Split modem and router into separate units for better setup.
I'm trying to route traffic through a firewall before connecting to my network. Right now I don't have funds for a new modem or router, so I'm using the ISP's equipment instead. I need traffic to go from the modem in the combo, then through the firewall (which is an OPNsense VM), and finally back to the combo for Wi-Fi access. Is this feasible?
You can switch the Modem to Bridged Mode to turn off the Router inside it, enabling the Firewall to handle DHCP and port forwarding. However, this won’t let the Combo function as an AP. You’d need a separate standalone AP or another router in AP mode and connect it to the firewall.
Setting up a physical firewall requires connecting the modem directly to the firewall and then to the router. Most bundled modem/router packages don’t support this configuration because they’re already linked internally. You might remove the router part and use a separate one, but that means purchasing another device. For now, stick with the package unless you can afford replacing both components.
In some cases, it works if the router permits connecting the modem to a particular Ethernet port. This allows the Access Point to operate on other LAN ports. It’s feasible with many routers running OpenWRT, and I’ve also managed this on Zyxel devices. You’ll need basic networking knowledge to set it up. The key point is the ISP router, since they’re typically more restricted than standard firmware, which could limit your access to certain settings.
I've been wondering why, in this case, the firewall isn't receiving the WAN IP when it's switched to bridged mode. Even though the router was left on and all wired clients faced double NAT, and wireless clients couldn't pass through the firewall. I'm not sure if it's feasible; I think the hardware here might not be sufficient. VLANs could help set things up, but I haven't heard of ISPs offering equipment for this. Also, I don't have much experience with OpenWRT.
You don't have to use VLANs if the ISP router allows you to connect the modem to a particular LAN port. The other LAN ports will still be linked to WiFi. (If the router blocks WiFi in bridge mode) In short, the modems connect through the bridges to the firewall's WAN port, while one of the remaining LAN ports goes to the firewall's LAN port. It gets a bit more tangled with cables, but it works similarly to using VLANs and one cable.
Indeed, but it's some years since I've used an ISP-provided router, so I have no idea how common this functionality is now. I know some ISPs have been known to use the Zyxel routers that DO allow this; I get the feeling it's the nasty big US ISPs that still tend to lock things down. We tend to have an insanely diverse selection of routers in the UK, but again the bigger the ISP, the more likely it's locked down.