Input/suggestions on setup (new to pfSense)



  • I am interested in setting up a new machine with pfSense. My intention is to have a better firewall than my router and to add some functionality I currently don't have.
    Plan to use pfSense for the firewall; run squid, snort and some sort of ad blocking. My current router is a Netgear Nighthawk R7500.

    My questions are:
    1. Am I going to waste my time with setting up pfSense for what I will be using it for? I feel I will not be using the software to its full potential.
    2. Should I use pfSense to do DHCP and set my router as an AP? I don't want to replace my router because it is centrally located in the house.

    I want to have better security for our home network. I think pfSense can do that for me.

    Any suggestions on other things I can do with the software?

    I have a cable modem with 100/6 for speed.



  • @im_etten:

    … Am I going to waste my time with setting up pfSense ...
    ...I think pfSense can do that for me.

    Make up your mind - wanna use it or not? That's your decision.

    If you don't want to replace your current router how do you plan to set it all up then?
    Router behind router sounds like double-NAT which isn't totally bad but I wouldn't want to have that.



  • There's nothing really wrong with what you want to do but no one can tell you whether you'll be wasting your time.

    Cable modem > pfSense > R7500 as AP is good.  Especially as the R7500 is centrally located.

    The R7500 should be just an AP on the LAN (or an OPT interface, if you want WiFi to be separate).  DHCP should be on pfSense.

    You will need a pfSense box that has some extra grunt to run Squid and Snort/Suricata but that shouldn't be too hard.



  • Maybe I can't do what I was thinking. I was reading up on pfSense and I thought I could use the software to DHCP and turn off DHCP on my router so that all it does is act like an access point so I can maintain my wireless setup.



  • @biggsy:

    There's nothing really wrong with what you want to do but no one can tell you whether you'll be wasting your time.

    Cable modem > pfSense > R7500 as AP is good.  Especially as the R7500 is centrally located.

    The R7500 should be just an AP on the LAN (or an OPT interface, if you want WiFi to be separate).  DHCP should be on pfSense.

    You will need a pfSense box that has some extra grunt to run Squid and Snort/Suricata but that shouldn't be too hard.

    Yes, that is my plan. I was going to build a machine that has 4 NIC cards and a quad core processor. I plan to set up the network so the WiFi and LAN work just like my current router.



  • I was reading up on pfSense and I thought I could use the software to DHCP and turn off DHCP on my router

    You can, and that's what's being suggested.  You disable your R7500 WAN, disable its DHCP server and then plug one of its LAN ports into your pfSense box LAN or OPTx port.  Ta-da, it's an AP.  Then configure pfSense DHCP server and you're ready.  Your wifi clients won't even notice the change.  Same router, same SSID, same password.



  • @KOM:

    I was reading up on pfSense and I thought I could use the software to DHCP and turn off DHCP on my router

    You can, and that's what's being suggested.  You disable your R7500 WAN, disable its DHCP server and then plug one of its LAN ports into your pfSense box LAN or OPTx port.  Ta-da, it's an AP.  Then configure pfSense DHCP server and you're ready.  Your wifi clients won't even notice the change.  Same router, same SSID, same password.

    If I do this setup will I gain any speed by using the router as an AP?



  • I am interested in setting up a new machine with pfSense. My intention is to have a better firewall than my router and to add some functionality I currently don't have.

    That is, and will be, what most home users think when they start with pfSense! pfSense is x86_amd64
    based firewall software and you will be able to set up a full UTM with it, but, and this is the mistake
    most people make, you may need more time to set it up and maintain it, and often more powerful
    hardware than expected is really needed, depending on the installed packages and the Internet line speed.

    Plan to use pfSense for the firewall; run squid, snort and some sort of ad blocking. My current router is a Netgear Nighthawk R7500.

    If you now add the following two things on top of this, like ClamAV and VPN, you will own a full UTM device,
    and this is mostly the more powerful one, based on those actions, services and installed packages! Again, in short: your
    Netgear router is ASIC or FPGA based and pfSense is not! So it will depend on the raw Internet
    speed how powerful the hardware you go with should be.

    My questions are:
    1. Am I going to waste my time with setting up pfSense for what I will be using it for?

    No, it matches the services you want and offers more potential than you would expect!

    • Radius Server with certificates for your private WiFi clients
    • Captive Portal with voucher system for a guest WiFi system and its clients
    • SquidGuard and SARG adding to the Squid Service
    • IPSec and OpenVPN support based on AES-NI support

    But please also know that Snort and Squid are not set-it-up-and-forget-it packages!

    I feel I will not be using the software to its full potential.

    This is also owed to all parts of the game and not only the ones we are speaking about here!
    Number of users, type and kind of network traffic, offered services, used protocols, HA or BGPi setup and so on and so on!

    2. Should I use pfSense to do DHCP and set my router as an AP? I don't want to replace my router because it is centrally located in the house.

    Since WiFi is also in play here, I would do so!

    I want to have better security for our home network. I think pfSense can do that for me.

    For sure it can. Your router normally does only SPI (netfilter) and NAT (network address translation).
    pfSense uses the packet filter (pf), and together with Snort as an IDS/IPS system and Squid,
    pfSense will put you in a much better security position!

    Any suggestions on other things I can do with the software?

    As stated above, a Radius Server and Captive Portal with a voucher system is very often used
    at home to separate the entire WiFi network into a real private network with LAN and internet connection,
    and to offer guests an internet-only platform that cannot be used by all your neighbors' kids.

    I have a cable modem with 100/6 for speed.

    Good, that tells enough, because it might then be better to go with a lower-powered pfSense
    box. A small APU2C4 will be nice here, or an SG-2440 will do the job too, or the brand new SG-3100 will
    do the job with ease too. Or look at the Qotom thread here in the forum; that would also be a nice match
    with an Intel Core i3 or i5 and 4 GB - 8 GB of RAM.

    If I do this setup will I gain any speed by using the router as an AP?

    No, and why should this speed things up? The internet and the WiFi cannot be sped up by pfSense at all!
    But this is a well-known and the most common use case for older consumer routers, due to the lack of WiFi
    support in FreeBSD, which is the underlying OS for pfSense. Easy to deploy and change with only some
    setup corrections, and without the hassle of redoing the whole configuration from scratch!



  • I am looking at the Qotom Q3554G4 or the SUPERMICRO MBD-X11SBA-LN4F-O to start with.



  • Another question.

    My router has a WiFi and Guest WiFi. Can I use the Guest WiFi from the AP and have it isolated from my private internal network?

    I am planning on connecting the AP to a switch.

    Modem --> pfSense --> Switch --> AP (internal WiFi)
                                        (Guest WiFi)



  • I am looking at the Qotom Q3554G4 or the SUPERMICRO MBD-X11SBA-LN4F-O to start with.

    If you will be getting your hands on the Supermicro hardware, 2 points from me above that will be nice to know;

    My router has a WiFi and Guest WiFi. Can I use the Guest WiFi from the AP and have it isolated from my private internal network?

    Three things are required to realize that:

    • pfSense must support VLANs (by default)
    • the WLAN AP must support multiple SSIDs (more than one SSID)
    • the WLAN AP must be capable of and support multiple VLANs too (more than one VLAN)

    I am planning on connecting the AP to a switch.

    • the network switch must or should support VLANs too

    Modem --> pfSense --> Switch --> AP (internal WiFi)
                                        (Guest WiFi)

    • Set up two SSIDs, like private and guest
    • Set up two VLANs on all devices: pfSense, switch and the WiFi AP
    • Put each SSID in its own VLAN
    • At the WiFi AP the VLANs must be set as tagged too, because more than one VLAN is used there!
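
Added example, not part of the thread and not pfSense code: once the guest SSID sits in its own VLAN, isolation depends on the firewall rules on the guest interface and on their order. The sketch below models a first-match rule list and probes it with constructed flows; the subnets, the rule list and every name in it are assumptions made for illustration.

```python
import ipaddress

def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

# Assumed addressing (not from the thread): private LAN 192.168.10.0/24,
# guest VLAN 192.168.20.0/24 with the firewall at 192.168.20.1.
GUEST_GW = nets("192.168.20.1/32")
RFC1918 = nets("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
ANY = nets("0.0.0.0/0")

# Hypothetical rule list for the guest interface: (action, proto, dst nets, dst port).
# Evaluated top-down, first match wins, as on a pfSense interface rules tab.
GUEST_RULES = [
    ("pass",  "udp", GUEST_GW, 53),    # DNS to the firewall
    ("pass",  "tcp", GUEST_GW, 53),
    ("block", "any", GUEST_GW, None),  # rest of the firewall, including its web GUI
    ("block", "any", RFC1918,  None),  # private LAN and every other internal net
    ("pass",  "any", ANY,      None),  # whatever is left is the internet
]

def evaluate(rules, proto, dst, port):
    """Action of the first matching rule; unmatched traffic is blocked."""
    addr = ipaddress.ip_address(dst)
    for action, r_proto, r_nets, r_port in rules:
        if r_proto in ("any", proto) and r_port in (None, port) \
                and any(addr in n for n in r_nets):
            return action
    return "block"

# Constructed probe flows from a guest client and the outcome isolation requires.
PROBES = [
    ("udp", "192.168.20.1", 53, "pass"),     # guest DNS lookup
    ("tcp", "192.168.20.1", 443, "block"),   # firewall web GUI
    ("tcp", "192.168.10.50", 445, "block"),  # file share on the private LAN
    ("tcp", "192.168.10.1", 443, "block"),   # firewall's LAN-side address
    ("tcp", "203.0.113.10", 443, "pass"),    # internet host (documentation range)
]

def isolation_gaps(rules):
    """Return the probes whose outcome differs from what isolation requires."""
    return [(p, d, port) for p, d, port, want in PROBES
            if evaluate(rules, p, d, port) != want]

if __name__ == "__main__":
    print("rules as listed:", isolation_gaps(GUEST_RULES))
    # Same rules with the broad pass rule moved to the top: isolation is lost.
    print("pass-any first: ", isolation_gaps(GUEST_RULES[4:] + GUEST_RULES[:4]))
```
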
