my general getting started experience with pfsense and advice on out of the box setup
-
hi all,
i just wanted to share my experience so far with pfsense. i had set up pfsense at work for sort of niche things like 1:1 NAT with the SG-1000, but didn't really have that much experience with it. i decided to replace my home router with a pfsense box.
documentation is good between the official documentation, reddit, netgate forums, and not least of all comprehensive youtube videos. i've been learning a fair bit about pfsense, about networking, and about what the hell devices on my network are doing. i found leaked packets from docker containers (best guess is this: http://www.smythies.com/~doug/network/iptables_notes/) as well as some automatically added odd VPN routes leaking packets as well from a different container (might be similar issue).
i bought an xcy fanless mini pc from aliexpress after the tip from redditor /u/jvolkman.
i went with the i3-8145u just to have some room to grow as i continue to explore pfsense (or my bandwidth increases). they don't sell barebone which is a little unfortunate, but the price is good. it arrived pretty quickly without issue. i bought the cheapest option which was 2GB RAM and 32GB SSD. i intended to replace the RAM with 4GB because i figured i would want the room for growth and it was cheaper to diy. i ended up purchasing 8GB because it was only $10 more. i intended to replace the 32GB SSD with a 240GB one i had from my old gaming PC, but haven't bothered (yet). the xcy seller messaged me to say the 2GB RAM was out of stock and would be providing 4GB as a free upgrade; as far as i can tell this makes sense since no one makes anything smaller than a 4GB module these days. there are a few minor unusual things with this pc, like a COM3 internal header that doesn't show up as a device or another header without any description of what it does. there is a jumper i changed to allow it to boot up automatically after a power outage.
side note: i didn't realize how far downhill newegg has gone. i considered returning the RAM i purchased and just wanted to see what their return policy was. since i was returning without a reason other than that i changed my mind i figured i'd have to pay for return shipping, but would not have any other issues. their return policy says they can refund less if the value changes due to market changes or whatever. i could see this applying to a 2080 Ti purchase, but not the RAM i bought. i bought the RAM for $30. the return value was $10. the return shipping was $12 from newegg (could save a little with your own label). so i'd owe newegg $2 to return the RAM. i checked to see if there was some RAM market crash or something, but it is still for sale at the original price i purchased at.
somewhere on here i saw the advice to just get things working and then add things to play with one at a time. i plan on doing that, i think pfblockerNG might be next, maybe WiFi with VLANs, all exciting TBDs. below are my just-basic get-it-working steps.
- i went into the bios, but i don't think there was really anything i felt compelled to change. the bios is pretty open and configurable.
- i booted from usb to install and used all the default options. only oddity was that it didn't seem to like my gaming keyboard connected through a kvm. it worked for the bios as well as windows that came pre-installed on the box. i grabbed another keyboard and connected directly to the box.
- the nic ports aren't numbered on this box, but not a big deal.
- i enabled automatic configuration backups, this is sweet, and diffs are available too!
- i disabled ipv6 because i've never gotten it to work well with all my devices before, but maybe pfsense will bring new hope in the future.
- switched the subnet on LAN to match my existing configuration.
- added DHCP reservations and port forwards to match existing network.
- changed my existing router to act as AP only.
- i enabled powerd and the hiadaptive profile. as i understand this is needed to utilize the turbo boost functionality of this processor, though to be honest right now cpu needs are so little it basically only seems to throttle down from base frequency, which is a nice heat and power advantage anyway.
- i enabled aes hardware acceleration since it is available on the cpu.
- i bridged a second nic to the LAN to connect a MoCA adapter to the network. only little thing there is that you have to add a rule either to allow DHCP requests from the bridged port or just add a rule to allow everything (https://docs.netgate.com/pfsense/en/latest/bridges/internal-networks.html).
- i enabled NAT reflection to allow some devices access to services inside and outside the house without breaking TLS certificates.
- the only real issue/surprise that came up was that wifi calling stopped working when i switched to pfsense. pinning this down was a little difficult since information online is limited and i've never had any issues with any consumer router in the past with this, but did find a netgate forum post saying to add port 4500 with static NAT and that seemed to do the trick.
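the list above is basically a checklist, so here is a small audit script that walks a config and flags the bits that are easy to forget: the bridged port with no rule passing DHCP (or allow-all), the static-port outbound NAT for udp/4500 (which only takes effect when outbound NAT is in hybrid or manual mode), powerd with the hiadaptive profile, and AES-NI. this is an added example written for this post, not pfsense's own code. the XML sample inside it is constructed and only loosely modelled on pfsense's config.xml, and the tag names it looks for (bridges/bridged, filter/rule, nat/outbound/rule with staticnatport, system/powerd_ac_mode, system/crypto_hardware) are an assumption for the example, so check them against a real backup before pointing it at one.

```python
"""Audit a simplified pfSense-style config for the out-of-the-box settings in the post."""
import xml.etree.ElementTree as ET

# Constructed sample, loosely modelled on pfSense's config.xml. The layout and tag
# names are an assumption for this example, not a copy of a real config file.
SAMPLE_CONFIG = """<pfsense>
  <system>
    <hostname>fw</hostname>
    <powerd_enable/>
    <powerd_ac_mode>hadp</powerd_ac_mode>
    <crypto_hardware>aesni</crypto_hardware>
  </system>
  <interfaces>
    <wan><if>igb0</if><ipaddr>dhcp</ipaddr></wan>
    <lan><if>igb1</if><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan>
    <opt1><if>igb2</if><descr>MOCA</descr></opt1>
  </interfaces>
  <bridges>
    <bridged><bridgeif>bridge0</bridgeif><members>lan,opt1</members></bridged>
  </bridges>
  <filter>
    <rule><type>pass</type><interface>lan</interface><protocol>any</protocol>
      <source><network>lan</network></source><destination><any/></destination></rule>
  </filter>
  <nat>
    <outbound>
      <mode>hybrid</mode>
      <rule><interface>wan</interface><protocol>udp</protocol>
        <source><network>lan</network></source><dstport>4500</dstport><staticnatport/></rule>
    </outbound>
  </nat>
</pfsense>
"""


def parse_config(xml_text):
    return ET.fromstring(xml_text)


def text(node, path, default=""):
    """Text of the first child at `path`, stripped, or `default` if absent."""
    found = node.find(path)
    return (found.text or "").strip() if found is not None else default


def bridge_members(root):
    """Map each bridge interface to the list of member interfaces it joins."""
    return {
        text(br, "bridgeif"): [m for m in text(br, "members").split(",") if m]
        for br in root.findall("bridges/bridged")
    }


def rule_allows_dhcp(rule):
    """True for a pass rule that is allow-all or that passes UDP to port 67 (DHCP server)."""
    if text(rule, "type") != "pass":
        return False
    proto = text(rule, "protocol", "any")
    if proto == "any" and rule.find("destination/any") is not None:
        return True
    return proto in ("udp", "tcp/udp") and text(rule, "destination/port") == "67"


def port_passes_dhcp(root, iface):
    """Does any firewall rule on `iface` let DHCP requests through?"""
    return any(
        rule_allows_dhcp(r)
        for r in root.findall("filter/rule")
        if text(r, "interface") == iface
    )


def static_port_nat(root, port):
    """Is there an effective static-port outbound NAT rule on wan for udp/`port`?"""
    mode = text(root, "nat/outbound/mode", "automatic")
    if mode not in ("hybrid", "manual"):
        return False  # manual outbound rules are ignored in automatic mode
    for rule in root.findall("nat/outbound/rule"):
        if (text(rule, "interface") == "wan"
                and text(rule, "protocol") in ("udp", "any")
                and text(rule, "dstport") == str(port)
                and rule.find("staticnatport") is not None):
            return True
    return False


def audit(xml_text):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    root = parse_config(xml_text)
    findings = []
    for bridge, members in bridge_members(root).items():
        for member in members:
            if not port_passes_dhcp(root, member):
                findings.append(f"{bridge}: member {member} has no rule passing DHCP (udp/67) or allow-all")
    if not static_port_nat(root, 4500):
        findings.append("no effective static-port outbound NAT on wan for udp/4500 (wifi calling)")
    if root.find("system/powerd_enable") is None or text(root, "system/powerd_ac_mode") != "hadp":
        findings.append("powerd is not enabled with the hiadaptive profile")
    if text(root, "system/crypto_hardware") != "aesni":
        findings.append("AES-NI hardware acceleration is not selected")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG) or ["all checks passed"]:
        print(line)
```

run against the constructed sample it reports exactly one finding: opt1 (the MoCA port in the bridge) has no rule passing DHCP, which is the gotcha from the bridging step. swap the sample for a real config backup once you have confirmed the tag names match your version.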
are there any other out of the box settings you recommend changing?
previous post discussing my hardware search:
https://www.reddit.com/r/PFSENSE/comments/ijxlhj/newer_fanless_pc_coffee_lake/
info on same/similar hardware:
https://www.reddit.com/r/homelab/comments/hzvfih/new_router_i58365u_quad_core_6_intel_nics/