Pre-Installation queries



  • Hey! I've looked at running a pfSense box for a while. Sophos UTM delayed my decision but thinking pf is the way to go.

    Before I do install, I have a logistic question.

    First, the PC I'm using has a total of four ethernet ports via three NIC's.
    1x Intel dual port NIC
    2x Intel single port NICs

    My plan is to use one of the single-port NIC's for the WAN and the rest for LAN. Because I am also running a wireless network (router in AP which also has ethernet devices attached to it), would it be a good idea to bundle all the three remaining ports together as a LAN switch type thing? An ethernet switch is already going to be attached but that is pretty much full. So, eth0 would be WAN, eth1 to the Access Point and eth2 would plug into the switch that is the start of a bundle of switches. I assume a bridge between eth1 and eth2 would be okay (possibly eth3 for another LAN port)? If not, what would be the best option? (As I need to have access to the whole network - with it on the same subnet - from any PC, wired or wireless).

    In terms of spec, it's running an Intel Pentium processor (forgot what it is, but its an 1155) with 10GB RAM so its got a decent bit of horsepower.

    Thanks!



  • The short answer is:

    1. Understand pfSense is not a switch nor will it perform as well as a dedicated switch
    2. Make sure you understand the statement in 1)
    3. Goto 1)

    Other than that, you can use your extra NIC ports to divide your network into different subnets as required.
    Many people like to assign their WiFi to it's own subnet and assign Firewall rules to allow the traffic they want.
    Similarly things like cameras, servers, etc. can benefit from control as to how their subnets are accessed.

    If you want, you can simply tack everything onto one subnet and connect switches to your LAN NIC.
    If it's all on one subnet, pfSense won't get involved in device to device traffic, just what tries to get out and in from the WAN interface

    It's up to you how you want to design your network and if you want to control how traffic flows between subnets or not..

    Just remember: pfSense is not a switch (nor does it want to be).



  • That makes sense, divsys. I have a old router somewhere with Gigabit ports so that would be fine as a switch.

    With regard to having the wireless AP on a different subnet, (this may seem like a very stupid question) but would devices on the two different subnets be able to access each other? For example, my laptop accessing the storage machine etc? So would I simply be able to (as I already do with my Nighthawk) simply go to \StorageS1 and for it to work irrespective of wired or wireless?

    Going to install pfSense soon over Sophos UTM in a bit (minor niggles around internal hostnames and DNS annoying me about it) so yes.



  • I don't think so by default,  but you can set rules up to allow the talking between subnets.



  • In the end having pfSense in the middle of different LAN subnets (LAN1, LAN2, LAN3, etc.) is both more work and more control.

    The simplest solution to make sure everything on LAN1 can talk to everything on LAN2 and vice versa is to add a rule on LAN1 that allows "All to Any".
    Put a similar rule on LAN2 and bingo! both LANs can talk to each other.

    That approach is also the least secure (although common enough) approach to controlling your traffic.
    It's a good place to start because it gives that wonderful gratification of plugging all the wires in and being able to stream a movie from your media server to your phone app across WiFi - "look Ma, no hands and it works!"

    Once you look around at other installations, you may get the idea that perhaps a list of valid IP's is better than just "everyone".
    That might lead to thinking about using Static IP addresses in your DHCP, so you can specify whose actually connecting to your WiFi.
    That might lead to wondering if all users need access to storage as well as internet, should you lock your friends out of your storage, but let them use the WiFi?
    That might lead - but you get the idea.

    In general it sounds like you have enough pieces to get started and have at least given it a little thought.
    Try your first implementation and let us know how it goes.

    People here are always willing to help if you try and hit a roadblock - as long as you try first…....



  • pfSense is installed and running. However, it was done at 3am last night (when no one is using the network) when quite sleepy. To get everything working right now, I have simply put everything through a switch for now - no different subnets for the WLAN. Switch upgrade arriving in a few hours so I may just leave the WLAN on the same subnet. Until the tweaking bug gets to me.

    I have a bit of a problem, however. Someone might have some experience on what is going on here.

    On a moderate piece of hardware, I run Server 2012 R2 (that is, unfortunately, a domain controller) and inside that, a Hyper-V VM runs another instance of 2012R2 that has Exchange 2013 running.

    Since it might not be a good idea to put the real domain out there, the domain I'll use here is example.co.uk. So, the main domain controller (which doubles as the storage server on the network) has a FQDN of storageS1.example.co.uk. The Exchange VM is at exchangeserver.example.co.uk.

    Before, using my Nighthawk, I could literally just go to \StorageS1 or \exchangeserver and access it. I can't do the same now. However, when accessing the servers using the full FQDN (\storages1.example.co.uk or \exchangeserver.example.co.uk) it shows a login box but entering ANY credentials does not allow access - see attached. But, I can use the IP address to access them fine.

    To be clear, my workstation on \hpedesktop can be accessed perfectly fine, as before. It is only the domain'ed machines.

    Could this be because I put the example.co.uk domain into pfSense as the domain? Or is this a DNS issue?




  • Further to above, now I cannot ping my workstation either (HPEDESKTOP)

    C:\Users\amanh>ping hpedesktop

    Pinging HPEDESKTOP [fe80::45f4:6633:1899:fee4%13] with 32 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.

    Ping statistics for fe80::45f4:6633:1899:fee4%13:
        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

    Next stop: alternate DNS config (Forwarder rather than Resolver)

    Okay so, update. DNS changed from resolver to forwarder.

    I can now access my workstation. Had to change DNS Suffix. BUT the problem accessing \storages1 remains. To be clear, \storages1 is part of the example.co.uk domain so if I can access my workstation, why is it impossible to access the storage server?



  • Didn't read all your answers in detail as I'm running out the door, but I did glance at a reference to Win 2012 running your domain.
    With Win servers and AD you end up having to use the Win server DNS or the universe as Microsoft knows it begins to end.

    If I remember correctly, you can simply make an entry in DNS forwarder (or resolver) to pass on all DNS requests for your local domain to the Win server.

    I'll check back later tonight and see if I can't remember in more detail (or you could do a hunt on the forums for AD, DNS, entries. I'm sure there's a bunch).



  • Yes, in DNS Forwarder or Resolver you add a Domain Override to point your domain name to the Windows Server that has the DNS for the domain.

    In the end, you will probably need all Windows systems that are in the domain to use the Windows Server as their DNS server, and the Windows Server DNS will point upstream to pfSense DNS for out-of-domain name resolution.

    Other clients in your network (Linux…) can use pfSense for their DNS and will resolve names in the Windows Domain because of the Domain Override.



  • Only two 'machines' (as in one physical server, one VM) are on the domain - the main server(file server) and the email server are part of the example.co.uk domain. None of the other machines are part of this domain. They're all on a Workgroup.

    Is it henceforth worth setting the main server and email server DNS addresses as 127.0.0.1 and then adding the IP of the pfSense to the Windows DNS as a forward? Since it is only two of the machines on the domain?

    EDIT: I have now proceeded to, in stupidity, lock myself out of pfSense thanks to setting a HTTPS port forward on the LAN interface instead of WAN. Might be a while until I figure out how to fix this

    EDIT 2: So, I've tried the Domain Override out with the domain machines using the main server's DNS. It is still being a pain. Bit of an observation (no idea if this is something everyone knows or whatnot but here goes)
    The main server has a quad gigabit PCIE card with a single ethernet integrated. The IP for it is 192.168.1.100, the exchange server is at .150. I plugged in another ethernet cable (so there is three in total, but one is totally separate for the VM). DHCP assigned 192.168.1.17 AND allows me to access it by \StorageS1.

    I am assuming the router picks up on the hostname for the server when it assigns it an IP address via DHCP? If so, why isn't the same behaviour replicated when DNS sees that, on the LAN adapter, the IP has been set to 192.168.1.100 and the machine is called StorageS1?



  • Systems in the domain, when they receive an IP address from DHCP (wherever the DHCP comes from) should then go to their DNS server (the domain DNS server that is running on Windows Server) and register/update their DNS entry.
    Then that will be noticed by pfSense because of the Domain Override entry, once any previous cached value in pfSense DNS Forwarder has times out.

    Maybe the trick is that, when ths system gets DHCP, the DHCP server needs to feed it a DNS server address that is the address of the Windows Server. You could do that in pfSense DHCP with a static DHCP entry.



  • Thanks to tree-cutting duties bestowed upon me, I literally have had no energy to tamper with the pfSense box or the clients using them for a bit. Found some time tonight/early morning to see if this has worked.

    It seems it has! Seems being the important word.

    I was meaning to set up Hyper-V on my Workstation with a fresh copy of Windows 10 running as a simple sandbox for things. I took this opportunity to set it up fresh and see if the network tampering had done it.

    The VM was allowed to obtain its IP and DNS server via DHCP - I didn't intervene to change settings at all.

    Implementing your (Phil's) suggestion with regard to sticking in a single static DHCP entry and then trying to access everything from the new VM showed me that everything was working. I could access \StorageS1 and \ExchangeServer as is (no need for the example.co.uk domain suffix to be appended) and using ipconfig was showing that a Connection-specific DNS suffix of example.co.uk was being sent out to machines.

    Changing the IP of the JetDirect print server from 192.168.1.202 to 192.168.1.217 and accessing it straight away from the new VM using its hostname (http://HP_JetDirect - creative hostname, I am aware(!)) allowed it to resolve correctly to 192.168.1.217 whilst the workstation (which is host to the VM) was unable to resolve it after a ipconfig /flushdns command.

    The reason I said 'seems' earlier? It's the pessimist in me - I thought that it may have been owing to the way Hyper-V dealt with name resolution and (possibly) pulling it from the host's built up DNS cache. Seems not, though. However, since on the workstation, I have the DNS suffix manually appended, it introduces another variable into the test. We shall see.

    To be absolutely sure, I may find a spare NIC, shove it in the machine and have the VM use its own dedicated network port rather than share with the host, or use a machine with a fresh install of Windows. Alas, not a job for 1:30am so thats pushed to tomorrows agenda.