Newbie questions
-
@ldl If you have as many as 4 ports on each server, it will of course be much simpler and there is no need to fiddle with VLANs.
Still, consider removing the ISP router and connecting the Asus directly, as a first step. Then when you feel confident using pfsense, you replace the Asus and move that over to the LAN side of pfsense (only using LAN ports and disabling DHCP).
In your current setup, the Proxmox machine with the pfsense VM should have one port connected to the Netgear switch, which will be your WAN for pfsense. All other ports on that Proxmox, as well as the other machine, should be connected to the Cisco switch, which will place all VMs entirely in the pfsense "domain".
So the topology you are looking at for starters is:
Fiber to Ethernet (media converter) > Asus router > ISP router (using only LAN ports) > Netgear switch > WAN pfsense LAN > Cisco switch > all other server ports
-
@Gblenn Again, apologies for the delay.
Okay, thanks for the information. I've also been looking at an alternative ISP, purely on the cost and higher up/download speeds; one in particular says they would use a direct RJ45 connection, but I personally want to keep the fiber lead.
Out of curiosity, would it be beneficial in my requirements to use the upstream gateway?
Cheers.
-
@ldl said in Newbie questions:
@Gblenn Again, apologies for the delay.
Okay, thanks for the information. I've also been looking at an alternative ISP, purely on the cost and higher up/download speeds; one in particular says they would use a direct RJ45 connection, but I personally want to keep the fiber lead.
Out of curiosity, would it be beneficial in my requirements to use the upstream gateway?
Cheers.
When you say, "use the upstream gateway", do you mean the ISP provided router?
I have never found any benefit in using the ISP's equipment. Although my current ISP has actually provided a quite powerful Zyxel device capable of 10Gig on the LAN side, and wifi 6. But it still ended up in its box in storage...
Instead I'm using TPLink Omada gear, for both switching and wifi, and it's so much simpler having just one interface to work with. And then I have pfsense as my gateway/firewall.
It's mainly the functionality that will be lacking when using the ISP equipment, or even the Asus router you have. Which is why you would want to move towards having pfsense as your "entry point" and bring your fiber directly into it (perhaps via a media converter). A 1Gbit model will start at around 20USD and a 2.5GBit perhaps 2 - 3 times that.
When I said "for starters", I meant that you run with the topology you have, until you feel you want to use pfsense the way it's intended. Your Asus router can then be used as your wifi AP, perhaps together with your ISP router in some other location in the home to add wifi coverage.
Since you already have fiber to your home, perhaps the ISP you talked to means that they will provide a media converter, which is what my current ISP did when I had 1Gbit. I got one of these super devices: https://www.amazon.com/s?k=media+converter+1gb&crid=3I07NTVFKVYZU&sprefix=media+converter+1g%2Caps%2C157&ref=nb_sb_ss_ts-doa-p_1_18
And there is no harm in using that of course. But perhaps you want to keep building and experimenting with your pfsense machine, and then you can always put an SFP/SFP+ card in it, which then gives you the possibility to plug the fiber module directly into the WAN port for pfsense.
-
Apologies again for the delay.
I was referring to the pfSense's upstream gateway, as I'm currently experimenting quite a lot with this, trying to get to what I need to achieve.
I will at some point be changing out my Asus router for something more suitable to my needs, as it's outdated as well.
According to the response I got on their forums (yeah, they have a forum, I've never known one to have one xD), it'll be connected via ONT, and then terminated in an RJ45.
I've not come across this before, so if I do go for this ISP, then maybe it'll be better, though they claim to have 2x faster speed than my current ISP (an ISP that brags to be the best in the UK).
Thanks for the feedback again as well.
-
@ldl Ok, so it's like I mentioned, this other ISP will terminate with what I referred to as a media converter, the ONT. It is then entirely up to you what you decide to use as a router/firewall.
And you have already built two Proxmox servers, with multiple NICs, and you have pfsense up and running as a VM. Given this, I'd say you are ready to change out your Asus router already, and replace it with pfsense.
To simplify things I'd make sure to clone the MAC address of the ISP router to the WAN interface of pfsense before connecting to the ONT. If you change ISP, you just change the MAC to what the new router you get from them has. It's written on the back of the device, and you can likely find it in the UI. Or you can connect its WAN port to your pfsense LAN and find it in the list of DHCP Leases in pfsense, where you can easily copy-paste it.
For Proxmox, you should look into IOMMU (pass-through), to have the necessary NICs completely handed over to pfsense. Availability of this functionality depends on the generation of HW you have (CPU/motherboard). But it will give the best performance and control from a pfsense perspective.
With pfsense and your Cisco switch you have all the possibilities to continue playing around with VLANs and all sorts of fun stuff. If your Asus router supports VLAN, you can start creating multiple isolated wifi networks, for guests, IoT stuff etc. But if not, it will still be able to serve as a wifi AP, as long as you remember to use LAN ports only, set a different IP compared to the pfsense UI, and turn off DHCP.
-
@Gblenn said in Newbie questions:
@ldl Ok, so it's like I mentioned, this other ISP will terminate with what I referred to as a media converter, the ONT. It is then entirely up to you what you decide to use as a router/firewall.
And you have already built two Proxmox servers, with multiple NICs, and you have pfsense up and running as a VM. Given this, I'd say you are ready to change out your Asus router already, and replace it with pfsense.
To simplify things I'd make sure to clone the MAC address of the ISP router to the WAN interface of pfsense before connecting to the ONT. If you change ISP, you just change the MAC to what the new router you get from them has. It's written on the back of the device, and you can likely find it in the UI. Or you can connect its WAN port to your pfsense LAN and find it in the list of DHCP Leases in pfsense, where you can easily copy-paste it.
For Proxmox, you should look into IOMMU (pass-through), to have the necessary NICs completely handed over to pfsense. Availability of this functionality depends on the generation of HW you have (CPU/motherboard). But it will give the best performance and control from a pfsense perspective.
With pfsense and your Cisco switch you have all the possibilities to continue playing around with VLANs and all sorts of fun stuff. If your Asus router supports VLAN, you can start creating multiple isolated wifi networks, for guests, IoT stuff etc. But if not, it will still be able to serve as a wifi AP, as long as you remember to use LAN ports only, set a different IP compared to the pfsense UI, and turn off DHCP.
I forgot to mention that the ISP I will be switching to near the end of next month (as I have to give 30 days' notice to my current ISP) gives me the option, at a cost per month, to use one of their routers, or I can use my own, so there will be no MAC issues, which is good.
I will be upgrading my router sometime next month as well, because currently the WAN port on my router only has a max output of 1Gb, which tbf, at the time, was enough for me, as I was only able to get up to 1Gb download and 100Mb upload from my current ISP. But this new ISP offers 2.5Gb for both up/download, as well as offering IPv6, which is something else I want to get familiar with.
Right now I'm just looking at a 2.5Gb WAN for a router and 1Gb for the LANs; I've found two that I will decide on next month.
It's also obviously good to update my current router, as it no longer has firmware updates available.
On to the subject though of pfSense: I ran into this weird issue two days ago, where for some reason, when I reset my servers, pfSense was no longer able to communicate with the network. It was able to ping out to the internet (8.8.8.8), just not on the intranet/network. I resolved that by setting the interfaces, though I'm having to use a /23 mask on my router and wanting to use a /25 mask on pfSense. If I recall though, they all need to be on the same mask, as the course I'm currently on leading towards Cyber Security covered CompTIA and the networking side of things (yeah, it is indeed something fun to get into, I'm learning quite a lot). But on this course I could have sworn they said I need to set the mask to the same one across the board, unless they just meant on those servers trying to communicate with each other. The way I see it, if this setup is correct, obviously for the router itself, when I set it to a /23 mask, it's able to talk to the IP range that my servers are on, whereas I'm guessing if it's on the /25 mask that my servers are on, then it'll be limited to the range it's currently set on. Do correct me if I'm wrong on this.
Sorry for all this hassle. I also set up routes from my Asus router to allow communication between the devices. As well, the devices on the 172.16.1.x range don't appear in the router's connected devices, which is on the 172.16.0.x range; I'm guessing I need to mess around with SNMP or something for this?
-
@ldl said in Newbie questions:
I could have sworn they said I need to set the mask to the same one across the board
If I were you, I would take their advice. Do not "split" subnets. That's not how it is supposed to be done. Set your subnet mask to /24 and have multiple subnets with that mask. Use routing to move traffic from one subnet to another.
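To illustrate kjk54's point with the ranges ldl mentioned (172.16.0.x and 172.16.1.x), here is an added Python check that is not from the thread: it shows how a /23 on the router and a /25 on a server give each side a different answer to "is that peer directly on my link?", and it also checks that each host's default gateway actually lies inside its own subnet. The specific host addresses and the gateway 172.16.1.1 are constructed assumptions, not addresses from the thread.

```python
import ipaddress


def onlink(local_ip: str, prefix: int, peer_ip: str) -> bool:
    """True if a host at local_ip/prefix would ARP for peer_ip directly
    instead of sending the packet to its default gateway."""
    net = ipaddress.ip_interface(f"{local_ip}/{prefix}").network
    return ipaddress.ip_address(peer_ip) in net


def check_pair(host_a, host_b):
    """Each host is (ip, prefix_length, default_gateway_or_None).
    Returns how each side classifies the other, whether the two views
    agree, and whether each configured gateway is reachable on-link."""
    a_ip, a_pfx, a_gw = host_a
    b_ip, b_pfx, b_gw = host_b
    a_sees_b = onlink(a_ip, a_pfx, b_ip)
    b_sees_a = onlink(b_ip, b_pfx, a_ip)
    return {
        "a_sees_b_onlink": a_sees_b,
        "b_sees_a_onlink": b_sees_a,
        # mismatched masks show up here: one side ARPs, the other routes
        "symmetric": a_sees_b == b_sees_a,
        "a_gateway_reachable": a_gw is None or onlink(a_ip, a_pfx, a_gw),
        "b_gateway_reachable": b_gw is None or onlink(b_ip, b_pfx, b_gw),
    }


# Constructed hosts (assumed addresses inside the 172.16.0.x / 172.16.1.x ranges).
ROUTER_23 = ("172.16.0.1", 23, None)            # Asus router with a /23
SERVER_25 = ("172.16.1.10", 25, "172.16.1.1")   # server with a /25, gw assumed pfSense
ROUTER_24 = ("172.16.0.1", 24, None)            # same router, uniform /24
SERVER_24 = ("172.16.1.10", 24, "172.16.1.1")   # same server, uniform /24
BAD_GW_25 = ("172.16.1.10", 25, "172.16.0.1")   # /25 server pointed at the /23 router

if __name__ == "__main__":
    for label, a, b in (("mixed /23 vs /25", ROUTER_23, SERVER_25),
                        ("uniform /24", ROUTER_24, SERVER_24),
                        ("gateway outside /25", ROUTER_23, BAD_GW_25)):
        print(label, check_pair(a, b))
```

In the mixed case the router treats 172.16.1.10 as a neighbour while the server treats 172.16.0.1 as off-link, so replies take a different path than requests; with a uniform /24 both sides agree that the other is a separate subnet and traffic is routed consistently in both directions.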
-
@kjk54 Yeah mate, this is what I thought originally. I had just a year to cram all this knowledge, being Network, Security, Modern Desktop, Hardware/Software (I know a bit regarding hardware and software anyway) etc., but yeah, I do recall hearing this. I just found it weird, though it did kind of make sense with the mask being lower, giving access to the IP ranges given by the router after setting it.
That said, I set up routes both ways, and it was having issues connecting to them with the same mask across the board. Thinking it was a firewall issue, I temporarily disabled it to rule that out; next would have been checking bridged connections, but that led to some complications, though that's probably a rookie error on my part.
-
@ldl said in Newbie questions:
I will be upgrading my router sometime next month as well, because currently the WAN port on my router only has a max output of 1Gb, which tbf, at the time, was enough for me, as I was only able to get up to 1Gb download and 100Mb upload from my current ISP. But this new ISP offers 2.5Gb for both up/download, as well as offering IPv6, which is something else I want to get familiar with.
Right now I'm just looking at a 2.5Gb WAN for a router and 1Gb for the LANs; I've found two that I will decide on next month.
It's also obviously good to update my current router, as it no longer has firmware updates available.
Do you mean you are shopping for NICs to use in pfsense? Or are you thinking of replacing the Asus router with something newer?
I don't really see the point of having multiple routers; in fact it just complicates things. Make pfsense your main router and upgrade it with a multi-NIC card, with either two or four 2.5G ports. Later on you can upgrade your PC and your switches to accommodate 2.5G. Many or most new PCs, motherboards and laptops come with 2.5G ethernet today. Don't limit yourself on your LAN side, especially when you are paying for 2.5G internet...
-
@Gblenn Replacing my Asus router with something newer, as the Asus one is outdated (the main reason); sure, it still works, but yeah.
Another reason as to why I want to replace it is that if I'm going to use my own router, then other people in my house will obviously be on the same line, so I want to accommodate them as well. Currently they're not on my router, as that's in another room; they're on the ISP router. When I switch over to the newer ISP, that will change and all devices (being wired) will be connected to the router. With my current router I only have the capability for 1Gb on WAN; the routers I've been looking at support 2.5Gb WAN, which then has 1Gb on the LANs. I'm not looking to utilise all that connection speed on one device alone, I simply want to guarantee 1Gb speed to my servers, as with this setup I have, I'm hosting a good few gaming servers for closed sessions with friends.
Sure that most likely wouldn't use up 1Gb, but it'd be nice to have that speed on it.
I'm also currently only getting low speeds compared to what I'm currently paying for (screenshot below) on Cat7.
That also said, my PC, servers and switches only go up to 1Gb.
If this ISP offered a lower speed, if that was possible, say 1.5Gb, then I'd go for that instead. That said, it's only a £10 difference from the next package down, and I also have the option to downgrade in the future.
I will be considering upgrading the NICs and switches in the future, however, if I feel the need for more than 1Gb.
-
@ldl said in Newbie questions:
@Gblenn Replacing my Asus router with something newer, as the Asus one is outdated (the main reason); sure, it still works, but yeah.
Another reason as to why I want to replace it is that if I'm going to use my own router, then other people in my house will obviously be on the same line, so I want to accommodate them as well. Currently they're not on my router, as that's in another room; they're on the ISP router,
I get that it's outdated, and of course you should try to do 2.5G on the WAN. That all makes sense, but you should only have one router in use.
And it seems to me like you are using your routers as a way to connect people's devices so they can get out on the internet. But that's what switches are for, and they are way cheaper per port.
@ldl said in Newbie questions:
I will be considering upgrading the NICs and switches in the future however if I feel the need for more than 1Gb
What's the cost of these routers you are looking at?
I'm guessing you could get a 2.5Gbit dual NIC card (to upgrade pfsense with) plus one or two managed Netgear or TPLink switches for the same price.
And if you want to segment your network to separate users from each other, use VLANs. You have your Cisco switch, and if you add more VLAN-capable switches you have full control. And your dumb Netgear can still be used for extra ports towards users or devices that all belong to the same VLAN.
But you do all of this having pfsense as your one and only router, connected to the ISP ONT. And you can still use the Asus and even the old ISP router as wifi APs. But then they are no longer routers; they are just semi-smart switches with wifi.