On the firewall I would set up NAT and block all unnecessary traffic up to layer 7 (with a proxy function). If you configure it like this, it will be easier to put an IDS between the router and the firewall, and the traffic analysis will be easier. This also allows you to put a host "on the Internet" behind the router, but in front of the firewall.
EdgeRouter - Destination NAT – Ubiquiti Networks Support
Firewall/NAT > Firewall Policies > WAN_IN > Actions > Edit Ruleset > Add New Rule.
Description: https
Action: Accept
Protocol: TCP
Destination > Port: 443
Destination > Address: 192.168.1.10
NOTE: NAT rules are consulted before firewall policies are applied. This is the reason why the firewall rule above matches on the post-translated port and
How to Enable Your Wireless Router's Built-in Firewall Nov 15, 2019
pfSense: A Guide to NAT, Firewall Rules and some
Apr 27, 2020
Windows Firewall, NAT and Routers – BulletProof FTP Server
Please look into the documentation that came with your hardware-based NAT/Firewall router for information on opening firewall ports.
Step-by-Step Directions.
Step #1.1: BPFTP Server - NAT/Firewall Configuration
Step #1.2: BPFTP Server - Use DNS for PASV
Step #1.3: BPFTP Server - Use Static IP for PASV
Step #1.4: BPFTP Server - Configure Data-Ports
Nov 28, 2016
What is the difference between the NAT, Routed, and