Double pfSense routers help (best options)

Hello everyone. Long-time YouTube channel viewer and sub, first-time forum poster. I was looking for some help or direction to a video or post if it already exists. First some background. I sold my home and moved back in with the parents right before the world ended (unrelated to the quarantine). Now I find myself and my network all bunched up in my bedroom upstairs, which is fine. I like having everything around me. We added a MoCA adapter to get more reliable internet upstairs. There was just a cheap Netgear N repeater before and my sister suffered. I had experience with MoCA towards the end of my 11-year cable career. So far, so good, internet access is great now, but I really want to separate my stuff on the network. So the issue is I am close to finishing my new, custom Plex server and, with my stepfather's current network settings, my current Windows-based Plex server is not able to be viewed from outside on the WAN. I did ask about opening a port, which I know ultimately needs to be done, but I could sense his apprehension (both from the potential vulnerability in his network as well as not knowing exactly what I need done and how to do it in his pfSense). He and I don't always see eye to eye on certain things [he hates updating anything because everything is working, despite potential serious security issues] and I'm hesitant to press the issue until I have a plan. He was open to it and said we can talk about it. He's fairly tech savvy and a good programmer, but I think he knows just enough when it comes to certain things like networking. I'm not a network engineer by any means; I have no formal education. He was able to put together a pfSense router after he was impressed with mine. He wasn't aware of things like MoCA and pfSense before I introduced them to him.

So with that context, my little network includes my currently un-powered pfSense box, a WD EX4100 (24TB) NAS and PR4100 (48TB) NAS, a Win 10 HTPC (current Plex server), my new [empty] 80TB dedicated unRAID Plex server, a FireTV Stick 4K (with ethernet adapter), and a single SiliconDust HDHomeRun Connect Quatro OTA tuner, all fed from my 24-port switch connected to the first port of the MoCA adapter, plus misc wireless devices (smart plugs, Echo Dot, Harmony Hub, and LED light controller). Plus there's my UniFi AC LR AP (off the 2nd port of the Translite TL-MC84 MoCA adapter). What I'd like to do is boot my pfSense box up and feed that from the MoCA adapter. I know it's not ideal, but I would love to isolate my stuff; that way he can set me up on a VLAN so I can have my own path out to the world. That's where I need help. What's the best way to configure a double-NAT pfSense situation on purpose, and not just for making a tutorial video (private IP for the WAN IP)? I don't have a smart switch and know that's probably the simplest solution. I really would like to have my pfSense running so I can play and learn without disturbing the rest of the network, as my stepfather is now working from home and my mother will soon be returning to working from home. I want to be able to look up and have control of my own device IPs and be able to set my own statics. I want to have a good plan before asking to open up a port for me again. It really is a strange feeling to not be in control of certain network aspects. This living situation isn't permanent, but I wanna be comfortable without getting too comfortable, if that makes sense. I just want my things to work like they did at my old house until it comes time to move out. Thank you in advance for any advice.

My recommendation would be for your stepdad to set up a DMZ (dedicated VLAN) for the outside interface of your pfSense. Then you set up a remote access VPN (OpenVPN) on your pfSense, since that would get you access to all your devices from outside the local network. He would be able to ensure none of your devices can reach anything on his network, but your devices can still reach the internet. The last thing he would need to do is port-forward UDP 1194 (I believe this is what OpenVPN requires) or whatever port/traffic type. You should probably set up DDNS too so it is easy to jump on even if the public IP changes.
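To make the DMZ-plus-port-forward design above concrete, here is the ruleset the upstream (stepdad's) pfSense would end up with, written in the pf syntax pfSense itself generates in /tmp/rules.debug rather than as GUI clicks. This is an added illustration, not something the poster supplied, and every interface name and address in it is an assumption: WAN is igb0, the DMZ is VLAN 30 tagged on igb1 (igb1.30) with subnet 192.168.30.0/24 and the upstream firewall at 192.168.30.1, the inner pfSense's WAN address is 192.168.30.2, and the parents' LAN is 192.168.1.0/24. The rfc1918 table is what keeps the inner network from reaching anything private on the parents' side; the one DNS exception exists only so the inner pfSense can resolve names through the upstream box if it is not running its own resolver.

```pf
# ---- Upstream (stepdad's) pfSense, pf syntax as pfSense renders it ----
# Assumed names/addresses (not from the thread):
#   igb0      = WAN               igb1.30  = DMZ VLAN 30 (192.168.30.0/24)
#   192.168.30.1 = upstream pfSense on the DMZ   192.168.30.2 = inner pfSense WAN
#   192.168.1.0/24 = parents' LAN (must stay unreachable from the DMZ)

# Every private range; matching against the table covers the parents' LAN,
# the upstream firewall's own management addresses, and any future VLANs.
table <rfc1918> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# NAT: deliver inbound OpenVPN from the internet to the inner pfSense's
# private WAN address.  pf applies rdr before filtering, so the WAN pass
# rule below must match the *translated* destination.
rdr on igb0 proto udp from any to (igb0) port 1194 -> 192.168.30.2 port 1194
pass in quick on igb0 proto udp from any to 192.168.30.2 port 1194

# DMZ interface, evaluated top-down, first "quick" match wins (pfSense style).
# 1. DNS to the upstream resolver only (drop this line if the inner box
#    runs its own unbound and forwards to public resolvers).
pass in quick on igb1.30 proto { udp, tcp } from 192.168.30.0/24 \
    to 192.168.30.1 port 53

# 2. Nothing from the DMZ may reach any private address: no parents' LAN,
#    no upstream GUI/SSH, no other VLANs.
block in quick on igb1.30 from 192.168.30.0/24 to <rfc1918>

# 3. Whatever is left is internet-bound; let it out.
pass in quick on igb1.30 from 192.168.30.0/24 to any
```

Two things the inner (your) pfSense needs for this to work, stated as assumptions rather than thread facts: its WAN gets 192.168.30.2 (static or a DHCP reservation on the DMZ) so the rdr target never moves, and it keeps pfSense's default "Block private networks and loopback addresses" on WAN. That default drops packets arriving on WAN with an RFC1918 source, which is harmless for VPN clients (after the upstream rdr their source is still their public address) and is exactly the isolation the parents' side wants in the other direction. On the inner box the OpenVPN server then only pushes a route for its own LAN, so VPN clients never learn a path into the upstream network either.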

Wow. Thanks for taking the time to come up with a solution. I will look into this as an option. It’s more than I had before.

So I was thinking and researching a bit more. The DMZ was the key answer I needed to ultimately get what I wanted, but the OpenVPN part was tripping me up a little because I would already have access to my pfSense, because it's in my network cabinet in my room upstairs along with all my other devices. I would just need it put on my stepdad's DMZ. It got me wanting to see if I could find a small managed switch to simplify things (I technically wanted to keep my AP on his network because it's feeding upstairs for my sister. He has his own exact same model downstairs, but it's on his controller. Really confusing, I know. I just copied his settings and am broadcasting with my controller. Part of the not seeing eye to eye. He hasn't updated anything Ubiquiti since he first installed it, controller or AP... SMH). The switch would allow the VLAN off the MoCA device without also putting the AP on the DMZ too. I actually need to look more into the MoCA adapter we have. They may support VLAN already, slim chance, but still. We only bought it because the other MoCA 2.5 ones we watched a review on were sold out on Amazon. I didn't play with them at all when we got 'em. Stepdad set 'em up and gave me the upstairs one when he was done setting it up.

The first place I went to look for switches was Ubiquiti. Lo and behold, they have the USW Flex Mini. I even watched Tom's review back in April but completely forgot about its existence. I was trying to avoid a costly or bulky managed switch, even though it would solve my problem, but for $29, it's freakin' perfect! I'll happily pay the $30 and let him manage it. So the big picture: I'll put the USW Flex Mini off the upstairs MoCA adapter. I'll have my stepdad set me up a VLAN for my pfSense on one port and branch my stuff off my 24-port switch off my pfSense. I'll then either keep my upstairs AP on the 2nd MoCA port or move it to the switch but still on his network; it doesn't really matter too much. I wasn't too worried about my wifi stuff, mostly just my wired stuff. We did discuss him buying my AP from me when I first moved in, but it fizzled out because he wanted to turn an old Raspberry Pi into a full-time UniFi controller, but that got put on the back burner as more important things came up or he was missing something, I forget. So we kinda have just been controlling our own APs. I pretty much manage the upstairs network LOL.

Awesome. I got the help I was looking for. Thanks!

