Should I use a stand-alone router or use pfSense as a firewall+router, + more Q's
-
Hello folks,
Firstly, I'm a newbie to networking in general, and pfSense (firewalls) in particular, so please excuse me if my questions seem dumb and very basic. I'm hoping to learn (from you experts), as I go along. I am reading/referring to a pfSense book, whilst also reading posts on this forum…but that will take me quite some time to finish.
In the meantime, I do have some questions on my very first pfSense build/installation, and I'd appreciate any and all feedback, suggestions etc, to help me accomplish what I'm trying to achieve.
To start off, I've provided an illustration of my network in the attached picture file named "MyNetworkSetup.jpg":
Note that my pfSense computer currently has 2 NICs (one on-board, and the other a PCI card). I also have one more free PCI slot, and one free PCIe slot. The WAN side cable is connected to the on-board NIC, and the LAN cable is connected to the PCI card, and on the other end to my Linksys E1000 router.
Question #1: is this a correct/acceptable implementation of pfSense? Could I do it differently (perhaps better)?
Question #2: Would it be advisable to do away with the router, and instead use the pfSense box (with a wireless PCIe card) to do the wireless routing? If doing so, I do realize that I would then be without the hardwired connections to the 2 computers and shared laser printer. If using a wireless card within the pfSense box is an option, I was thinking of going with a “TP-LINK N900 Wireless Dual-Band PCI-E Network Adapter Card (TL-WDN4800)”. Does anyone have any thoughts/suggestions on this card?
Question #3: Contrary to the above, if having/using a router with pfSense is better than using a wireless card within the pfSense box to perform the wireless routing, would it help to replace my main/primary DD-WRT-based Linksys E1000 router with an OpenWRT-based “TP-LINK 300Mbps Wireless N Gigabit Router (TL-WR1043ND)” router? Will this help in any way...other than getting gigabit wired ports vs fast ethernet ports?
Question #4: By implementing a pfSense firewall in-between my ISP modem and router are all my wireless devices protected i.e. are they all behind the firewall, and no hacker/war-dialer is then able to easily hack into my network using one of my many wireless SSIDs? I cannot seem to understand/visualize the fact that my wireless network is protected behind a firewall, since I can easily see the broadcasted SSIDs. I am most concerned about the RasPBX box, since I don’t want anyone hacking into that puppy and making free calls (for them), and me having to foot the bill. I was reading somewhere that it would be wise to keep a VOIP server (such as my RasPBX installation) on a separate network. Is that true, and what do I need to do in order to achieve that?
Question #5: I would also like to setup a DMZ, in order to have a Raspberry Pi-based web server hosting one or more of my websites. Would I need to have an additional NIC added to the pfSense box to accomplish this…or can I use a VLAN to get this done? The “StarTech 1-Port 10/100/1000Mbps PCI Ethernet Card - Model #: ST1000BT32” NIC that I currently have is capable of doing VLANs.
Question #6: Similar to the question above, I would also like to have a “Guest Network” setup, so that friends and non-family members can use that network, instead of my main network. Would I be doing this as well by means of a VLAN?
Question #7: Is there any reason for me to invest in a gigabit switch, and use it somehow/somewhere in my setup, to help achieve something or the other?
Question #8: In my current setup, the Linksys router is assigning the client IP addresses, and it's in the range of 192.168.1.2 to 192.168.1.254. Would it be better to disable the DHCP server in DD-WRT and have pfSense assign the IPs in a range of 10.x.x.x? Is there any benefit to doing that, or something different (from what I currently have)?
I have attached 4 other images as follows:
- "pfSenseSetupScreen.jpg": shows how my interfaces have been setup/assigned
- "Main Router - AP - Linksys E1000.png": shows the settings of DD-WRT on my primary router (Linksys E-1000)
- "LAN 10.png": shows the result of an "Advanced IP Scanner" search on IP addresses in the range 10.0.0.1 to 10.0.0.254 (and lists only the pfSense firewall, and my primary router)
- "LAN 192.png": shows the result of an "Advanced IP Scanner" search on IP addresses in the range 192.168.1.1 to 192.168.1.254 (and lists all of the clients - including client-bridged routers - to which the primary router has assigned an IP address)
Thanks guys....this will be a great start for me (if I can get the help, and answers to all of these questions).
Gerard
-
#1 what port of your Linksys is pfSense connected to?
#2 can be done, some people have had issues with wireless cards in pfSense so tend to go for a more robust wireless access point (WAP) instead. I personally am using my old D-Link router as an access point (DHCP off, connected to my gigabit switch using a LAN port on the router).
Like this (VERY simplified):
#3 see above.
#4 wireless is never truly secure, if you want security you go full wired and have no wireless at all. Thankfully this has become easier with power line adapters and MOCA bridges, however, better to run CAT5/6 cabling if you own your residence and plan to be there for a long time.
#5 DMZ is not required, simply create NAT and firewall rules to allow the traffic on the correct ports in and only to that device. If you want it to be physically separate from the rest of your network getting a multiport NIC is an excellent option, also VERY cheap used on eBay. I got my quad port NIC cheaper than I got my dual port NICs. Plus if the Pi is near the computer running pfSense you can power it off the computer's USB port.
#6 see above
#7 if you move a lot of large files around on your network (I certainly do, I sometimes move about 1TB between computers) then Gigabit will be a blessing for your wired devices. I got a 24 port Gigabit switch to increase my networking performance and to not have nested switches. Nested switches are technically a bad idea, but in a home environment you don't typically see much degradation as you're typically not moving max throughput between switches too often.
#8 two DHCP servers are a bad thing on a single network
-
Wow! Thanks METDeath, for your very detailed reply….much appreciated!
#1 - pfSense is connected (physically) to the WAN port of my Linksys...but in DD-WRT I have assigned that (WAN) port as another one of the regular ports (not sure if that makes a difference or not).
#2 - Okay...I'll try using a wireless card (which I've already ordered) and see how it goes. Worst case, I'll just return it and continue using my Linksys router (though it only has fast Ethernet ports). Do you have any recommendations for a good/reasonably priced gigabit switch?
#4 - I do own my residence (for 15 years now, and perhaps at least a few more to come)....and I would love to be able to run CAT5 cabling. The only problem is I don't know how to go about doing it i.e. how do I get the cables to run in-wall (across floors and rooms) without ripping out all the drywall!
#5 - I'm gonna have to take some time to digest this one i.e. NAT and firewall rules are quite a bit ahead of my current knowledge/skillset....but I'll keep it in mind and start learning up on it. Which multiport NIC would you suggest...a 4 port HP one perhaps? That's a great idea about powering the Pi using a computer USB port...I didn't think of that one before. Does a computer USB port provide 2 amps of power...because I do have quite a few things connected to the Pi?
#8 - I guess I'm gonna have to switch off DHCP on the Linksys router then. Is it possible to switch off DHCP on the pfSense box...and if yes, is it a good/better idea to do so?
Thanks again.
-
#1 assigning WAN to the LAN switch is solid.
#2 that all depends on your desired feature set. I use a 24 port dumb switch since I don't use VLANs, or PoE devices but have a large number of connections in the equipment rack that houses the majority of the gear for my apartment. I mostly just look at Newegg to find models and reviews then shop on Amazon or eBay to find that model.
#4 I mainly deal with commercial environments, however, for residential you typically go either up to the attic or down to the basement with the cables, tricky stuff that. You may want to consider the power line adapters, they use your existing electrical lines to transfer ethernet data. They work okay in houses with quality lines, they didn't perform very well in my apartment so I went with MOCA adapters that use COAX cable and provide more throughput in my instance.
#5 NAT is safer than DMZ since it's only the ports you route. The wiki should help with understanding setting those up, I only have one port open for my OpenVPN server running on my pfSense installation.
#8 the pfSense DHCP server would be the best choice as it is the firewall, plus on more robust hardware.
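As an added illustration (not something posted in the thread, and not the ruleset pfSense generates for you from its GUI), here is the policy discussed in #5, #6 and the RasPBX question written out in plain FreeBSD pf syntax, which is the packet filter underneath pfSense: port-forward only 80/443 to the Pi instead of a DMZ, and keep guest, web server and PBX on VLANs of the single LAN NIC that can reach the Internet but not each other or the LAN. Interface names, VLAN tags and addresses are assumptions.

```pf
# Constructed example in FreeBSD pf syntax; pfSense manages its own ruleset
# from the GUI, so treat this as a model of the intended policy, not as
# something to paste in. Interface names, VLAN tags and addresses are assumed.
ext_if   = "em0"       # WAN, on-board NIC
lan_if   = "re0"       # LAN, untagged on the PCI NIC
dmz_if   = "re0.20"    # VLAN 20 on the same NIC: Raspberry Pi web server
guest_if = "re0.30"    # VLAN 30: guest wireless
voip_if  = "re0.40"    # VLAN 40: RasPBX

lan_net   = "10.0.0.0/24"
dmz_net   = "10.0.20.0/24"
guest_net = "10.0.30.0/24"
voip_net  = "10.0.40.0/24"
pi_web    = "10.0.20.10"
table <private> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo0
block log all                                   # default deny, log the drops

# Outbound NAT for every internal segment
nat on $ext_if from { $lan_net, $dmz_net, $guest_net, $voip_net } to any -> ($ext_if)

# "DMZ" done as a port forward: only 80/443 from the Internet, only to the Pi
rdr on $ext_if proto tcp from any to ($ext_if) port { 80, 443 } -> $pi_web
pass in on $ext_if proto tcp from any to $pi_web port { 80, 443 } \
    flags S/SA synproxy state

# LAN is the trusted segment; it manages the Pi and the PBX
pass in on $lan_if from $lan_net to any

# Guest, DMZ and VoIP: DHCP and DNS from pfSense itself, then Internet only.
# The quick block keeps them off every other private network, LAN included.
pass in quick on { $guest_if, $dmz_if, $voip_if } inet proto udp \
    from any port 68 to any port 67                 # DHCP discover/request
pass in quick on $guest_if proto { tcp, udp } from $guest_net to ($guest_if) port 53
pass in quick on $dmz_if   proto { tcp, udp } from $dmz_net   to ($dmz_if)   port 53
pass in quick on $voip_if  proto { tcp, udp } from $voip_net  to ($voip_if)  port 53
block in quick on { $guest_if, $dmz_if, $voip_if } from any to <private>
pass in on $guest_if from $guest_net to any
pass in on $dmz_if   from $dmz_net   to any
pass in on $voip_if  from $voip_net  to any

# Policy is enforced on ingress; states are floating, so replies pass
pass out all keep state
```

In the pfSense GUI the same policy is the VLAN interfaces, one port forward for the Pi, and per-interface rules that block RFC1918 destinations before the allow-to-any rule.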
-
Thanks again, for your most recent comments….much appreciated! I will go ahead and implement your suggestions.
So, I just received the wireless card, stuck it in the pfSense box, and voila, it seems to get recognized pretty well. Other than assigning the interface to OPT2, I haven't done anything with it as yet (still have to figure out how to setup the pfSense box as a router).
Along with the wireless card I had also ordered a second "StarTech 1-Port 10/100/1000Mbps PCI Ethernet Card - Model #: ST1000BT32", which I also stuck into the pfSense box at the same time. Assigned OPT1 to this interface. The cost of each of these cards is approx. $15....so I've invested $30 for the 2 cards.
I know it's a cheaper option, but would it be wise to stick with these 2 cards (having spent just $30) versus purchasing a used HP 4-port card for $48 + tax + shipping (approx. $60) from eBay? In other words, would I ever need 5 gigabit ports (as opposed to just 3), and also bear in mind that these 2 single port cards are just PCI (not PCIe), whereas the used HP card is PCIe. Would that make a big difference, and would it therefore make more sense for me to pay more and just buy the 4-port card?