New to pfSense, and need advice on configuration settings.



  • Good evening, I am new to pfSense, and advanced networking in general. I have a basic understanding, but not enough to allow me to achieve what I need for this project.

    I have just put together a machine for the purpose of installing pfSense with the following spec:

    Pentium P4 2.3GHz
    1GB DDR RAM
    80 GB HDD
    3 x PCI Network cards plus onboard Network interface.

    Additional hardware that I have available are 2 x Huawei wireless routers.

    I have a single fibre internet connection supplied by Talktalk.

    Basically what I am looking to achieve is 2 independent internal networks. Both networks will need to be wireless access points as well as having devices connected via LAN ports.
    The 1st network is to be used by myself and my partner and the 2nd network is for the kids and guests. The main reason for doing this is that I want to be able to give higher priorities to the 1st network, and apply safety rules to the 2nd network for the kids.

    At the moment, we can have up to 15 devices connected via wireless and this causes all sorts of problems.

    Obviously, I don't want either of the networks to be able to access each other.

    There is one more thing that I would like to achieve, and that is to be able to connect a desktop PC to both networks so that everybody has access to it. This PC is used as a stand-alone PC, but also has network shared drives for file sharing. This PC only has the onboard network interface, but I can install more NICs if it will help.

    So this just leaves me wanting to know if all of this is actually achievable and if so, could somebody please advise me on how to configure pfSense and also how I should set up the routers (firewalls, DHCP settings, IP addresses, subnets etc... in fact, everything from start to end).

    Many thanks in advance.



  • VLAN lets you isolate devices on a network, but if you plan to use VLAN make sure your devices support it; powerline adapters often don't and some routers don't either.

    Importantly you can't mix and match powerline adapters, so the TalkTalk powerline adapters which you might have will not work with, say, Netgear or TP-Link adapters, and if you encrypt the data, some older models from the same manufacturer use different encryption methods so don't work with newer stuff, fwiw.

    If you can't do VLAN, you could create two LANs, each with a different IP address range, which can run over the same powerline adapters as these act like switches, provided the house has not had too much remedial wiring done like building extensions and in effect has separate electricity circuits.

    If you want to reuse your TalkTalk router, making it effectively an access point, switch off DHCP on the router and give it an IP address not used by either of your LANs, and plug the LAN connection into one of the four client ports on the back of the router, but not the fibre connection, which would seem the intuitive thing to do. Wifi is set on the router like normal, ie WEP/WPA2/etc, so you might not have to change anything on that score, but when setting up the router to act like an access point, make sure the computer used to config the router has an IP address in the same address range as the router is set to, otherwise you won't be able to access it and configure the router.

    eg

    TalkTalk
    |
    pfsense
    | |
    |  lan1 192.168.1.x -> router/access point 1 (router ip 192.167.3.1) &/or powerline adapters off to various devices.
    |
    |
    lan2 192.168.2.x -> router/access point 2 (router ip 192.168.4.1) &/or powerline adapters off to various devices.

    The above works a treat.

    However, this might work. I've never tried it, but it should be possible as most routers are not that secure.
    If you have DHCP running on the LAN for your guests, and your lan2 only allows known fixed-IP devices, you might be able to plug both LANs from pfSense into each router and still provide wifi coverage for both networks from one wifi/SSID on each router, although you could still make the wifi key the same for each router; it depends on how complicated you want to make it.

    If you are not using VLANs, you can still create rules in pfSense which restrict access between the two LANs, much like a VLAN would do, to help maintain the isolation you require.

    hth.


  • Netgate Administrator

    What speed is your WAN connection with Talktalk?

    You will need to run some traffic shaping to prioritise LAN1 traffic over LAN2. Not too difficult. You will need to setup Squid and Squidguard (or similar) to filter the traffic on LAN2. Your hardware may be pushed to do that, depending on your bandwidth.
    Also, will you require a greater bandwidth between the two LANs at all? I see you want them isolated (also easy to achieve) but if you ever want to move a large file between them that would have to be routed through your pfSense box and that will limit it. It won't be able to push 1Gbps for example.

    Steve



  • Thanks for the replies guys, much appreciated, my responses to you are at the bottom.

    Ok, so far I have finally managed to install pfSense onto the machine, to find that one of the nics is either faulty or not supported by pfSense, but that's not really an issue at the moment, it still leaves me with 2 nics and the onboard interface.

    I had made several attempts to configure pfSense to run without success. To be fair I was mainly using the "trial and error" route, which is fine by me, as it's the best way to learn, but eventually I have managed to get a system running, with just one of the old wireless routers. I still have more to do to get the system running both routers and ultimately 2 separate networks.

    The set up as it stands:

    Modem
    |
    |
    WAN interface (fxp0 (default ISP gateway))
    |
    |
    pfsense
    |
    |
    LAN interface (dc0 (10.0.0.1/8)) DHCP enabled (range 10.0.0.10 - 10.0.0.100)
    |
    |
    WAN port Router1 --- LAN (192.168.2.1) DHCP enabled.

    Oh, and if it makes any difference, I have disabled the firewall and NAT on the Router1, because I want pfSense to handle that side of things.

    This works brilliantly. I get very good internet access, I am able to access the webGUIs of pfSense and Router1 from a machine attached to Router1 either by ethernet cable or wireless, and I can communicate with other machines attached to Router1.

    I don't know if anything is actually wrong with this configuration, but like I said, it works brilliantly.

    Now, here comes the part where I need advice.

    I tried to configure OPT1 (rl0) to work as a second LAN to connect Router2, but it caused problems. As soon as I had finished the assignment and clicked apply changes, I got booted out of the webGUI and was unable to log back in. The only way to restore it to a previous state was to remove the assigned IP from the card through the console configurator. This returned me back to a state where I could access the webGUI via 10.0.0.1.

    What I had done was to apply the same configuration to OPT1 as I had to LAN, but under the subnet 10.0.10.1/9... so I guess by doing this I caused a conflict.

    So, I have spent many hours trying to find a solution to this on these forums and Google, but I couldn't find anything that seemed to fit the bill, bearing in mind that I am trying to create 2 separate networks that cannot communicate with each other.

    @firewalluser:

    VLAN lets you isolate devices on a network, but if you plan to use VLAN make sure your devices support it; powerline adapters often don't and some routers don't either.

    hth.

    I have absolutely no intention of using PL adapters… I have some and they are useless in this house  ;D
    I am trying to stay away from VLANs if I can help it, but if that is my only option then so be it  ;)

    @stephenw10:

    What speed is your WAN connection with Talktalk?

    You will need to run some traffic shaping to prioritise LAN1 traffic over LAN2. Not too difficult. You will need to setup Squid and Squidguard (or similar) to filter the traffic on LAN2. Your hardware may be pushed to do that, depending on your bandwidth.
    Also, will you require a greater bandwidth between the two LANs at all? I see you want them isolated (also easy to achieve) but if you ever want to move a large file between them that would have to be routed through your pfSense box and that will limit it. It won't be able to push 1Gbps for example.

    Steve

    With my package my speed was supposed to be 14Mb but was varying between 8Mb and 13Mb, but recently has been more consistently around 15Mb, and last night when I tested it through the pfsense set up, I got 18Mb  :o


  • Netgate Administrator

    Ok. Your issue with adding the second 'lan' adapter is, as you guessed, a subnet conflict.
    Your LAN interface is using 10.0.0.1/8 which is a huge subnet, everything from 10.0.0.0 to 10.255.255.255. You almost certainly don't need that!  ;)
    When you added your second NIC you gave it the address 10.0.10.1/9 which is inside the LAN subnet and also huge.
    Try using, for example, 10.0.1.1/24 for LAN and 10.0.2.1/24 for OPT1.

    Once you have done that you'll find you have no access from the OPT1 subnet. Only the LAN interface is 'ready to go' by default. You need to enable DHCP on OPT1 in Services: DHCP Server: and then add firewall rules to allow out traffic in Firewall: Rules: OPT1: Check the LAN rules for inspiration.

    When you said you had a fibre connection I was imagining +100Mbps. Your P4 should have no problems with 18Mbps.

    Is your WAN using PPPoE from the pfSense box?

    Steve
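As an added illustration of Steve's subnet point (example code written for this page, not from pfSense or the thread), this Python snippet works out which subnet each of the two posted interface addresses actually covers, checks the pair for overlap, and then does the same for the suggested /24 addresses:

```python
import ipaddress

# Interface addresses as posted in the thread: the pair that locked the
# poster out of the webGUI, and Steve's suggested replacements.
CONFLICTING = {"LAN": "10.0.0.1/8", "OPT1": "10.0.10.1/9"}
SUGGESTED = {"LAN": "10.0.1.1/24", "OPT1": "10.0.2.1/24"}


def subnet_of(iface_addr: str) -> ipaddress.IPv4Network:
    """Return the subnet an interface address belongs to (host bits cleared).
    10.0.10.1/9 is really 10.0.0.0/9, which sits inside 10.0.0.0/8."""
    return ipaddress.ip_interface(iface_addr).network


def host_count(iface_addr: str) -> int:
    """Usable host addresses in the interface's subnet (minus network/broadcast)."""
    return subnet_of(iface_addr).num_addresses - 2


def find_overlaps(interfaces: dict) -> list:
    """Return (name_a, name_b) pairs whose subnets overlap.
    Two pfSense interfaces sharing address space is the conflict described
    in the thread: the box cannot tell which interface a 10.x host is behind."""
    names = sorted(interfaces)
    overlaps = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if subnet_of(interfaces[a]).overlaps(subnet_of(interfaces[b])):
                overlaps.append((a, b))
    return overlaps


if __name__ == "__main__":
    for label, ifaces in (("posted", CONFLICTING), ("suggested", SUGGESTED)):
        print(f"{label}:")
        for name, addr in ifaces.items():
            print(f"  {name}: {addr} -> {subnet_of(addr)} "
                  f"({host_count(addr)} usable hosts)")
        print("  overlaps:", find_overlaps(ifaces) or "none")
```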



  • Thank you Stephen, that bit of subnet info worked a treat  :D

    Within half an hour of me posting I realised exactly what I had done wrong, but couldn't work out the best way to correct it, but as soon as I read your reply, I was on it.

    Initially, I could only access the internet on the LAN-based network; OPT1 was blocking internet access, but I realised that the firewall was not set up, effectively blocking the internet. I have set the rules as per the rules that are automatically applied to LAN, but I dare say that I am going to have to apply more rules to both LAN and OPT1, but just for the moment I'm leaving everything as is for a few days just to test the system.
    I haven't set traffic shaping yet either.

    It does appear to have improved the QoS already, even though I haven't set traffic shaping yet.

    One more question that I have, is regarding my fallback service. If the pfsense box should fail, then I will be reconnecting to the previous network. The router for this is still in situ and transmitting SSID even though it doesn't have a wan connection and all of our devices are now connected to the new networks. All devices still have the settings saved for this network, so it's just a case of selecting the network and connecting, but obviously the router will not be connected to the modem, this will have to be done manually, but is there a device that I can connect the incoming wan from the modem to, that will automatically detect that my preferred router (pfsense) is not working, and route the wan to the back up router?


  • Netgate Administrator

    The correct way to do this, if you need this sort of uptime, is to use a pair of pfSense boxes in a CARP setup.
    https://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP)
    That's probably beyond what you're looking for!

    It is possible to do what you're describing by using a LAN-bypass NIC. The NIC has two Ethernet ports that usually appear as two separate interfaces to pfSense but if the power fails the ports connect together bypassing the pfSense box. It can also be configured to go into bypass mode if the OS crashes using a watchdog timer but that requires some interaction with the OS.
    Generally speaking, bypass cards are more trouble than they're worth. If you search the forum you'll just find people trying to disable the bypass mode.

    Steve



  • Hmmm, maybe I will just leave as is, and manually reconnect the wan, doesn't seem worth the hassle lol.
    Oh well, now it's time for me start thinking about firewall rules… see how many hurdles I have to jump this time haha

    Just want to say a big thanks for your prompt replies, your information has been very helpful  ;)



  • I was just re-reading this thread, and noticed this question that you asked me:

    @stephenw10:

    Is your WAN using PPPoE from the pfSense box?

    Steve

    Sorry, I don't know how I missed it  :-[

    Anyhow, no, the WAN is using DHCP as I was under the impression that this is the protocol used by talktalk. If anybody can prove me wrong please let me know. However, I have not had any issues so far.


  • LAYER 8 Netgate

    If the two choices are DHCP and PPPoE and one side is incorrect the link won't come up at all.


  • Netgate Administrator

    It was the wrong question anyway. What I should have asked was, does your pfSense WAN interface have a public IP? In other words is your modem acting as just a modem or is it routing and NATing which is much less desirable.

    Steve



  • Hi Steve,

    In all honesty, I don't know, how would I find this out?

    Thanks


  • LAYER 8 Netgate

    Look at the IPv4 address for WAN in status->interfaces.  Go to a web page like www.wimi.com.  Are the addresses the same?
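Derelict's check above, as an added example that is not part of the original thread: the script classifies a pfSense WAN address against the reserved ranges that never appear on the public internet (it also includes the carrier-grade NAT block 100.64.0.0/10, which the thread does not mention but which equally indicates an upstream NAT) and then compares it with the address an external site reports. The sample addresses are constructed; 203.0.113.0/24 is the RFC 5737 documentation range standing in for a real public address.

```python
import ipaddress

# Ranges that are never routed on the public internet. A WAN address inside
# one of these means the modem (or the ISP) is routing and NATing in front of
# pfSense, i.e. the less desirable double-NAT arrangement Steve asks about.
NON_PUBLIC_V4 = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8",      # RFC 1918 private
    "172.16.0.0/12",   # RFC 1918 private
    "192.168.0.0/16",  # RFC 1918 private
    "100.64.0.0/10",   # RFC 6598 shared address space (carrier-grade NAT)
    "169.254.0.0/16",  # link-local / APIPA (no DHCP lease obtained)
    "127.0.0.0/8",     # loopback
    "0.0.0.0/8",       # "this" network
    "224.0.0.0/4",     # multicast
    "240.0.0.0/4",     # reserved
)]


def classify_wan(wan_ip: str) -> str:
    """'public' if the address is outside every reserved block, otherwise
    'not public (<block>)' naming the block it fell into."""
    ip = ipaddress.ip_address(wan_ip)
    for net in NON_PUBLIC_V4:
        if ip in net:
            return f"not public ({net})"
    return "public"


def modem_is_bridged(wan_ip: str, seen_from_outside: str) -> bool:
    """Derelict's test: pfSense's WAN address is a public one and matches the
    address an external site sees, so the modem is acting as a plain bridge."""
    same = ipaddress.ip_address(wan_ip) == ipaddress.ip_address(seen_from_outside)
    return same and classify_wan(wan_ip) == "public"


if __name__ == "__main__":
    # Constructed sample values, not addresses from the thread.
    for wan, outside in (("203.0.113.45", "203.0.113.45"),
                         ("192.168.1.2", "203.0.113.45"),
                         ("100.72.3.4", "203.0.113.45")):
        print(f"WAN {wan} ({classify_wan(wan)}), outside sees {outside}: "
              f"bridged={modem_is_bridged(wan, outside)}")
```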



  • @Derelict:

    Look at the IPv4 address for WAN in status->interfaces.  Go to a web page like www.wimi.com.  Are the addresses the same?

    Yes, the addresses do match.


  • Netgate Administrator

    That's fine then. I was originally asking because it may have conflicted with the LAN subnet but that's not the case.

    Steve



  • That's great, thanks guys  ;)

