Just installed pfsense, need suggestion on preparation before online



  • I've just installed pfSense on a used T620 Plus + Intel 4-port gigabit LAN. I intend to turn my main wifi router (TPLink Archer C9) into an access point. I have a few questions for my preparation before going live with the pfSense box:

    1. I have a Synology which also runs an OpenVPN server. I will later use pfSense for that job; but in the meantime, do I need to set anything special on pfSense in order to make my existing OpenVPN work as is?
    2. I have a number of local devices with a fixed IP set on the device itself. Same question.
    3. I have a number of DHCP reservations for my local devices made on my main wifi router now. I understand that I can set them in advance on my pfSense. Any special setup I should be aware of?
    4. I now have my original Pi running Pihole (wired), and my main router's primary DNS is set to the Pi IP so that all my local devices are subject to the Pihole filter. Is it still a good approach under pfSense?

    Thank you in advance for any suggestion.


  • LAYER 8

    1 I think you just need to NAT the OpenVPN port to the Synology, but I will move the work to the pfSense.
    2 Not best practice. It is best to use the DHCP server of pfSense to assign static IPs, or leave them out of the DHCP server pools if you can't avoid it. It would be easier to manage.
    3 Set them in advance, no special requirement except they must be out of the DHCP server pools. That is mandatory anyway; the DHCP server GUI will tell you.
    4 You can do that. I have bind9 on my server, so I have set the IP of my bind9 server as DNS server for my pfSense and for DNS in the DHCP server. Plus you can set firewall rules to prevent the use of unauthorized DNS servers if you need.


  • Netgate Administrator

    Yes, if you have static IPs on local devices just make sure the DHCP pool configured in pfSense does not contain them.

    You can use the DNS blacklist feature in the pfBlocker package to get much of the functionality of pihole in pfSense directly.

    Steve



  • @stephenw10 said in Just installed pfsense, need suggestion on preparation before online:

    Yes, if you have static IPs on local devices just make sure the DHCP pool configured in pfSense does not contain them.

    Better yet, use static mappings to assign fixed IP addresses. pfSense will not allow you to assign an address that's within the DHCP pool.


  • Netgate Administrator

    I usually do both in fact. Devices I have assigned a fixed IP to I also add as a static lease in pfSense. That way if they ever get set to DHCP they pull the same IP. It also prevents me using that IP for another static lease and adds them to Unbound, because that option is set, so I can resolve them.
    But, yes, I try to avoid static IPs in general. Some devices just work better like that though. Usually really crappy IoT devices.

    Steve



  • Thank you everyone.
    So both the fixed IPs set on the device and those set on pfSense must not be in the DHCP pool. I will have to change some of my fixed IPs.

    I will definitely install pfBlockerNG.
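
Added example, not part of the thread and not pfSense code: a pre-migration check of the rule discussed above, that fixed addresses (set on the device or planned as static mappings) must sit outside the DHCP pool. The subnet, pool range and device list are constructed sample values, and `audit_fixed_ips` is a hypothetical helper name.

```python
import ipaddress

def audit_fixed_ips(subnet, pool_from, pool_to, devices):
    """Return (device, ip, problem) tuples for addresses that would clash.

    devices: (name, ip) pairs covering both on-device static IPs and
    planned static mappings.
    """
    net = ipaddress.ip_network(subnet)
    lo = ipaddress.ip_address(pool_from)
    hi = ipaddress.ip_address(pool_to)
    if lo > hi or lo not in net or hi not in net:
        raise ValueError("DHCP pool must be an ascending range inside the subnet")

    findings = []
    seen = {}  # ip -> first device name that claimed it
    for name, ip_text in devices:
        ip = ipaddress.ip_address(ip_text)
        if ip not in net:
            findings.append((name, ip_text, "outside LAN subnet"))
        elif ip in (net.network_address, net.broadcast_address):
            findings.append((name, ip_text, "network or broadcast address"))
        elif lo <= ip <= hi:
            findings.append((name, ip_text, "inside DHCP pool"))
        if ip in seen:
            findings.append((name, ip_text, f"duplicate of {seen[ip]}"))
        else:
            seen[ip] = name
    return findings

# Constructed sample data: replace with your own LAN plan.
SUBNET = "192.168.1.0/24"
POOL = ("192.168.1.100", "192.168.1.199")
DEVICES = [
    ("synology", "192.168.1.10"),
    ("pihole", "192.168.1.53"),
    ("printer", "192.168.1.120"),  # falls inside the pool
    ("camera", "192.168.1.10"),    # same address as synology
    ("old-ap", "192.168.0.2"),     # left over from another subnet
]

if __name__ == "__main__":
    for name, ip, problem in audit_fixed_ips(SUBNET, *POOL, DEVICES):
        print(f"{name:10} {ip:15} {problem}")
```

An empty result means every fixed address can stay as it is; anything reported needs a new address or a smaller pool before the pfSense box goes live.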