Newbie Questions. Setup even possible.. or practical?
I need your help with regards to finding out if my theoretical network setup is possible (or practical) with pfSense, and some tips as to Hardware requirements for throughput. Please bear in mind that I am not that Linux or BSD savvy. My main OS for daily use is Ubuntu, but I would call myself an intermediate user.
Anyway; I would like a pfSense box with WiFi capabilities, so it would be acting like a router/firewall and access point. The connection is a fiber optic 75/75mbit connection. No kind of special hardware required from the ISP. Previously I have used a flashed Linksys Router with DD-WRT. I am guessing I would need hardware with 3 ports, and two switches.
I would like pfSense to handle 4 network with different IP ranges.
LAN #1 ("Normal" LAN wired - 10.1.0.10-255)
Wifi #1 ("Normal" WiFi - 10.1.1.10-255)
LAN #2 (VPN'ed LAN, wired - 10.2.0.10-255)
LAN #2 (VPN'ed WiFi - 10.2.1.10-255)
Traffic on the #1 Network (LAN & WiFi) will be "normal". I.E, the generic type of plug and play using ISP DNS server etc. Traffic on #2 will be sent though a 3rd party VPN. I have confirmed with my VPN provider that pfSense is supported by them.
To make things … a litte more "interesting" (and yes, less secure) i need what I am guessing what is called Keyhole access from network #1 to network #2. It will be very specific (i.e. this ip can access that ip though this port only). I addition, one of the components on LAN #1 is a NAS, which i need access to from outside by means of normal NAT (webserver, picture server, cloud, contacts, calendar etc). Btw, this NAS has two NIC, if that makes things easier to configure. But in that case. hHw?
In terms of hardware, I have been looking at ALIX systems, which I have gathered are quite popular, more specifically the APU.1C4 (http://www.mini-box.com/ALIX-APU-1C4-AMD-G-Series-T40E?sc=8&category=1361). But for this setup I am having a hard time gathering what kind of WiFi chip to get, as there is some problems with one of them?!… I am guessting that around 10 devices in total will be connected; Laptops, NAS, Smart TV, Sonos devices, mobile phones, tablets.
Recommendations and guidance is greatly appreciated.
I can atleast answer you on your theoretical network setup. Your thoughts on four different subnets, VPN setup, NAT and "keyhole" access is fully doable. It is OpenVPN you are considering using? Remember, when you have two different wired subnets, you either need a switch with VLAN capabilites or a dedicated switch for each subnet.
Regarding NAT and your NAS, it doesn't matter if it has one or two NICs. Use regular port forwarding rules in pfSense to access your NAS from the outside. But I would rather recommend that you setup OpenVPN Server on the pfSense, to access your NAS remotely. More secure.
Hope this helps a little bit :)
One other small suggestion, it's likely you'll get much better performance and compatibility on the WiFi side of things if you consider using an access point rather than a wireless NIC.
Even if you need two AP's in order to support your multiple LAN reqt's, it's been my experience that the compatibility, configuration and maintenance of the AP's is far easier to handle than the embedded NIC's.
You might even be able to use your old router as one of the access points (just make sure and disable DHCP).
Thank you for your inputs. I will have a switch for each wired subnet, and yes - it is OpenVPN to a reputable 3rd party provider.
As for the 2 different AP - I would greatly prefer to have pfSense handle both the routing, firewall and wifi connection if possible, unless the performance is really going to suffer. Having 1 pfSense Firewall, 2 swtiches and 2 access points is… a lot of equipment, and I'd rather not use proprietary router software for anything. I know DD-WRT is an option, but I would still prefer having pfSense handle everything.
The idea of using a separate WiFi access point is (in my mind) based on the idea that the AP has to handle the "wireless" part of the connection in the external box or the internal card, no matter which setup you choose.
The advantage of the internal card is you theoretically get more control of the cards internal properties - although support for the cards is sporadic in some cases. Integrating the network forwarding and routing control is done like any other interface.
The external AP is already designed to be "self-supporting" and the internal config has to allow config of the wireless part. The networking issues are normally handled through the simple expedient of disabling the AP's DHCP and any forwarding functions, UPnp, etc. Doesn't DD-Wrt have an AP only mode?
Personally I have no problem setting up AP's in this mode and treating them like an "extension switch" on my LAN networks with the ability to rely on pfSense for the rest of my firewalling/routing control.
Just my $.02 ;)