Netgate Discussion Forum
    VERY N00b Questions on Setup

    Problems Installing or Upgrading pfSense Software
    20 Posts 7 Posters 2.1k Views
    SilverJS

      Hi all,

      I've been searching to find answers, and have been mildly successful - I'm just looking for some more knowledgeable people to see if I've got this right.

      I'm looking to set up a pfSense firewall/router for my home network.  I'm a little familiar with FreeBSD, but not much - I've gained a bit of exposure through FreeNAS, as I have two boxes (main and backup, sync'd through ZFS Replication).  The hardware I'll be using for pfSense is a Phenom X3 720 with 8GB RAM, 64GB SSD and NC360T dual interface (which is still incoming, should get it in the mail in a few days).

      If I look at my current ISP-supplied router/AP/firewall all-in-one, I see the following :

      Connection Type : DHCP;
      Router IP Address (also used as gateway everywhere else, such as the FreeNAS installs) : 192.168.0.1;
      DHCP Address Range : 192.168.0.100 to 199.  Not that important, but this will lead to my first question below;
      Primary/Secondary DNS servers : 0.0.0.0;

      So, my questions :

      1.  I'm military, and will be moving a lot, and one of the benefits of using pfSense, to me, was the ability to keep my IP addressing scheme from house to house.  Confirm I'm correct in this?

      2.  I'm assuming my ISP is supplying the DNS info somehow.  So, does that mean I enter nothing in the DNS fields in the pfSense initial setup wizard?

      3.  I'm pretty darn sure I'll have to select DHCP as the connection type, but do I enter 192.168.0.1 as the LAN interface IP?  As static?  (I haven't yet had a chance to play with a box that has two interfaces.);

      3.1.  If I do that, all of my current IP addresses on the network (most important are the two FreeNAS boxes) will remain and functionality won't be affected, correct?

      4.  The overall plan for my network is something like this :

      Internet -> Modem -> pfSense WAN Interface;
      pfSense LAN Interface -> Switch -> A variety of computers, and also another switch (on another floor) -> my current ISP-supplied router, but used this time only as a wireless access point.

      Any glaring faults in this topology?

      Thanks in advance!

      pfSense Rig : SuperMicro X8SIL-F with X3430 Xeon CPU, Shuriken cooler | 12 GB ECC RAM | Kingston 64GB SSD | Antec VP450 P/S | Silverstone ML03B Case

      Derelict (LAYER 8 Netgate)

        @SilverJS:

        So, my questions :

        1.  I'm military, and will be moving a lot, and one of the benefits of using pfSense, to me, was the ability to keep my IP addressing scheme from house to house.  Confirm I'm correct in this?

        Yes.  Nobody cares what your IP networking scheme is behind your NAT router.  The only reason you might consider changing it to something else is if you want to set up OpenVPN so you can get into your network from afar.  The problem with 192.168.0.0/24, 192.168.1.0/24 and 10.0.0.0/8 is there is a high probability that you will be connecting FROM a site that uses the same network numbering.  That breaks things.  Some random other choices:

        10.107.238.0/24
        172.30.104.0/24
        192.168.99.0/24

        2.  I'm assuming my ISP is supplying the DNS info somehow.  So, does that mean I enter nothing in the DNS fields in the pfSense initial setup wizard?

        Yes.  Over DHCP.  If you want to just leave it, that's fine.  If you want the firewall to use other DNS servers, enter them.  Your local hosts get their DNS servers from your DHCP server.  If you just accept all the defaults, your hosts will use pfSense as their DNS server which, in turn, will use the ISP's DNS servers supplied by their DHCP.  Should all work okay that way.

        3.  I'm pretty darn sure I'll have to select DHCP as the connection type, but do I enter 192.168.0.1 as the LAN interface IP?  As static?  (I haven't yet had a chance to play with a box that has two interfaces.);

        Yes.  192.168.0.1/24 (See above, however)

        3.1.  If I do that, all of my current IP addresses on the network (most important are the two FreeNAS boxes) will remain and functionality won't be affected, correct?

        Yes.  Should be fine.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        Mr. Jingles

          @Derelict:

          3.  I'm pretty darn sure I'll have to select DHCP as the connection type, but do I enter 192.168.0.1 as the LAN interface IP?  As static?  (I haven't yet had a chance to play with a box that has two interfaces.);

          Yes.  192.168.0.1/24 (See above, however)

          Isn't that WAN (And not LAN)?

          3.1.  If I do that, all of my current IP addresses on the network (most important are the two FreeNAS boxes) will remain and functionality won't be affected, correct?

          Yes.  Should be fine.

          Shouldn't they be static?

          6 and a half billion people know that they are stupid, aggressive, lower life forms.

          NOYB

            Since you're going to be moving a lot, that probably means ISP changes.  For a more consistent DNS experience, and to avoid ISP DNS redirection of not-found domain names, you may want to use other DNS.

            Here are a couple of DNS possibilities to consider.

            1. Configure pfSense WAN to use a third party DNS that does not redirect incorrect / not found domain names to ad pages.  Google DNS is one such service.  8.8.8.8 and 8.8.4.4

            2. Use DNS Resolver without DNS Query Forwarding to bypass ISP DNS and query the root servers for the domain authoritative servers, which are then queried directly for the name resolution.

            This way, with either of these two options, when you move, the DNS servers you use remain the same.

            Mr. Jingles

              @NOYB:

              1. Use DNS Resolver without DNS Query Forwarding to bypass ISP DNS and query the root servers for the domain authoritative servers, which are then queried directly for the name resolution.

              Thanks  :)

              SilverJS

                Many thanks to all!!  Super informative answers, cheers.  Couple of follow-on questions, please :

                Derelict (dude - an answer like that, that got 95% of my questions, in 15 minutes or so??  Mad props, good Sir), how presciently pertinent of you to mention VPN, as I was indeed planning that!  (Thought that was beyond the scope of this humble thread.)  So, I'll definitely keep this in mind - in fact, while waiting for my dual-NIC card, I'll go ahead and change my IP address topology now.

                Mr. Jingles : could you please elaborate?  I'm afraid I don't follow, on either point.  For reference, my FreeNAS boxes are indeed static, but I have a feeling that's not what you were talking about…?

                NOYB : Done, I'll use the Google DNS servers when setting up, or, when I get more comfortable with pfSense, your alternative approach.  Either way, one less variable when moving.

                Anybody got points about question four?  Derelict, I saw your diagram in another thread on the wireless forum, where pfSense is plugged into one of the router's LAN ports.  I guess what I'm asking is, can I stick a switch (two, actually) between the pfSense box and the wireless access point?  My understanding is that I can indeed do that, but looking to validate.

                I'd heard tons of great stuff about the pfSense community - those reports were dead accurate!

                heper

                  1. seems rather sane … just remember to turn off DHCP on the 'isp-supplied-router' once you start using it as an access point.
                  Derelict (LAYER 8 Netgate)

                    Yes. A switch can be between any devices on the same subnet.

                    Mr. Jingles

                      @SilverJS:

                      Many thanks to all!!  Super informative answers, cheers.  Couple of follow-on questions, please :

                      Mr. Jingles : could you please elaborate?  I'm afraid I don't follow, on either point.  For reference, my FreeNAS boxes are indeed static, but I have a feeling that's not what you were talking about…?

                      For sure  ;D

                      1. If your WAN is DHCP, you simply set it to DHCP. No need to put in a subnet (192.168.x.x). At least, my WAN2 is DHCP, I simply set DHCP on the interface setting and it gets its IP and the connection is up.
                      2. No misunderstanding here ( :P ): you set your boxes up as static in DHCP server (on MAC address), and you're done. Otherwise, once you connect a new tablet/smartphone/whatever, it gets mixed up as DHCP leases expire. I have all my hardware in LAN setup as static. I have a DHCP range only for new equipment, so it can connect initially. The minute it connects - I set it up static.

                      NOYB

                        Maybe the confusion was regarding configuring static DHCP leases vs. a static IP address at each client or server.

                        SilverJS

                          @NOYB:

                          Maybe the confusion was regarding configuring static DHCP leases vs. a static IP address at each client or server.

                          More like WAN vs LAN, but I'm not even sure.  To be honest, I'm even more confused now. =)  I'll try to explain below the way I understand things, so please correct as required.

                          The WAN is where the Internet comes in.  In my particular case, with my current ISP, the connection type is DHCP, which means my ISP will assign me (or, to be more specific, my "entry point", which I suppose is the modem) an IP address, dynamically.

                          Now - and here's the key part, I believe - this particular address has NOTHING to do with the addresses behind that entry point.  Those addresses are my own network, and I can do whatever I please with those.  If I check to see my public IP address, it's totally different than the routine 192.168.0.xxx scheme I have internally.

                          Am I correct so far?

                          If so, my understanding is that, with my current ISP, when setting up pfSense, I'd set WAN to DHCP, and LAN to static, so pfSense can act as the gateway for all the other machines on the network.  I'd set the static according to the numbering scheme selected, reserve a block for static IPs, reserve another for dynamic addresses (I can set both of those in pfSense, right?), and off I go.

                          That's my understanding, and that's why Mr. Jingles' comments still don't make sense to me - sorry. =)  (Not trying to be rude, or to sound ungrateful!  Quite the opposite.)  That being said, I totally understand the logic behind getting every hardware box a static IP address, and I'll probably do that too once I get everything up and running.

                          Thanks again in advance!

                          divsys

                            If I may jump in...

                            The WAN is where the Internet comes in.  In my particular case, with my current ISP, the connection type is DHCP, which means my ISP will assign me (or, to be more specific, my "entry point", which I suppose is the modem) an IP address, dynamically.

                            Now - and here's the key part, I believe - this particular address has NOTHING to do with the addresses behind that entry point.  Those addresses are my own network, and I can do whatever I please with those.  If I check to see my public IP address, it's totally different than the routine 192.168.0.xxx scheme I have internally.

                            Am I correct so far?

                            Bang on!  The only addition I would make is to avoid 192.168.0.x, 192.168.1.x, and 10.0.0.x as your internal address ranges.  But only because those particular ranges are already used by so many other off-the-shelf devices (routers, APs etc.) that future VPN and interconnect scenarios can be more difficult than necessary if your internal LAN addresses happen to overlap one of these other devices.

                            If so, my understanding is that, with my current ISP, when setting up pfSense, I'd set WAN to DHCP, and LAN to static, so pfSense can act as the gateway for all the other machines on the network.  I'd set the static according to the numbering scheme selected, reserve a block for static IP's, reserve another for dynamic addresses (I can set both of those in pfSense, right?), and off I go.

                            Again, dead on the money.  The confusion (I'm guessing here) in the previous posts has more to do with which "DHCP" the various authors are referring to.

                            There's DHCP as it refers to the WAN interface which (as you described) is presented to your WAN interface by your ISP.  Thus the WAN interface type is DHCP.

                            Then there's DHCP as it refers to the LAN interface which (again you described it well) is a service made available by your LAN interface.  Your LAN interface NIC is actually (typically) a Static address within the subnet of that DHCP service so the LAN interface type is static.  It becomes your responsibility to manage the DHCP server on your internal LAN subnet.

                            The confusion arises when we (I do it myself too...) simply say "DHCP" or "Static address" or "Dynamic address" without enough context to be clear about what we're describing.

                            BTW the comment about managing towards static addresses on your internal LAN is one of my best practices as well; for others - YMMV.

                            If that helps, glad I could.
                            If it doesn't feel free to ignore me  ;)

                            -jfp

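Derelict's and divsys's advice above about avoiding 192.168.0.x, 192.168.1.x and 10.0.0.x comes down to an overlap check, and the same check applies to the VPN tunnel network and the networks of the sites you may connect from. The following is an added example, not code from the thread or from pfSense; it treats the defaults to avoid as the three /24s divsys lists, and the tunnel network and remote-site networks in it are constructed.

```python
"""Added example: check a planned home LAN subnet against the ranges that
consumer routers commonly default to, and check that LAN, VPN tunnel network
and the remote sites you may connect from are mutually disjoint."""
from ipaddress import ip_network

# Defaults to avoid, taken as the /24s divsys lists (192.168.0.x, 192.168.1.x, 10.0.0.x).
COMMON_DEFAULTS = [ip_network(n) for n in ("192.168.0.0/24", "192.168.1.0/24", "10.0.0.0/24")]


def collisions(candidate, avoid=COMMON_DEFAULTS):
    """Return the networks in `avoid` that overlap `candidate` (empty list = safe)."""
    cand = ip_network(candidate, strict=False)
    return [str(n) for n in avoid if cand.overlaps(n)]


def first_safe_choice(candidates, avoid=COMMON_DEFAULTS):
    """First candidate that overlaps none of the networks to avoid, or None."""
    for c in candidates:
        if not collisions(c, avoid):
            return c
    return None


def disjoint_plan(lan, tunnel, remote_sites):
    """Return the overlapping pairs among the LAN, the VPN tunnel network and the
    networks of remote sites (hotel, office, ...). An empty list means every
    destination has exactly one route, so the VPN does not 'break things'."""
    named = [("lan", ip_network(lan)), ("tunnel", ip_network(tunnel))]
    named += [(f"remote:{r}", ip_network(r)) for r in remote_sites]
    problems = []
    for i in range(len(named)):
        for j in range(i + 1, len(named)):
            a_name, a = named[i]
            b_name, b = named[j]
            if a.overlaps(b):
                problems.append((a_name, b_name))
    return problems


if __name__ == "__main__":
    # Constructed sample: the current LAN plus Derelict's three "random other choices".
    choices = ["192.168.0.0/24", "10.107.238.0/24", "172.30.104.0/24", "192.168.99.0/24"]
    for c in choices:
        print(c, "collides with", collisions(c) or "nothing")
    print("pick:", first_safe_choice(choices))
    # Constructed: a hotel on 192.168.0.0/24 and an office on 10.0.0.0/24, tunnel 10.8.0.0/24.
    print(disjoint_plan("192.168.99.0/24", "10.8.0.0/24", ["192.168.0.0/24", "10.0.0.0/24"]))
```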
                            SilverJS

                              @divsys:

                              If that helps, glad I could.
                              If it doesn't feel free to ignore me  ;)

                              Not at all, good Sir!  Very helpful indeed, quite grateful here.  I guess I hadn't factored into my equation (that is, the one that attempts to figure out where the confusion arose in this thread!) that the LAN interface (or, more accurately, the pfSense machine itself, but we understand each other) is ALSO a DHCP server - to all the other machines on the network, that is.

                              But, OK, I'm now at the point where I have sufficient trust in my knowledge and understanding.  =)

                              divsys

                                But, OK, I'm now at the point where I have sufficient trust in my knowledge and understanding.  =)

                                Excellent, that's invariably the point at which I make my best mistakes - but learn the most  ;)

                                Just kidding (except about learning)…

                                Welcome to pfSense, it's still one of the best open source tools I've found and has a community to match.

                                -jfp

                                SilverJS

                                  @heper:

                                  1. seems rather sane … just remember to turn off DHCP on the 'isp-supplied-router' once you start using it as an access point.

                                  So I've been thinking about this - why would I want to do that?  (Not questioning, just inquiring, btw.)  Wouldn't I want the wireless AP to hand out DHCP addresses to new wireless clients?  Or would the pfSense machine still be the one to do that even through wireless?

                                  SilverJS

                                    Actually, disregard the above - found the answer with a bit of searching.  For anybody happening on this thread via search in the future, here's an answer by phil.davis to another series of questions in the past.  For reference, the "it" in the first sentence refers to a consumer router/AP :

                                    @phil.davis:

                                    Normally you just ignore the fact that it has a WAN port - put tape over it. Plug one of the LAN ports into your LAN switch. Switch off DHCP on the "WiFi router". Just have it offering WiFi, the DHCP will come from pfSense, through the LAN switch, through the WiFi device and delivered to WiFi clients.

                                    So there it is, pfSense will indeed offer DHCP to WiFi clients.  Which is why DHCP needs to be turned off on the AP.

                                    NOYB

                                      If the AP WLAN is part of the same routed subnet then the pfSense DHCP server will handle that.  Turn off the AP DHCP server to avoid some clients possibly getting the same address as another from the pfSense DHCP server.  For the simple, straightforward home setup you are probably implementing, only one DHCP server should be handing out addresses.

                                      If the AP WLAN is going to be its own routed subnet then leave its DHCP server on.

                                      SilverJS

                                        Sorry, I did indeed intend (but nevertheless should have specified) for all WiFi clients to be on the same subnet as the pfSense DHCP server.  In other words, everything in one subnet.

                                        NOYB

                                          @SilverJS:

                                          Sorry, I did indeed intend (but nevertheless should have specified) for all WiFi clients to be on the same subnet as the pfSense DHCP server.  In other words, everything in one subnet.

                                          Pretty much what I figured.  So definitely only have one active DHCP server.  Otherwise clients could end up with the same IP address if more than one DHCP server is assigning addresses in the same range.

                                          almabes

                                            I have a friend who runs an ISP.  He provides Internet to a condo building in Downtown Atlanta somewhere.  One of the issues he has run into (and since solved) is end users plugging in their consumer router/firewalls "backwards", with the LAN side connected to the WAN.  The built-in, on by default, DHCP server on these devices would take down the whole building.

                                            So, to make a point…yes, you only want one DHCP server enabled or your network will not work right, at all.  Basically you'll DoS yourself.

                                            Modern switch software allows you to lock down which port DHCP requests can be replied from to guard against this kind of problem.

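heper, NOYB and almabes all make the same point: one DHCP server per subnet, or clients end up with duplicate addresses. The following added example (not code from the thread or from pfSense) shows how you would spot a second server from a capture of DHCPOFFER packets taken on a client port; the log format and all addresses in it are constructed for the example.

```python
"""Added example: detect a second DHCP server on a flat home subnet from a log
of DHCPOFFER packets. The log format is constructed for this example; it is
not pfSense's dhcpd log format."""
import re
from collections import defaultdict

OFFER_RE = re.compile(
    r"^(?P<ts>\S+)\s+DHCPOFFER\s+client=(?P<client>[0-9a-f:]{17})\s+"
    r"server=(?P<server>\d{1,3}(?:\.\d{1,3}){3})\s+offer=(?P<offer>\d{1,3}(?:\.\d{1,3}){3})$"
)

# Constructed sample: pfSense (192.168.99.1) is the intended server, but the
# old ISP router (192.168.99.2) still has its DHCP server on and answers too.
SAMPLE_LOG = """\
2024-03-01T09:00:01 DHCPOFFER client=aa:bb:cc:00:00:01 server=192.168.99.1 offer=192.168.99.101
2024-03-01T09:00:01 DHCPOFFER client=aa:bb:cc:00:00:01 server=192.168.99.2 offer=192.168.99.100
2024-03-01T09:05:12 DHCPOFFER client=aa:bb:cc:00:00:02 server=192.168.99.1 offer=192.168.99.102
2024-03-01T09:05:12 DHCPOFFER client=aa:bb:cc:00:00:02 server=192.168.99.2 offer=192.168.99.101
garbage line that does not parse
"""


def parse_offers(text):
    """Yield a dict per well-formed DHCPOFFER line; anything else is skipped."""
    for line in text.splitlines():
        m = OFFER_RE.match(line.strip())
        if m:
            yield m.groupdict()


def offering_servers(offers):
    """Map server address -> sorted list of client MACs it made offers to."""
    servers = defaultdict(set)
    for o in offers:
        servers[o["server"]].add(o["client"])
    return {s: sorted(c) for s, c in servers.items()}


def rogue_servers(text, expected_server):
    """Every server seen offering leases other than the one that should be alone."""
    return sorted(s for s in offering_servers(parse_offers(text)) if s != expected_server)


def conflicting_offers(text):
    """Addresses offered by more than one server: the duplicate-IP problem NOYB describes."""
    by_ip = defaultdict(set)
    for o in parse_offers(text):
        by_ip[o["offer"]].add(o["server"])
    return {ip: sorted(s) for ip, s in by_ip.items() if len(s) > 1}


if __name__ == "__main__":
    print("unexpected DHCP servers:", rogue_servers(SAMPLE_LOG, "192.168.99.1"))
    print("addresses offered by more than one server:", conflicting_offers(SAMPLE_LOG))
```

DHCP snooping on a managed switch, as almabes mentions, is the preventive control; this script is the detection side, run against a capture from a client port.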
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.