Separating modem and router in modem router combo

[CyDa SlumBummer]

I am trying to run my traffic through a firewall before going to my network. I don't have the money right now to buy my own modem or wireless router, so I am stuck making this work with the ISP modem/router combo. I want to have traffic go from the modem in the modem/router combo, then go to the firewall (separate box), then back to the modem/router combo to use it's wifi for the house. The firewall is an opnsense vm.

 

Is this even possible?

[IrishJ]

3 minutes ago, CyDa SlumBummer said:

I am trying to run my traffic through a firewall before going to my network. I don't have the money right now to buy my own modem or wireless router, so I am stuck making this work with the ISP modem/router combo. I want to have traffic go from the modem in the modem/router combo, then go to the firewall (separate box), then back to the modem/router combo to use it's wifi for the house. The firewall is an opnsense vm.

 

Is this even possible?

can you setup vlans on the isp router? if so yes, otherwise no I don't think so...

[Windows7ge]

You can set the Modem to Bridged Mode to disable the Router in it to allow the Firewall to perform all DHCP/Port Forwarding services but for the Combo to continue to act as an AP I don't believe this will work, no. You'd need to buy a stand-alone AP (or another router in AP mode) and plug it into the firewall.

[SpookyCitrus]

Modem/router combos are garbage(especially ISP provided), and they are not physically separated, in order to set up a physical firewall you have to hardwire from modem to firewall to router, most modem/router combos do not have the ability to do so as they are already internally connected. You could disable the router portion of the combo and set up a separate router or AP and use the combo as just a modem and that might work but you would have to buy another router or AP, I honestly recommend using it as it is until you can afford to replace both the modem and router, then worry about the firewall.

[Alex Atkin UK]

8 minutes ago, Windows7ge said:

You can set the Modem to Bridged Mode to disable the Router in it to allow the Firewall to perform all DHCP/Port Forwarding services but for the Combo to continue to act as an AP I don't believe this will work, no. You'd need to buy a stand-alone AP (or another router in AP mode) and plug it into the firewall.

Actually this can sometimes be done, if the router lets you bridge the modem to a specific ethernet port then Access Point should still function on the rest of the LAN ports.  Its certainly possible with most routers that can support OpenWRT and I've also done it on Zyxel routers.  Of course you need to know a little about networking to get it configured.

 

The wildcard here is ISP provided router, as they are often locked down compared to stock firmware, so might not allow you access to the necessary options.

[Windows7ge]

2 minutes ago, Alex Atkin UK said:

Actually this can sometimes be done, if the router lets you bridge the modem to a specific ethernet port then Access Point should still function on the rest of the LAN ports.  Its certainly possible with most routers that can support OpenWRT and I've also done it on Zyxel routers.  Of course you need to know a little about networking to get it configured.

 

The wildcard here is ISP provided router, as they are often locked down compared to stock firmware, so might not allow you access to the necessary options.

What has me thinking that it's not (at least in this instance) is when setting it to bridged mode the firewall will get the WAN IP. Even if he left the router enabled all the wired clients would have to deal with a double NAT and all the wireless clients wouldn't pass-though the firewall.

 

I agree if it's possible I don't think the specific hardware here is adequate. VLANs might enable one to rig something up but I haven't heard ISP provided equipment allowing this but then as you said OpenWRT. Unfortunately I have no experience with that.

[Alex Atkin UK]

Just now, Windows7ge said:

What has me thinking that it's not (at least in this instance) is when setting it to bridged mode the firewall will get the WAN IP. Even if he left the router enabled all the wired clients would have to deal with a double NAT and all the wireless clients wouldn't pass-though the firewall.

 

I agree if it's possible I don't think the specific hardware here is adequate. VLANs might enable one to rig something up but I haven't heard ISP provided equipment allowing this but then as you said OpenWRT. Unfortunately I have no experience with that.

You don't need VLANs as long as the ISP router lets you bridge the modem to a specific LAN port, the rest of the LAN ports will still be bridged to the WiFi.  (IF the router doesn't disable WiFi in bridge mode)

 

Basically the modems bridged port goes to the firewalls WAN port, one of the remaining LAN ports goes to the firewalls LAN port.  Its a bit messier with wires, but does the same thing you would with VLANs and a single cable.

[Windows7ge]

1 minute ago, Alex Atkin UK said:

You don't need VLANs as long as the ISP router lets you bridge the modem to a specific LAN port, the rest of the LAN ports will still be bridged to the WiFi.  (IF the router doesn't disable WiFi in bridge mode)

 

Basically the modems bridged port goes to the firewalls WAN port, one of the remaining LAN ports goes to the firewalls LAN port.  Its a bit messier with wires, but does the same thing you would with VLANs and a single cable.

Ah, alright I see what you mean. Makes sense. I take it though not all modem/routers behave in this way?

[Alex Atkin UK]

4 minutes ago, Windows7ge said:

Ah, alright I see what you mean. Makes sense. I take it though not all modem/routers behave in this way?

Indeed, but its some years since I've used an ISP provided router so I have no idea how common this functionality is now.  I know some ISPs have been known to use the Zyxel routers that DO allow this, I get the feeling its the nasty big US ISPs that still tend to lock things down.

 

We tend to have an insanely diverse selection of routers in the UK, but again the bigger the ISP, the more likely its locked down.

[Windows7ge]

5 minutes ago, Alex Atkin UK said:

I get the feeling its the nasty big US ISPs that still tend to lock things down.

Can confirm. In the US. New ISP router disabled NAT Lookback and I have not been able to find any setting at all to re-enable it. Would no surprise me if current modem/routers disabled all ports but port 1 and Wi-Fi for the user Router/firewall.

[CyDa SlumBummer]

It looks like I can enable bridge mode on mine. I will try to configure as recommended when I get home tonight. Thank you for the input. Hopefully I can get this to work because I need to do it for a university research project.

1 hour ago, CyDa SlumBummer said:

 

 

[mtz_federico]

You could man-in-the-middle a router, basically You would change the DHCP gateway so that all traffic goes through the firewall.

 

You could do this by connecting the wan and the lan to the modem/router, turn off dhcp on the combo, set a static ip on both ports in the firewall and enable dhcp on the firewall. make sure that the wan port has the correct gateway and that lan and wan are on different subnets.

[CyDa SlumBummer]

So I set static IPs, disabled DHCP, setup opnsense as the DHCP server and wireless connection went down. What I am thinking is that I need to set the modem to bridge mode to keep the modem from screwing everything up haha. I will see what happens tonight after the family goes to sleep.

 

Side note:

Waiting until late night when everyone is asleep makes this feel like I'm a mad scientist creating a monster. Makes it feel even more fun.