Visitor

 • 

3 Messages

Friday, January 20th, 2023 5:46 AM

Closed

pfSense

I have the newest Xfinity modem. Can I add pfSense to the gateway address?

Problem Solver

 • 

1.5K Messages

2 years ago

The Xfinity gateway has two modes. Gateway mode has WiFi enabled and passes out IP addresses to an internal network using its built-in DHCP server. You can put a pfSense firewall on the internal network, but it won't protect other things on the internal network, just whatever you put on the pfSense LAN port. This configuration is called a double NAT. It works, but there are some caveats to this configuration, and you aren't protecting everything.

If you put the gateway in Bridge mode, the pfSense firewall WAN port will get the external IP address, the gateway will just be a pass-thru device, and WiFi on it will be disabled (well... not really, it just won't broadcast its SSID; the public hotspot and the security system radio will still broadcast). The firewall now controls everything on the LAN network. You'll need an Ethernet WiFi router. Put it on the LAN side network somewhere. Use DHCP forwarding on the router to pass requests to the pfSense firewall.

If you do that, then using an Xfinity gateway becomes pointless so you're better off with just a cheap cable modem you aren't paying $14/month for -- well, unless you are using their security system.

Problem Solver

 • 

1.5K Messages

2 years ago

I'll add, it's probably a good idea to try out pfSense just hooked up to the gateway in "gateway mode" for a test. Put a couple devices on the LAN side, and check out the features and logging. Try a few add-ons. Try out some traffic shaping and bandwidth limiters, plus creating firewall rules and assigning IP addresses to devices. When you get comfortable with the admin part, then it's pretty easy to just cut over into production and you won't have any downtime.

New Poster

 • 

3 Messages

2 years ago

If you have a static address, you don't need to play with anything. The only thing you need is under firewall: "Disable Firewall for True Static IP Subnet Only". And set security to Default low. Set up the pfSense WAN with static IP, subnet, and gateway. The gateway/modem will pass it through to pfSense. Also, with the newer Edge service (business) they may have to disable it on their end. pfSense didn't like it on my side, sites kept timing out.

Used it on many modems and gateways. Mind you, this is STATIC only. DHCP is not the same.

Good luck!

Expert

 • 

110.1K Messages

2 years ago

The original poster has not returned. 5-month-old dead thread is now being closed...
