Adding pfSense to existing home network



  • I currently have a home router which does everything I need it to do. I always check for updates, but I'm concerned I won't know when the mfg's support has ended. I'm thinking about making/buying a box for pfSense, to sit in between my cable modem and router - I'm mostly just looking for the regular security updates of pfSense. What's the simplest way to accomplish this while minimizing impact to the existing network?

    I currently just use a single lan, wifi (on the same lan), and one additional guest/IOT wifi network. If I allow the existing router to continue to do dhcp/nat (as that seems simple), do I put pfSense into "bridge mode" (assuming there is that option)? Or would that negate the security benefits of pfSense?

    Or, I'm pretty sure, if I put my current router in bridge mode (and let pfSense do nat/dhcp), won't I lose the guest wifi on the existing router? Or is there some configuration where I can create a guest wifi, that is without adding a second router?

    Thanks


  • LAYER 8 Global Moderator

    You move your current router behind pfsense, and just use it as an AP. But yes you would lose its "guest" network.. You would use vlans for that.. Does your current wifi router support 3rd party firmware.. I have never seen a native wifi router that supports vlans.

    But to be honest and upfront - if you're just going to use 1 flat network with everything on the same network - not sure what you think pfsense will get you?



  • My router is an asus n66u, pretty old. When I looked into something like dd-wrt, it's been a while, but I don't think even dd-wrt is being updated for that asus. Maybe just buying a new router and installing dd-wrt is the way to go.

    What I'm looking for from pfSense is security updates. I don't like wondering when, or if, a mfg will decide to update their router. I could certainly stand to buy a newer router, but I feel like I'm just buying time - then it's back to wondering if the mfg will provide updates. Just recently saw the work Cisco did with their SOHOpelessly Broken 2.0 report. It was not encouraging.



  • My mistake, that SOHOpelessly Broken 2.0 article was by ISE, Independent Security Evaluators.



  • If you’re thinking about getting a new wireless router to turn into an access point anyway... don’t. Simply get a WiFi access point that supports VLANs. The Ubiquiti line of access points, the AP-AC-Lite or the nanoHD are excellent models.

    They support VLANs and offer multiple SSIDs, so you can run a LAN WiFi and a guest WiFi on the same piece of hardware.

    Jeff


  • LAYER 8 Global Moderator

    Yeah if you're going to go down the road of moving to pfsense.. You're prob also going to want a real AP ;) ie one that does vlans - the unifi stuff is great.. And something like the uap-ac-lite is very reasonable price entry point..

    dd-wrt is always being updated - but new users to that product sometimes don't always know where to look ;)

    For example I would think this latest for your n66u, dated today
    http://ftp.dd-wrt.com/dd-wrtv2/downloads/betas/2019/09-30-2019-r41212/broadcom_K3X/dd-wrt.v24-41212_NEWD-2_K3.x-big-RT-N66U.trx

    BTW - I wouldn't just install that, make sure you do your own research if that is the correct firmware... I found that in like a 10 second look through the beta ftp site for current stuff.. But there might be some specific process, or specific hardware version required, etc. Just wanted to show that your model number is being currently updated..

    The 3rd party projects can for sure breathe new life into a decent piece of hardware that just has shit firmware on it from the maker ;) But if you're wanting to step into the light with proper tools to run your network - you prob really want to invest in a switch that can do vlans and AP that can as well.

    With some investment for the proper hardware (can be had for reasonable home budgets these days) you really can run an almost enterprise level network in your home ;)



  • Years back I put dd-wrt onto an old linksys, it worked but was glitchy, tried reflashing and borked it. Been skittish ever since. But to your point, Yeah I DO get lost in those pages, and could have easily misinterpreted what I read about the N66U.

    I had absolutely no idea access points were so affordable. I'd like to think I'm at least Potentially capable of putting a small box together for pfSense . . . then again, I may play it safe and look at something like that SG-1100.

    Excuse me being outside my comfort zone here . . . so I just need to say: SG-1100 and a switch (yes, the vlan kind) for my ethernet needs, and a ubiquiti AP (yes, vlan) for the wifi, and a bit of time to "learn stuff". My house isn't that big, and being able to get the wifi out of a crowded closet should really help the signal. Thankfully the attic in the fall isn't too bad.

    Thank you both very much


  • LAYER 8 Global Moderator

    I have run dd-wrt on all brands, never had issue one with it.. I did brick one once while drunk and put the wrong firmware on it, but recovered it with the paperclip trick..

    The sg1100 would be a good choice for sure if you're not full gig internet.. It can sure get close to that.. My house isn't that big either and I have 3 AP.. Users don't quite understand that having 1 single wifi router in the corner of your house under your desk is not the best source of wifi for the house ;)

    And yeah you have access to your attic - very easy to mount correctly ;)

