My pfSense Story...

  • Re: Share your pfSense stories!

    So an IT coworker told me about pfSense when I suspected someone may have been trying to get into my home network. I purchased a box from Amazon. It came with no instructions and I couldn't get it to work.

    The following weekend I accidentally discovered I had to download/install the pfSense software and placed the box between the modem and the first hub. It still didn't work.

    The following weekend I plugged a laptop directly into it and there was the Internet. It also reached my HTPC but nothing past the two hubs on either end of the house.

    The following weekend I pinged the HTPC and noticed the IP was 192.168.x.x, not the 10.x.x.x I expected. So I restarted EVERY device on the network. Everything was now on 192.168.x.x and talking to each other. Except the wired devices which could not access the LAN but could reach the Internet because the modem has a wireless component that bypasses the pfSense box. I didn't know if I should switch these wireless machines to 192.168.x.x. The IT coworker gave vague advice.

    The networked printer, the FreeNAS storage, the batch files to archive files, and the TV tuners all needed to be redone to the new IPs. Then the HTPC couldn't reach the tuners - one was working intermittently while the other needed a new AC adapter. I don't know if the IP change created the problem and wondered if power cycling killed the adapter. The IT coworker asked me why Over-The-Air TV when I can "Netflix." I wondered why people are paying to see network reruns on the Interwebs.

    This past weekend I disconnected the pfSense box. Then I restarted all devices to get everything back on 10.0.x.x and redid all processes that involved IP addresses. The tuner that still has a working adapter keeps crashing when the HTPC attempts to record. It could be because it expects two tuners to choose from so I'll wait for the replacement tuner AC adapter.

    Perhaps if I redo my entire network from the ground up (with a substitute to my ISPs modem) I can incorporate pfSense. Until then I'll just keep this box on the shelf as a reminder that network guys aren't a programmer's friends. LOL

    HOWEVER, if anyone reading this can figure out where I went wrong I am open to comments/suggestions.


  • @boii5

    Don't take this the wrong way but yep.. A few things you are doing wrong. I suspect that I.T. is not your primary job..

    Whenever you change your primary router/DHCP server on your network.. yes things will change. I would take a few days and do some reading of the forums to learn.

    Your Modem.. by your description is a "Gateway" device. You would have to put it in bridge mode and turn its wireless off to bypass it.

    Pfsense is not more trouble than it is worth to someone who understands why we use it and design our systems around it. Running your own network is a learning experience and takes some time.

    Install your pfsense box's WAN to your old router's LAN and plug a computer into the LAN port of your pfsense box.

    Remember that you can always ask how to do any of these quick steps.

    Log into your pfsense box.. Default might be http or https depending on how you set it originally. You can change that. For now I'd leave it. If you try to change its LAN to the same as your present LAN behind your modem you will have issues. WAN and LAN cannot be in the same subnet.

    Build a WAN firewall rule to allow you into the box from the WAN side. Simply make the rule destination "WAN Address".

    Now you can move your computer back to your network and reach your pfsense box via the WAN address your Gateway modem assigned it. Take some time to look at some of the how-tos provided by Netgate and the forums here. pfsense gives you much better control and protection over your network when correctly configured.

    This won't do your present network any good right now but will provide you the opportunity to play with the box without messing with your internet connection for everything else.

    Good luck!

  • LAYER 8

    A firewall, like pfsense or any other firewall, isn't "plug and play". You must understand what you are doing and you must understand at least a little networking. Take in mind that Netgate doesn't sell on Amazon and you probably have bought some Chinese stuff pretending to support pfSense.
    The easiest way would be to change the IP and the DHCP server configured inside pfSense (from 192.168.x.x to 10.x.x.x) instead of reconfiguring all your network. It is more likely that power cycling killed the adapter.
    You can't accidentally discover; you have to plan and configure accordingly.
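    As an added example (not from either poster above), the checks behind @boii5's staging steps and LAYER 8's renumbering suggestion, in Python: pfSense's WAN must sit in the old router's LAN, WAN and LAN must not share a subnet, the DHCP pool must sit inside the LAN, and the pf-syntax rule that lets you reach the web GUI from the WAN side. The subnets, the DHCP pool and the interface name `em0` are constructed assumptions; the real rule is built in the pfSense GUI, this only shows what it amounts to.

```python
import ipaddress

# Constructed values: the gateway modem's LAN is 10.0.0.0/24 (as in the story),
# pfSense ships with 192.168.1.0/24 on LAN, and WAN_IF is an assumed NIC name.
LAN_CANDIDATES = ("192.168.1.0/24", "10.0.0.0/24", "172.16.1.0/24")
WAN_IF = "em0"


def check_staging(wan_addr, upstream_lan, lan_net, dhcp_start, dhcp_end):
    """Return a list of problems with the staging layout; empty means sane."""
    upstream = ipaddress.ip_network(upstream_lan)
    lan = ipaddress.ip_network(lan_net)
    wan_ip = ipaddress.ip_address(wan_addr)
    start, end = ipaddress.ip_address(dhcp_start), ipaddress.ip_address(dhcp_end)
    problems = []
    # pfSense's WAN plugs into the old router's LAN, so its address lives there
    if wan_ip not in upstream:
        problems.append(f"WAN address {wan_ip} is outside the upstream LAN {upstream}")
    # "WAN and LAN cannot be in the same subnet"
    if upstream.overlaps(lan):
        problems.append(f"WAN subnet {upstream} and LAN subnet {lan} overlap")
    # the pool pfSense hands out has to belong to the LAN it serves
    if start not in lan or end not in lan:
        problems.append(f"DHCP pool {start}-{end} is not inside LAN {lan}")
    elif start > end:
        problems.append(f"DHCP pool start {start} comes after end {end}")
    return problems


def pick_lan_subnet(upstream_lan, candidates=LAN_CANDIDATES):
    """First candidate LAN subnet that does not collide with the upstream LAN.

    This is LAYER 8's alternative: renumber pfSense's LAN, not every device.
    """
    upstream = ipaddress.ip_network(upstream_lan)
    for cand in candidates:
        if not ipaddress.ip_network(cand).overlaps(upstream):
            return cand
    raise ValueError("no candidate LAN subnet avoids the upstream subnet")


def wan_mgmt_rule(upstream_lan, wan_if=WAN_IF):
    """pf-syntax equivalent of the GUI rule with destination 'WAN address'.

    Limiting the source to the upstream LAN keeps the GUI reachable only from
    the old router's network rather than from anything beyond it.
    """
    ipaddress.ip_network(upstream_lan)  # validate before emitting the rule
    return (f"pass in quick on {wan_if} proto tcp from {upstream_lan} "
            f"to ({wan_if}) port {{ 80 443 }}")
```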

  • LAYER 8

    It's learning if you want to learn and if you like it. If you say "Sorry but the pfSense was more trouble than it was worth" it appears like you are not interested and you are just giving up.
    We all gave him some advice.. so if he wants to learn more, the forum is here to help.

  • I'll give you $12 for the box.

  • LAYER 8 Global Moderator

    @boii5 said in My pfSense Story...:

    It came with no instructions and I couldn't get it to work.

    And that would be a pfsense issue how exactly?

    As to what you paid for some box off amazon? Again what does that have to do with pfsense exactly?

    As to what you did wrong, sounds like you jumped into the deep end of the pool because someone told you to (your coworker) without even knowing that you can't breathe water ;) let alone actually swim.

    But for now I'll just hope some Russian or Iranian doesn't want to ransom my season two of A.P. Bio

    I think you are misinformed on what a firewall can do to be honest.. While yes pfsense could be used as a firewall between network segments on your network. As to someone trying to get into your network from the wan/internet side - to be honest pfsense is not going to provide you any more protection there than some soho wifi router you got at the local computer store for 49 bucks.. Or your isp rents to you, or just lets you use. If you're not providing services to the public in the first place.. Even the cheapest of cheapest soho routers block unsolicited traffic inbound to your network..

    Now if you're going to forward traffic into your network from the internet, then sure pfsense is going to give you more ways to do that "securely" than your typical soho router.. You could limit what source IPs can talk to your forwards via placing source IP restrictions on your forwards. You could get fancy with it via using pfblocker to work out IPs from country X and only allowing from that country, or blocking known bad actors' IPs, or blocking specific countries from talking to your forwards via its built-in geo IP based IP lists, etc. etc.

    If you are running services to the public you could also run IPS to block bad traffic you have forwarded to your services via known signatures, etc.

    But what it can not do is stop you from running some bad code on your machine that searches your network stuff to encrypt via your network shares. Especially if all your local services are on the same network.. And even if you firewall traffic between your machine and your fileserver - if you have file sharing allowed between your machine and your file server on some other local network segment.. Pfsense is not going to know that it's some ransomware encrypting shit on your fileserver, vs you actually doing it.. So even running an IPS on traffic between your segments is not going to help you.. So yeah IPS/IDS might help you detect such software phoning home or whatever - it's prob going to be too late since you have already run the code, etc. etc.

    Before jumping into the deep end, you should have prob taken some swimming lessons ;) If all your IT worker told you was check out pfsense.. Then that is what you should have done - done some research.. Ask here for example on what is required to do xyz.

    There are plenty of people here more than willing to help the new user get up to speed..
    Lay out your current networking setup. What equipment, what services you're running.. A drawing is always worth 10k words..

    Then ask what you can do to make it better, more secure.. It's never going to be just plug shit in..

  • @boii5 said in My pfSense Story...:

    HOWEVER, if anyone reading this can figure out where I went wrong I am open to comments/suggestions.

    Without knowing ANY details of your configuration (since you have provided none at all), I would guess that you're doing something wrong. Sorry we can't be more specific. Provide detail of your current config and what you have done and maybe we can help you if you're interested in getting it working.

  • LAYER 8 Global Moderator

    If I had to guess, the out of the box issue he would have had is putting pfsense behind his current wifi router; stuff on that network would not have been able to talk to stuff behind pfsense, and sure would have been on a different network than the default pfsense lan network.

    But yeah without details of how you tried to connect and configure everything there is no way to know what was actually wrong.

    Without any info on what you're wanting pfsense to actually do, then no it's not possible to help you do that.

  • @johnpoz said in My pfSense Story...:

    Without any info on what you're wanting pfsense to actually do, then no it's not possible to help you do that.

    Maybe you should upgrade your crystal ball. 😉

  • The saddest part reading this is his so-called co-worker who pushed him into the deep end and walked away.

  • @NollipfSense said in My pfSense Story...:

    The saddest part reading this is his so-called co-worker who pushed him into the deep end and walked away.

    Maybe he should be asking that co-worker for help.

  • @JKnott said in My pfSense Story...:

    @NollipfSense said in My pfSense Story...:

    The saddest part reading this is his so-called co-worker who pushed him into the deep end and walked away.

    Maybe he should be asking that co-worker for help.

    If I were he, I would take the co-worker for lunch in exchange for a visit to set up the pfSense box. Maybe his IT co-worker mentioned pfSense just to brush him off.

  • LAYER 8 Global Moderator

    Yeah it's quite possible he asked the local IT support at his office.. And he brushed him off by dropping a name... Guess he is lucky he didn't drop say palo alto or the like as the name - or maybe this guy would be down 20k+ vs the 300 and in the same boat ;)

    Not sure where these users get the idea that security is easy, and or push a button.

    There is no device you drop into or in front of your network be it 300 or 10k in cost that makes your network secure - NONE... No matter what firewall you buy, no matter what software you run.. All just tools, how you use the tools requires at least understanding the basic concepts of what the tool does and how to use it..

    And you need to know which tool you need as well, or you're going to be pounding on that screw with your $300 hammer screaming this hammer freaking sucks!!
