Adding firewall between WAN and ER8411 - will this work?

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2023-12-06 17:36:48 - last edited 2023-12-08 16:11:29
Model: ER8411  
Hardware Version: V1
Firmware Version: 1.1.1

Based on feedback from TP-Link and the community I want to add a firewall in between the Omada managed ER8411 and the modem so I can get true DPI with full IPS/IDS functionality. I am thinking about a Netgate (pfSense) solution. I would like to leave the management of VLANs, etc. to the ER8411 to be managed through the controller and basically use the Netgate as a firewall only to add the DPI IPS/IDS features I want (in my case torrent blocking and possibly other layer 7 functionality).

It would look like this:

Modem => WAN on Netgate Firewall (IPS/IDS here) => WAN on ER8411 (get DHCP from Netgate on WAN, otherwise Omada managed) => controller, etc. (everything else is Omada)

I don't want to replace the ER8411 as it runs my PPSK, etc. and I like the way I can do that with the controller software and the cloud management.

1. Will this work?

2. What ports does Omada cloud need open on the Netgate to function - possibly irrelevant if bridged mode is the solution?

3. Any thoughts or concerns (experience doing this would be awesome).

4. My research so far indicates this may be something that requires a bridged mode setup in pfSense which it does support with IDS/IPS using Suricata...

Thanks!

1 Accepted Solution
Re:Adding firewall between WAN and ER8411 - will this work?-Solution
2023-12-07 03:07:13 - last edited 2023-12-08 16:11:29

Hi @OrangeStreet 

Thanks for posting in our business forum.

My view,

1. Yes. You can connect the ER8411 to the modem. But set some LAN parameters to route them to the pfSense. Routing is forwarded to the pfSense so it will take care of the traffic.

Or you can stick to your diagram. It's like an additional router/firewall that takes care of the traffic.

Similar to Pi-hole or DNS servers, they also support DHCP. They can replace the DHCP server but they cannot take over the gateway.

Think you can let the pfSense process the DPI-related stuff and then give the rest of the traffic to the ER8411.

Client > pfSense > ER8411 > ISP. The process is like this.

2. Search for Omada controller port

3. I'm only worried about the double-NAT. So, adding a side pfSense is my idea.

4. Kinda similar to my idea?

Best Regards!
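The double-NAT concern in this thread can be checked from the WAN addresses each device receives. The following is an added example, not part of the original posts: it models the chain from the question (Modem => Netgate => ER8411) in routed and bridged form and counts NAT layers. The addresses are constructed samples, and it assumes every routed device translates on its WAN interface.

```python
import ipaddress

# Address space that is only ever handed out by an upstream NAT device:
# RFC 1918 private ranges plus RFC 6598 carrier-grade NAT shared space.
NAT_SIDE_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


def behind_nat(wan_ip):
    """True if this WAN address could only have come from an upstream NAT."""
    addr = ipaddress.ip_address(wan_ip)
    return any(addr in net for net in NAT_SIDE_RANGES)


def count_nat_layers(chain):
    """chain: (device, mode, wan_ip) tuples ordered from modem side to LAN side.
    mode 'routed' = device routes and NATs (assumption); 'bridged' = transparent,
    no IP hop, so wan_ip is None."""
    routed = [(dev, ip) for dev, mode, ip in chain if mode == "routed"]
    layers = len(routed)
    # A private/CGNAT address on the outermost routed device means something
    # upstream that is not in the chain (modem in router mode, ISP CGNAT)
    # is translating as well.
    if routed and behind_nat(routed[0][1]):
        layers += 1
    return layers


def devices_behind_nat(chain):
    """Names of routed devices whose WAN address is private or CGNAT."""
    return [dev for dev, mode, ip in chain if mode == "routed" and behind_nat(ip)]


# Constructed sample topologies (203.0.113.0/24 is documentation space).
ROUTED_PFSENSE = [("Netgate", "routed", "203.0.113.10"),
                  ("ER8411", "routed", "192.168.1.2")]   # DHCP lease from Netgate
BRIDGED_PFSENSE = [("Netgate", "bridged", None),
                   ("ER8411", "routed", "203.0.113.10")]  # ER8411 keeps the public IP

if __name__ == "__main__":
    for name, chain in (("routed", ROUTED_PFSENSE), ("bridged", BRIDGED_PFSENSE)):
        n = count_nat_layers(chain)
        print(f"{name} pfSense: {n} NAT layer(s), behind NAT: {devices_behind_nat(chain)}")
```

With the Netgate in bridged mode the ER8411 still receives the modem-side address, so Suricata can inspect traffic inline without adding a second translation.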