Bought equipment. What should I do next?
-
Hi everyone.
I'm a total noob, and have just heard about Pfsense couple of weeks ago.
Reading here and some other places, I've bought some hardware, but I need help with what I should do next. I would like to be able to connect to my VPN and QNAP server from anywhere in Europe (I travel a bit), and to be able to see my Plex collection from remote locations. I would also like to be able to see my IP cam (there is nothing sensitive there, just some scenery, and my friends and family have access).
How would you connect this together?
EDIT
I would like to add that the Zyxel switch is completely new, and I haven't even turned it on or know how to use it if it needs some management. For the time being, I'm using some Linksys 8-port PoE unmanaged switch and an Asus RT-AC3200 as a router.
-
What type of networking experience do you have?
-
Well, you can use that new Zyxel as just a dumb switch to get started. Then you can get fancier with it after you're up and running on the new switch. And you have your remote access in.
To access your network remotely, just run through the OpenVPN wizard. For Plex, you can just port forward. Or connect in via your VPN, then access your Plex.
For your camera - I really would not suggest you open that to the public; just access it via the VPN you set up.
-
Well, I managed to set up my little network through the Asus router the way I’m able to remotely connect to my VPN, Plex and QNAP from outside. Opened some ports and configured some static IPs.
That’s about it. :-[ -
Yes, it seems that I should be taking it slowly and gradually learn how to do stuff.
Should I only connect one port on my 4-port NIC to switch?
Any use for the other 2 ports, OPT1 and 2? -
Depends. Do you have things you would like to firewall off from the things you put on the LAN port?
-
I can’t think of any. All devices on the network should be able to «speak» to each other, and be able to connect to QNAP, VPN and Plex.
My biggest concern is all the probing of my server all day long, mostly from Asia, but also from other continents/countries. Gotta go to bed now. In case of new posts, I’ll reply tomorrow. Thanks for all the help.
-
There are packages to address that.
-
I already took a look at the pfBlockerNG package, but first I have to connect everything.
I work this weekend, but will be playing with pfSense from Monday. -
Your setup will probably be similar to mine, depending on whether you want to segregate your Plex/QNAP and IP cams from your internal LAN traffic.
Basically, on the 4-port card that is in the back of the pfSense firewall, you will dedicate 1 of the 4 ports to your WAN.
You can then have up to 3 different interfaces (OPT1, OPT2, OPT3). You do not have to add OPT2/3 at the time of the install, but can use them if need be at a later time.
Your WAN will automatically get your IP from your ISP, unless you have to configure it. All the configurations on your Asus router will need to be obliterated. You will need to reconfigure it to remove the firewall and NAT. You will also have to tell it to forward DHCP requests to the pfSense box, or leave it in its own subnet and allow DHCP to be requested from the Asus router. If you go with the latter, you will need to add a route on the router pointing back to the pfSense box if you want to get to OPT2 or OPT3 (if configured).
Once this has been set up and is working, you can then work on port forwarding like you had on your Asus router.
Now the Zyxel switch comes into question… You can do this one of 2 ways.... You can plug it in on the Asus router or you can add it to an OPT port. This is completely up to you; either way you are only getting 1 Gbps of traffic unless you LAGG it, at which point you can only get 2 Gbps. With a 300 Mbit connection, it doesn't really matter.
-
Thanks for reply.
I will definitely remove the Asus router from the equation. pfSense will be routing traffic.
I wonder if both the WAN and LAN interfaces on pfSense need to have DHCP enabled, or only one of them?
To begin with, I'll use the Zyxel as a "dumb" switch until I'm more comfortable with both pfSense settings and VLANs. I started the switch, and it's a bit noisy for my taste. It has 3 Delta fans spinning all the way to 11000 RPM, producing up to 41.5 dB. I ordered new, quieter Sunon fans from Germany, and should be getting them on Monday-Tuesday. -
Ha!!! 41.5 dB :D … how do you sleep?
The WAN setup would be determined by your ISP. For most ISPs it is DHCP. If you have a static IP from your ISP, they should send some type of paper in the mail or an email with what the IP, subnet, and gateway are. The same is true for PPPoE (they would send you the information in the mail/email). The other selections I haven't really seen.
I would definitely leave DHCP on LAN. The question I have is why leave the Zyxel as a dumb switch? You can configure it to be managed and forward DHCP requests to pfSense. From there, you can configure VLANs at a later time.
-
Like others have mentioned, I would connect a Cat5e or Cat6 cable from your modem to the WAN port on the back of your pfSense box. You will have to decide which port on your NIC will be the WAN. I would make the built-in NIC on your mobo the WAN port. I then would connect the first port on the four-port NIC to the last port, 28, on your switch. That will be the LAN port. I would connect the access point to port 27 on your switch. I would connect all your clients from port 1 going toward the last. I like to connect clients and devices that will only have one MAC address to the first ports and things that will have multiple MAC addresses (switches, access points) to the last ports of a switch. That way you work towards the middle.
If you want to get better bandwidth management you could do a LAG port from pfSense to your switch, but the problem that I have found with that is you can't put VLANs on a LAG port. I know you aren't using VLANs now, but you have to think about the future. For example, you may want to have multiple SSIDs to separate traffic. I personally put my cameras, Hue lights, and Ecobee thermostat on a WiFi called IoT to minimize my attack surface. I also have corresponding rules that don't allow traffic from that network to my LAN.
Like others have mentioned though I would start simple and then build the network out from there.
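The IoT-to-LAN isolation described above, written out in pf syntax (pfSense is built on pf and generates equivalent rules from its GUI). This is an added illustration, not a ruleset from the poster or from pfSense itself; the interface names (igb0/igb1) and subnets are assumptions, and pfSense's first-match "quick" rule ordering is what makes the block line win over the later pass.

```pf
# Assumed interface names and subnets (constructed for this example)
lan_if  = "igb0"
iot_if  = "igb1"
lan_net = "192.168.1.0/24"
iot_net = "192.168.50.0/24"
# All private ranges: IoT must not initiate towards any internal network
table <rfc1918> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# IoT devices still need DHCP and DNS from the firewall itself.
# ($iot_if) expands to the firewall's own address on that interface.
pass in quick on $iot_if inet proto udp from any port 68 to any port 67
pass in quick on $iot_if inet proto { tcp udp } from $iot_net to ($iot_if) port 53

# First match wins: drop anything from IoT towards LAN or other internal nets.
# Logging these hits shows which device is trying to reach the LAN.
block in log quick on $iot_if inet from $iot_net to <rfc1918>

# Everything else from IoT (i.e. the internet) is allowed.
pass in quick on $iot_if inet from $iot_net to any keep state

# LAN may initiate towards IoT (e.g. a phone viewing the cameras);
# the stateful reply path is opened by the state, not by an IoT rule.
pass in quick on $lan_if inet from $lan_net to any keep state
```

In the pfSense GUI the same policy is an alias for the RFC1918 ranges plus, on the IoT interface, two pass rules (DHCP, DNS to "This Firewall"), a block rule to the alias, and a final pass-to-any; order matters exactly as above.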
-
Not sure what kind of port is built in and what kind you added on, but Suricata is sensitive about netmap compatibility, so if you plan to run that and want the inline function to work, it may not be possible with every NIC port. In other words, you could have to leave the built-in port empty if it's not compatible and you want that function. Hopefully at least the add-on NICs are good. If lucky, they will all work.
-
Looks like if the board is https://www.newegg.com/Product/Product.aspx?Item=N82E16813132565R&cm_re=asus_maximus_viii_hero--13-132-565R--Product
then the built-in NIC is an Intel I219-V, and here is the data sheet: https://www.intel.com/content/www/us/en/embedded/products/networking/ethernet-connection-i219-datasheet.html
The specs on the 4-port HP card are located here: https://www.hpe.com/h20195/V2/getpdf.aspx/c04111679.pdf?ver=4
Looks like your setup is more for gaming than a router, but hey, if you have it lying around, why not. Doubt FreeBSD will have drivers for everything.
-
Great advice. I like that «start from the edges» approach. Can’t wait til Monday to start playing with «toys».
I don’t have any modem as my internet is fiber, and I just connected the network cable directly from the HET-3012 media converter into HP NIC port 1.
https://www.ctsystem.com/en/product/productdetail.php?fid=70&pid=70
Yes, as hinted, I happen to have the Maximus VIII lying around after an upgrade, so I thought it should be used for something. I wasn’t planning on using the built-in NIC as I have more than enough ports on the HP card. I’ve already disabled the integrated sound and LAN card.
pfSense installation went well, and I’m getting an IP address from my provider. DHCP is enabled on both WAN and LAN. OPT1 and OPT2 are, for the time being, unused. That’s all I’ve had time for today. -
Wow, what provider do you use? This looks awesome! Do they do phone and TV too?
I would use the built-in NIC for WAN and the HP for LAN(s). I guess nowadays with the PCI-e bus there is no downside to doing it the way you are doing it, but out of habit I prefer to have LAN and WAN on different NICs on different buses on the south bridge. The dedicated lanes of PCI-e should make this a non-issue for your setup. Router ports are gold, so I would enable the port in the BIOS and just leave it disabled in pfSense. That way, down the line, if you need it you can enable it without having to restart your firewall.
-
The provider is Altibox (Norway), and they have both TV and phone, but I just have internet from them.
They are sending internet through VLAN 102 and TV signals through VLAN 101.
I have an IP phone from another company. For TV I use a satellite receiver. It gives better picture quality.
Thanks for the tip regarding the internal NIC.