Considering using pfSense.. is this possible / feasible ?



  • Hi.

    I'm thinking of buying a fanless PC with 4 LAN ports, 8GB RAM and a 64GB SSD. Either based on the J1900 or 3215u CPU. Can you advise if what I'd like to do is possible ?

    Currently network is:

    FIBRE 80/20 -> OpenReach Modem -> Asus Router -> Netgear Prosafe switch doing port based VLANs (home/office)
    The Asus offers wifi and guest wifi which doesn't have access to the LAN.

    I'm thinking of doing:
    FIBRE 80/20 -> OpenReach Modem -> pfSense -> Netgear Prosafe switch doing port based VLANs (home/office)

    I'd use NIC1 for WAN, NIC2 for the connection to the Netgear and leave that doing the port based VLANs,
    NIC3 to an access point for home wifi and NIC4 for a guest wifi ?

    Would this work ? Can NIC4 be restricted to block all internal access, but allow them access to the Internet ?

    I currently have various port forwards set up on the router for SIP, RTP, FTP etc. I'd like to expand that so it's only from specific addresses, not open to anyone as it is now.
    I also need the ability to have one VPN user connect and have access to one specific device on the LAN and nothing else.

    Can the above be done ?
    Is there a better way of doing it ?
    Is the hardware I'm looking at OK ? J1900 or 3215u ?

    Thanks
    Tom


  • Netgate

    Should be no problem.



  • Great..

    Is that a sensible way to do it or is there a better way ?

    How about the hardware ? is there a preference on the CPU ?

    I'm running a home / work LAN with around 40 devices.

    Regards


  • Netgate Administrator

    I have a very similar setup here, I have two Openreach modems load balancing though. That will work fine.

    The J1900 should be fine for that, though obviously I encourage you to check out our own hardware.  ;)

    The 3215u has a far higher single thread rating so will give better VPN throughput for example. Both will easily hit 80Mbps though (traffic depending).

    Steve



  • Thanks for the replies.

    Just wondering if it's possible to get away without 2 Wireless Access points.
    If I connect a single access point to NIC3, can pfSense allow all LAN & Internet access to specific devices based on MAC & IP address, but other clients only have Internet access ?

    Also, once pfSense is installed how secure is it to start with ? Does it start off locked down and I have to open up what I need, or does it start open and I have to lock it down ?

    Thanks


  • Netgate

    @TomT:

    Thanks for the replies.

    Just wondering if it's possible to get away without 2 Wireless Access points.
    If I connect a single access point to NIC3, can pfSense allow all LAN & Internet access to specific devices based on MAC & IP address, but other clients only have Internet access ?

    One access point can do it if it is a decent one that can tag different wireless networks to different VLANs. To do that securely you really want two different network segments.

    Also, once pfSense is installed how secure is it to start with ? Does it start off locked down and I have to open up what I need, or does it start open and I have to lock it down ?

    Completely closed to traffic originated from WAN.  Completely open to traffic originated from LAN.
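
pfSense generates its ruleset from the GUI, but the policy Tom asked for (guest NIC isolated from the internal segments, LAN open, WAN closed, a port forward limited to one source) can be expressed directly in FreeBSD pf syntax. The ruleset below is an added illustration, not from the thread or from Netgate; the interface names, the PBX address and the SIP peer address are assumed.

```pf
# Added example: hand-written pf ruleset equivalent to the pfSense policy
# discussed above. Interface names are assumed (igb0..igb3 = NIC1..NIC4).
wan   = "igb0"   # NIC1, towards the Openreach modem
lan   = "igb1"   # NIC2, Netgear switch (home/office port-based VLANs)
home  = "igb2"   # NIC3, home wifi access point
guest = "igb3"   # NIC4, guest wifi access point

# RFC1918 ranges: everything "internal" from the guest segment's viewpoint
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
# Constructed sample value: the one remote SIP provider allowed in
table <sip_peers> const { 203.0.113.10 }

# Port forward restricted to a source: only <sip_peers> may reach the PBX
# (192.168.1.50 is an assumed internal address)
rdr on $wan proto udp from <sip_peers> to ($wan) port 5060 -> 192.168.1.50 port 5060

set skip on lo0
block log all                 # default deny: matches pfSense's closed WAN
pass out all                  # the firewall itself may originate traffic

# WAN: nothing in except what the rdr above translated
pass in on $wan proto udp from <sip_peers> to 192.168.1.50 port 5060

# LAN and home wifi: open, like pfSense's default "LAN net -> any" rule
pass in on $lan  from $lan:network  to any
pass in on $home from $home:network to any

# Guest wifi: DHCP and DNS to the firewall itself, no other internal
# destination, then anything on the Internet
pass in on $guest proto udp from $guest:network to ($guest) port { 67, 53 }
pass in on $guest proto tcp from $guest:network to ($guest) port 53
block in log on $guest from $guest:network to <rfc1918>
pass in on $guest from $guest:network to ! <rfc1918>
```

In the pfSense GUI the same guest policy is one block rule to an RFC1918 alias followed by an allow-any rule on the guest interface, with the logged block giving a quick way to spot guest clients probing the office segment.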



  • Thanks for the reply.

    I'll take a look at different access points.

    I had hoped to reuse an old wifi router as an access point and see if pfSense could do it via the connected device's MAC address.


  • Netgate Administrator

    If that old router can run openwrt/dd-wrt you might be able to have it run multiple SSIDs over VLANs.

    Steve