only need the SIP-Login data for your account, then just configure it on any SIP device you want to use behind your router/firewall. Again: within the EU the ISP is required to give you this login information.
You can also easily pass through SIP/VoIP through the FreeBSD router and put their router behind it just for SIP/VoIP. That's what I've set up several times for friends that still use some sort of "landline phone service" (I've been routing all my phone numbers to my SIM card for >10 years now...). In fact that's the normal setup for any SIP phone system - you don't place those open on the internet but behind a firewall and/or router(s). SIP/VoIP (with some minor caveats) is perfectly fine with that - worst case would be the need to configure a STUN server, which all ISPs usually offer anyways. (or just dump their included service and go for a proper SIP-provider that doesn't impose artificial restrictions)

However, double-NATing although ugly and not recommended "usually works" for most home requirements. Although it might add considerable buffering and delays which might affect things like online games.
If you are running services at home that need to be accessible from the outside, it usually gets ugly with multiple port forwards and you might loose some filtering capabilities on your router (or at least have to refine/adjust them). remember to add the ISP routers internal subnet to the list of external prefixes in your PF config, or it will handle everything as local connections and probably pass just anything in both directions.

In short: try to rip out the ISPs plasticrouter and use your own box. If you are back on ancient DSL now, either put their router in passthrough mode or just get a simple vDSL-modem Which can be used with pppoed() (e.g. the ALLNET BM100 vdsl2 works well; we have to run it at one branch where there is still only crappy DSL from telekom service available...)


----------



## covacat (Feb 25, 2022)

most of these ISP provided boxes can be configured in bridge mode but often the ISP custom 'fimware' hides the option from the web interface of the device
ISPs dont like to support the bridge mode and if the do they do it for windows only
I had various DSL, DOCSIS, ONT devices and all had the capability
they usually run the VOIP and other admin/monitoring stuff on RFC 1918 on their WAN


----------

