    Hardware purchase advice please

      pvoigt

      @jimmybob:

      So if I have a CMD prompt which I've seen where you pick WAN, LAN etc.

      What is the difference between VGA and non-VGA versions specifically?
      I thought CMD prompt was what VGA was?

      The VGA images are useful only for boards with a VGA adapter. There are boards like most boards of the Alix series from PC Engines which do not have a VGA adapter. You cannot use them with a VGA image. You need the non-VGA images instead and you get your console via serial line.

      Peter

        jimmybob

        ok cool. so with the jetway board I have would you say I have the correct image?

        Sounds like it to me.

          pvoigt

          @jimmybob:

          ok cool. so with the jetway board I have would you say I have the correct image?

          Sounds like it to me.

          Yes. I'm using a VGA image for my Jetway NF99FL-525 as well. However, I've decided to go with the corresponding AMD64 2G image:
          pfSense-2.0.3-RELEASE-2g-amd64-nanobsd_vga.img.gz.

          Peter

            robi

            Are you able to run 64-bit pfSense on Jetway NF99FL-525? On the 525 Atom CPU? I wasn't aware it's 64-bit capable.

              jimmybob

              @pvoigt:

              @jimmybob:

              ok cool. so with the jetway board I have would you say I have the correct image?

              Sounds like it to me.

              Yes. I'm using a VGA image for my Jetway NF99FL-525 as well. However, I've decided to go with the corresponding AMD64 2G image:
              pfSense-2.0.3-RELEASE-2g-amd64-nanobsd_vga.img.gz.

              Peter

              Is there a reason you went 64bit and are there any advantages?

              Thanks

                stephenw10 Netgate Administrator

                I'd be interested to hear your reasoning too because my advice would be to always use the 32bit image unless you really need 64bit. You can use more than 4GB of RAM but the Atom can't so no advantage there. There may be some performance advantage for specific tasks but it's so negligible you'd need some careful testing to see it. Mostly the 32bit image is better tested, especially on an Atom.

                Steve

                  pvoigt

                  @stephenw10:

                  I'd be interested to hear your reasoning too because my advice would be to always use the 32bit image unless you really need 64bit. You can use more than 4GB of RAM but the Atom can't so no advantage there. There may be some performance advantage for specific tasks but it's so negligible you'd need some careful testing to see it. Mostly the 32bit image is better tested, especially on an Atom.

                  Steve

                  I've once had two reasons:
                  1.) My system has 4 GiB RAM.
                  2.) I wanted to test the AMD64 version.

                  The AMD64 image runs very stable over months without any problems. It has turned out, however, that my pfSense installation never uses >= 3.3 GiB. That's why I could have gone with the 32 bit image without any disadvantages :).

                  Peter

                  EDIT: Do you think there are significantly more i386 installations than AMD64? If so, I agree with you that the feedback from those users may make pfSense i386 more stable. Furthermore, many older Atoms were 32bit systems. Do you know about other reasons why the i386 image may be more stable?

                    stephenw10 Netgate Administrator

                    The last time the question was asked I believe the figures showed more 32bit installs by some way. I imagine that more and more people are using 64bit though. I can't find it now.  :-
                    Of course the more people who use 64bit the quicker any bugs will be found and squashed.  ;)

                    I don't know what the figures are for FreeBSD, would be interesting to find out.

                    Steve

                      jimp Rebel Alliance Developer Netgate

                      At least for a few years, there will probably be more i386 installs. I'm not sure if we have a way to track that accurately though.

                      The reason i386 is still more common is because of embedded devices, i.e. ALIX and its cousins, and re-purposed old machines that aren't 64-bit.

                      As the hardware in that area catches up and becomes 64-bit capable, only then would I expect it to be more common.

                      That said, it is definitely picking up from what I've seen with customers. New server-grade hardware and VMs are almost always using amd64 now.

                        jimmybob

                        Got it all up and running…

                        Well almost...

                        I've got WAN and LAN working.

                        But when I set up opt1, opt2, opt3.
                        They don't seem to do anything.
                        I can't pull up the web panel.

                        Do I need to set a firewall rule?

                        I did the set up via the CMD setup

                          stephenw10 Netgate Administrator

                          @jimmybob:

                          Do I need to set a firewall rule?

                          Yes.
                          By default only the LAN interface has rules in place to allow access to anything. You will have to add appropriate rules to the additional interfaces.

                          Steve

                            asterix

                            Another reason for i386 images is that not all motherboards are capable of housing over 4GB of RAM. Typical installs of 4GB are way more than sufficient for pfSense and some resource hungry packages.

                            When I first started using pfSense, Snort was the killer and would hog up almost 80% of the 4GB RAM. The package now has gone through several cycles of fine tuning and refinements. It barely takes 20% of my 4GB RAM. With Snort, Squid, Dans, pfBlocker and OpenVPN all combined my RAM usage hovers around 35% and steadily increases by 2% every day. pfSense reloads the cache after some days and memory usage drops down. So not even 2GB of RAM is being used.

                            Hats off to the developers who have made such a fine UTM product.

                              jimmybob

                              All I want to do is set up each LAN port like any other simple setup for a home network.

                              So… when I go to Opt1 ENABLE...then set to STATIC, leaving all else default then I come to Static IP address.
                              Is this not the same as WAN which in my case is 192.168.1.2 ? for all LAN ports?
                              Or do they have to be set like 192.168.1.2, 192.168.1.3 etc? which does not make sense.
                              Actually subnet is showing as 192.168.1.0 so maybe that is right?

                              Then I go to Firewall.. set to..
                              Pass.
                              Opt2
                              ANY
                              Destination ---> tick NOT then select "Any".
                              Place a description and SAVE?

                              Then Services ---> DHCP Server...
                              Select Opt2.
                              Port range same as LAN ? 192.168.1.10 - 192.168.1.245
                              then SAVE?

                              From the Googling I've done,,, does this look correct?

                              thanks

                                stephenw10 Netgate Administrator

                                Hmm, a few problems there I think.  ;)

                                @jimmybob:

                                All I want to do is set up each LAN port like any other simple setup for a home network.

                                Do you mean like a SOHO router with 4 LAN ports?

                                @jimmybob:

                                So… when I go to Opt1 ENABLE...then set to STATIC, leaving all else default then I come to Static IP address.
                                Is this not the same as WAN which in my case is 192.168.1.2 ? for all LAN ports?
                                Or do they have to be set like 192.168.1.2, 192.168.1.3 etc? which does not make sense.
                                Actually subnet is showing as 192.168.1.0 so maybe that is right?

                                The usual way this would be set up is that each interface is a separate subnet. So for example you could use:
                                LAN is 192.168.1.1/24 (the default configuration)
                                OPT1 is 192.168.2.1/24
                                OPT2 is 192.168.3.1/24
                                OPT3 is 192.168.4.1/24

                                If your WAN interface is using a private IP, like 192.168.1.2 as you say above, then you would have to choose something else because the WAN interface must use a different subnet.

                                @jimmybob:

                                Then I go to Firewall.. set to..
                                Pass.
                                Opt2
                                ANY
                                Destination ---> tick NOT then select "Any".
                                Place a description and SAVE?

                                If you want to allow traffic from devices connected to OPT2 out to the internet or to other interfaces you need a rule more like:
                                Pass
                                OPT2
                                Protocol: any
                                Source: any
                                Destination: any

                                This is a very permissive rule though.
                                A rule that has destination 'NOT any' will never match traffic.  ;)

                                @jimmybob:

                                Then Services ---> DHCP Server...
                                Select Opt2.
                                Port range same as LAN ? 192.168.1.10 - 192.168.1.245
                                then SAVE?

                                The IP range would be different because OPT2 is not the same subnet as LAN. So for the above example it could be 192.168.3.10 - 192.168.3.254
                                That would leave 192.168.3.2 - 192.168.3.9 for any static IP assignments you wanted to use.

                                Steve
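
Added example, not part of the forum thread and not pfSense code: a small Python check of the addressing rules in the reply above (one subnet per interface, WAN on a different subnet, DHCP pool inside its interface's subnet). The /24 mask on WAN, the replacement WAN address 192.168.0.2 and the names check_plan, AS_ASKED and CORRECTED are assumptions made for the illustration.

```python
import ipaddress
from itertools import combinations


def check_plan(interfaces, dhcp_pools):
    """Return a list of problems in an addressing plan; [] means it is consistent.

    interfaces: {"LAN": "192.168.1.1/24", ...}   interface address with prefix
    dhcp_pools: {"OPT2": ("first", "last"), ...} inclusive DHCP range
    """
    problems = []
    ifaces = {name: ipaddress.ip_interface(cidr) for name, cidr in interfaces.items()}

    # Rule 1: every interface, WAN included, must be in its own subnet.
    for (a, ia), (b, ib) in combinations(ifaces.items(), 2):
        if ia.network.overlaps(ib.network):
            problems.append(f"{a} ({ia.network}) overlaps {b} ({ib.network})")

    # Rule 2: a DHCP pool must lie inside the subnet of the interface serving it.
    for name, (first, last) in dhcp_pools.items():
        if name not in ifaces:
            problems.append(f"DHCP pool defined for unknown interface {name}")
            continue
        net = ifaces[name].network
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if lo > hi:
            problems.append(f"{name} DHCP pool {lo}-{hi} is reversed")
            continue
        if lo not in net or hi not in net:
            problems.append(f"{name} DHCP pool {lo}-{hi} is not inside {net}")
            continue
        # The pool must not hand out the firewall's own address on that
        # interface, nor the network or broadcast address of the subnet.
        if lo <= ifaces[name].ip <= hi:
            problems.append(f"{name} DHCP pool includes the interface address {ifaces[name].ip}")
        if lo <= net.network_address or hi >= net.broadcast_address:
            problems.append(f"{name} DHCP pool includes the network or broadcast address")
    return problems


# Constructed input: the plan as first described in the question, with WAN on
# 192.168.1.2 (mask assumed to be /24) and the LAN DHCP range reused on OPT2.
AS_ASKED = (
    {
        "WAN": "192.168.1.2/24",
        "LAN": "192.168.1.1/24",
        "OPT1": "192.168.2.1/24",
        "OPT2": "192.168.3.1/24",
        "OPT3": "192.168.4.1/24",
    },
    {"OPT2": ("192.168.1.10", "192.168.1.245")},
)

# Constructed input: same plan with WAN moved to a subnet of its own (address
# is a made-up placeholder) and the OPT2 pool suggested in the reply.
CORRECTED = (
    {**AS_ASKED[0], "WAN": "192.168.0.2/24"},
    {"OPT2": ("192.168.3.10", "192.168.3.254")},
)

if __name__ == "__main__":
    for label, (ifs, pools) in (("as asked", AS_ASKED), ("corrected", CORRECTED)):
        found = check_plan(ifs, pools)
        print(label, "->", found if found else "no problems")
```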

                                  jimmybob

                                  Hi Steve,

                                  I'm used to DD-WRT. So I guess a lot of the settings are kept simple since all ports on a 4 port router
                                  like the Asus N16 is done automatically.

                                  That is pretty much as simple as I wish to keep it.
                                  So I'd go..
                                  192.168.2.1
                                  192.168.3.1

                                  rather than
                                  192.168.1.2
                                  192.168.1.3
                                  ?

                                  Thing is… with any commercial router no matter which of the 4 ports I connect to.
                                  They are all given ips on the same like 192.168.1.*
                                  not 192.168.*.2

                                  So all my devices on my Asus with DD-WRT was like 192.168.1.101, 192.168.1.102 etc

                                    stephenw10 Netgate Administrator

                                    I thought you might say something like that.

                                    Most SOHO routers, such as the Asus N16, are in fact a two port router with a 4 port switch (5 if you count the internal one) on the same board.

                                    With your setup you have 5 completely independent interfaces which allows you much better control over different network segments. Each interface can have different firewall rules. This is a far more powerful configuration but is also more complex to setup.

                                    The problem is that if you are just substituting this for the N16 then you might have issues with devices not seeing each other.

                                    It is possible to setup the interfaces to behave exactly like they would on the N16 by bridging them together.
                                    http://doc.pfsense.org/index.php/Interface_Bridges
                                    Due to the fact that traffic still has to be moved between each interface in software this will not be as fast as a real switch. Probably not what you wanted to hear.  :-\

                                    Anyway I'm sure we can come to a configuration that meets your requirements. I think you said earlier that you wanted to remove as many devices as possible. What devices are you actually connecting?

                                    Steve

                                      jimmybob

                                      Hi Steve,

                                      Ok, so if I have different IPs hooked up to the LAN interfaces like.
                                      192.168.1.2
                                      192.168.2.2

                                      Etc (reason I'm using ..*.2 is because the dd wrt I would connect purely for wireless needs.
                                      And that uses 192.168.1.1. I probably should change this to 192.168.6.2

                                      So what you're saying is anything on 192.168.1.2 won't be able to communicate with anything on 192.168.2.2?
                                      And so on without bridging them?

                                      In the house the following is what is connected.

                                      2 full size pcs.
                                      Netgear NAS
                                      2 networked laser printers.
                                      The 3 below are networked via home plugs…
                                      1 plasma tv
                                      1 Mini ITX home theatre pc.
                                      Ps3

                                      Wifi.
                                      Nintendo 3ds
                                      2 laptops
                                      iPad

                                        jimmybob

                                        So what I think I'm going to do is…

                                        Set up pfsense so it reflects...

                                        192.168.2.1 wan (main)
                                        Then do the rest 192.168.3.1 etc

                                        Leave the dd wrt 192.168.1.1

                                        Sounds good thus far?

                                          stephenw10 Netgate Administrator

                                          @jimmybob:

                                          So what you're saying is anything on 192.168.1.2 won't be able to communicate with anything on 192.168.2.2?
                                          And so on without bridging them?

                                          In general they will be able to communicate, as long as you have allowed it with firewall rules. Just as your desktop PC can talk to a random web server in a completely different IP range, pfSense will route the traffic between its different interfaces.
                                          However some software will not work across subnets, specifically often media server/client programs. Things that use DLNA or equivalent protocols to automatically find servers often only look locally. Some clients do not even allow for manual entry of the server address (a massive oversight IMHO!). It is possible to extend the reach of some of these using the IGMP proxy between two interfaces but this is a bit hit-and-miss. If you're not using this feature you may not have any trouble.

                                          @jimmybob:

                                          192.168.2.1 wan (main)
                                          Then do the rest 192.168.3.1 etc

                                          Do you mean WAN here? What is your WAN connection? The fact that it's a private address implies you have some upstream router.

                                          Steve

                                            jimmybob

                                            @stephenw10:

                                            @jimmybob:

                                            So what you're saying is anything on 192.168.1.2 won't be able to communicate with anything on 192.168.2.2?
                                            And so on without bridging them?

                                            In general they will be able to communicate, as long as you have allowed it with firewall rules. Just as your desktop PC can talk to a random web server in a completely different IP range, pfSense will route the traffic between its different interfaces.
                                            However some software will not work across subnets, specifically often media server/client programs. Things that use DLNA or equivalent protocols to automatically find servers often only look locally. Some clients do not even allow for manual entry of the server address (a massive oversight IMHO!). It is possible to extend the reach of some of these using the IGMP proxy between two interfaces but this is a bit hit-and-miss. If you're not using this feature you may not have any trouble.

                                            @jimmybob:

                                            192.168.2.1 wan (main)
                                            Then do the rest 192.168.3.1 etc

                                            Do you mean WAN here? What is your WAN connection? The fact that it's a private address implies you have some upstream router.

                                            Steve

                                            At the moment I have WAN: 192.168.1.0 (from what I can see)
                                            LAN1: 192.168.1.1
                                            LAN2: 192.168.2.1
                                            LAN3: 192.168.3.1
                                            LAN4: 192.168.4.1

                                            I've added the same firewall rule that pfsense automatically added to LAN1 and copied to all other LANs after I enabled them.
                                            I've also in DHCP Server,
                                            LAN1: 192.168.1.10 - 192.168.1.245
                                            LAN2: 192.168.2.10 - 192.168.2.245
                                            LAN3: 192.168.3.10 - 192.168.3.245
                                            LAN4: 192.168.4.10 - 192.168.4.245

                                            And changed nothing else. Which is the same as what was already set for LAN1 from what I can see.

                                            I can access the internet from all 4 LAN ports now.

                                            But as you'd said… If I use a switch and hook everything up I'm having success them all seeing each other at the moment.
                                            But when I connected the NAS drive to another LAN port i.e LAN2 on pfsense. The NAS drive was not accessible from windows
                                            even after rebooting the NAS.

                                            So Windows was 192.168.1.1 range and NAS was 192.168.2.1 range.

                                            How is this fixable?
