New simple setup, need help and have a pic with specifics



  • Not having any experience, I'm having trouble with a very simple setup so I hope I could use this picture I stole and wrote up to get feedback. I think I've covered everything, but NATs and double NATs and such I don't understand, I assume a certain wifi router solves that, but the terms are not familiar, and bridging is not even something I know I have to do, and the simple explanations are not simple. So if you don't mind, here is my simple setup with everything I could think of. All ideas welcome just please help me understand. I hope it's ok to do it this way, and that it zooms up to be read. I don't mind getting a few more things, including a router (wifi) but I have 3 and one is an asus rt ac3200 so I see no need... Thanks.

    0_1552676453410_pfconfig2png.png



  • I made it fuzzy when I resized it, sorry some is hard to read. I'll be back in and out, to answer any questions... This means a lot to me, I've really struggled because there are TOO many options, configurations, and nobody seems to agree. It worries me that I know I can make it function but will be unsure of it really working at all.
    One thing, I do want to change default addresses, and the idea of the pfsense box giving my IP addresses sounds best.



  • pfSense isn't really a beginner's tool when it comes to networking. That said, what problem are you actually having?

    Here is what I would do. Note that this is not the only way to do it:

    Get a cheap switch
    Plug the switch into your pfSense LAN port.
    Plug your LAN clients into the switch.
    Disable the WAN on your wifi router.
    Disable the DHCP server on your wifi router.
    Plug the wifi router LAN port into the switch.
    Configure pfSense with defaults and away you go.



  • I managed to understand that. But with 4 lan ports and a disabled WAN and disabled DHCP, isn't the wifi just a switch with a wireless card?
    4 ports on the pfsense box, one for wan 2 lines going to my clients (laptops) and one going in a LAN on the now simple wifi router.
    True. And every device has wifi now if necessary.
    The switch is a benefit, is why you'd do it... Versatility? More devices?
    Disabling the wifi DHCP and WAN.... Pfsense will pick up DHCP duties by default then?
    Finally my network adapters. I need to configure those on the clients or will pfsense cover that so I can leave in automatic?
    I think yes.
    Yes Kom I do know it's over my head, I'm in classes for networking to catch up from a 20 yr old CS minor. But default isn't bad, I understand, and you can learn a baby step at a time from there, as you study.
    Then, there's the other reason.... I don't trust 10 laptops with a Microsoft 10 OS as far as I could throw them so a porch screen makes a better firewall in my opinion. I spend much time in event viewer and pluck things with unrestricted access from my firewall every week I had no clue was in my machine. Last week, some phone program I forget the name of now.

    Or, run a script. Watch my resource meter drop like a rock with that week's bloat gone.

    I'd like updates stopped at the box for inspection and deletion of garbage before it hits my clients. I understand one can just never let useless data collection items past pfsense.

    Thanks, I'll likely do what you said. In which case I'll be running, if on default. So it's not a problem to run but, to run with reasonable efficiency as I learn a piece here and there is the main thing.
    I was going to ask if one of those ports could just pass through (or split off before the pfsense box) to a wifi router (different one from the network wifi) and give me my own network, and the rest of the house just what's on that wifi router as most houses do. I think so but don't want to complicate things any before it even covers my stuff.

    Any comments on remote connect say from Bucharest, Romania to Kentucky to grab something off a client? Or storage device? Is that where VPN on the mini-pc instead of my client devices make it a server I can connect to?



  • Little help guys?

    I'm setting up, as Kom suggested mostly. All good. But I need to know if I should put a splitter on the cable between the ISP's modem and the pfsense box, and leave as is for the rest of the house as most homes have....

    From the splitter I want to run line 2 into the mini's WAN with pfsense. That will be my network. I may plug in a couple of laptops with Ethernet LAN on the mini, might use 1 port for a wifi router with the WAN and DHCP disabled so pfsense runs the show on my office network (I have 4 ports to work with; I assume a WAN, and 2 LANs to laptops, and one LAN to the DHCP/WAN disabled WiFi router would work...

    Or a WAN into the box from the split and 1 LAN out of the mini to the (DHCP/WAN disabled) WiFi router for MY network
    (the other WiFi router way over there being a normal WiFi router giving out addresses as it should, for the house, remember, separate network) that has 4 LAN ports (a switch, basically, with WiFi is what this Asus router on my network will be) and into the LAN ports on it I can plug my clients in.

    From the pfsense book, videos, other reading this seems simple. Am I missing something? Granted, this will do nothing but default pfsense firewall duties until I start cautiously making adjustments. Automatic sensing of my clients, mini is my DHCP server and firewall, no major issues here? The scheme is sound in the above cases, is it not?

    The only possibility for problems I anticipate is, I have 1 ISP's cable coming into the house, and 2 DHCP activities going on... The house wifi router and my own pfsense box. That may not fly, but if not I'm sure it's obvious to most of you. I see no conflict. I've run a laptop with my VPN's DNS servers set on it downstairs while the desktop upstairs had no VPN at all and was in Auto so... No problem.

    Right?

    I'll worry about VPN on the mini and remote connect to my mini later. I'll keep VPN on my clients as I have now, if possible.

    I just want this up and running on default values. Might change a default address, idk. Not asking much though.... Can I split before the mini pc and have 2 networks like this?



  • I managed to understand that. But with 4 lan ports and a disabled WAN and disabled DHCP, isn't the wifi just a switch with a wireless card?

    By doing what I said, you turn your wifi router into a simple access point only.

    The switch is a benefit, is why you'd do it... Versatility? More devices?

    More holes to plug things into.

    Disabling the wifi DHCP and WAN.... Pfsense will pick up DHCP duties by default then?

    Assuming you have configured it to do so. You configure DHCP when you are first setting up the interface.

    Finally my network adapters. I need to configure those on the clients or will pfsense cover that so I can leave in automatic?

    Leave your client NICs set to DHCP. You can create static mappings if you need to set specific IPs for each client.

    Any comments on remote connect say from Bucharest, Romania to Kentucky to grab something off a client? Or storage device? Is that where VPN on the mini-pc instead of my client devices make it a server I can connect to?

    You can create an OpenVPN instance and then safely connect to that from anywhere in the world.

    But I need to know if I should put a splitter on the cable between the ISP's modem and the pfsense box, and leave as is for the rest of the house as most homes have....

    What?? No. ISP <-> Cablemodem <-> pfSense

    What 'split'?? Unless you have signed up for additional IP addresses, you only get one public IP address on WAN. Splitting the cable will do nothing for you other than cause problems. Maybe I'm not understanding you or what you're trying to do.

    Basically, you want pfsense handling everything. You do NOT want your wifi APs handing out addresses etc.


  • LAYER 8 Global Moderator

    @NotNetworkGuy said in New simple setup, need help and have a pic with specifics:

    I've really struggled because there are TOO many options, configurations, and nobody seems to agree.

    Who doesn't agree on what? Kom's advice was spot on.



  • I did exactly all that above the Openvpn comment. Seems to be running with no problems. Although this Cisco SG100D-08 switch looks like it's seen better days. In fact I wonder if it's been modified or repaired somehow; but a guy gave it to me for 5 bucks.

    Open VPN was and is still what I set out to achieve last year. Still having trouble, because this router has some issue that won't let it work. VPN provider wants me to send it there, to be flashed I believe. I was told it could be, tried myself via directions from the VPN provider, did not work. So it's get a flashed router I guess or send this to them.
    That's how I understand it to be; Not much understanding of the flashed routers and Openvpn. What I know is I am unable to achieve Openvpn at this time and they want me to pay them to make it happen. I'm sure they can but it's not much more money to just buy a new router. Honestly I wish getting to the support site/signing in/ signing in to the Asus interface was easier; getting a firmware update, then getting into my interface, have been my only complaints about this router but it hasn't gotten any better. I was told I had the wrong password a half-dozen times, even after changing it as instructed and waiting awhile. Not sure what the problem is with signing into an ASUS site. Any recommendations on WiFi routers? I do not want anything WiFi related inside this mini pc.

    John, I wasn't questioning anyone here, certainly not Kom. I mean articles, YouTube, off this forum, that sort of thing giving contradictory information as usual.

    Now, just because it seems to be going well doesn't mean it's true. Tonight I'm checking everything bit by bit to be sure I have not made some mistake, but I think if there were any major issues the software would have said so.
    Then rest my brain a few days, before investigating what other useful thing I can enable. It seems capable of a great many things without any more software purchases at all. But it's like a kid in the candy store looking at what's available...

    The cable splitter... That was a thought to keep outgoing traffic from my home office, where I want this protection, completely separate from whatever my girlfriend might be sending out from the desktop PC upstairs. As it is I did not achieve that. The WiFi router is on the LAN side of the mini and her business is leaving the house just as mine is, on the same network, as we do have a single provider and IP address. Probably I'll ask if I should get an additional one and what to do after will be another question but I'll keep reading the book before I ask I guess. I know I can correct this somehow and will. Eventually. Still have a headache from what I've done thus far though.

    Thank Kom. The fact that I'm typing from the far side of a working mini pc with pfsense means you were very helpful. Pfsense seems to set itself up nicely without much input at all. So far.


  • LAYER 8 Global Moderator

    @NotNetworkGuy said in New simple setup, need help and have a pic with specifics:

    John, I wasn't questioning anyone here, certainly not Kom. I mean articles, YouTube, off this forum, that sort of thing giving contradictory information as usual.

    hehehee - you mean the internet has FUD on it??? Who would of thunk it ;) heheheeh

    If you spot something in question on this forum that is not good info, that has not already been called out.. Please point it out... People are welcome to their opinion on how to do X, etc.. But if it's wrong info then yeah pretty much everyone here will call them on it.



  • Right?
    The evolution of man stops now. We can only go backwards from here unless there's a universal anti-FUD law passed somehow lol.


  • LAYER 8 Global Moderator

    You would hope - people are like parrots ;) They hear something and just want to spread it around.. Screw taking the few seconds to validate it before spreading it..

    Other times they just don't have a clue - but think they do ;)



  • You speak the truth, Sir John.

    Kom! Or anyone, really.....
    I am not satisfied and need to make some slight adjustments, if you would assist, please.

    First, pfsense was kindly loaded on this device for me before shipping. It is 2.4.4 but.... I like to load my own software, call me paranoid. The first issue is, not familiar with much UNIX or really not yet cozy with anything non-Windows unless we go back to DOS of early 90's, I hesitate to download from the pfsense site, to memstick (USB thumb drive, AMD64, New York will be my choice) and booting from this to my mini-pc, which already has pfsense. I wonder, if I should format this SSD first. Also, I wonder even more (just kidding, I'll be doing this) if my Bios is set to boot from USB... I'll be sure.
    But, should I wipe this SSD? then re-load pfsense?

    Let me note that I had no cozy installer at any point, the thing went right to work and wanted 1 of 16 options because they apparently made choices for me and there was ZERO literature in the mini-pc box. Nothing. Not a scrap of info or explanation, and let me back up a sec....

    ISP's modem with no Wifi, (WAN from the Great Wide World)
    to----->Mini-pc with pfsense to----->New switch with Wifi, 4 lan ports
    (formerly known as Asus rt ac3200, now a sad expensive WAN disabled switch.... Or is WAN disabled? Hmm...)

    There was a possible conflict. Address conflict.

    Forgive if subnet is incorrect but it appears ISP's modem was my WAN---->re0---->v4/DHCP4---->blah.168.0.101/24

    (not alarmed by this)

    my LAN----->rl0---->v4----->blah.168.1.1/24

    and the problem was, if there was one, is that the WAN- disabled Asus wifi router (now sad switch with wifi) has a default address stamped on the bottom exactly like my LAN which should be the mini-pc's LAN (or rl0) and even though the WAN is disabled, Idk if it's a problem.

    This configuration happened after I, moments before, didn't want any vlan nonsense configured and entered n for no, still ok but naturally pfsense wanted to know what re0 was because:

    "Network Interface Mismatch-running interface assignment option."
    re0- link state changed to down
    r10-link state changed to down

    and so, I did this unplug trick instead of 'a' for auto because someone said to.

    I did a thing in college once, because someone said to, and wound up at the infirmary with a... well never mind that story. Sorry.

    Anywho, it wanted a WAN interface name so when I unplugged:
    re0 link state changed to down,
    and when I plugged back in....
    re0 link state changed to up
    Therefore I concluded I was in the right hole. I could comment further on that but won't in mixed company.
    I entered re0 for WAN to confirm.

    Then, it wanted LAN interface name so i did the unplug trick on the cable going to the poor demoted Asus wifi router and upon unplug,-> link state down, and plugged back in,-> link state up, therefore I declared myself clever. 2 holes in 1, Although I had 4 holes to choose from. Yet now, this conflict as stated above:

    WAN---->re0---->v4/DHCP4---->blah.168.0.101/24
    and
    LAN----->rl0---->v4----->blah.168.1.1/24

    and default IP on Asus: blah168.1.1 remember, so at this point I'm worried a bit...

    Mini-pc with pfsense should be my LAN (rl0) with blah168.1.1/24 and then from pfsense mini to switch (Asus wifi being the switch with 4 LAN ports and 1 forever empty deactivated WAN), nothing but a thing with 4 LAN ports with WiFi, that I can theoretically plug 3 clients (laptops, say) and said clients would have an Ethernet connection, and my iPhone there would have a WiFi connection, and all 4 devices protected by my nice mini pc router/pfsense firewall/DHCP server. Knowing I disabled the WAN on ASUS I had to assign DHCP duty to pfsense so option 2 let me set and configure 2 interfaces (re0 and rl0) and I believe I should now set a new LAN ipv4 (rl0) to blah168.1.2/24, not worry about any new WAN upstream gateway nonsense (ENTER for none) or any ipv6 stuff (ENTER for none) then 'y' for hellyes when it asks if I want to enable DHCP on the LAN (pfsense mini pc).
    Then give it a range of (24?) IP addresses. I say blah168.1.3 as starting point, taking any worry about the Asus's default IP being 1.1 (although it should not matter if I disabled the WAN in the Asus anyway, should it?) and an ending point...
    Umm I'm not sure what to put. Blah168.1.24?

    This would give:
    WAN---->re0---->v4/DHCP4---->blah.168.0.101/24(ISP)
    LAN----->r10---->v4/ipv4----->blah.168.1.2/24(mini pc)

    before I change DHCP duties to pfsense.

    Wifi router just a switch with wifi, and 3 Ethernet client ports with IP's between blah168.1.3 and blah186.1.24. or .26 or .27, idk I'm asking what that end range number should be, as ISP is .0
    end range must be blah168.1.24. Correct?

    Alternately, nothing plugged into the Wifi router but the line from mini pc, and everything could be on Wifi until I ran so slow nothing did anything, or 1 laptop plugged in Ethernet port on switch, 1 empty port, and whatever Wifi devices I choose until no more speed at all..

    This is perfectly reasonable, yes? I'm not hooking any client up either way until I know, and when I know, I still need help knowing how to properly re-download pfsense and boot from that USB stick, download to SSD, and configure as above.

    So I've taken my Asus wifi router, disabled WAN, and have a 4 port LAN switch with Wifi. I took the default Asus IP out of the picture just in case and there is no blah168.1.1 on my network.

    I don't know what that end IP range should be, which pfsense will be handling now as DHCP server,

    And before this I want to re-download and start over, but don't know if I should format my 128 gb SSD on the mini after checking the BIOS to make sure the mini will boot from USB stick,

    and last but not least.... Use entire 128 GB for pfsense? using the whole drive is recommended. But is this an OS where I can put a Bitdefender anti-virus and Nord VPN? or at least Nord OpenVPN (I doubt Bitdefender will run on anything but Windows or some Linux and I don't want Microsoft anything on my pfsense mini but Nord should not need Windows or even a Linux distro should it?)
    So I'm stuck bro. I might want other nifty programs on the mini running with pfsense, certainly OpenVPN, other cool stuff, but do I need to put a different OS on there, partition the drive, or what?
    Definitely not CS101 questions. But I'm so close here, I have a working pfsense plan running with a crappy switch that is now unacceptable and going in the trash, this non-WAN Wifi router should be no different, I just need to re-download what some stranger from China loaded on and not waste all my SSD space I want later for OpenVPN and extra cool programs that complement pfsense.

    It took me a long time to write all that. yet, one more thing I forgot....

    I do have a spot for an HDD drive on the mini too if I want. Just have to plug on in. See the cord sticking up left side beyond the SSD? HDD ready. Have a couple laptop drives right over in the drawer in fact.

    FullSizeRender.jpg

    Whew my brain hurts.
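
The address-plan worries raised in this thread (an access point whose default address matches the firewall's LAN address, and where a DHCP range on a /24 may start and end) can be checked mechanically. The Python sketch below is an added example, not part of any post above and not pfSense code; the function names and the 10.0.x.x addresses are constructed stand-ins laid out like the thread's WAN/LAN split.

```python
import ipaddress

def check_plan(wan_if, lan_if, pool_start, pool_end, static_hosts):
    """Return a list of problems in a one-firewall, one-LAN address plan."""
    wan = ipaddress.ip_interface(wan_if)
    lan = ipaddress.ip_interface(lan_if)
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    problems = []

    # Routing breaks if the WAN and LAN sides share address space.
    if wan.network.overlaps(lan.network):
        problems.append(f"WAN {wan.network} overlaps LAN {lan.network}")

    # "/24" is the prefix length (256 addresses), not a count of 24 hosts.
    first = lan.network.network_address + 1
    last = lan.network.broadcast_address - 1
    if start > end:
        problems.append("DHCP pool start is above pool end")
    for label, edge in (("start", start), ("end", end)):
        if not first <= edge <= last:
            problems.append(f"DHCP pool {label} {edge} is not a usable LAN host")
    if start <= lan.ip <= end:
        problems.append(f"firewall LAN address {lan.ip} is inside the DHCP pool")

    # Fixed-address devices, e.g. an access point's management IP.
    for name, addr in static_hosts.items():
        ip = ipaddress.ip_address(addr)
        if ip == lan.ip:
            problems.append(f"{name} duplicates the firewall LAN address {ip}")
        elif ip not in lan.network:
            problems.append(f"{name} at {ip} is outside {lan.network}")
        elif start <= ip <= end:
            problems.append(f"{name} at {ip} is inside the DHCP pool")
    return problems

def pool_size(pool_start, pool_end):
    """Number of leases a pool can hand out, both ends included."""
    return int(ipaddress.ip_address(pool_end)) - int(ipaddress.ip_address(pool_start)) + 1

# Constructed sample plans (hypothetical addresses, not taken from the thread).
AP_ON_DEFAULT = dict(wan_if="10.0.0.101/24", lan_if="10.0.1.1/24",
                     pool_start="10.0.1.3", pool_end="10.0.1.24",
                     static_hosts={"wifi-ap": "10.0.1.1"})
AP_MOVED = dict(wan_if="10.0.0.101/24", lan_if="10.0.1.1/24",
                pool_start="10.0.1.100", pool_end="10.0.1.200",
                static_hosts={"wifi-ap": "10.0.1.2"})

if __name__ == "__main__":
    for title, plan in (("AP on default address", AP_ON_DEFAULT),
                        ("AP moved", AP_MOVED)):
        issues = check_plan(**plan)
        print(title, "->", issues or "no conflicts")
        print("  pool size:", pool_size(plan["pool_start"], plan["pool_end"]))
```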

