How to setup a firewall between my ISP cable modem/router and my LAN?

My goal is to setup a firewall & Intrusion Prevention system using Snort. I have a spare pc available with at least 2 physical NIC's, which ran pfSense having a firewall with Snort, but this time I want to do the setup myself. So far I managed to install Debian 9 as a headless system with ssh login (and if really needed I could add a keyboard and screen temporary). I wanted to start with just a firewall, without Snort. How to I achieve the following: - is it possible to put the firewall just in between my IPS cable modem router and my LAN? The ISP router has DHCP/NAT enabled, which I can't turn off. - I want to achieve a "plug&play" firewall that I could just put in between, without turning it into a double NAT (which I had before using pfSense). I mean, if possible I don't want to have different networks, eg. a 192.168.x.x one and a for example 10.x.x.x one. - the firewall is headless, logging in via ssh Internet WAN | | ISP Cable Modem & Router with DCHP gateway 192.168.0.1 | | [eth0] Firewall [eth1] | ________ Wireless AP | / |_____ Switch__/_________ PC1 \ \________ ... I tried to setup a bridge on br0 (via /etc/network/interfaces) adding eth0 and eth1. The bridge had an IP address and it worked fine, where I could still connect to the internet from devices behind the switch via the AP. So I learned bridges don't care about IP addresses.... which doesn't sound good to build a firewall with eventually snort (IPS). I've read about iptables and using the "physical dev". Maybe I'm force to do double NAT and setup routing? The problem is I don't know enough to know what is best and how to go about it. Sure, I've googled (a lot) and found for example on aboutdebian.org articles about proxy/NAT and firewalling... but most articles asume you can have a modem only, but I can't turn off DCHP nor I can configure the range of it. It's always the full 255.255.255.0 range.