My new firewall build



  • Hi Forum

    I am planning on building my first pfsense firewall. I plan on closely following this guide:

    http://www.get-virtual.net/2014/09/16/build-firewall-appliance/

    To summarise, I'll be using the following hardware:

    • ALIX APU1D4 board (in the article he uses the APU1C4)

    • ALIX APU 1C4 casing (black!)

    • Kingston SSDNow 60GB mSATA 6Gbps SSD

    • mini-PCIe wi-fi Adapter Compex WLE200NX a/b/g/n

    • 2x TP-Link TL-ANT2408CL (2,4 GHz, 8 dBi)

    • 2x UFL/IPX to RP SMA pigtail (~15cm length)

    Some questions:

    • I'm a bit out of touch with wifi, is this a good wifi card that covers all the new wifi signals?

    • I'm really excited about pfsense 2.2 since it is based on FreeBSD 10.1 (I run a server based on this at home) so will I be able to upgrade from 2.1 to 2.2 with this setup?

    • I assume with 4GB of RAM that I can run Squid and Snort on this box? I went with a 60GB SSD since it was only a little bit more in price

    • Is the ALIX APU1D4 board ok with pfsense 2.1 (and 2.2)?

    • I'm not so sure about Kingston for the SSD drive (I have had their USB drives fail on my before), are there any other good/compatible SSD drives I can use in this setup? Would need to be 60GB.

    Any comments or concerns about this build? In the beginning I'll be using it with 8MB ADSL broadband. Later on (when available) I'll be moving over to 50MB fibre.

    The main thing I am unsure of is the wifi card and the upgrade to pfsense 2.2 but would appreciate any feedback on the entire build!

    Thank you!  8)



  • The hardware selection should be fine to take care of 50Mbps (https://www.pfsense.org/hardware/)

    If you want to be involved in testing, you can install 2.2Beta. Squid and Snort should run with 4 GB of RAM I let other more expert to provide more informations.

    Said that, my only concern is the Wi-Fi adapter, personally I would buy a Wi-Fi router to be used as AP and wired to pfsense, maybe one compatible with DD-WRT and/or openWRT firmwares.

    pfSense has limited wi-fi capabilities, better use it as wired firewall/router.



  • @Wolf666:

    The hardware selection should be fine to take care of 50Mbps (https://www.pfsense.org/hardware/)

    If you want to be involved in testing, you can install 2.2Beta. Squid and Snort should run with 4 GB of RAM I let other more expert to provide more informations.

    Said that, my only concern is the Wi-Fi adapter, personally I would buy a Wi-Fi router to be used as AP and wired to pfsense, maybe one compatible with DD-WRT and/or openWRT firmwares.

    pfSense has limited wi-fi capabilities, better use it as wired firewall/router.

    I am happy to give 2.2 Beta a test run  :) From what I understand it'll have much better wifi support since pfsense is based on FreeBSD 10 (or 10.1)?

    I am keen to hear what others think of running Squid and Snort on this setup with 4GB RAM.

    Yeah, I am concerned about the wifi adapter too. I do want something that can do b/g/n. Can anyone recommend a wifi card that will work with pfsense 2.1…or even 2.2? I guess I could use my DrayTek 2820 as a wifi access point? I was hoping for the pfsense firewall to replace the Draytek altogether!

    Can you recommend a wifi router that will play nice with pfsense?



  • I am using a Netgear R7000 with DD-WRT firmware (kong's build), in AP mode.



  • @zarje:

    I am keen to hear what others think of running Squid and Snort on this setup with 4GB RAM.

    For home or SOHO? No problem with snort. Squid is a completely different story…



  • @chemlud:

    @zarje:

    I am keen to hear what others think of running Squid and Snort on this setup with 4GB RAM.

    For home or SOHO? No problem with snort. Squid is a completely different story…

    Its for home but I host a "production" server at home. I host two domains for email…one is my own and the other is for someones business. It only has about 6 or 7 users on it.



  • So I have been giving this some thought  :)

    Currently I have a DrayTek 2820vn ADSL router which has wifi on it. What I was thinking was to carry on using the DrayTek as it is (ie: use the ADSL modem and wifi on it) but then connect the pfsense WAN port to a LAN port on the DrayTek. Then I would enable the DMZ host on the DrayTek and point it to the IP address on the WAN port of the pfsense box.

    So why do this? Well:

    1. I can use the DrayTek for wifi

    2. I can use the ADSL modem on the DrayTek (I didn't want to buy a new ADSL modem for the pfsense box since I'll have fibre in 6 - 9 months)

    3. I can then use the pfsense box purely as a firewall (and not have to buy wifi cards, aerials, etc)

    Would this setup work?



  • Greetings,

    pfSense router connected to your DrayTek ADSL router's LAN side will still amount to double NAT whether you enable DMZ or not.
    That configuration will probably work for a web server hosted on your LAN but other protocols such as SIP used in VOIP would most likely fail.
    All in all it's truly not a great solution; you are better off turning off the NAT gateway/router/firewall functionality on your DrayTek and use it as a simple modem or gateway (sorry for the terminology, unfortunately nowadays vendors/ISP use a rich and colorful vocabulary to impress their clients. The most accurate expression should be "use DrayTek as a ADSL to ethernet modem from which you get one public IP address")

    Doing so, you would have eliminated your wifi access as it probably needs the NAT router functionality on the DrayTek to function. Instead get yourself an inexpensive plain wifi access point ($20 AP good for web access, $50-60 very good for even video streaming from netflix or hulu plus, amazon, etc)

    Alternatively, you can run your ADSL router in its full capacity (with NAT, wifi etc) and use pfSense as a bridged firewall, but your wifi users wouldn't benefit of the firewallin capabilities of pfSense, and frankly something like untangle free version is a better alternative, and easier to setup/use compared to pfSense if all you want to do on that box is firewalling/filtering.

    As a side note, why don't you consider hosting your production machine(s) on a VPS (DigitalOcean or Linodes). In the long run they are more capable, cost effective, and dependable than anything you can build around a consumer grade home network.
    For instance, on DigitalOcean, for $5/month you can run a full blast Debian server with Webmin/Virtualmin and setup 3-4 virtual hosts with full service email, apache2 or nginx based wordpress, etc. Who knows, that might eliminate the need for running a machine 24/7 at home and pay for the modest $60/year DigitalOcean bill. Food for thought …

    Hope my 2 cents help.
    Halea



  • Why hello Halea! And thanks for the post.

    Aaah yes, double NAT, that does sound terrible  ::)

    you are better off turning off the NAT gateway/router/firewall functionality on your DrayTek and use it as a simple modem or gateway

    Its so funny you should mention this as I was just looking into it. I was reading:

    http://www.i-helpdesk.com.au/index.php?/Knowledgebase/Article/View/354/2/how-can-i-configure-my-vigor-router–in-bridged-mode

    Ok, lets simplify this: Lets forget about wifi altogether. I can live without it and it would simplify my network design greatly. I can always add it back later on.

    So to summarise:

    1. Run DrayTek in bridged mode (and disable wifi)

    2. Use PPPoE/PPPoA on the WAN interface on the pfsense box

    So this would allow me to get my static IP on the WAN interface of the pfsense box?

    Thanks for your suggestion about using VPS but I have run my server at home for over 5yrs now and love it! Yes its more expensive but the options I have (and the power) is awesome. When I have my pfsense firewall in place I'll be turning my existing server into an ESXi VMware host. I don't only use my server at home for email but as a learning tool for my job (I work in IT).

    Appreciate the comments.  :)

    NB: Just to make things even more interesting/complicated, I'll be adding IPv6 to my network and have a Hurricane Electric tunnel to enable me to use IPv6. I assume you can use IPv6 with pfsense.



  • @zarje:

    1. Use PPPoE/PPPoA on the WAN interface on the pfsense box

    pfSense does no support PPPoA but PPPoE ONLY



  • @zarje:

    1. Use PPPoE/PPPoA on the WAN interface on the pfsense box

    You would use PPPoE on the pfSense router if you set it up as "pass through" on your DrayTek ADSL box.

    Alternatively, you may be able to run PPPoE on your DrayTek, get the public IP and pass through (bridge mode) that public IP to the pfSense box on the WAN interface, assuming that DrayTek supports the bridge mode, but it probably does. I haven't used ADSL in a while now as I have been on cable and fiber for quite some time, but that's how I configured my ADSL when I had it.

    Halea



  • Exactly as haleakalas reported.

    I am using a DrayTek Vigor 120v2 since my ISP has PPPoA only, connected to pfSense, letting pfSense do authentication.



  • @Wolf666:

    Exactly as haleakalas reported.

    I am using a DrayTek Vigor 120v2 since my ISP has PPPoA only, connected to pfSense, letting pfSense do authentication.

    Thanks guys, thats most helpful!

    On my DrayTek currently it is using PPPoA to the ISP and from what I have read after my last post, pfsense ONLY does PPPoE on the WAN interface so it got me wondering, will it all work??

    It sounds like the answer is yes. So in the end I will use the DrayTek as a plain ADSL modem in "PPPoE pass through mode" and let the WAN interface on pfsense do the ISP authentication with PPPoE.

    On the DrayTek 2820 under WAN and then internet access there is an option called:

    Bridge Mode:
      Enable Bridge Mode

    Do I leave this unticked?

    If I have pass through enabled on the DrayTek, and my ISP uses PPPoA, how come this will work if I use PPPoE on the WAN interface of the pfsense box?  :o

    Wolf666: Would you care sharing what your DrayTek settings are since you have an ISP with PPPoA (like me) please?

    Once pass through mode is enabled do I change the protocol settings on the DrayTek from PPPoA to PPPoE?



  • PPPoE pass-through is a kind of software relay which converts PPPoA into PPPoE and viceversa.
    In your case you only have to enable that feature (you have already a working PPPoA connection with the correct parameters). Once enabled the PPPoE pass-through, the ISP Access setup section will go blank (it is ok).

    Then simply connect  the DrayTek WAN to pfSense WAN, disable NAT, Firewall, DHCP on draytek.

    Put your access details in pfSense, choosing PPPoE. The DrayTek will take care to convert PPPoE into PPPoA.

    The DrayTek has to stay in a different subnet than pfSense. In order to keep access to modem follow: https://doc.pfsense.org/index.php/How_can_i_access_my_PPPoE_Modem_on_WAN



  • @Wolf666:

    PPPoE pass-through is a kind of software relay which converts PPPoA into PPPoE and viceversa.
    In your case you only have to enable that feature (you have already a working PPPoA connection with the correct parameters). Once enabled the PPPoE pass-through, the ISP Access setup section will go blank (it is ok).

    Then simply connect  the DrayTek WAN to pfSense WAN, disable NAT, Firewall, DHCP on draytek.

    Put your access details in pfSense, choosing PPPoE. The DrayTek will take care to convert PPPoE into PPPoA.

    The DrayTek has to stay in a different subnet than pfSense. In order to keep access to modem follow: https://doc.pfsense.org/index.php/How_can_i_access_my_PPPoE_Modem_on_WAN

    Ok so let me summarise this to make sure I understand 100%:

    ISP –-(PPPoA)--- DrayTek 2820 ---(PPPoE) --- pfsense

    So on the DrayTek 2820 I set in WAN - internet access settings:

    1. PPPoE/PPPoA Client - Enabled selected

    2. PPPoA protocol set in DSL settings

    3. PPPoE passthrough set to enabled for wired LAN

    4. Do I need to set the encapulation type to LLC/SNAP as I have read about?

    Then on the pfsense WAN interface I just enable PPPoE and enter my ISP credentials.

    Am I on the right track here?  8)

    Edit: Is it not better to connect the WAN interface of the pfsense firewall to the LAN interface on the DrayTek rather?



  • Also encapsulation type must be set on DrayTek.

    The rest is ok.



  • @Wolf666:

    Also encapsulation type must be set on DrayTek.

    The rest is ok.

    So set encapulation type to LLC/SNAP?

    Also, is it not better to connect the WAN interface of the pfsense firewall to the LAN interface on the DrayTek rather?

    With this type of configuration, can I use IPv6 with Hurricane Electrics tunnel?



  • encapsulation is ISP typical, check your ISP parameters.
    In order to work as a dumb modem (bridge), your DryTek WAN must be connected to pfSense WAN, I don't know any other way.
    Cannot help you on IPv6 since I am on IPv4 only.



  • @Wolf666:

    In order to work as a dumb modem (bridge), your DryTek WAN must be connected to pfSense WAN, I don't know any other way.

    This one was confused me  ::)

    Ok, so does this mean I go into WAN - Internet Access - WAN 2 - Static or Dynamic IP on the DrayTek

    I assume that I will then give it a static IP address in a range that is unique to the DrayTek and pfsense as follows:

    DrayTek WAN 2 port: 192.168.0.10

    pfsense WAN port (for PPPoE): 192.168.0.20

    I assume PPPoE Pass-through will then "convert" my PPPoA connection from the ISP to PPPoE on the pfsense WAN interface?

    Can you still access the DrayTek web interface from the WAN 2 interface? (assuming you have configured pfsense to allow access to this from the WAN interface) Which IP address would I use to browse the interface…192.168.0.1 (the default set in the LAN settings on the DrayTek) or 192.168.0.10 (the WAN 2 address)?

    Thanks for the help!



  • @Wolf666:

    The DrayTek has to stay in a different subnet than pfSense. In order to keep access to modem follow: https://doc.pfsense.org/index.php/How_can_i_access_my_PPPoE_Modem_on_WAN

    I recall my previous advise. Different subnet means for example:

    • pfSense 192.168.1.1
    • DrayTek 192.168.2.1 or 10.0.0.1 or other private IP except subnet 192.168.1.0/24 (in my example the one of pfSense LAN)

    pfSense WAN mUst be set on PPPoE it will negotiate a dynamic IP (I assume), you don,t have to put a static IP there. This is a stright forward configuration, pretty common.

    Those IPs are not WAN's IP, they are IP used on LAN side to manage the units, have access to their GUI or SSH or Telnet.



  • @Wolf666:

    @Wolf666:

    The DrayTek has to stay in a different subnet than pfSense. In order to keep access to modem follow: https://doc.pfsense.org/index.php/How_can_i_access_my_PPPoE_Modem_on_WAN

    I recall my previous advise. Different subnet means for example:

    • pfSense 192.168.1.1
    • DrayTek 192.168.2.1 or 10.0.0.1 or other private IP except subnet 192.168.1.0/24 (in my example the one of pfSense LAN)

    pfSense WAN mUst be set on PPPoE it will negotiate a dynamic IP (I assume), you don,t have to put a static IP there. This is a stright forward configuration, pretty common.

    Those IPs are not WAN's IP, they are IP used on LAN side to manage the units, have access to their GUI or SSH or Telnet.

    I think I get it now. So I can continue using the default of 192.168.0.1 to browse the DrayTek web interface but I MUST use a different subnet for pfsense (ie: 192.168.15.x).

    Do I have to configure anything on the WAN2 interface on the DrayTek? Or is it just a matter of running an Ethernet cable from WAN2 on the DrayTek to the pfsense WAN interface? I assume the PPPoE Pass-through will just be passed from the WAN interface on the DrayTek to the WAN interface on the pfsense box?

    On the DrayTek it says:

    PPPoE Pass-through:

    [tick box] For Wired LAN

    Note: If this box is checked while using the PPPoA protocol, the router will behave like a modem which only serves the PPPoE client on the LAN.

    When they say LAN I assume it'll work when using the WAN2 interface too?



  • Yes, now you should be ok.



  • @Wolf666:

    Yes, now you should be ok.

    Great, thanks for the help!

    One more questions, will this USB serial cable allow me to configure pfsense on the APU board:

    http://www.ebay.co.uk/itm/281329973320?_trksid=p2055119.m1438.l2649&ssPageName=STRK%3AMEBIDX%3AIT


Log in to reply