PF Sense Setup
-
The cert error when connecting to pfSense is expected because it's a self signed cert.
The second error looks like that site actually has an expired cert.
Steve
-
Congrats again! Way to stick with it.
There’s some stuff that has to be right for DHCP6 to work so not surprised if it's not working right off the bat.
Look at you… network topology expert!
Yes when the bulk is set up in a way that it's as easy or straightforward as possible it is WAY easier to tweak things later on.
I don’t use DNSSEC by the way. Would at least be worth asking someone who would know, not me, if DNSSEC is triggering those alerts. I have several devices I have to tell Firefox it's gonna be okay, go ahead and access the device. Only do so for stuff on my own network. I’d never do that if I was accessing a web site.
The firewall log tells you what is knocking on your door.
There are several packages which can tell you all sorts of stuff about your PFSense box, clients, usage, etc.
You ready to tackle DHCP6?
The Netgate doc is clear and easy to follow. The only thing is with some ISPs you have to pick some of the misc. options which are not in the step by step.
Edit: There’s a ton of video tutorials for DHCP6 and pfsense too.
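Since the firewall log is where you see what is knocking on the door, here is an added example (not posted by anyone in this thread) of parsing pfSense filterlog entries and summarising blocked inbound traffic on the WAN by source address and destination port. The field layout follows the pfSense filter log CSV format as documented by Netgate; the log lines themselves are constructed samples using RFC 5737/3849 documentation addresses, and the interface name igb0 is an assumption.

```python
"""Summarise pfSense filterlog entries: who is knocking, and on which ports."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample syslog lines in the pfSense 'filterlog' CSV layout.
# Field order (assumption, per the Netgate filter log format doc):
#   common: rule,subrule,anchor,tracker,iface,reason,action,direction,ipver
#   IPv4:   tos,ecn,ttl,id,offset,flags,proto-id,proto-text,length,src,dst
#   IPv6:   class,flow-label,hop-limit,proto-text,proto-id,length,src,dst
#   TCP/UDP then continue with src-port,dst-port,...
SAMPLE_LOG = """\
Jan  5 10:00:01 pfsense filterlog[12345]: 4,,,1000000103,igb0,match,block,in,4,0x0,,64,48293,0,DF,6,tcp,60,203.0.113.5,198.51.100.7,51234,22,0,S,1234567890,,65535,,mss
Jan  5 10:00:02 pfsense filterlog[12345]: 4,,,1000000103,igb0,match,block,in,4,0x0,,64,48294,0,DF,6,tcp,60,203.0.113.5,198.51.100.7,51235,23,0,S,1234567891,,65535,,mss
Jan  5 10:00:03 pfsense filterlog[12345]: 4,,,1000000103,igb0,match,block,in,4,0x0,,117,3311,0,none,17,udp,78,203.0.113.9,198.51.100.7,40000,53,58
Jan  5 10:00:04 pfsense filterlog[12345]: 4,,,1000000103,igb0,match,block,in,6,0x00,0x00000,64,tcp,6,40,2001:db8::1,2001:db8:1::7,55000,443,0,S,99,,65535,,mss
Jan  5 10:00:05 pfsense filterlog[12345]: 7,,,1000000107,igb1,match,pass,out,4,0x0,,64,1,0,DF,6,tcp,60,192.168.1.10,198.51.100.200,50000,443,0,S,5,,65535,,mss
"""


@dataclass
class FilterEntry:
    interface: str
    action: str        # "block" or "pass"
    direction: str     # "in" or "out"
    ip_version: int
    proto: str         # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def parse_line(line: str) -> Optional[FilterEntry]:
    """Parse one syslog line carrying a filterlog record; None if it is not one."""
    marker = line.find("]: ")
    if "filterlog[" not in line or marker < 0:
        return None
    f = line[marker + 3:].strip().split(",")
    if len(f) < 9:
        return None
    iface, action, direction, ipver = f[4], f[6], f[7], f[8]
    if ipver == "4" and len(f) >= 20:
        proto, src, dst, tail = f[16], f[18], f[19], f[20:]
    elif ipver == "6" and len(f) >= 17:
        proto, src, dst, tail = f[12], f[15], f[16], f[17:]
    else:
        return None
    entry = FilterEntry(iface, action, direction, int(ipver), proto, src, dst)
    # Only TCP and UDP records carry port numbers right after the addresses.
    if proto in ("tcp", "udp") and len(tail) >= 2:
        entry.src_port, entry.dst_port = int(tail[0]), int(tail[1])
    return entry


def parse_log(text: str) -> List[FilterEntry]:
    """Parse every filterlog record in a block of syslog text."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def summarize_blocked_inbound(entries: List[FilterEntry], wan_iface: str) -> Dict[str, Counter]:
    """Count blocked inbound WAN hits by source address and by destination port."""
    by_source: Counter = Counter()
    by_dst_port: Counter = Counter()
    for e in entries:
        if e.interface == wan_iface and e.action == "block" and e.direction == "in":
            by_source[e.src] += 1
            if e.dst_port is not None:
                by_dst_port[e.dst_port] += 1
    return {"by_source": by_source, "by_dst_port": by_dst_port}


def noisy_sources(entries: List[FilterEntry], wan_iface: str, min_ports: int) -> List[str]:
    """Sources that were blocked on at least min_ports distinct destination ports."""
    ports_seen: Dict[str, set] = {}
    for e in entries:
        if e.interface == wan_iface and e.action == "block" and e.direction == "in" and e.dst_port is not None:
            ports_seen.setdefault(e.src, set()).add(e.dst_port)
    return sorted(src for src, ports in ports_seen.items() if len(ports) >= min_ports)


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    report = summarize_blocked_inbound(parsed, "igb0")
    print("blocked inbound by source:", dict(report["by_source"]))
    print("blocked inbound by dst port:", dict(report["by_dst_port"]))
    print("sources hitting 2+ ports:", noisy_sources(parsed, "igb0", 2))
```

On a real box the same text comes from /var/log/filter.log (or the clog/syslog export), so the parser can be pointed at that file instead of the constructed sample; the pass/out record from the LAN side is deliberately included to show that the summary only counts what the WAN rules actually blocked.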
-
@stephenw10 Thank you!
-
@jsmiddleton4 Thanks! Not ready to tackle DHCP 6 yet. I'd like to get plugins installed and some things configured first so I can actually see what's on my network and what devices are pulling bandwidth. Then tackle DHCP 6. I'll check out the firewall log.
-
-
It looks to me the only way to see if you can use your existing MoCA wireless extender is get another Ethernet to MoCA adapter, hook em up and see.
-
@jsmiddleton4 yeah I gave up on that extender. I just set up another AP instead.
Did you mean ntopng plugin or pfBlocker-NG Package plugin?
-
Pf blocker Dev version.
It’d drive me nuts so I’d probably order an adapter off Amazon, if it didn’t work, send it back.
Reads like all the MoCA stuff is automatic. Only set up is for wireless options.
There are MoCA pairs that are designed to use a coax run like yours. Not too expensive but still there’s a cost.
If you can run Ethernet cabling always a better idea.
-
It’ll be better when you run into issues now to post a dedicated thread. As you WILL run into issues.
Glad to help with getting the hardware sorted and I’m confident in that regards. With PFSense stuff though, others will have to help. I’ve got some of it down but just skimming the surface myself.
If you ever want to update your 3020 much of it can be done easily. Only goofy thing Dell did with it is the power supply connections on the motherboard.
-
@jsmiddleton4 I might look into the MoCA wireless extender, we'll see how a few weeks go with this setup. Currently, everything seems to be going pretty smoothly (even though some of my Unifi APs are no longer supported, they still hold up okay). Though my head is screaming security issue throw them away since they aren't supported for updates & patches anymore. Though I would throw them out eventually if they got too out of date; I'd put them in a lab environment.
I'll look into the PF Blocker Dev version. I installed a handful of plugins last night (bandwidthd, darkstat, ntopng, status traffic controls, etc.) I really like ntopng so far! I def. need to understand it more and dig deeper with it. So much to learn w/all of this but it's a good thing.
Yes, I will post in a new/dedicated thread if I run into issues. Thanks for the heads up on the 3020 update info, I'll keep that in mind. Right now I just have a 64GB SSD in the 3020 running pf sense. Figured that's good enough for pf sense as long as it has 2 NIC connections (which we know it does lol).
-
You're doing great.
It's probably very unlikely anyone is gonna find your APs and hack through them into the dark web.....
Possible sure. Likely?
There's several Wifi6 AX POE APs now with 2.5gb ports. 2.5gb is becoming more and more common. I wouldn't buy an AP that isn't, just for future protection. Prices are coming down too.
With POE injectors you don't need a fancy POE switch either.
Given everything you've done so far really, IPv6 should be no problem. Then you've got all that setup stuff done. There's only a couple of settings that you have to play with, like prefix delegation, pool size, range for the RA stuff in the DHCP6 Server. While it isn't critical it does belong in the "setup" set of stuff.
-
I think this is still under the “Setup” category.
To eliminate the need for a switch right away coming off the PFSense box I have several NICs in my PFSense box. It is that first switch.
That is the main reason I like the 390’s or 3010’s, multiple PCI-E slots. You can do so on the 3020 as well.
Some folks do so and make each NIC a separate “network” or VLAN kind of thing.
Me I bridge them so PFSense looks at all of the NICs as one thing, like a switch. Or like the Ethernet ports on the typical router.
1gb NICs are cheapo.
I use 2.5gb and even those are getting more reasonable.
You can even use dual port NICs. Pop in 3 of them, use the built in LAN port as the WAN, and you have a 6 port router.
Bridge mode is very easy to setup.
There’s no practical difference between coming off one Ethernet port and then to a switch. For my setting it is an office space and had to make sure there wasn’t the clutter of wires to this, wires to that, etc.
If power goes out the switch is one less device I have to plug into the UPS. PFSense box stays on, switch stays on.
I actually have a dual port 2.5gb Intel based NIC coming from BHPhoto for a new PFSense box build using a 3010. Doing so with my grandson who wants to learn. His favorite part is the disassembly phase however. Which we’ll do first to clean and sort the used 3010 box.
-
@jsmiddleton4 said in PF Sense Setup:
His favorite part is the disassembly phase
Awesome that he shows an interest at all though.
-
Gave him a Snap Circuit kit, one of the big ones, for Christmas. He’s building electronic projects non-stop. He’s only 7.
-
@jsmiddleton4 Thank you. I appreciate that! You are right, probably no one is going to hack into my APs but being in IT for years, I also know how us IT nerds are, so it's more I want to just be aware. I can't be aware of everything nor will I know how everything works but the more I know about my network and what looks right/doesn't the better off I'll be. It's all fun and learning for me especially now that I'm in more of a project management role instead of IT I actually WANT to work on these types of projects and learn for fun.
Let alone, watching Mr. Robot did not help in the 'people are hacking you' thoughts. lol.
DHCP6 will come down the road. My next goal is setting the plugins up and watching everything. I am curious because I just got alerted that I'm over my data cap again!
Something is def. off since it's not every month. I've already got a good idea of what's on my network but I've been running ip scanner for a few months now and just noticed a few more things that I'm gonna double-check.
Good information to note in regards to the NICs etc.