Need Advice: PFSense with Two Wifi Routers (1 VPN / 1 Non VPN)
-
I am a CS student and enjoy tinkering; however, compared to most here I would probably be classified as a novice, especially in networking. As part of self-learning, I am in the process of creating a pfSense firewall for my home network. I would like some advice on layout from networking and pfSense gurus out there if possible.
At this time I have two ASUS AC1900 routers. Router1 is connected directly to my Fios via ethernet (no Fios modem, since I have an ethernet-enabled connection). This router creates an ISP-based connection for devices and appliances in my house. Router2 is connected to Router1 (LAN to WAN) with DHCP enabled, so it acts as a second network. This second network (Router2) is VPNed through AirVPN.
Depending on which network I connect the client devices to, I get the benefit of both the US and VPNed networks. I haven't had any issues with double NATing so far.
I am creating a small pfSense box as a firewall and will probably install Snort on it once I am comfortable with pfSense. I am not sure how to deploy this firewall so I can maintain the VPN/non-VPN functions with the benefit of having a firewall, and would appreciate advice.
I plan to use my two routers for Wifi, via LAN/OPT1 on the pfSense box. If I let one of the routers handle the VPN as it does now, will the pfSense box be able to conduct deep packet inspection on the VPN packets? If not, how best to set it up? What are the advantages (or disadvantages) of letting pfSense handle the VPN vs the router?
I am aware that pfSense can be configured to be an (Open)VPN client - is it possible to have VPN on one LAN but have another without VPN?
Any and all pointers are very welcome.
-
My initial suggestion would be to put the pfSense box as your initial firewall/router replacing the existing "Router1".
pfSense is fully capable of merging all the functions you've described into one appliance. The only thing you may need to determine is whether you have enough physical NICs in the box or whether you'll need to explore a VLAN setup to allow for enough interfaces.
All the isolation/separation/network control issues you're describing are one of the main reasons pfSense shines in this scenario.
Not the least because you should be able to eliminate all the potential double NAT issues pretty easily.
-
Thanks divsys. You confirmed my initial impression.
I do plan to run it (at least initially) as a firewall, connected directly to the incoming Ethernet connection. The device that I will be installing pfSense on tonight has 4 NICs, so I plan to enable at least 2 of the 3 available LAN/OPT ports, to which I will connect Router 1 & 2 for VPN & non-VPN. (Device from Amazon: https://www.amazon.com/dp/B019Z8T9J0/ with 8GB RAM and 60GB SSD)
Now my question is: do I need to use one of the routers for VPN (router-based VPN), or can pfSense enable VPN on just one LAN port and keep the other without VPN?
In case, through pfSense, my only option is to either have VPN on all available LAN ports or not have it at all, then I will opt to not have it at all and let one of the routers handle VPN - however, in this case, my question is: can pfSense do deep packet inspection on the VPN tunnel created by the router?
More questions later…
Thanks!
-
Now my question is that do I need to use one of the routers for VPN (Router based VPN) or can pfSense enable VPN on just one LAN port and keep the other w/o VPN
From your previous post, by VPN I take it you mean "connect to AirVPN for a 'protected' internet connection" rather than provide a secure connection to your local network for remote clients (pfSense can do both).
For this type of setup, pfSense becomes a Client to AirVPN and then that connection becomes a gateway for other interfaces.
I would strongly suggest you try and adhere to the KISS principle and keep this setup down to 1 firewall/router (namely pfSense by itself) until you have the kinks worked out.
Trying to manage the settings for two or more devices routing this data is likely to create more problems than it solves.
pfSense is fully capable of handling this problem.
I suspect in the long run the other routers will be relegated to basic WiFi APs in your network. For details on setting up AirVPN w/pfSense do a quick search on the forums/Google, I'm sure you'll find a ton of options.
Start small and build, we'll be happy to help where we can - welcome to pfSense :D
-
Thanks again divsys.
You assumed correctly regarding VPN (Protected internet for now).
Here is my simple initial setup based on your advice.
                                         | <--> AP1 (Non VPN)
    Incoming Internet <--> pfSense Firewall |
                                         | <--> AP2 (VPN)
Additionally, for installation and setup guidance, I am using this video guide by Mark Furneaux: https://www.youtube.com/watch?v=rgupXMlz3is
-
Probably the easiest way to set this up under pfSense is to allocate separate subnets for AP1 and AP2 and perhaps even your wired LAN devices.
For e.g. you could create separate interfaces:
    Interface  Subnet            Descr
    LAN        192.168.10.0/24   General wired internet devices, no VPN required.
    APLAN1     192.168.11.0/24   Wifi devices, no VPN required
                                 (This could simply be put on the LAN subnet if desired, saving one interface.)
    APLAN2     192.168.100.0/24  Wifi devices, VPN required
                                 (You could also add a switch here and connect wired VPN-required devices.)
You'll notice I've suggested using subnets that are NOT 192.168.0.x/192.168.1.x, that'll potentially save grief if and when you do external OpenVPN clients (/soapbox)
Segregating the networks early in your setup will make it simpler when you start setting up rules to decide who gets what, where, and when.
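To make concrete how "pfSense becomes a client to AirVPN and then that connection becomes a gateway for other interfaces" fits together with the per-interface subnets above, here is an illustrative pf ruleset written for this thread. It is not pfSense's generated ruleset and not anything divsys posted; in pfSense you express the same thing through Interfaces, Firewall > NAT > Outbound and Firewall > Rules, and pfSense writes the pf rules for you. The NIC names (em0 to em3), the tunnel interface name ovpnc1 and the tunnel gateway 10.8.0.1 are assumed placeholders.

```pf
# Illustrative pf ruleset for the subnet plan above (constructed for this
# thread, not generated by pfSense). All macro values are assumptions:
# adjust to your NICs and to the gateway AirVPN hands your OpenVPN client.
wan_if    = "em0"        # Incoming Internet (Fios ethernet)
lan_if    = "em1"        # LAN    192.168.10.0/24   wired, no VPN
aplan1_if = "em2"        # APLAN1 192.168.11.0/24   AP1 wifi, no VPN
aplan2_if = "em3"        # APLAN2 192.168.100.0/24  AP2 wifi, VPN only
vpn_if    = "ovpnc1"     # OpenVPN client tunnel to AirVPN (assumed name)
vpn_gw    = "10.8.0.1"   # assumed tunnel gateway pushed by the VPN server

set skip on lo0

# Translation: the non-VPN subnets are NATed out of the WAN, the VPN subnet is
# NATed out of the tunnel (pfSense: Firewall > NAT > Outbound, one rule each).
nat on $wan_if inet from { $lan_if:network, $aplan1_if:network } to any -> ($wan_if)
nat on $vpn_if inet from $aplan2_if:network to any -> ($vpn_if)

# Default deny, then permit per interface.
block log all

# LAN and APLAN1 follow the normal routing table, i.e. the WAN default route.
pass in quick on { $lan_if, $aplan1_if } inet from any to any keep state

# APLAN2 is policy-routed into the tunnel instead of the default route. Every
# state this rule creates is tagged so its packets can be recognised later.
pass in quick on $aplan2_if inet from $aplan2_if:network to any \
    route-to ($vpn_if $vpn_gw) keep state tag VPN_ONLY

# Leak guard: if the tunnel is down and APLAN2 traffic falls back to the
# routing table, it must never leave via the WAN. Matching on the tag rather
# than on the source subnet is deliberate, because outbound NAT has already
# rewritten the source address by the time an "out" rule on WAN is evaluated.
block out quick on $wan_if tagged VPN_ONLY

# Replies and locally originated traffic may leave on the WAN and on the tunnel.
pass out quick on { $wan_if, $vpn_if } inet keep state
```

The two rules that answer the "VPN on one LAN only" question are the route-to rule on APLAN2 and the second NAT rule; LAN and APLAN1 never touch the tunnel. The tagged block rule is the part worth keeping even if you build everything in the GUI (a floating rule on WAN, direction out, matching the tag set on the APLAN2 pass rule), since without it a tunnel outage silently sends the "VPN" wifi out the plain ISP connection. pfSense also has a system option, "Skip rules when gateway is down" under System > Advanced > Miscellaneous, that stops it from creating the APLAN2 pass rule at all while the VPN gateway is down; combining both is the usual belt-and-braces approach.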
-
Thanks again divsys. Noted! :) I was in half a mind to only enable one LAN port from pfSense box and then use a switch for Router1&2 but I think this is a better method.
This is definitely helpful for the longer term / learning.
-
Glad it's making <ahem>pfSense (lame I know….) ;)
Seriously, drop back in anytime.
This is definitely one of my favourite forums due to the sheer bulk of good information.
You just need to do a little investigation to ask the right questions and we'll get you on your way.
-
I have one other question: Installed pfSense today and for the most part everything went smooth, however I did not configure the WAN or LAN yet. My question is that can everything be setup without connecting the pfSense box to the internet?
At this time, until I am comfortable with pfSense to a small extent, I would prefer not to disrupt our current internet connection. Additionally, I may have to wait a couple of hours after disconnecting the current internet router for the lease to expire…
Is it possible to setup/configure without being connected to the internet/WAN?
-
Sure, you can configure the box from a pc connected to the LAN interface by logging into the WebGUI.
If you installed your LAN interface at 192.168.10.1 then you just enter that address in a web browser on an attached PC and you should get the Web login page.
Check out: https://doc.pfsense.org/index.php/Installing_pfSense#Post-Install_Tasks
The docs pages are a good source of getting started info.