Installing pfSense on brand new hardware – no drivers?

  • @Doktor:

    The problem with hanging an access point off it is that I would then lose my guest network (unless I hang two off there, maybe?). That's really something I'd rather not lose. pfSense has been doing quite well with wifi on my current Atom box using an Atheros wifi card. Sure it's not blazing fast, but the most demanding thing we do on any of our wireless devices is watch YouTube videos, and we spend most of our time on the wired systems anyways.

    If you get an access point that supports a guest network (or, more generally, multiple SSIDs), chances are this is exposed as a separate VLAN, which pfSense can easily deal with. Case in point, I have an Airport Extreme attached to my pfSense box, and the built-in guest network feature works just fine once you figure out what VLAN tag it uses.

  • Netgate Administrator

    The single core CPU will be slower. Although the pf process is single threaded the other processes can be run by the second core. You'll still be far faster than 100Mbps.

    I would have no worries relying on VLANs to separate wan from lan, at least not with a half reliable switch.


  • I like that little router…  I think that plus the switch will be excellent.  Better than average.

  • I think when he gets the switch, he should:

    Take 1 of the ports on either the far left or right and make it the WAN by making that port untagged vlan10 (for instance) but also include tagged vlan10 in that port.  Then label the port with a sticky as WAN.  (Don't include vpid1 here)

    Then take port right next to it and make it a trunk vlan tagged to include vlans 10 and 20 (but not vpid1) and plug that into pfsense.
    Put a sticky label on that as pfsense connection.

    Then make several ports right next to that as vlan untagged vlan20 to act as LAN ports and do include tagged vlan20 + vpid1
    And label those all as LAN.

    Maybe leave a couple ports at the other end of the switch to later use as vlans 30 and 40 for guest networks or whatever.
    Label them.

    Then go into pfsense and set up those vlans and firewall rules.

    What do you think?  Further suggestions stephenw10?  Anyone?  I don't think OP has done this before.

  • What is "vpid1"? Is this referring to the management VLAN?

    This is what I would do on something like a Dell PowerConnect 28xx:

    • create VLAN "WAN" with VLAN ID 10
    • create VLAN "LAN" with VLAN ID 20

    WAN port:

    • make member of VLAN "WAN" only, in untagged mode
    • set PVID (the default VLAN that incoming untagged frames on a given port get assigned to) to 10
    • set ingress filter to allow untagged frames only

    LAN ports:

    • make member of VLAN "LAN" only, in untagged mode
    • set PVID to 20
    • set ingress filter to allow untagged frames only

    pfSense port:

    • make member of both VLANs, both in tagged mode (plus possibly whatever VLAN the switch has its management interface on)
    • PVID doesn't matter (unless the management VLAN has to be untagged)
    • set ingress filter to allow tagged frames only (unless the management VLAN has to be untagged)

    So I guess the main difference is that I see no reason to allow incoming tagged frames on any of the non-trunk ports, and I wouldn't allow LAN ports to access any other VLANs (directly, that is – they could of course still do so through the pfSense box if the firewall rules permit).

  • a vpid is a typo for pvid…  1 is usually the default for management.
    On my switch I include pvid1 on the LAN side so I can access my management gui.
    I also have to allow tagged traffic from the trunk to the untagged ports.

    tagged vlan10 to untagged vlan10 etc...

  • Netgate Administrator


    make it the WAN by making that port untagged vlan10 (for instance) but also include tagged vlan10 in that port.

    Not sure I agree with that, you don't want any tagged packets coming out of the WAN port.  :-\

    There are always terminology issues when dealing with VLANs, manufacturers seem to use different terms for the same thing. It's only going to be confusing speculating here. The only helpful thing to do would be to read the manual for that specific switch and write something based on that. Otherwise I'll just wait for questions.


  • :D Yeah - VLAN terminology varies from device to device.

    On the port we will call WAN, anything that enters that port should be considered VLAN 10 (assuming he decides to call wan vlan10)

    For me, that is done by assigning that port untagged vlan10 and must also allow tagged vlan10.

    I'll read the manual to see if it's the same for him.

    The relevant bits start at:  "Link Types of ports" in that manual.  It's the same as mine.

    The ports connected to non-vlan capable things (that's all but 1 port) all get type "access" and are untagged.  Then 1 is "trunk" and tagged and it's connected to pfsense.  Simple.  I like the "MAC VLAN" function.  I don't need it, but can see where it would be useful.

    I think I see your issue with me including "tagged" packets…  On my switch I can make a port untagged vlan10, but unless I include tagged vlan ID 10 access, it will ignore the traffic that came from the tagged trunk.  That may vary from switch to switch, so yeah - maybe better to try it without first.

  • @kejianshi:

    On my switch I include pvid1 on the LAN side so I can access my management gui.

    If you allow your clients to talk to the VLAN that the management interface is on, why not just use that VLAN for your LAN in the first place?


    I think I see your issue with me including "tagged" packets…  On my switch I can make a port untagged vlan10, but unless I include tagged vlan ID 10 access, it will ignore the traffic that came from the tagged trunk.  That may vary from switch to switch, so yeah - maybe better to try it without first.

    I was specifically talking about ingress filtering of tagged packets, so that wouldn't apply to traffic from other ports.

  • He seems like a smart guy.  I'm sure he will figure it out.  ;)

  • Well unfortunately given my zero prior experience with VLANs, I was unable to make this work. Since I have the venerable WRT54G running my network now, I at least have the stability I need.

    At this point I now have the time to either rebuild a new box or futz with the VLAN thing until I get it working. If someone would have the time and patience to help me figure out what I'm doing wrong with the VLAN setup, I'd love to learn how to do it… otherwise, the hardware build I'm currently considering is so:

    • Jetway mini ITX motherboard with Atom D2550 and dual onboard RTL8111E NIC
    • Jetway daughterboard with 3x Intel 82541 NIC
    • 4GB DDR3-1066 CL7 RAM

    Existing SSD
    Existing Mini PCIe WiFi card (though I plan to consider hanging an access point off this eventually, for 802.11n or ac joy)

    Thoughts, either way?

  • Netgate Administrator

    Since you already have the switch I would try to get VLANs working first.
    What have you tried? What did it do? What did you expect it to do?


  • Time to get that experience with VLANS now.  Could you post your VLAN switch setup as it is now?  You might need to post a couple of screens to show the whole configuration.

  • I'll have to get those tonight. The gist is:

    Port 1: ACCESS VLAN 10 only (cable modem goes here)
    Port 2: TRUNK VLAN 10,20 (pfsense box goes here)
    Port 3-7: GENERAL VLAN 20 (misc LAN connections)
    Port 8: GENERAL VLAN 1,20 ("management" port for web GUI access)

    IIRC, all ports except 2 are set to UNTAG, and 2 is TAG.

    In pfsense, I created two VLAN interfaces on re0 (the physical port), one with VLAN ID 10 and one with VLAN ID 20, then set those as the appropriate WAN/LAN networks.

    Does this sound about right, or does something sound terribly wrong with it? I was able to plug into port 8, and access the pfsense box on port 2, but pfsense wasn't getting a WAN IP.

  • They call those "general" and not untagged "access"?

  • (on this switch, anyways:) "ACCESS" can only be assigned to one VLAN, and I believe is UNTAG only.

    The big problem I ran into is that the router's WAN VLAN wouldn't get an IP address from the cable modem… and then I just kinda stopped there because without a WAN IP this setup isn't going to do me much good.

  • You can get an IP, I'm pretty sure.  You just need to figure out how.

  • Netgate Administrator

    See this is exactly why there's always confusion using VLANs.  ::)
    I confess I always kind of muddle through when setting up VLANs, there always seem to be at least three ways of doing the same thing. The concept of the PVID seems completely superfluous when you can set the ID tag specifically. I am open to being corrected here, and I imagine a much more complex network may require (or at least utilise) these features.

    The settings you have made don't look obviously wrong. I'll re-read the manual while waiting for screen shots.


  • Well - He would have to have the pfsense set up properly and the switch in order to get an IP.  I really do think this is just a temporary setback.  It makes no sense that someone would make a switch that couldn't have more than 1 untagged access vlan.  It did take me a couple minutes to wrap my mind around it, but only a couple.  Someone could also set this up via teamviewer and let him watch how it's done once.  I've done that a few times also.

  • If someone would be willing to do the Teamviewer thing, I'd greatly appreciate it. I could plug the switch's WAN port into the WRT54G's LAN so we can play with it without interrupting the network for everyone else in the house. Both my cable connection and the WRT54G LAN give DHCP-assigned IP addresses, and the WRT54G's range (192.168.1.x) is completely different from where I have my pfSense box set (10.0.x.x) so that shouldn't conflict.

    Even if I could get someone in IM or IRC so we could discuss what's going on live instead of spamming the forums, that'd probably go a long ways :)

    (BTW, I got home late last night and basically just fed the cats and passed out, so I didn't get to set up the hardware or get screenshots – sorry)

  • Netgate Administrator

    Ok, read the manual (we are talking about the TL-SG3210 V1 here?). It's actually refreshingly informative though it still seems needlessly complex to me.  ::)

    I would do this using only access ports and one trunk port. Since you have more ports than you need (at least at this stage) I would reserve one port to be the management port, that way you can always get back into the switch webgui using a different machine connected to it. It should be possible to use VLAN1 as the LAN interface and that way have access to the switch webgui from any LAN client but doing so is never recommended. This is because the management VLAN, VLAN1, is treated differently by the switch than any other and weird things can happen if you're not paying attention.
    So configure your switch much as is shown in the example in the manual, section 6.4. It's only slightly different to your own config posted earlier:

    Port 1: ACCESS VLAN 10    (cable modem goes here)
    Port 2: TRUNK VLAN 10,20    (pfsense box goes here)
    Port 3-7: ACCESS VLAN 20    (misc LAN connections)
    Port 8: ACCESS VLAN 1  ("management" port for web GUI access)

    I guess the two SFP ports are 9 and 10? You can probably leave them as default which you will notice is also the status of port 8.

    Using access ports instead of general removes a lot of the possibility of errors. The PVID of the access ports is automatically set to the VLAN it's assigned to and the PVID of the trunk port should not matter since it should never see any untagged packets.

    The only thing that concerns me slightly is that in your previous config the pfSense box should have been able to talk to the modem. The other VLANs may or may not have worked depending on how you had configured the general ports. :-\

    I'm very open to being corrected on this.  :)

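An added illustration, written for this thread and not part of any post above: a small Python model of the access/trunk port rules the posts describe (tagged-only ingress filtering on the trunk, untagged-only ingress on access ports, PVID classification, tag stripping on access-port egress), run over constructed 802.1Q frames with the port layout just posted (port 1 access VLAN 10, port 2 trunk VLAN 10/20, ports 3-7 access VLAN 20, port 8 access VLAN 1). It shows why a tagged frame arriving on, or leaving, the WAN port is dropped rather than leaked, and why the management VLAN 1 never appears on the trunk. The MAC addresses, payloads and the `forward()` flood helper are assumptions made for the example; real switches also learn MACs and forward unicast selectively, which is omitted here.

```python
"""Added example, not from the thread or the switch vendor: 802.1Q tag parsing
plus a minimal access/trunk port model using the VLAN layout posted above."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


@dataclass
class Frame:
    dst: bytes
    src: bytes
    vid: Optional[int]  # None means the frame arrived untagged
    ethertype: int
    payload: bytes


def build_frame(dst: bytes, src: bytes, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Construct an Ethernet II frame, optionally with an 802.1Q tag (test data only)."""
    hdr = dst + src
    if vid is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)          # PCP (3 bits) | DEI (1) | VID (12)
        hdr += TPID_8021Q.to_bytes(2, "big") + tci.to_bytes(2, "big")
    return hdr + (0x0800).to_bytes(2, "big") + payload   # inner EtherType: IPv4


def parse_frame(raw: bytes) -> Frame:
    """Parse an Ethernet II frame and pull the VID out of the 802.1Q tag if present."""
    if len(raw) < 14:
        raise ValueError("frame too short")
    dst, src = raw[0:6], raw[6:12]
    ethertype = int.from_bytes(raw[12:14], "big")
    if ethertype != TPID_8021Q:
        return Frame(dst, src, None, ethertype, raw[14:])
    if len(raw) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci = int.from_bytes(raw[14:16], "big")
    vid = tci & 0x0FFF                              # mask off PCP/DEI
    inner_type = int.from_bytes(raw[16:18], "big")
    return Frame(dst, src, vid, inner_type, raw[18:])


@dataclass
class Port:
    number: int
    mode: str                 # "access" or "trunk"
    vlans: frozenset[int]     # VLANs this port is a member of
    pvid: int                 # VLAN assigned to untagged ingress frames

    def ingress(self, f: Frame) -> Optional[int]:
        """Classify an incoming frame into a VLAN, or return None if it is dropped."""
        if self.mode == "access":
            # Access ports accept untagged frames only; they become the PVID.
            return self.pvid if f.vid is None else None
        # Trunk ports accept tagged frames only, and only for member VLANs.
        if f.vid is None or f.vid not in self.vlans:
            return None
        return f.vid

    def egress(self, vid: int) -> Optional[bool]:
        """True = leaves tagged, False = leaves untagged, None = not forwarded here."""
        if vid not in self.vlans:
            return None
        return self.mode == "trunk"


# Port layout from the thread (ports 4-7 omitted; they match port 3).
SWITCH = {
    1: Port(1, "access", frozenset({10}), 10),      # cable modem (WAN)
    2: Port(2, "trunk", frozenset({10, 20}), 1),    # pfSense re0; PVID irrelevant
    3: Port(3, "access", frozenset({20}), 20),      # LAN client
    8: Port(8, "access", frozenset({1}), 1),        # management-only port
}


def forward(in_port: int, raw: bytes) -> dict[int, bool]:
    """Flood a frame within its VLAN; map each receiving port to tagged(True)/untagged(False)."""
    vid = SWITCH[in_port].ingress(parse_frame(raw))
    if vid is None:
        return {}
    out = {}
    for n, p in SWITCH.items():
        if n == in_port:
            continue
        mode = p.egress(vid)
        if mode is not None:
            out[n] = mode
    return out


if __name__ == "__main__":
    modem, pfsense = bytes.fromhex("00aa00aa00aa"), bytes.fromhex("00bb00bb00bb")
    print("modem untagged ->", forward(1, build_frame(pfsense, modem, b"offer")))
    print("pfSense vid10  ->", forward(2, build_frame(modem, pfsense, b"discover", vid=10)))
    print("pfSense vid1   ->", forward(2, build_frame(modem, pfsense, b"mgmt", vid=1)))
```

Run it as-is to see that an untagged DHCP frame from the modem reaches only the trunk (tagged VID 10), that pfSense's VID 10 reply is delivered to the modem untagged, and that a frame tagged VID 1 from the pfSense side is dropped at the trunk because VLAN 1 is not a trunk member. On the pfSense side the matching configuration is the two VLAN interfaces on re0 (tags 10 and 20) already described in the thread.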

  • I think you know what you are talking about stephenw10.  I could jump on and correct the setup using your outline via teamviewer, but I was sort of thinking someone else might enjoy the experience.  I don't see a reason why this won't work.  If no one else gets into it in a day or so, I'll have free time for that by then.
