Prospective pfSense Deployment



  • Hey all,

    I'm thinking of setting up a pfSense machine this weekend, as (for once) I am not overloaded with schoolwork and feel up to the challenge of configuring a new network system. I currently have a Linksys EA3500 router running and serving as my primary firewall/ethernet+wireless router. It features the stock Linksys Smart Wi-fi firmware, which is fairly primitive and a little on the gimmicky side. To my knowledge, the chipset in this router is not currently hackable with either DD-WRT or OpenWRT. The computer to be potentially used as the pfSense machine is an HP Compaq small form factor, with an Intel Core 2 Duo and generally decent specs given the demands of pfSense. I would add in an ASUS PCE-N53 card (I haven't yet opened up the PC to see if there is a PCI-E x1 slot for it, but if there were not I would be willing to purchase a card) to provide it with wireless capabilities.

    My question is, would this be worth it? I am wondering whether or not the trouble of configuring everything would actually provide tangible performance/consistency benefits over the current setup. There are no major issues with the present hardware in terms of wireless drops.

    Thank you for your time!



  • My vote would be to set up pfSense as the main router/firewall and attach the Linksys on a separate NIC card as an AP only.

    You could put the AP on the main LAN NIC, but isolating it off on its own subnet lets you divide and conquer the wireless traffic vs wired.

    Let pfSense do its job as a router. Wireless NICs can be made to work, but any $40 wireless AP is going to be easier to set up and control. Not to mention it's typically more reliable and effective in the long run.

    You've picked a great weekend job, go ahead and get your fingers dirty - you'll never look back  ;)



  • One of the many nice things about pfSense is that it is rather easy to set up (provided you have some basic understanding of TCP/IP and how your ISP wants you to connect), but, at the same time, provides many advanced features which you can play around with.

    In other words, you either already know everything about routing and stuff and can put the knowledge to work with pfSense - or you can learn a lot about routing and stuff.

    Plus, with decent hardware, pfSense can easily outperform the typical home router in many situations. BitTorrent traffic, for example: when installed, Vuze is configured to "play it easy" in order not to overload your router. Bleh. With 2GB in your pfSense box, you can set most options in Vuze to "unlimited" and get a hundred torrents running at the same time. Of course, the BT traffic will occupy most of your WAN bandwidth, so the next thing you will be interested in is the traffic shaper. I like HFSC. Not quite easy to set up, but quite rewarding, IMHO. Yes, you will notice additional lag when playing online FPSes while simultaneously saturating your link with BT traffic, but it will still be usable.



  • Thanks to both of you for your replies. I configured my network as suggested (with pfSense running on the PC and the router serving as an AP). All seems to be working soundly, and has been stable since it first went up 6 days ago.

    I do, however, have one small question. I have a Fonera 2100 serving as a wireless bridge (it receives the wifi signal from the AP, and is plugged in via ethernet to a client computer to which it provides connectivity). It is running Gargoyle 1.2.9 and has been working perfectly even prior to my configuring pfSense last week, except with one small issue (both before and after pfSense): when I boot up the computer to which it is connected, it initially cannot connect to the Internet. I had some difficulty figuring out why this was, but funnily enough (and for the first and probably last time, ever) the Windows Troubleshooter was able to resolve the issue while stating: "'Ethernet' does not have a valid IP configuration". It seems as though the troubleshooter allows for the computer to be assigned a DHCP lease each time. Having to run the troubleshooter for the ~30 seconds or so it takes upon boot-up is a little on the tedious side, though. Is there any way I can resolve this issue permanently through pfSense, or perhaps the Linksys AP? Do I assign a static IP to the wireless bridge? (I have it configured in Gargoyle to run on 192.168.1.7, but it is possible pfSense is also assigning it a separate IP within the DHCP range. Is this an issue?)

    Many thanks!



  • It sounds like Windows tries DHCP to get an IP address but it times out, and then when Windows gives up it drops back to a link-local address (in 169.254.0.0/16).
    You should just have 1 place that gives out DHCP on the (bridged) LAN as a whole. Turn off any DHCP server on that Gargoyle ethernet-WiFi bridge.
    Do some packet capture on pfSense LAN to see if port 67/68 request/response packets from the offending computer are actually seen at pfSense during the boot. Maybe the WiFi bridge is asleep when the computer starts to boot, wakes up when it sees its attached ethernet cable become active, but does not establish the bridge fast enough to pass the DHCP requests, or the MAC address of the PC is not learnt immediately by the bridge devices and so replies from pfSense are not bridged back to the PC, or ???

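As an added illustration of the packet-capture check suggested in the reply above (this is example code written for this page, not something from the thread or from pfSense itself): it takes one-line BOOTP/DHCP output of the kind `tcpdump -n port 67 or port 68` prints on the pfSense LAN interface, pairs each request from the client's MAC with the reply that follows it, and says which of the three situations you are in. The client MAC, timestamps, addresses and the two capture samples are constructed for the example, and the pairing is by time only (non-verbose tcpdump replies do not show the client MAC), so it assumes the capture was narrowed to the one client being investigated.

```python
import re

# Hypothetical MAC of the PC sitting behind the wireless bridge (constructed).
CLIENT_MAC = "00:1a:2b:3c:4d:5e"

# Constructed sample in the style of tcpdump's one-line BOOTP/DHCP output,
# as seen on the pfSense LAN interface: every request gets a reply.
CAPTURE_ANSWERED = """\
08:00:01.000000 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:1a:2b:3c:4d:5e, length 300
08:00:01.004000 IP 192.168.1.1.67 > 192.168.1.150.68: BOOTP/DHCP, Reply, length 300
08:00:01.010000 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:1a:2b:3c:4d:5e, length 300
08:00:01.013000 IP 192.168.1.1.67 > 192.168.1.150.68: BOOTP/DHCP, Reply, length 300
"""

# Constructed sample for the same boot window in which nothing from the client
# arrives at pfSense at all; only another (made-up) host renews its lease.
CAPTURE_SILENT = """\
08:00:30.000000 IP 192.168.1.120.68 > 192.168.1.1.67: BOOTP/DHCP, Request from 00:aa:bb:cc:dd:ee, length 300
08:00:30.002000 IP 192.168.1.1.67 > 192.168.1.120.68: BOOTP/DHCP, Reply, length 300
"""

# Timestamp, "Request"/"Reply", and (for requests only) the client MAC.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP \S+ > \S+: BOOTP/DHCP, "
    r"(?P<kind>Request|Reply)(?: from (?P<mac>[0-9a-f:]{17}))?"
)


def _seconds(ts):
    """Convert HH:MM:SS.ffffff into seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_capture(text):
    """Turn capture lines into (time, kind, mac) tuples; lines that are not DHCP are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((_seconds(m["ts"]), m["kind"], m["mac"]))
    return events


def analyze(text, client_mac, reply_timeout=2.0):
    """Pair each request from client_mac with the next unclaimed reply that follows it
    within reply_timeout seconds and summarise what pfSense saw during the boot."""
    events = parse_capture(text)
    replies = [t for t, kind, _ in events if kind == "Reply"]
    requests = [t for t, kind, mac in events if kind == "Request" and mac == client_mac]
    answered = 0
    for req_t in requests:
        for i, rep_t in enumerate(replies):
            if req_t < rep_t <= req_t + reply_timeout:
                answered += 1
                del replies[i]  # a reply answers only one request
                break
    unanswered = len(requests) - answered
    if not requests:
        verdict = ("no DHCP requests from the client reached pfSense: they are lost before "
                   "the LAN interface (bridge not forwarding yet?)")
    elif unanswered:
        verdict = (f"{unanswered} request(s) reached pfSense but got no reply within "
                   f"{reply_timeout}s: check the DHCP server and pool on this interface")
    else:
        verdict = ("every request was answered by pfSense: if the client still fails, the "
                   "replies are being dropped on the way back (bridge MAC learning?)")
    return {"requests": len(requests), "answered": answered,
            "unanswered": unanswered, "verdict": verdict}


if __name__ == "__main__":
    for name, capture in (("answered", CAPTURE_ANSWERED), ("silent", CAPTURE_SILENT)):
        print(name, analyze(capture, CLIENT_MAC))
```

Run it against a real capture by saving the tcpdump output to a file and passing its contents to `analyze()`; the three verdicts map onto the three explanations offered in the reply (requests never arrive, requests arrive but are not answered, requests are answered but the answer never makes it back through the bridge).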

  • Netgate Administrator

    If you have assigned the Fonera device a static IP in its configuration then it won't be asking for another one from pfSense via DHCP. However you need to make sure that IP is outside the DHCP range pfSense is using on that interface otherwise you may end up with duplicate IPs and the inherent errors that causes. There is usually something in the logs to indicate that though.

    If it's just one machine at the end of the wireless bridge you could assign that a static IP also. Then it will just not work for the time it takes to establish the bridge but will function fine after that without any intervention.

    Steve
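To make the "static address outside the pool" rule above concrete, here is an added example (written for this page, not code from the thread or from pfSense) that checks a set of hand-assigned addresses against the LAN subnet, the pfSense LAN address, the DHCP pool and the current lease table. The only value taken from the thread is the bridge's 192.168.1.7; the /24 subnet, the pool bounds, the second static device and the lease entries are constructed for the example.

```python
import ipaddress

# Constructed LAN plan: pfSense LAN 192.168.1.1/24 with a DHCP pool of
# 192.168.1.100-192.168.1.199 (assumed values, not from the thread).
LAN = ipaddress.ip_network("192.168.1.0/24")
GATEWAY = ipaddress.ip_address("192.168.1.1")
POOL_START = ipaddress.ip_address("192.168.1.100")
POOL_END = ipaddress.ip_address("192.168.1.199")

# Devices whose addresses are set by hand in their own configuration.
# "fonera-bridge" is the address from the thread; "client-pc" is hypothetical.
STATIC_DEVICES = {
    "fonera-bridge": "192.168.1.7",
    "client-pc": "192.168.1.8",
}

# Constructed excerpt of a DHCP lease table: (ip, mac, hostname).
LEASES = [
    ("192.168.1.150", "00:aa:bb:cc:dd:ee", "laptop"),
    ("192.168.1.151", "00:11:22:33:44:55", "phone"),
]


def in_pool(ip, start=POOL_START, end=POOL_END):
    """True when ip could be handed out by the DHCP server."""
    return start <= ip <= end


def check_static_addresses(static_devices, leases, lan=LAN, gateway=GATEWAY):
    """Return (device, problem) findings for every hand-assigned address that can
    collide with something else on the LAN; an empty list means the plan is clean."""
    findings = []
    seen = {}
    leased = {ipaddress.ip_address(ip): (mac, host) for ip, mac, host in leases}
    for name, addr in static_devices.items():
        ip = ipaddress.ip_address(addr)
        if ip not in lan:
            findings.append((name, f"{ip} is not inside the LAN subnet {lan}"))
            continue
        if ip == gateway:
            findings.append((name, f"{ip} collides with the pfSense LAN address"))
        if in_pool(ip):
            findings.append((name, f"{ip} lies inside the DHCP pool {POOL_START}-{POOL_END}; "
                                   "pfSense may hand it to another host"))
        if ip in leased:
            mac, host = leased[ip]
            findings.append((name, f"{ip} is already leased to {host} ({mac}): duplicate address"))
        if ip in seen:
            findings.append((name, f"{ip} is also assigned to {seen[ip]}"))
        seen.setdefault(ip, name)
    return findings


if __name__ == "__main__":
    for device, problem in check_static_addresses(STATIC_DEVICES, LEASES) or [("-", "no problems found")]:
        print(f"{device}: {problem}")
```

With the constructed pool, 192.168.1.7 is fine; moving a static device to 192.168.1.150 would be reported twice (inside the pool, and currently leased to "laptop"), which is exactly the duplicate-address situation the reply warns about.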