How to Setup pfsense router for this network?



  • Hi folks,

    very impressed with what I have seen of this software so far !!

    I have a problem though in getting my network set up to run under a pfsense router.

    THIS is what I have at present :

    INCOMING WIFI - Mikrotik Grid set @ 192.168.1.1, supplies all dhcp to LAN (Network is at 2MBPS)

    (pfsense router needs to come here)

    From the pfsense I split off to :

    1.  Billion 400g router set @ 192.168.1.2 
    Wireless to –-> PC 1
    Wireless to ---> PC 2
    Port 1  --->  PC 3
    Port 2  --->  PC 4
    Port 3  --->  LAN 2 --->  HUB 4-PORT  --->  Port 1  --->  PC 5
                                                                --->  Port 2  --->  PC 6
                                                                --->  Port 3  --->  PC 7
                                                                --->  Port 4  --->  PC 8
    Port 4 --->  LAN 3 ---> Nanobeam M5-19 set @ 192.168.1.21 connects wireless to Nanobeam M5-19 set @ 192.168.1.22 ---> (2)

    (2)  D-link 2750U set @ 192.168.1.3 --->
    Port 1  --->  PC 9
    Wireless to  ---> PC 10
    Wireless to  ---> PC 11

    My main problem is obvious - WHAT settings do I use for :

    1.  the WAN port on the pfsense router ?

    2. the LAN port on the pfsense router ?

    3. and then for the rest in sequence,

    1.  Billion 400g              (192.168.1.2)
                    2.  First nanobeam        (192.168.1.21)
                    3.  Second nanobeam  ( 192.168.1.22)
                    4.  D-link router            ( 192.168.1.3)

    I would presume the settings on all the PC's would stay the same e.g. (Obtain IP address automatically)

    The main reason I want to implement the pfsense in here is to be able to control Internet UP/DOWN speed for all devices on the Network, i.e.

    All devices on the D-link must only be able to use 1MBPS.

    The rest all on full network speed.

    Can this be done using pfsense ?

    Thanks for the forums,

    TG



  • 5 routers for 9 clients?  What's up with that?

    1. If your Mikrotik dishes out DHCP on its LAN port, then you would set your pfSense WAN port to DHCP.

    2. pfSense LAN port 192.168.1.2/24 and OPT1 port 192.168.1.3

    3.  Billion 400g (192.168.2.2), D-link router (192.168.3.2)

    Are the nanobeams DHCP or static?  Hard to know what to do with them without more info.

    This would be a lot easier if you could get rid of some of these extra routers and replace them with switches.



  • ummmm…

    There ARENT 5 routers here ... theres ONE router at the central location, thats the Billion...

    and ONE router at the remote location - 4km away .., thats the d-link ... the D-link is connected to the central via two nano's??

    its a very simple setup, and switches cannot be used as how do you supply wireless then ??

    And NOTHING is set for dhcp on the network, everything is supplied by the Mikrotik.

    Remember the billion and the D-link are in essence switches now.



  • You have the Microtik, pfSense, Billion, DLink… that's 4 right there.  I thought the nanobeams were routers also, or are they transceivers?  Of course you would need a wireless router to act as an AP.


  • Netgate Administrator

    There doesn't in fact appear to be any routers shown here! All these devices are in the same subnet so I assume they're acting as access points and switches.
    Only the main microtik device is probably routing but that isn't shown. 'Mikrotik Grid', what do you mean by that exactly? I assume it's a router with a wireless WAN side using a grid antenna?

    Because all these devices are in the same subnet limiting some but not others becomes tricky. I would be much easier to use two internal interfaces in the pfSense box, one limited one not.

    I would be tempted to replace the Microtik device with pfSense but that may not be possible if it is using wifi directly.

    Steve



  • IMHO it should be fairly easy to insert pfSense in this setup, IF I understood the setup correctly.

    The Microtik connects to the WAN port of pfSense, and the WAN is configured to get it's IP through DHCP.
    The LAN port of pfSense connects to the Billion (that is used as a dumb switch?), pfSense LAN side should have a different IP range, and you need to configure it to hand out IP addresses in that different range.  (all devices behind pfSense should get an IP from pfSense, and have pfSense as its gateway)
    Make sure NAT is on (it is by default)

    Basicly you will be NAT'ing twice, but I think that won't be a problem (as long as you don't need vpn's, dyndns, or things like that)

    Add some rules to allow traffic, and you should be going again as before.

    Then you can start playing with the limiter…

    Happy toying...  ;D



  • Stephenw10 you have it exactly, there IS at this stage only the Mikrotik that is acting as a router, that is a Grid Antenna receiving the Wireless signal and passing it on to the network.

    the rest are simply switches yes.

    Stephenw10 so what you are saying is I should maybe put another LAN card in the pfsense and split the network THERE so that the link to the billion and the d-link are separate ? In essence the devices on the d-link are the ones that needs speed limits imposed.

    Yes I see the sense in that …. also means that when the NEXT office comes online soon, I can put a switch in and drop BOTH offices from the one LAN card as they both need the same rules.

    Yet you say "(all devices behind pfSense should get an IP from pfSense, and have pfSense as its gateway)" - ??? that means I would have TWO routers with dhcp ?? pfsense AND the Mikrotik ??
    If that is the case surely it is going to cause problems?


  • Netgate Administrator

    Yes, it's much easier to apply rules to an interface especially if the clients you're trying to filter are using DHCP and hence may change IP address. This also offers real separation between the two internal networks, much better security. If you're adding further networks you may want that on a futher separate interface. You can always add rules to allow the network to talk to one another but you can't segregate them later if they're all the same network segment.

    I have no idea what sort of distances you're operating over here but often in this sort of situation using VLANs and appropriate managed switches can makes things easier or at least allow you to do things with only the existing cabling that wouldn't otherwise be possible.

    Normally I would suggest getting brave and trying one of your routers with OpenWRT and using that for VLANs but neither of yours appears compatible.  :(

    DHCP should not be a problem since devices behind pfSense will only see the pfSense DHCP servers. Only the pfSense WAN interface will see the Microtik DHCP server.

    Keeping things simple is key for an easy life here, minimise the number of devices you have. What will the Microtik router actually be doing in this setup?

    Steve