Allowing a security system (physical) full access to WAN

I’m actually brighter than I’m about to sound by asking what is basically an elementary question, but I’m pressed for time, super-stressed and just can’t focus. Thanks in advance.

I got a new security system installed recently and the tech says it “must have full access to the WAN and can’t be behind a firewall”.

The truncated version of my network diagram is:

FiOS ONT—>pfSense box—>Switch

I do have static and the installer told me he needs the following to get the box online:

◦ The required Static IP

◦ The required Subnet Mask

◦ The required Default Gateway

◦ The required DNS Server

What would be your preferred method to accomplish this?

…tech says it “must have full access to the WAN and can’t be behind a firewall”.

Not a completely correct statement by the tech. Yes, it likely needs WAN access. Yes, it can and should be behind a firewall.

◦ The required Static IP

If possible, leave the security system in DHCP mode and configure a static DHCP reservation in pfSense DHCP Server for the security system MAC address. Just make sure the static IP address reservation is outside of the normal DHCP address pool range. The advantage of using DHCP static reservations and leaving the client in DHCP mode is the client will automatically retrieve the reserved IP, gateway, netmask, and DNS info.

◦ The required Subnet Mask

Likely 255.255.255.0

◦ The required Default Gateway

The LAN IP address of your pfSense firewall. 192.168.1.1 if you use the pfSense default.

◦ The required DNS Server

If you enabled DNS Resolver in pfSense, it will be the LAN IP address of your pfSense firewall. 192.168.1.1 if you use the pfSense default. Or you can simply use a public DNS server (e.g. Google public DNS 8.8.8.8 or 8.8.4.4).

Q1: Does the security system have a cloud service and mobile app for remote access? If so, it is likely that the security system will connect to a cloud service for remote access and monitoring without port forwarding. If port forwarding is required, then the FiOS Gateway will need to be in IP passthrough mode so your pfSense firewall receives a public IP address. Enabling IP passthrough mode may disable the built-in WiFi radios in your ISP's gateway, thus you will need to connect separate WiFi APs to your switch. The risks of enabling port forwarding can be somewhat mitigated with firewall rules that restrict access to CIDR block(s) of addresses, or simply use VPN for remote access.
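As an added example (not part of the original answer or of pfSense itself), the plan above can be sanity-checked before it is typed into the GUI: the panel's static DHCP mapping must sit inside the LAN subnet but outside the dynamic pool, the client will pick up gateway/netmask/DNS from the firewall, and, if a port forward ever becomes necessary, the WAN pass rule should only admit the monitoring company's source CIDR blocks. The LAN plan, the panel MAC address and the 203.0.113.0/24 "monitoring" block are constructed sample values; the function names are my own.

```python
"""Planning checks for the pfSense-style setup described in the answer above.

All addresses, the DHCP pool and the panel MAC below are constructed sample values;
nothing here touches a live firewall, it only validates the plan.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_interface, ip_network


@dataclass(frozen=True)
class LanPlan:
    """LAN side of the pfSense box: interface address in CIDR form plus the dynamic DHCP pool."""
    lan_if: str       # e.g. "192.168.1.1/24" (the pfSense default LAN address)
    pool_start: str   # first address handed out dynamically
    pool_end: str     # last address handed out dynamically


# Constructed sample values: pfSense default LAN, dynamic pool .100-.199, made-up panel MAC.
PLAN = LanPlan("192.168.1.1/24", "192.168.1.100", "192.168.1.199")
PANEL_MAC = "00:11:22:33:44:55"


def normalize_mac(mac: str) -> str:
    """Accept 'AA-BB-CC-DD-EE-FF', 'aa:bb:cc:dd:ee:ff' or 'aabbccddeeff'; return lowercase colon form."""
    raw = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(raw) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))


def check_reservation(plan: LanPlan, mac: str, ip: str, existing=()) -> list:
    """Problems with a proposed static mapping (mac -> ip); an empty list means it is usable.

    `existing` is an iterable of (mac, ip) pairs already mapped on the same interface.
    """
    problems = []
    iface = ip_interface(plan.lan_if)
    net = iface.network
    addr = ip_address(ip)
    mac = normalize_mac(mac)
    if addr not in net:
        problems.append(f"{ip} is outside the LAN subnet {net}")
    elif addr == iface.ip:
        problems.append(f"{ip} is the firewall's own LAN address")
    elif addr in (net.network_address, net.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address")
    # The reservation must not collide with leases the pool could hand out dynamically.
    if ip_address(plan.pool_start) <= addr <= ip_address(plan.pool_end):
        problems.append(f"{ip} lies inside the dynamic pool {plan.pool_start}-{plan.pool_end}")
    for other_mac, other_ip in existing:
        other_mac = normalize_mac(other_mac)
        if other_ip == ip and other_mac != mac:
            problems.append(f"{ip} is already reserved for {other_mac}")
        if other_mac == mac and other_ip != ip:
            problems.append(f"{mac} already has a reservation for {other_ip}")
    return problems


def client_settings(plan: LanPlan, dns=None) -> dict:
    """What the panel receives when left in DHCP mode with a reservation: gateway and netmask
    come from the LAN interface, DNS defaults to the firewall (DNS Resolver) unless overridden."""
    iface = ip_interface(plan.lan_if)
    return {
        "gateway": str(iface.ip),
        "netmask": str(iface.network.netmask),
        "dns": list(dns) if dns else [str(iface.ip)],
    }


def inbound_allowed(allowed_sources, forwarded_port: int, src_ip: str, dst_port: int) -> bool:
    """Emulates a WAN pass rule for a port forward that only admits the listed source CIDR blocks;
    any other port or source falls through to the firewall's default deny."""
    if dst_port != forwarded_port:
        return False
    src = ip_address(src_ip)
    return any(src in ip_network(cidr, strict=False) for cidr in allowed_sources)


if __name__ == "__main__":
    for candidate in ("192.168.1.50", "192.168.1.150", "192.168.1.1", "10.0.0.5"):
        print(candidate, check_reservation(PLAN, PANEL_MAC, candidate) or "OK")
    print(client_settings(PLAN))
    print(client_settings(PLAN, dns=["8.8.8.8", "8.8.4.4"]))
    monitoring = ["203.0.113.0/24"]   # constructed: the monitoring company's address block
    for src, port in (("203.0.113.7", 8443), ("198.51.100.9", 8443), ("203.0.113.7", 22)):
        verdict = "pass" if inbound_allowed(monitoring, 8443, src, port) else "block"
        print(src, port, verdict)
```

Running it lists which candidate addresses are acceptable for the reservation, the settings the panel will receive once it is left in DHCP mode, and which sample inbound attempts a source-restricted port-forward rule would pass or block. The cloud-connected case from the answer needs none of the port-forward part; the panel simply makes outbound connections through the firewall like any other LAN client.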

Thank you for this write-up! I'll set it up exactly as you've described. The system does have a cloud service with a mobile account. As for a FiOS gateway, I actually have the ONT connected directly to my pfSense box, so the ONT is already a passthrough. I have separate APs connected to the switch.

Can I enquire where you got those icons/images to make your drawing? I like them very much and would like to use them eventually.
Thx!
