1 switch, 2 pfsense boxes is this possible?



  • Noob Here, I only know basic pfsense uses.

    Goal: to set up pfsense1 for Wired networks
    and to set up pfsense2 for Wireless Networks with Captive portal

    figure would be like:
    ISP -> Switch -> Pfsense1 (DHCP, Squid, Squidguard) -> switch for wired network (192.168.10.2-254)
                  -> Pfsense2 (DHCP, Squid, Squidguard, captive portal) -> switch for 4 wireless routers:
                         Wireless1 (192.168.100.1-254)
                         Wireless2 (192.168.200.1-254)
                         Wireless3 (192.168.300.1-254)
                         Wireless4 (192.168.400.1-254)

    Is this possible? Or do I have to put pfsense2 under pfsense1?

    ISP -> Switch -> Pfsense1 (DHCP, Squid, Squidguard) -> switch for wired network (192.168.10.2-254)
                  -> Pfsense2 (192.168.11.1) (DHCP, Squid, Squidguard, captive portal) -> switch for 4 wireless routers:
                         Wireless1 (192.168.100.1-254)
                         Wireless2 (192.168.200.1-254)
                         Wireless3 (192.168.300.1-254)
                         Wireless4 (192.168.400.1-254)

    I don't understand VPNs or VLANs… I just have the knowledge for basic configurations.

    The purpose of this is that I want to manually configure the DHCP + proxy on the wired networks,
    but as for the wireless devices like mobile phones, laptops, etc. I want them to be inside the proxy without assigning the proxy IP and port on each wireless device.

    Stupid as my question sounds even to me... please advise.



  • You need to specify the make and model of your switch. If your switch is a layer 3 switch, then it is possible to split the incoming WAN connection to each pfsense box. If it's an unmanaged layer 2, then you're SOL.



  • Not sure why your requirement for (2) physical pfSense boxes exists.  You can accomplish all of that with a single pfSense box with (2) NICs as long as your switch supports VLANs.  Or if your switch doesn't support VLANs, then you could do it with a (3) NIC pfSense box.

    (Switches that support VLAN are not expensive, I use a Netgear GS108T.)

    pfSense can be configured to offer up different DHCP settings for each physical network (or VLAN).

    pfSense can be used to control the flow of packets (what is / is not allowed) between the physical networks or VLANs.

    Wireless Access Points should generally not be configured as DHCP servers (let the pfSense DHCP server handle that).  If you are using (4) WAPs in order to get coverage across a large area, then all can use the same SSID, but each on a different channel, and all can use the same WPA2-PSK password.

    An example network with VLANs:

    ISP -> WAN port -> pfSense -> internal port -> switch

    Two VLANs defined in pfSense and also on the network switch:
    #101 - Guest WiFi 192.168.101.0/24, DHCP .10-.250
    #250 - Internal wired LAN 192.168.250.0/24, DHCP .10-.250

    If the WiFi points are "dumb" (don't understand VLANs) then you give them an address in the 192.168.101.0/24 range (usually .2, .3, .4, etc) and plug them into the switch on a port that is a member of VLAN #101.

    Wired LAN devices get plugged into ports on the switch which are flagged for the LAN VLAN.

    If your WiFi access points are "smart" and understand VLANs, you can do more advanced things like use the same physical AP to service both guests and internal users, with different SSIDs and WPA2 passwords, with the traffic being tagged to the appropriate VLAN before leaving the AP.



  • @dskerror:

    You need to specify the make and model of your switch. If your switch is a layer 3 switch, then it is possible to split the incoming WAN connection to each pfsense box. If it's an unmanaged layer 2, then you're SOL.

    my switch is dumb… Unmanaged. Thanks for the reply


  • Netgate

    It would work fine but you'd need multiple outside IP addresses from your ISP.

    As has been said, a single pfSense would do it too.



  • @tgharold:

    (Switches that support VLAN are not expensive, I use a Netgear GS108T.)

    Sorry to hear that.  ;)  I have one of those too.  :(  Don't like it much.  GUI is slow, button images are small and difficult to select.  Not a true desktop switch (connections on front bezel).  Used to have access to a Cisco SG200-08 from work.  Liked it much better.  More professional-like GUI and much more responsive.  Functionally probably pretty close.  Never did any performance comparison.  Wouldn't surprise me if they were based on the same chip set.



  • @tgharold:

    Not sure why your requirement for (2) physical pfSense boxes exists.

    I'm not that familiar with pfSense. There's still a lot of unknowns for me to understand.

    @tgharold:

    You can accomplish all of that with a single pfSense box with (2) NICs as long as your switch supports VLANs.  Or if your switch doesn't support VLANs, then you could do it with a (3) NIC pfSense box.
    (Switches that support VLAN are not expensive, I use a Netgear GS108T.)

    I didn't know this. Can someone walk me through this? I've been reading about VLANs and I'm having a hard time
    translating it into layman's terms… I guess that's too advanced for me.

    Let's scratch the smart switches and the smart wifi routers (they're expensive here).

    @tgharold:

    pfSense can be configured to offer up different DHCP settings for each physical network (or VLAN).
    pfSense can be used to control the flow of packets (what is / is not allowed) between the physical networks or VLANs.
    Wireless Access Points should generally not be configured as DHCP servers (let the pfSense DHCP server handle that).

    noted.

    @tgharold:

    If you are using (4) WAPs in order to get coverage across a large area, then all can use the same SSID, but each on a different channel, and all can use the same WPA2-PSK password.

    Is this possible with 4 different types of wifi routers? TP-Link, Tenda, D-Link and Linksys… hahaha
    When I arrived in this office this is what they got...

    @tgharold:

    An example network with VLANs:

    ISP -> WAN port -> pfSense -> internal port -> switch

    Two VLANs defined in pfSense and also on the network switch:
    #101 - Guest WiFi 192.168.101.0/24, DHCP .10-.250
    #250 - Internal wired LAN 192.168.250.0/24, DHCP .10-.250

    @tgharold:

    If the WiFi points are "dumb" (don't understand VLANs) then you give them an address in the 192.168.101.0/24 range (usually .2, .3, .4, etc) and plug them into the switch on a port that is a member of VLAN #101.

    Wired LAN devices get plugged into ports on the switch which are flagged for the LAN VLAN.
    If your WiFi access points are "smart" and understand VLANs, you can do more advanced things like use the same physical AP to service both guests and internal users, with different SSIDs and WPA2 passwords, with the traffic being tagged to the appropriate VLAN before leaving the AP.

    the switches are dumb… so are the wifi routers...

    I'm wondering what would be the best setup then?

    ISP (WAN/nic1) -> PFSENSE1 (LAN/nic2) #250 -> Dumbswitch1 (DHCP1 for LAN) and
                      PFSENSE1 (LAN2/nic3) #101 -> Dumbswitch2 (DHCP2) to LAN: wireless routers (not WAN: you said we won't let them broadcast and let pf do it)
                      101.1, 101.2, 101.3, and 101.4

    I was wondering how the DHCP Server tabs in the pfSense GUI would look?

    [WAN][LAN][LAN2]? Or should I call LAN2 "VLAN"?

    And for the captive portal, it can be set to only LAN2, right?

    Sorry, I'm not familiar with the terminologies.

    I'm configuring an existing, hand me down, running 24/7, network with me having little knowledge of networking…

    Thank you so much for the reply.


  • Netgate

    Is this possible with 4 different types of wifi routers? TP-Link, Tenda, D-Link and Linksys… hahaha
    When I arrived in this office this is what they got...

    Yes, it should work.  Set all the SSIDs as similar as possible on all devices.  (WPA2-only/AES, etc.)

    And for the captive portal, it can be set to only LAN2, right?

    Yes.  A Captive Portal instance can listen on one or more interfaces.  Other interfaces are unaffected.

    I'm configuring an existing, hand me down, running 24/7, network with me having little knowledge of networking…

    Sounds like someone somewhere doesn't care if their network actually works. Must not be that important to operations. I'd feel free to take it down if you need to.



  • Heh, the GS108T serves the purpose for now, and it was only $80 or so.  I would go Cisco/HP for anything truly mission critical, but that gets up into the $25-$50 per port range.  But you can usually find a basic "smart" switch (not managed) that still supports VLANs for $10/port.

    Wifi AP's that talk VLANs start around $125-$150 in the USA (EnGenius ECB600, etc.).  Business grade APs get up into the $300-$500 range, but usually last longer and don't require frequent reboots.  Usually…

    Different WiFi APs, all set to the same SSID and same WPA2-PSK password work fine together.  Just make sure to put them on separate channels and get a tool like "WiFi Analyzer" on your Android phone.  Or some similar tool on an iPhone.  That will teach you about channel overlap and why people only use channels 1/6/11 in the 2.4GHz band.

    For interface names, I suggest:

    WAN
    LAN
    WIFI (rather than LAN2)

    The pfSense box will require (3) NICs.  The WAN goes to your ISP modem.

    You'll need a cable to go from the WIFI port on the pfSense box to a switch which is only connected to the (4) WiFi APs.  Without VLAN support on the switches, you have to physically separate the networks.

    You'll then need a second physical switch to support your internal LAN clients.  All the internal clients will have to connect to that switch.

    As Derelict says, you can put the captive portal on only the WIFI access port.



  • @tgharold:

    Heh, the GS108T serves the purpose for now, and it was only $80 or so.  I would go Cisco/HP for anything truly mission critical, but that gets up into the $25-$50 per port range.  But you can usually find a basic "smart" switch (not managed) that still supports VLANs for $10/port.

    The Cisco (Small Business) SG200-08 is typically within about $5-$10 of the Netgear GS108T.  I've used both and given a choice would take the Cisco.


  • Netgate

    My biggest problem with the Cisco small business switches is the huge power brick.  For basic VLAN/sort-of-managed switches I prefer the little d-links (DGS-1100-08) for that single reason.



  • I connect two pfsense each with a public ip from my service provider as shown.




  • To all masters,

    Thanks for the replies. I'll try everyone's suggestions this weekend.
    I just hope there's a simulator I could use to test things out first.

    I'll first be trying tgharold's suggestion, since the purchases I requested are, I don't know why, still pending.
    I have to explain to everyone from the operations manager to the purchasing/finance dept what the purpose is and what the devices do. This is just a small office and I'm already starting to hate it hahaha

    I have a question though.
    If I'll be using LAN1 and LAN2, and the 4 routers will be linked to LAN2,
    and the printer is inside LAN1 but the users are in LAN2 (wireless), will they be able to connect to the printer?

    Are my dumb switch and dumb wireless routers capable of communicating back and forth?



  • You'll need to setup firewall rules on the pfBox to allow communication between the LAN1 subnet and the LAN2 subnet.  You can just setup an allow all firewall rule from LAN1 -> LAN2 on the LAN1 interface, then setup another allow all rule from LAN2 -> LAN2 on the LAN2 interface.

    If you want a bit more security between the two networks then you will need to identify what protocols should be allowed to cross the boundary between the two networks.  That can be a multi-week process as you identify protocols that you didn't know about.

    What I usually do is setup the following rule set when working on LAN network egress rules (i.e. rules that are defined on the LAN interface in pfSense where the "origin" is always "LAN network").

    #1 - Is almost always the pfSense anti-lockout rules
    #9998 (always the second to last rule) - is an allow-all rule with logging turned on
    #9999 (always the last rule) - is a deny-all rule with logging turned on

    Then I start to watch the firewall log for the LAN interface and see what sort of packets are being passed by the allow-all rule.  As I identify patterns, I create rules in the #2-#9001 positions that PASS that traffic.  For example:

    #2 Proto:IPv4 TCP/UDP Src:LAN net Port:1024-65535 Dest:* Port:80 Gateway:* Queue:none

    That rule allows HTTP 80 over TCP or UDP out of the LAN network and to anywhere else.  It has no logging, so now HTTP traffic over port 80 no longer appears in the firewall logs.

    Repeat the process until you think you have all of the ports identified, then disable (not delete) the "allow-any" rule and see whether everything still works.  If not, re-enable the "allow-any" rule and go look at the firewall logs and create more rules.
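    The "watch the allow-all rule's log, then carve out specific pass rules" loop described above can be driven by a script over the firewall log. The following is an added example, not code from the thread or from pfSense: it parses constructed filterlog lines, counts what the logged allow-all rule (#9998 in the scheme above) is passing out of the LAN interface by protocol and destination port, and prints candidate pass rules in the same notation as the example rule above, plus a "review" list for ports seen too rarely to justify a rule yet. The comma-separated field positions (rule number first, interface in the 5th field, action in the 7th, direction in the 8th, protocol name in the 17th, addresses in the 19th/20th, ports in the 21st/22nd) follow the pfSense 2.2+ filterlog layout as I understand it and are an assumption to check against the documentation for your version. The interface name `em1`, the threshold `min_hits`, and the sample addresses are all constructed.

```python
"""Summarize what a logged allow-all rule is passing, to turn it into
specific pass rules.  Added example; the log lines below are constructed
and the filterlog field layout is an assumption (see lead-in)."""
from collections import Counter

FIELD_COUNT = 22  # fields needed up to and including destination-port

# Constructed sample, in the shape of pfSense syslog lines.  em1 is assumed
# to be the LAN interface.  The block line from rule 9999 is what appears
# once the allow-all rule is disabled; the em0 line and the garbage line are
# there to show that the summary ignores other interfaces and unparsable input.
SAMPLE_LOG = """\
Jul 7 10:00:01 pfSense filterlog: 9998,,,1000000998,em1,match,pass,in,4,0x0,,64,1001,0,DF,6,tcp,60,192.168.250.20,93.184.216.34,51234,80,0,S,1:1,,,,
Jul 7 10:00:02 pfSense filterlog: 9998,,,1000000998,em1,match,pass,in,4,0x0,,64,1002,0,DF,6,tcp,60,192.168.250.21,93.184.216.34,51235,80,0,S,1:1,,,,
Jul 7 10:00:03 pfSense filterlog: 9998,,,1000000998,em1,match,pass,in,4,0x0,,64,1003,0,DF,6,tcp,60,192.168.250.20,93.184.216.34,51236,443,0,S,1:1,,,,
Jul 7 10:00:04 pfSense filterlog: 9998,,,1000000998,em1,match,pass,in,4,0x0,,64,1004,0,none,17,udp,72,192.168.250.22,192.168.250.1,53412,53,52
Jul 7 10:00:05 pfSense filterlog: 9998,,,1000000998,em1,match,pass,in,4,0x0,,64,1005,0,none,17,udp,72,192.168.250.22,192.168.250.1,53413,53,52
Jul 7 10:00:06 pfSense filterlog: 9998,,,1000000998,em1,match,pass,in,4,0x0,,64,1006,0,DF,6,tcp,60,192.168.250.23,10.0.0.9,40000,6667,0,S,1:1,,,,
Jul 7 10:00:07 pfSense filterlog: 9999,,,1000000999,em1,match,block,in,4,0x0,,64,1007,0,DF,6,tcp,60,192.168.250.23,10.0.0.9,40001,23,0,S,1:1,,,,
Jul 7 10:00:08 pfSense filterlog: garbage line that does not parse
Jul 7 10:00:09 pfSense filterlog: 5,,,1000000103,em0,match,pass,in,4,0x0,,64,1008,0,DF,6,tcp,60,8.8.8.8,192.0.2.1,4444,22,0,S,1:1,,,,
"""


def parse_line(line):
    """Extract the fields we need from one filterlog line.
    Returns None for anything that is not a parsable IPv4 TCP/UDP entry."""
    if "filterlog: " not in line:
        return None
    fields = line.split("filterlog: ", 1)[1].rstrip().split(",")
    if len(fields) < FIELD_COUNT:
        return None
    if fields[8] != "4" or fields[16] not in ("tcp", "udp"):
        return None
    if not (fields[20].isdigit() and fields[21].isdigit()):
        return None
    return {
        "rule": fields[0], "iface": fields[4], "action": fields[6],
        "direction": fields[7], "proto": fields[16],
        "src": fields[18], "dst": fields[19],
        "sport": int(fields[20]), "dport": int(fields[21]),
    }


def summarize_passes(log_text, iface):
    """Count (proto, dport) for traffic passed inbound on `iface`, i.e. what
    the logged allow-all rule is letting out of that LAN."""
    counts = Counter()
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and e["iface"] == iface and e["action"] == "pass" and e["direction"] == "in":
            counts[(e["proto"], e["dport"])] += 1
    return counts


def suggest_rules(counts, min_hits=2, src_label="LAN net"):
    """Turn the counts into pass-rule candidates (in the thread's notation)
    for ports seen at least `min_hits` times; rarer ports go to a review
    list so a one-off connection does not silently become a permanent hole."""
    rules, review = [], []
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0][1], kv[0][0]))
    for (proto, dport), n in ordered:
        if n >= min_hits:
            rules.append(f"Proto:IPv4 {proto.upper()} Src:{src_label} "
                         f"Port:1024-65535 Dest:* Port:{dport} Gateway:* Queue:none")
        else:
            review.append((proto, dport, n))
    return rules, review


if __name__ == "__main__":
    counts = summarize_passes(SAMPLE_LOG, "em1")
    rules, review = suggest_rules(counts)
    print("Candidate pass rules (add above the allow-all, no logging):")
    for r in rules:
        print("  " + r)
    print("Seen too rarely, review before adding a rule:")
    for proto, dport, n in review:
        print(f"  {proto}/{dport}: {n} hit(s)")
```

Run it against a real export of the LAN interface's log (Status > System Logs > Firewall in the pfSense GUI) instead of `SAMPLE_LOG`, and raise `min_hits` as the capture window grows. The source-port range `1024-65535` is copied from the example rule in the post; if the review list or the raw log shows clients using source ports below 1024, that rule would not match them, which is exactly the kind of surprise the disable-don't-delete step is there to catch.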


  • Rebel Alliance Global Moderator

    @daggero:

    I'm configuring an existing, hand me down, running 24/7, network with me having little knowledge of networking…

    This always confuses the hell out of me… Why are you doing it, if you don't understand what you're doing?  So you're the one guy in the office that has a wifi router at home, so you're the IT guy?

    You keep mentioning wifi routers.. You're going to be using them as APs, right.. Any SOHO wifi router can be used as just an AP, does not matter what cheap ass home model you think you can run a business with ;)  Turn off their DHCP, connect them to your network via a LAN port, change their LAN IP to be on the network you connect them to.  There you go, $20 AP..

    I would really look at getting at minimum some smart switches.. They can be had very cheap.. You don't need a Cisco Nexus 7k ;)  You can for sure find smart switches under $100 USD..  What part of the world are you in?



  • http://www.amazon.com/MikroTik-CRS125-24G-1S-RM-rackmount-enclosure-manageable/dp/B00I4QJSIM/ref=sr_1_21?ie=UTF8&qid=1436292362&sr=8-21&keywords=mikrotik+routerboard

    One example of an inexpensive smart switch. This brute does way too much for so little. I just picked one up to test, and will roll it out to my test LAN in a few days.



  • I just picked one up to test

    I would love to hear your opinions on it once your testing is complete.

    RouterOS gateway/firewall/VPN router with passive cooling

    So it's got vents then?



  • @daggero:

    I'm configuring an existing, hand me down, running 24/7, network with me having little knowledge of networking…
    This always confuses the hell out of me... Why are you doing it, if you don't understand what you're doing?  So you're the one guy in the office that has a wifi router at home, so you're the IT guy?

    Precisely. I'm IT support staff. I only repair computers and laptops and install software… we used to be a 2-man team:
    A network administrator (AWOL)
    IT support staff (me)

    Since I have basic to no knowledge of Linux, BSD and networking, I became both.
    I know I don't need to master everything, just how things work and where to look if needed.

    @johnpoz:

    You keep mentioning wifi routers.. You're going to be using them as APs, right.. Any SOHO wifi router can be used as just an AP, does not matter what cheap ass home model you think you can run a business with ;)  Turn off their DHCP, connect them to your network via a LAN port, change their LAN IP to be on the network you connect them to.  There you go, $20 AP..

    Noted.

    @johnpoz:

    I would really look at getting at minimum some smart switches.. They can be had very cheap.. You don't need a Cisco Nexus 7k ;)  You can for sure find smart switches under $100 USD..  What part of the world are you in?

    I'm from the Philippines… unfortunately.
    As for the purchases, the company is on a really tight budget. And I already raised the issue even to the operations manager.

    All he said was:
    "If the old device is still working, I don't see why we have to get a new one? The internet is working. The problem is that it's just too slow. When the IT admin was here it was working great. Maybe the problem is on your side; check your configuration, maybe you clicked on something you shouldn't have."

    I was just wow... I want to just... smash the APs with a sledgehammer and leave. But I want to fix things first before that; I might learn something while I'm doing it. hahaha After that I'm leaving this hell hole.