Netgate Discussion Forum

    Newbie Setup Advice - Few General Questions

    General pfSense Questions
    7 Posts 3 Posters 484 Views
    • TheYetiWakes

      At present I have the following setup:

      Dual Router/Modem [Asus DSLAC68U]

      Wired Devices:

      • UnRaid Server for Plex / Nextcloud
      • Hue Bridge
      • Main 4K TV (Through Powerline)
      • Old Qnap NAS for onsite backups

      WiFi Devices:

      • Linux Desktop PC / Laptop / Harmony Hub / Hi-Fis / Chromecast Audio / Secondary TV / Phones etc.

      I access Nextcloud through a subdomain / reverse proxy setup within UnRaid and Plex is currently port forwarded for outside LAN access.

      Now everything works and I have no real need for a pfSense firewall other than that I like to tinker and I'm curious! Perhaps I'm totally wrong, so advice please, as all I have is a tiny bit of knowledge, enough to be dangerous to myself:

      1. I'm thinking it may be better to separate out various things, such as keeping all the IoT stuff apart from other bits, or does this not matter? Would this be done by putting it on its own VLAN?
      2. Setup a guest WiFi, apart from everything else.
      3. Possibly make the Nextcloud connection more secure than reverse proxy? If so how?
      4. Anything else strike people as needed with current setup?

      I can get hold of a Qotom-like pfSense box with an i5-7200U CPU / 6 1Gbit LANs / 8GB RAM and 128GB SSD.

      1. Thinking of getting a Draytek Vigor 130 modem and then using the current combined thing as just an access point for WiFi. Good or bad plan? Should I use a better AP than this?
      2. Do I need a switch to achieve the above, or can I do all this from just the pfSense box?

      Again I must stress this is just a home hobby / learning experience. I've read lots of threads but think I'm getting myself confused now.

      Any advice on the above much appreciated.

      • DaddyGo @TheYetiWakes

        @TheYetiWakes

        Hello,

        There are many questions, but this should not be a problem:

        I. Is the ASUS device currently in modem or router mode?
        (double NAT or not)

        you should use pfSense if you really want additional protection around you and your IT environment;
        it's a firewall + everything else (so you also need to change your mind when you start using it)

        I see you have the usual SOHO stuff; these will be clear from your description, but in fact they require a serious configuration:
        (precisely because these are so many things)

        according to your steps:

        1. absolutely right, you definitely need to segment your network = VLANs (or many real
          interfaces) (IoT / WLAN / home / office / game / etc.)

        2. this is the minimum (guest WiFi and guest VLAN)

        3. I think we have to talk about this later, once you have mastered pfSense

        4. hmmmm???

        5. Yes, that's for sure, look for one that can handle VLANs:
          UBNT UniFi, Cisco WAP series, etc.

        6. pfSense is not a switch, it is an NGFW + router + etc., but in the factory releases there are some types that have a switch chip;
          but yes, I suggest getting a good, manageable switch (VLAN capable), like the Cisco SG350 series or other (I prefer these)

        this Qotom is chasing me, but I have no experience with it so I can't say anything .... (slant-eyed)

        just to say that for starters, if you can afford it, you would prefer this:
        https://www.pfsense.org/products/

        +++++ (but don't think it's a place for advertising... (I have no such intention)
        it just helps you avoid lots and lots of problems like Qotom) ☺

        Cats bury it so they can't see it!
        (You know what I mean if you have a cat)

          • TheYetiWakes

            @DaddyGo thanks for the time taken to reply, it's much appreciated.

            Thanks for the time taken to reply; it's appreciated and cleared up a lot of queries that I had.

            I shall look at discarding the current modem / router and getting a better dedicated AP to go with the Draytek and a dedicated switch. Currently leaning toward a UBNT device for an AP, and I shall look at Cisco for a switch.

            The pfSense device I was looking at wasn't actually a Qotom, just very similar. With six LANs I assumed it would act like a switch too. Obviously not?

            The reason I went for a single Chinese box was that it seemed more powerful than the official Netgate stuff, with an Intel i5.

            Looking at an SG-3100, for example, it doesn't seem to have AES-NI, which I was led to believe was vital for future support. It also doesn't have much RAM?

            Is this not that important then?

            • aarons44

              I recently installed pfSense for the first time on my home network, and your question #1 was what I used it for. Having a strong perimeter doesn't accomplish as much as it used to if there are devices on the network that are mobile and will leave the network and come back on a regular basis. There's a risk they get compromised off network and then come back on and infect everything else.

              I used pfSense to isolate my Qnap on its own segment. One segment for all user devices: laptops, desktops, phones, TVs, Rokus, etc. Qnap on its own segment. Restricted file sharing, the Qnap management console and Plex to only the devices that need them. I also loaded the Snort package on pfSense and enabled the Qnap-specific rules.

              Overkill, yes, considering I could have just made sure I had regular offline backups of my Qnap instead. But this was a fun project.

              • DaddyGo @TheYetiWakes
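              As an added illustration (not from any poster in this thread and not a pfSense export), the segmentation aarons44 and DaddyGo describe expressed in pf.conf syntax; pfSense is built on pf but is configured through its GUI, so the interface names, VLAN numbers, addresses, the admin workstation and the NAS ports are all assumed here.

```pf
# Assumed layout: vlan10 = user devices, vlan20 = Qnap NAS + Plex, vlan30 = IoT
# (Hue bridge etc.), vlan40 = guest WiFi. Addresses below are made up for the example.
table <rfc1918> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

users = "vlan10"
nas   = "vlan20"
iot   = "vlan30"
guest = "vlan40"
plex_srv = "192.168.20.10"   # assumed NAS / Plex address
admin_pc = "192.168.10.50"   # the one workstation allowed to manage the NAS

set skip on lo0
block log all   # default deny: every pass rule below is an explicit exception

# Every segment may use the firewall itself for DNS and DHCP, nothing else on it
pass in quick on { $users, $nas, $iot, $guest } proto udp from any to self port { 53, 67 }
pass in quick on { $users, $nas, $iot, $guest } proto tcp from any to self port 53

# Guest and IoT get the internet only: no private address, so no firewall GUI, no NAS
pass in quick on { $guest, $iot } from any to ! <rfc1918>

# User devices: Plex (32400) for everyone, SMB (445) and the NAS admin UI (8080, assumed)
# only from one workstation, the Hue bridge reachable from phones, and the internet
pass in quick on $users proto tcp from any to $plex_srv port 32400
pass in quick on $users proto tcp from $admin_pc to $plex_srv port { 445, 8080 }
pass in quick on $users from any to $iot:network
pass in quick on $users from any to ! <rfc1918>

# NAS may reach the internet (updates, offsite backup) but never initiates into other segments
pass in quick on $nas from any to ! <rfc1918>

pass out quick all
```

              Devices that rely on mDNS discovery (Chromecast Audio, for instance) will not be found across VLANs with this policy alone and need an mDNS reflector such as the Avahi package between the user and IoT segments.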

                @TheYetiWakes

                Hi,

                my experience is that with all kinds of "big" Chinese boxes, the end is always crying

                Netgate HW:
                there is also support for the original Netgate hardware, which you can use if you are a complete beginner

                @TheYetiWakes "With six Lans I assumed it would act like a switch too. Obviously not?"
                you're on the right track, and the answer is really "NO"
                (it is unlikely that those many ports also have switch properties)

                from the XG-7100 up, the official hardware series includes a switch capability

                if we consider redundancy, it is better to have a separate VLAN-capable switch, so if the NGFW breaks down, it will still work within your network (internally)

                AES-NI theme (future):

                A lot of colleagues run pfSense on older hardware with 2 to 4 GB of RAM, so muscle strength is not always relevant

                I think for your purposes, and to be able to learn, an SG-5100 is enough for the first time

                • TheYetiWakes

                  Thanks for the clarification on a few things.
                  It's helped me get my mind round everything better and given me a clearer idea of what direction I need to go in to get everything as I want.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.