Pfsense network recommendations/questions?



  • Hello all, well I am new to this whole pfsense community as I was brought on to it by a buddy of mine who said I should really look into it, and since doing so it has intrigued me.

    I was looking at the SG-1000 just to start tinkering and playing, but then figured that if I was going to spend the money maybe I would be better off considering the SG-4860. Since, if it did what I thought it did, it would save some money in the long run by not having to buy it later on after spending money on the SG-1000.

    I currently run VPN services through a client on my desktop computer through PIA. However I really would want to be able to secure my whole home network under VPN. But actually I would prefer to be able to put certain devices under VPN and others not.

    I do not know if, under the pfsense interface, you are able to run a VPN client on the SG-4860 and then select which devices are under the VPN tunnel and which would operate on a NON VPN tunnel?

    The other thing is with running the SG-4860 how much of a hit would I take on my connection speed when using VPN? I only have one choice for internet service provider (Comcast) and my current connection is 85mbps down and 10mbps up.

    Also if I wanted to incorporate my mesh WiFi router (Netgear Orbi or Luma, I have both) into the pfsense SG-4860, am I able to just connect it and then have a wireless connection? If I can, do the wireless channels end up being routed through the VPN tunnel or the NON VPN tunnel?

    I had two setups but was told that I could eliminate one pfsense box and have both VPN and NON VPN run through 1 pfsense box instead of two.

    1 pfsense box
    --In from ISP--->[Cable Modem]--->[pfsense box]--->[SWITCH VPN]-->
                                                  |--->[SWITCH NON VPN]-->

    2 pfsense boxes
    --In from ISP--->[Cable Modem]--->[WAN Router or pfsense box]--->[SWITCH LAN NON VPN to devices]
                                                                |--->[pfsense VPN box]

    Curious what your thoughts or suggestions are for the best setup for me?

    Thanks,
    Donnie


  • Rebel Alliance Global Moderator

    Once you set up the vpn client on pfsense you can route whatever clients you want through this vpn or not.. Simple policy based routing, which can be network based.  I.e. specific vlans don't or do use the vpn.

    You could limit to specific source IPs of your devices in any network to use or not use the VPN.

    You could set it so specific dest IPs or protocols do or don't use the vpn, etc.  Or really any combination you can come up with to use or not use the vpn.



  • Thanks for the information I really do appreciate it.

    I definitely have some learning and reading to do. But it is just kind of hard to do without an actual box set up with the software for me to work with and learn. I learn better when playing with the actual devices or software.

    So is there a difference in what pfsense calls LAN1, LAN2, LAN3, etc in the SG-3100 vs OPT1, OPT2, OPT3, etc in the SG-4860? Or is it the same thing, just a different naming scheme?

    Also if I were to set up my mesh wifi router (Netgear Orbi or Luma), I assume I would just have to set it up in the proper mode, i.e. bridge or access point mode, correct? This would allow me to have wifi, but does the wireless then go under VPN or NON VPN based on which port you plug it into? So if I set up LAN1/OPT1 as VPN and LAN2/OPT2 as NON VPN, does that mean I can set up pfsense so that anything connected to that LAN/OPT port would function that way? I did not know if I could connect both of them and then have a VPN wireless network and a NON VPN wireless network or if I will just have to choose one or the other for my setup.

    Thanks


  • Rebel Alliance Global Moderator

    pfsense calls anything other than the default wan and lan "opt" interfaces.  You can map them to any physical interface you want.  When you're talking hardware in say an SG-2440 it would have 4 physical interfaces igb0, 1, 2 and 3 which you can map to whatever "name" you want to call it, be it wan, lan, opt or whatever you name it..

    You're still just mapping a physical interface to a name of the interface.

    As to how you set up your wifi - that is up to you.. Be it they support vlans or not, etc.  I do not believe the Orbi supports vlans.  So whatever network you connect it to would be the network it would be on.  So if you wire it to say your opt1 interface in pfsense, let's say that is igb2, then that is what network your wifi would be on.  Then you could route all those clients out a vpn or just specific clients based upon what IP you give them or maybe what dest they are going to.

    If your wifi would support vlans, say something from Unifi, then you can get fancier and create different ssids (wifi networks) that are attached to different networks in pfsense, be it a physical network or a vlan that sits on top of a physical interface, etc.



  • On a side note. You can use VirtualBox to run pfsense as a VM and play around with it to get more comfortable. Do a bit of research on the basics of IP routing. Also think of vlans as a separate network, switch and all. It just uses tags to differentiate. So opt1 could be vlan 10 for VPN users and opt2 could be vlan 711 not routed via VPN. Or you can get a bit more interesting and use LAN or opt1 or any one port as the physical plug for vlan 10 AND 711. This is the point of vlans. You then configure the ports on your switch to be assigned to each vlan. On the WiFi side, at least with Ubiquiti you can have 4 SSIDs and each is like a switch port in that it's assigned to a vlan.

    Each vlan, being its own network, gets its own IP range and DHCP scope AND firewall rules (policy routing).
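    As an added example (not from any of the posts above), this is what the policy-based routing johnpoz describes and the two-VLAN layout from the side note look like as pf rules of the kind pfSense generates from its GUI into /tmp/rules.debug. The interface names, VLAN IDs, address ranges and the ovpnc1 gateway address are assumed values for the example; the leak-guard rules assume the pfSense option "Skip rules when gateway is down" is enabled.

    ```pf
    # Assumed layout (constructed for this example):
    #   igb2.10  = VLAN 10,  192.168.10.0/24, clients that must use the VPN
    #   igb2.711 = VLAN 711, 192.168.71.0/24, clients that use the ISP directly
    # ovpnc1 is the OpenVPN client tunnel to the VPN provider; 10.8.0.1 is a
    # made-up tunnel gateway address.
    vpn_if = "ovpnc1"
    vpn_gw = "10.8.0.1"

    # RFC1918 space: traffic to these stays on the normal routing table and is
    # never pushed into the tunnel (otherwise LAN-to-LAN traffic and DNS to
    # pfSense itself would be policy-routed too).
    table <local_nets> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

    # Hosts on the non-VPN VLAN that should still use the tunnel
    # (johnpoz's "specific source IPs" case).
    table <vpn_hosts> const { 192.168.71.50 }

    # Outbound NAT so tunnelled traffic leaves with the tunnel address.
    # pfSense adds the equivalent itself in Automatic outbound NAT mode once
    # ovpnc1 is assigned as an interface; shown here so the rule set is complete.
    nat on $vpn_if inet from 192.168.10.0/24 to any -> ($vpn_if)
    nat on $vpn_if inet from <vpn_hosts> to any -> ($vpn_if)

    # --- VLAN 10: everything goes through the VPN -----------------------------
    # 1. Local destinations: ordinary routing, no gateway override.
    pass in quick on igb2.10 inet from 192.168.10.0/24 to <local_nets> keep state
    # 2. Internet-bound traffic is policy-routed out the tunnel (route-to).
    pass in quick on igb2.10 route-to ( $vpn_if $vpn_gw ) inet \
        from 192.168.10.0/24 to any keep state
    # 3. Leak guard: with "Skip rules when gateway is down" enabled, pfSense
    #    omits rule 2 while ovpnc1 is down, so this block catches the traffic
    #    instead of letting it fall through to the default (ISP) gateway.
    block in quick on igb2.10 inet from 192.168.10.0/24 to any

    # --- VLAN 711: ISP by default, VPN only for the listed hosts ---------------
    pass in quick on igb2.711 inet from 192.168.71.0/24 to <local_nets> keep state
    pass in quick on igb2.711 route-to ( $vpn_if $vpn_gw ) inet \
        from <vpn_hosts> to any keep state
    block in quick on igb2.711 inet from <vpn_hosts> to any
    # Everyone else on VLAN 711 uses the default route (the ISP).
    pass in quick on igb2.711 inet from 192.168.71.0/24 to any keep state
    ```

    In the GUI the same thing is a per-rule Gateway selection under Advanced Options on the VLAN's firewall rules, with the local-nets pass rule placed above it and the block rule below it.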



  • Thanks for all the information, definitely more for me to learn that is for sure. But I do appreciate the time and suggestions that you have provided me.

    So if I was looking at the SG-3100, 2440 or 4860, is there one that you would think would be better than the others for my application? If I did not end up building something out of an old computer.

    On those boxes are all the ports configurable for IP routing or are only certain ports on those boxes configurable?

    For example on the 3100 I did not know if all 6 ports (WAN, OPT1, LAN1-4) are all configurable individually or if the LAN1-4 have to be grouped and categorized together, etc? The same with the 2440 or 4860. I do not know if the ports other than the WAN and LAN are just switches and not really configurable or if they are.

    VLANs are definitely interesting and I definitely need to look into them more since they are new to me and I don't understand them totally.

    But this definitely seems like fun and something that I could learn and end up having something good for my network.



  • The SG-3100 is a good little box if you know you're only going to use the minimal and basic functions. As soon as you start to tinker, you will want more.

    The SG-3100 has two "router interfaces", meaning you can only directly connect two networks (WAN and LAN) without using vlans (this is totally fine and normal for people to work with). The catch is that all VLANs on that port will share that port's bandwidth.

    The upside is the price. It's cheap and if you only have a few devices, you may not need a switch.

    Personally, I got the SG-2440. I love it. I'm running suricata (like snort but multi threaded), bandwidthd, OpenVPN, and a few other smaller packages. I have no issues hitting 160 Mbits down.

    If you want lots of room for growth, get the SG-4860. The faster CPU will help with faster connections and IDS/IPS.

    The other consideration is if you have DSL. If you have DSL and want to run the modem in bridge mode, you will be running PPPoE on the router and that is single threaded so clock speed is critical.



  • curtisgrice thanks for your opinions and thoughts. You are definitely right, I am sure the 3100 would be great for me initially but as I start to learn and tinker I will probably wish I had gotten something a little bit more robust. I think I will probably end up biting the bullet and either get the 2440 or 4860 (probably the 4860) just so I know I would be good for some time.

    What VPN service provider are you using? I have been using PIA but was wondering if there are ones that are better than the others or will they all really have the pass-through for me and not really be an issue? My service is only 150mbps down and 20mbps up so it is not like I am looking for gigabit transfer speeds since I am unfortunately not able to get any faster service at all.

    So with the 2440 and 4860 I would be able to configure all the ports/interfaces and have more options to configure things. That sounds like it would have a lot more advantages and something that would be better.

    So for wifi I will be limited to whichever router I am using and what modes I am able to configure it in, in order to connect it to my device, correct? Would I be better off looking to upgrade or change out my wifi from my Luma or Orbi to something else?



  • Personally, I use the SG-2440 and a Ubiquiti AP-AC-LR for wifi. I'm not familiar with the Orbi or Luma. On the wifi end of things you can use any old wifi router/AP that works, but not all support vlans. I got the Ubiquiti for the price/vlan/AC/range, but if you already have something that works well and you don't have a need for segregated wifi networks (vlans), stick with it.

    I use a segregated wifi for all IoT things, cameras, smart lights, Google hub, etc.. this way I can profile the minimum ports/addresses needed for them to function and block all other traffic to and from the internet and my main network. Eventually I'd like to start doing some traffic analysis and write custom "snort" rules for every time they phone home for no reason.

    I'm not using a VPN service at the moment. I use the VPN to connect back to home remotely and securely.


  • Rebel Alliance Global Moderator

    Orbi and Luma are user wifi mesh setups.  They have no power - they do not even support vlans.. Those are nothing more than expensive toys for users that don't have a clue..  And just want to plug shit in and get on facebook from their tablet..

    If you want to do anything from a security standpoint for wireless you're going to want something that does vlans so you can have different wifi networks.. And you're also going to want wpa-enterprise support so for your devices that support it you can use that to auth with, etc.

    Unifi is prob the most feature rich wifi at the lowest cost..  While you can drop some coin as well.. the new UAP-AC-SHD has "Wireless Intrusion Prevention System (WIPS)" on a dedicated radio - and also has a radio for doing spectral analysis…  This is not your $100 AP ;)  Right now they are in the beta store for $350..

    https://store.ubnt.com/collections/beta/products/unifi-ap-ac-shd

    I would love to pull the trigger on one - but budget committee (wife) is on the war path of late ;)

    I currently have a Pro, LR and lite in my house for AP... Running 4 different wlans on wifi - and will prob isolate a bit more the nests from alexa which are currently on the same ssid and vlan, etc.



  • Hi all,

    When will the SG-4860 have one of the Intel C3000 chips like the C3850? I was going to buy the SG-4860 but it has the C2558 CPU that has a problem, I know there is a workaround for it, but I am not buying something that has a known problem.

    Thank You,



  • curtisgrice and ManuelA thanks for the information I do appreciate it.

    But if funds are tight and I don't have the option or ability to change out my wireless and have to, for the time being, stick with what I have for cost savings: I could technically use the Luma on one port for VPN wireless and the Orbi on another port for NON-VPN, correct? However it would just be a generic setup where you would not be configuring or have more advanced features, it would just be adding wireless for that port for whatever I would have connected to it? Or could you still add groups and other things, more generic, for some control with that setup?

    BTW I do agree with you, they are more plug and play and for the time it worked for me and I liked it. But since being introduced to pfsense and what it can do it is definitely something I would look into, I just don't have the funds to get and change everything all at once unfortunately.

    Unifi and Ubiquiti are the same or are they different companies/products? One is just the company and the other is just their product line, right?

    So for the Ubiquiti you need to have a physical connection for each one in the house? The thing is, and the reason I have the Luma and Orbi, was because the mesh network allowed me to get wifi to all ends of my house and get rid of the dead spots I was having with traditional wireless routers. So I am trying to figure out how Ubiquiti would help me out in my situation if I would need more than one in order to make sure that my house was good and I did not regress in the coverage aspect? The security and advanced features no doubt hands down put Luma and Orbi to shame (but they are also geared towards different customers). Would I need to buy multiple units and have them hard lined back into the switch/pfsense box for connection for them to work, I assume?

    If you were going to recommend something what would you recommend in my situation?

    I could not check out the link for the UAP-AC-SHD since it said it was for beta users only.

    Thanks



  • ManuelA,
    What is the issue that the SG-4860 chipset has? And what is the workaround for it?
    I haven't heard of this until your post so now I am curious what it could be.

    Thanks



  • So quick question for you all: if I were to buy the UAP-AC-SHD or even the UAP-AC-HD or the UAP-AC-PRO, how do you power the devices? Since it is not like your typical AP where you plug the power source into the wall.

    It says I need 802.3at PoE+ support and it can be powered by any 802.3at PoE+ compliant switch.

    Since I am new to this whole community and more robust networking devices, I was not sure if any real switch has that feature or if it is only special ones or only Unifi switches that I need to look at getting.

    Thanks


  • Rebel Alliance Global Moderator

    Any of the APs from Unifi are poe, yes.. What flavor they use depends on the model.. the -lite and -lr are not really standard poe compliant.. And use a 24V passive mode..

    802.3af/A PoE
    24V Passive PoE (Pairs 4, 5+; 7, 8 Return)

    While Pro is
    Passive Power over Ethernet (48V), 802.3af/802.3at Supported
    (Supported Voltage Range: 44 to 57VDC)

    And HD
    The UniFi AC HD
    AP can be powered by an 802.3at PoE+ compliant switch.

    So while it can be a bit confusing to those not familiar with POE.. shoot even those that are ;)

    The good thing to know is that unless you are buying them in multi packs they all come with an injector.. This allows you to inject the power onto the ethernet cable you run to the AP..  You can always buy the injectors from them.
    https://www.ubnt.com/accessories/poe-adapters/

    Now if you're going to be running multiple APs and/or phones and/or cameras etc.. where you're going to run multiple POE devices, then it might be a good idea to buy a poe switch, either one that meets poe standards and use it with the AP you get..  Or you can get switches from Unifi that can power their different devices.  They also sell inline converters that convert standards-meeting poe to their odd ball stuff ;) without having to actually inject the power.

    If you're just buying single AP units - they should come with the appropriate injector you can use.

    Does this picture help in understanding poe?

    Or maybe this attached one?




  • johnpoz thanks for the diagram and information. It definitely is confusing, I did not know it was that complex and everything. I thought it was just as simple as it had POE or did not, and I did not know there were different standards for different voltage requirements. A lot learned, thank you so much.

    So if I were to get the UAP-AC-SHD I would need a 48V POE injector adapter? The same for the Pro?

    Pretty much all of them could be powered by an 802.3at PoE+ compliant switch like the US-16-150W?

    Also do you have to use specific CAT cable CAT5 or CAT6? I was not sure if it needed to be CAT6 or if what I already have run in my walls CAT5 would be fine.

    Thanks



  • When will the SG-4860 have one of the Intel C3000 chips like the C3850?

    Who was telling this and when? It's absolutely new to me that they want to use those SoCs from Intel,
    but it will be nice if I see what the Supermicro SYS-E300-9D and SYS-E200-9D are offering!

    I was going to buy the SG-4860 but it has the C2558 CPU that has a problem, I know there is a workaround for it,
    but I am not buying something that has a known problem.

    It can become a problem under some circumstances, but not all units will have one!!!

    Personally, I use the SG-2440 and a Ubiquiti AP-AC-LR for wifi. I'm not familiar with the Orbi or Luma. On the wifi end of things you can use any old wifi router/AP that works, but not all support vlans. I got the Ubiquiti for the price/vlan/AC/range, but if you already have something that works well and you don't have a need for segregated wifi networks (vlans), stick with it.

    Building a WiFi network might be easier to realize than in former days thanks to the equipment available on the market,
    but there are also some differences between some configurations.

    • A WiFi network with some older or used routers and perhaps, let us say, DD-WRT or OpenWRT (LEDE) will be
      good for realizing a cheap WiFi network, but mostly the handover, also called "roaming", is not given.
    • Realizing the roaming will be nicer and more matching if hardware from only one vendor is in use,
      such as MikroTik or UBNT offer these days.
    • A real mesh network is often using the HWM protocol, but they are not even compatible with each other
      to use it like everybody wants to.
    • MikroTik is using the HWMP (HWMplus) protocol
    • UBNT is using the HWM protocol

    So if you want to realize a real mesh you will also need equipment that is able to play nicely together.



  • BlueKobold & johnpoz thanks for the information really helping me out and everything.

    For POE I would just need to make sure that I am using Cat5, Cat5e or Cat6 cables, correct? I was not sure if there was a difference other than throughput speed or if there was more to it than that.

    So more or less if I end up with the UBNT UAP-AC-SHD or Pro, I would probably need more than 1 for my house, I would assume, correct?

    Also for the UniFi software that you run on your machine in order to monitor or install or set up: are you able to run and install that software on pfsense as a package, or would I have to install it on my Windows desktop or laptop and have that be the location for the install of the controlling software?

    I also saw that they have mobile apps but I am not sure if they are more for just monitoring and viewing and not really used for setup of a new device.

    BTW I ended up getting the SG-4860 box and it has been an interesting few days trying to get it set up. I have not gotten it totally running since it seems like I can only have 1 computer online working it. So I have to get the wifi APs in the mail and set up, and then maybe I can set it up and leave it set up. It is definitely a neat system and software but man oh man it is robust and definitely taking some time to learn and understand and tinker with. But I have been getting great help from the community.



  • For POE I would just need to make sure that I am using Cat5, Cat5e or Cat6 cables, correct? I was not sure if there was a difference other than throughput speed or if there was more to it than that.

    For 1 GBit/s you will need CAT.5e, and if you are willing you can also go with CAT.6(A) if you want to;
    for PoE nothing is better than good shielded cables in my eyes.

    So more or less if I end up with the UBNT UAP-AC-SHD or Pro, I would probably need more than 1 for my house, I would assume, correct?

    This depends on the WLAN AP itself and the whole ground plan of your house.

    Also for the UniFi software that you run on your machine in order to monitor or install or set up: are you able to run and install that software on pfsense as a package, or would I have to install it on my Windows desktop or laptop and have that be the location for the install of the controlling software?

    The software is able to do the internal routing too; if so, and you let that WLAN controller do the internal routing,
    you should end up with a small low power box, and if not, you will be able to use a small Raspberry Pi 3 too.
    The RasPi would be my choice.

    I also saw that they have mobile apps but I am not sure if they are more for just monitoring and viewing and not really used for setup of a new device.

    Could be nice but I prefer that software WiFi controller.

    BTW I ended up getting the SG-4860 box and it has been an interesting few days trying to get it set up. I have not gotten it totally running since it seems like I can only have 1 computer online working it. So I have to get the wifi APs in the mail and set up, and then maybe I can set it up and leave it set up. It is definitely a neat system and software but man oh man it is robust and definitely taking some time to learn and understand and tinker with. But I have been getting great help from the community.

    It's a cool device and strong enough to realize more than all you want, so you will also get some headroom for future
    upgrades of your ISP line.

    The other thing is with running the SG-4860 how much of a hit would I take on my connection speed when using VPN? I only have one choice for internet service provider (Comcast) and my current connection is 85mbps down and 10mbps up.

    The SG-4860 will be able to route (without PPPoE) ~900 MBit/s on a symmetric 1 GBit/s Internet connection
    and around ~470 MBit/s over IPSec VPN!!!



  • BlueKobold thanks for the info. Yeah the SG-4860 is probably overkill for me right now and even in the future possibly. Gorget I didn't want to be constrained in the future and figured I would just spend now and get something that will be future proof.

    I do have a Raspberry Pi box, I didn't even think about using it at all.

    If you have more than one Unifi AP, say SHD and Pro or 2 Pros, do they act together with the same password and SSID so it is a seamless connection when walking around the house? Or do they act independently so you would have to connect and save multiple SSIDs and passwords?



  • @BlueKobold:

    For POE I would just need to make sure that I am using Cat5, Cat5e or Cat6 cables, correct? I was not sure if there was a difference other than throughput speed or if there was more to it than that.

    For 1 GBit/s you will need CAT.5e, and if you are willing you can also go with CAT.6(A) if you want to,

    For 1000baseT you need cat5, which is the cable the 1000baseT spec was designed for. Some additional tests were added to the cable standard and the result was cat5e. The differences mainly involve crosstalk tolerance, and had more impact on connector/punchdown assembly than on the cables themselves. Most factory built cat5 cables would pass the cat5e spec but weren't tested/certified as cat5e. (Field terminated cat5 was a mess, as 100baseTX didn't push the specs as hard as 1000baseT, and only used 2 pairs like 10baseT, so some installers back in the day didn't even bother to terminate all four pairs.) In practical terms, any decent cable you buy new today will work fine at 1000baseT. You won't find any cat5 for sale in 2017, and if you're looking ahead to 10GbaseT there's no reason to buy cat5e rather than cat6 (if there's a huge price difference, find a different source). If you already have cables, they're probably fine, just try them. If you run into problems (like the link takes a long time to come up, or won't get above 100Mbps, or starts at 1000Mbps and then steps down) it's probably the termination, but unless it's a really long run it's not worth fixing rather than tossing it.