FIOS - WAN G1100 - pfSense - dd-wrt



  • With the help of Paint's thread on how to configure pfSense to mimic the Verizon G1100, I have gotten my pfSense box semi-working. I have applied the settings to my pfSense box, but for some reason I'm still getting around 340 Mbps down from DSLReports when the connection list is as follows:

    ONT -> pfSense (Dell R210) -> DD-WRT (ASUS RT-N16) -> Nerdcave PC

    I decided to look into iPerf and get the following speeds internally:

    pfSense -> DD-WRT -> Nerdcave: 339Mbps
    pfSense -> DD-WRT -> Garage: 316Mbps
    Garage  -> DD-WRT -> Nerdcave: 906Mbps
    pfSense -> Nerdcave: 932Mbps
    pfSense -> Garage: 941Mbps
    Garage  -> Nerdcave: 911Mbps

    So there seems to be an issue with the pfSense box connecting to the DD-WRT router. As far as I can remember, my speeds to DSLReport are around 340Mbps when I have my Nerdcave PC plugged directly into the LAN of my pfSense box as well. I don't have time to look into this right now, but I will edit this if I end up getting it working.

    EDIT: I took a shower and was thinking about it. I had pfSense plugged into the WAN on the router, but had the WAN set to act like a LAN. I thought maybe the NIC for the WAN wasn't good enough. Plugged it into a LAN and got the following:

These are the results with the only change being the LAN of pfSense is plugged into the WAN of the router instead of the LAN:

Still have to figure out why it's only 600Mbps though. There was a high bufferbloat on the 600Mbps one and next to none on the 300Mbps one.
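The iperf numbers above can be turned into a bottleneck localization rather than read by eye. The following is an added example, not code from the thread or from pfSense/DD-WRT: every link on a measured path must carry at least the throughput seen on that path, so the best result observed across each link is a lower bound on that link's capacity, and the link whose bound is far below the others is the suspect. The hop names and the figures are the ones quoted in the post; the threshold ratio is an assumption.

```python
# Added example (not from the thread): localize a throughput bottleneck from
# end-to-end iperf results. Each path measurement is a lower bound on the
# capacity of every link along that path; the smallest such bound marks the
# link most likely to be the problem.
from collections import defaultdict

# Measurements quoted from the post, in Mbps (path given as a hop list).
MEASUREMENTS = [
    (["pfSense", "DD-WRT", "Nerdcave"], 339),
    (["pfSense", "DD-WRT", "Garage"], 316),
    (["Garage", "DD-WRT", "Nerdcave"], 906),
    (["pfSense", "Nerdcave"], 932),
    (["pfSense", "Garage"], 941),
    (["Garage", "Nerdcave"], 911),
]


def link_key(a, b):
    """Treat links as undirected: pfSense<->DD-WRT is a single link."""
    return tuple(sorted((a, b)))


def links_on_path(path):
    """Expand a hop list into the links it traverses."""
    return [link_key(path[i], path[i + 1]) for i in range(len(path) - 1)]


def link_capacity_bounds(measurements):
    """Return {link: best throughput ever observed through that link}."""
    bounds = defaultdict(int)
    for path, mbps in measurements:
        for link in links_on_path(path):
            bounds[link] = max(bounds[link], mbps)
    return dict(bounds)


def suspect_links(measurements, threshold_ratio=0.5):
    """Links whose best observed throughput is below threshold_ratio of the
    fastest link's bound (assumed cut-off). Returns (link, mbps) pairs,
    slowest first."""
    bounds = link_capacity_bounds(measurements)
    fastest = max(bounds.values())
    slow = [(link, mbps) for link, mbps in bounds.items()
            if mbps < threshold_ratio * fastest]
    return sorted(slow, key=lambda pair: pair[1])


if __name__ == "__main__":
    for link, mbps in suspect_links(MEASUREMENTS):
        print(f"suspect link {link[0]} <-> {link[1]}: best observed {mbps} Mbps")
```

On the figures in the post this singles out the pfSense <-> DD-WRT link (best observed 339 Mbps against 906+ Mbps everywhere else). The method only localizes the link; it cannot tell a bad cable or NIC from a port that is serviced by the router's CPU instead of its switch fabric, which is the distinction the rest of the thread turns on.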



  • @bamhm182:

    Thanks for the update, Paint! I have applied the settings to my pfSense box, but for some reason I'm still getting around 340 Mbps down from DSLReports when the connection list is as follows:

    ONT -> pfSense (Dell R210) -> DD-WRT (ASUS RT-N16) -> Nerdcave PC

    I decided to look into iPerf and get the following speeds internally:

    pfSense -> DD-WRT -> Nerdcave: 339Mbps
    pfSense -> DD-WRT -> Garage: 316Mbps
    Garage  -> DD-WRT -> Nerdcave: 906Mbps
    pfSense -> Nerdcave: 932Mbps
    pfSense -> Garage: 941Mbps
    Garage  -> Nerdcave: 911Mbps

    So there seems to be an issue with the pfSense box connecting to the DD-WRT router. As far as I can remember, my speeds to DSLReport are around 340Mbps when I have my Nerdcave PC plugged directly into the LAN of my pfSense box as well. I don't have time to look into this right now, but I will edit this if I end up getting it working.

    EDIT: I took a shower and was thinking about it. I had pfSense plugged into the WAN on the router, but had the WAN set to act like a LAN. I thought maybe the NIC for the WAN wasn't good enough. Plugged it into a LAN and got the following:

These are the results with the only change being the LAN of pfSense is plugged into the WAN of the router instead of the LAN:

Still have to figure out why it's only 600Mbps though. There was a high bufferbloat on the 600Mbps one and next to none on the 300Mbps one.

The Asus RT-N16 running DD-WRT is the bottleneck. This router/wireless access point is a single-band N router (1x1) with a slow single-core CPU (480 MHz). Given the performance tests from DD-WRT (http://www.dd-wrt.com/wiki/index.php/Asus_RT-N16#Performance), you are experiencing the theoretical maximum of routing power for the RT-N16.

I don't agree with your setup - as from my interpretation of your post, you have both your pfSense and DD-WRT acting as a router. Instead, please reconfigure the RT-N16 DD-WRT setup to be a Wireless Access Point only. Please follow the Long version of these instructions exactly (a factory reset is required): https://www.dd-wrt.com/wiki/index.php/Wireless_Access_Point



Sorry for the lack of clarity. The DD-WRT router is only configured as a WAP and DHCP forwarder. I agree that it is most likely the bottleneck. I plan on buying a new wireless router soon™. I've heard good things about Ubiquiti, so I'll probably look into them. For the meantime, I'm getting a quad port Intel NIC to toss in my R210 which should eliminate the need to have anything physically plugged into the DD-WRT AP.



  • @bamhm182:

Sorry for the lack of clarity. The DD-WRT router is only configured as a WAP and DHCP forwarder. I agree that it is most likely the bottleneck. I plan on buying a new wireless router soon™. I've heard good things about Ubiquiti, so I'll probably look into them. For the meantime, I'm getting a quad port Intel NIC to toss in my R210 which should eliminate the need to have anything physically plugged into the DD-WRT AP.

Are you using a switch? You should not use an ethernet port in Bridge mode instead of a switch.



  • Found a networking diagram creator and made a crude drawing of what I intend to do now that I have enough ports on my pfSense box. I have 6 ports on my pfSense box, one will be used for the WAN, two will have my computers directly plugged into it, two will have my unRAID box with traffic split between what I want on a VPN and what I don't, and one will go to a LAN port of my DD-WRT router that is configured to be an AP just as your link recommends.




Please get a cheap switch off of eBay/Amazon, doesn't need to be managed. A switch works better than bridging a NIC. Ubiquiti is pretty good, I've heard very good things about their APs.



  • @bamhm182:

    Found a networking diagram creator and made a crude drawing of what I intend to do now that I have enough ports on my pfSense box. I have 6 ports on my pfSense box, one will be used for the WAN, two will have my computers directly plugged into it, two will have my unRAID box with traffic split between what I want on a VPN and what I don't, and one will go to a LAN port of my DD-WRT router that is configured to be an AP just as your link recommends.

    The 4 ports on your pfSense box are NOT like a switch and should not be bridged. In your setup, you would need two ports on your pfSense box - one for WAN, and one for LAN. The WAN goes into your upstream connection and the LAN port goes into a switch. Lastly, each of your other devices should be plugged into the switch.

    In short, your diagram is exactly correct EXCEPT there needs to be a switch between your pfSense machine and the rest of your LAN.



  • I don't understand what is so bad about using all 6 ports of my pfSense box in place of using 2 ports and a switch. Is the issue that I plan on having 3 of the NICs serve the same VLAN? I plan on having one VLAN pretty much closed off for my internal network devices (Garage, Nerdcave, WAP NICs), one VLAN for OpenVPN, and one VLAN for hosting a few external websites. It makes sense in my mind that I would at very least want to use 4 of the 6 NICs; WAN, LAN, LAN-VPN, LAN-DMZ. Am I wrong in my thinking?



  • @bamhm182:

    I don't understand what is so bad about using all 6 ports of my pfSense box in place of using 2 ports and a switch. Is the issue that I plan on having 3 of the NICs serve the same VLAN? I plan on having one VLAN pretty much closed off for my internal network devices (Garage, Nerdcave, WAP NICs), one VLAN for OpenVPN, and one VLAN for hosting a few external websites. It makes sense in my mind that I would at very least want to use 4 of the 6 NICs; WAN, LAN, LAN-VPN, LAN-DMZ. Am I wrong in my thinking?

No, that's not why. Each port in your pfSense box is acting like a router, not a switch. Please do some of your own research.

    https://www.google.com/search?site=&source=hp&ei=pkIWWbfVPIn-jwTIxbqgBg&q=bridge+vs+switch+vs+hub



  • So the problem is that my networking is overkill then. I'm fine with that. I'm using an enterprise level server, albeit an old one, to manage a small home network. What isn't overkill about that already?

    The reason I wanted to use pfSense in the first place was to learn a little more about networking and get some more control over my network in the meantime. The current setup I have gives me the opportunity to play around with a network that is much more complex than everything plugged into a single router. If that results in me doing things "wrong" from time to time while I'm still learning, well I'll call that an acceptable loss.

    Thanks for the information, though.

    EDIT: This guy explains another reason to have this infrastructure set up a bit more elegantly: http://dotbalm.org/a-technical-professionals-home-network/

    The shape of the network is driven by my particular situation with my available resources in mind. I’m a fan of segmentation, which is really just an extension of the principle of least privilege as applied to networking. Thus the firewall ends up doing some internal routing and security segmentation duties which would normally be delegated to core routing infrastructure in a large organization. But since this is just a humble home network, my firewall will not be a substantial bottleneck for any traffic which will need to traverse it.
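The quoted paragraph describes segmentation as least privilege applied to networking, and the post above it sketches the segments (WAN, LAN, LAN-VPN, LAN-DMZ). As an added example, not code from the thread, from the linked article or from pfSense, the block below models that layout as a default-deny policy between segments and audits it for the two invariants a DMZ design should hold. The segment names come from the post; the individual rules, ports and the `audit` invariants are assumptions chosen to illustrate the idea, not the poster's actual rule set.

```python
# Added example (not from the thread or pfSense): a minimal model of a
# segmented home network with an implicit deny between segments, plus an
# audit for the invariants a DMZ layout is supposed to keep. Handy for
# reasoning about a rule set before typing it into the firewall.
from dataclasses import dataclass

ANY_PORT = frozenset({"*"})
SEGMENTS = {"WAN", "LAN", "LAN-VPN", "LAN-DMZ"}   # names from the post


@dataclass(frozen=True)
class Rule:
    src: str            # originating segment
    dst: str            # destination segment
    ports: frozenset    # allowed destination TCP ports, or ANY_PORT
    note: str = ""


# Hypothetical policy: the trusted LAN may reach everything; VPN clients only
# reach the LAN services they need; the DMZ accepts web traffic from anywhere
# but may never initiate towards the trusted LAN.
RULES = [
    Rule("LAN", "WAN", ANY_PORT, "internet access"),
    Rule("LAN", "LAN-DMZ", ANY_PORT, "administer the web hosts"),
    Rule("LAN", "LAN-VPN", ANY_PORT),
    Rule("LAN-VPN", "LAN", frozenset({22, 445}), "ssh and file share only"),
    Rule("LAN-VPN", "WAN", ANY_PORT),
    Rule("WAN", "LAN-DMZ", frozenset({80, 443}), "published websites"),
    Rule("LAN-DMZ", "WAN", frozenset({80, 443}), "package updates"),
]


def allowed(src, dst, port, rules=RULES):
    """First-match evaluation with an implicit deny: a flow no rule covers is
    blocked, which is what 'segmentation as least privilege' amounts to."""
    if src not in SEGMENTS or dst not in SEGMENTS:
        raise ValueError(f"unknown segment in {src} -> {dst}")
    if src == dst:
        return True  # intra-segment traffic never crosses the firewall
    for r in rules:
        if r.src == src and r.dst == dst and ("*" in r.ports or port in r.ports):
            return True
    return False


def audit(rules=RULES):
    """Flag rules that break two invariants of a DMZ design (assumed here):
    nothing in the DMZ may initiate towards the internal segments, and
    nothing from WAN may reach anything but the DMZ."""
    findings = []
    for r in rules:
        if r.src == "LAN-DMZ" and r.dst in ("LAN", "LAN-VPN"):
            findings.append(f"DMZ may initiate to {r.dst}: {r}")
        if r.src == "WAN" and r.dst != "LAN-DMZ":
            findings.append(f"WAN reaches {r.dst} directly: {r}")
    return findings


if __name__ == "__main__":
    checks = [("WAN", "LAN-DMZ", 443), ("WAN", "LAN-DMZ", 22),
              ("LAN-DMZ", "LAN", 445), ("LAN-VPN", "LAN", 3389)]
    for src, dst, port in checks:
        print(f"{src} -> {dst}:{port} {'allow' if allowed(src, dst, port) else 'deny'}")
    print("audit findings:", audit() or "none")
```

Because the policy is default-deny, adding a segment adds no reachability until a rule grants it; the `audit` function is where the design's non-negotiables live, so a later "just let the web host talk to the NAS" rule is caught at review time rather than discovered during an incident.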

