Shooperman
New Around Here
Greetings all!
I am looking for advice or a least to be pointed in the direction of the things I need to research more!
Situation:
My apartment building provides internet access as part of the rent. Each unit has a single RJ45 jack in the main room and each tenant is expected to sort out their network from there. This is generally great, except that there is no segregation of the network between units (i.e. I can "see" every device in the building, including casting to other units' smart TVs, etc.) This situation gives me an ulcer.
My wife and I have had several discussions about getting our own internet and not using the buildings. She usually talks me out of it due to cost. She finally broke down the other day when someone started casting a movie to her google home hub.
Before I go down the route of shelling out an additional $100+ a month for similar home internet, I was hoping to work a little magic on my home network.
Story so far:
For a long time, I ran an ASUS RT-N66U (merlin) in router mode and everything was "okay". Over time, I noticed a lot of weird slowdowns, disconnects, etc. esp. when gaming online or using a VPN service. This led me down the rabbit hole of reading about NAT, double NAT, NATs role in firewall rules, as well as basic DHCP. My RT-N66U is now running in bridge mode, which has effectively made it a "dumb" switch.
I am a software developer by profession and hobby, so technology (in general) isn't foreign to me. Unfortunately, I am definitely lacking when it comes to networking. Everything I know I've picked up over the years either through tinkering at home or listening attentively to the sysops folks at the office.
A little while ago, I was considering building a custom "router" for my home network. This was going to be a combination of a Protectli network appliance w/ pfsense, 2 Ubiquiti hotspots (dmz and internal), and a switch. I have the protectli/pfsense device, one of the Ubiquiti devices, and the switch already.
Ideas / hopes / dreams:
Ideally, I'd like to set up the pfsense firewall to effectively segregate my apartment from the rest of the units in the building. I'd also like to either mitigate the issues with or completely remove double NAT from the setup.
pfsense has DHCP relay and I can turn off its NAT. I was hoping to have the device relay DHCP to and let NAT be handled by the building's equipment. This is where I am at the end of my understanding. I believe that I'd just turn off pfsense's NAT and DHCP server, then turn on DHCP relay to proxy requests upstream.
(Side note: One of the articles I read (below) mentioned static ips and ports but that was a pfsense specific security feature and not a bypass for double NAT.)
Really crude diagram:
Where "Building Equipment" handles DHCP / NAT and pfsense just blocks "everyone else" from seeing anything but "everyone else"
Articles posts that have given me hope!:
(apologies for linking offsite)
Update:
I forgot to mention: "building equipment" would be plugged into the WAN interface on my pfsense setup. All of my internal devices would be plugged in via LAN. The alternative causes competing DHCP and takes out the building internet (I can get fined for that! hah)
I am looking for advice or a least to be pointed in the direction of the things I need to research more!
Situation:
My apartment building provides internet access as part of the rent. Each unit has a single RJ45 jack in the main room and each tenant is expected to sort out their network from there. This is generally great, except that there is no segregation of the network between units (i.e. I can "see" every device in the building, including casting to other units' smart TVs, etc.) This situation gives me an ulcer.
My wife and I have had several discussions about getting our own internet and not using the buildings. She usually talks me out of it due to cost. She finally broke down the other day when someone started casting a movie to her google home hub.
Before I go down the route of shelling out an additional $100+ a month for similar home internet, I was hoping to work a little magic on my home network.
Story so far:
For a long time, I ran an ASUS RT-N66U (merlin) in router mode and everything was "okay". Over time, I noticed a lot of weird slowdowns, disconnects, etc. esp. when gaming online or using a VPN service. This led me down the rabbit hole of reading about NAT, double NAT, NATs role in firewall rules, as well as basic DHCP. My RT-N66U is now running in bridge mode, which has effectively made it a "dumb" switch.
I am a software developer by profession and hobby, so technology (in general) isn't foreign to me. Unfortunately, I am definitely lacking when it comes to networking. Everything I know I've picked up over the years either through tinkering at home or listening attentively to the sysops folks at the office.
A little while ago, I was considering building a custom "router" for my home network. This was going to be a combination of a Protectli network appliance w/ pfsense, 2 Ubiquiti hotspots (dmz and internal), and a switch. I have the protectli/pfsense device, one of the Ubiquiti devices, and the switch already.
Ideas / hopes / dreams:
Ideally, I'd like to set up the pfsense firewall to effectively segregate my apartment from the rest of the units in the building. I'd also like to either mitigate the issues with or completely remove double NAT from the setup.
pfsense has DHCP relay and I can turn off its NAT. I was hoping to have the device relay DHCP to and let NAT be handled by the building's equipment. This is where I am at the end of my understanding. I believe that I'd just turn off pfsense's NAT and DHCP server, then turn on DHCP relay to proxy requests upstream.
(Side note: One of the articles I read (below) mentioned static ips and ports but that was a pfsense specific security feature and not a bypass for double NAT.)
Really crude diagram:
Where "Building Equipment" handles DHCP / NAT and pfsense just blocks "everyone else" from seeing anything but "everyone else"
Articles posts that have given me hope!:
(apologies for linking offsite)
Update:
I forgot to mention: "building equipment" would be plugged into the WAN interface on my pfsense setup. All of my internal devices would be plugged in via LAN. The alternative causes competing DHCP and takes out the building internet (I can get fined for that! hah)
Last edited: