Adding firewall between WAN and ER8411 - will this work?
Based on feedback from TP-Link and the community I want to add a firewall in between the Omada managed ER8411 and the modem so I can get true DPI with full IPS/IDS functionality. I am thinking about a netgate (pfsense) solution. I would like to leave the management of vlans, etc. to the ER8411 to be managed through the controller and basically use the Netgate as a firewall only to add the DPI IPS/ADS features I want (in my case torrent blocking and possibly other layer 7 functionality).
It would look like this:
Modem => WAN on Netgate Firewall (IPS/IDS here) => WAN on ER84111 (get DHCP from netgate on WAN, otherwise omada managed) => controller, etc. (everything else is Omada)
I don't want to replace the ER8411 as it runs my PPSK, etc. and I like the way I can do that with the controller software and the cloud management.
1. Will this work?
2. What ports does Omada cloud need open on the netgate to function - possibly irrelevant if bridged mode is the solution?
3. Any thoughts or conerns (experience doing this would be awesome).
4. My research so far indicates this may be something that requires a bridged mode setup in pfsense which it does support with ids/ips using suricata...
Thanks!
Thanks for posting in our business forum.
My view,
1. Yes. You can connect ER8411 to the modem. But set some LAN parameters to route them to the pfsense. Routing is forwarded to the pfsense so it will take care of the traffic.
Or you can stick to your diagram. It's like an additional router/firewall that takes care of the traffic.
Similar to pi-hole or DNS servers they also support DHCP. Can take replace the DHCP server but they cannot take over the gateway.
Think you can let the pfsense process the DPI-related stuff and then give the rest traffic to the ER8411.
Client > pfsense > ER8411 > ISP. The process is like this.
2. Search for omada controller port
3. Only worries me about the double-NAT. So, adding a side pfsense is my idea.
4. Kinda similar to my idea?
Thanks for posting in our business forum.
My view,
1. Yes. You can connect ER8411 to the modem. But set some LAN parameters to route them to the pfsense. Routing is forwarded to the pfsense so it will take care of the traffic.
Or you can stick to your diagram. It's like an additional router/firewall that takes care of the traffic.
Similar to pi-hole or DNS servers they also support DHCP. Can take replace the DHCP server but they cannot take over the gateway.
Think you can let the pfsense process the DPI-related stuff and then give the rest traffic to the ER8411.
Client > pfsense > ER8411 > ISP. The process is like this.
2. Search for omada controller port
3. Only worries me about the double-NAT. So, adding a side pfsense is my idea.
4. Kinda similar to my idea?