Needing help understanding how best to implement pfSense into my home network…



  • Hello,

    So I have a dilemma.  I am wanting to have a better firewall solution.  I currently have a Motorola modem that connects to an Asus RT66U router running Shibby Tomato firmware, then after that I have a Netgear 24-port switch that has two desktops, one PS3, a network printer, a Raspberry Pi, and two lines for an LACP FreeNAS box.  On my router I connect at least two smartphones, an Amazon Fire TV stick, a Chromecast, two laptops, an Intel Edison, and a soon-to-be smart TV.

    Now recently one of the hard drives in my FreeNAS box, which I built myself, had bad sectors and I am planning to RMA it to WD.  My FreeNAS box doesn't have ECC RAM.  What I want to do is re-purpose my custom-built FreeNAS box into a pfSense firewall box.  I am then going to buy a FreeNAS Mini with 16GB of ECC and, when the RMA hard drive comes back, reload my FreeNAS and load the data back on the drives.  Then install a dual-NIC PCI-E card in the old FreeNAS box and install a WD SE 1TB 128MB cache drive with a full pfSense install on it.

    My questions are: the old FreeNAS box is an AsRock AMD 350E M1 with one Realtek RTL8111E NIC and one PCI-E slot.  Now if I hook the modem up to the Realtek NIC, then have one of the Intel NIC ports on vlan0 to the network switch with all wired hardware on it, then have vlan1 on the other Intel NIC port to the router in bridge mode, would I have any issues with speed and reliability with the Realtek NIC?  Also, some of the wireless hardware would need to talk to the FreeNAS box; would it be okay to have a rule to route between vlan0 on the pfSense box and a laptop on vlan1?

    In addition, I have a 105Mbps Comcast line; would the E350 be able to handle a couple of VPN connections and NAT filtering without a large slowdown in speed?

    In total I am looking at the hard drive and dual-NIC PCI-E card costing around $230, and the FreeNAS Mini around $1000.

    Thank you for any help you can give me in this endeavour!



  • After reading through your entire post, I gather the bottom line is that you have 3 questions:
    1:

    would I have any issues with speed and reliability with the Realtek NIC?

    There are 56 pages of results when searching the forums for "realtek."  Chances are you will find more information about your hardware among them: https://forum.pfsense.org/index.php?action=search2

    2:

    would the E350 be able to handle a couple VPN connections and NAT filtering without having a large slow down in speed?

    The answer depends on how much traffic you plan to put through the box, but you note this is a home network, so the dual-core processor on the E350 will likely handle whatever you can throw at it.  You didn't mention how much RAM is on the board, only that it is non-ECC.  Even if all you have is 2GB, you will likely not be able to put enough load on the box in a home setup to tax the system so much that you notice any slowdown in network speeds.

    3:

    would it be okay to have a rule to route between vlan0 PFsense box to laptop on vlan1?

    This is where you lose me.  I'm not sure why you want to divide your LAN into 2 segments with separate subnets: 1 for wired and 1 for wireless traffic? You wouldn't need separate VLANs to bridge the connection.  Just bridge the 2 interfaces and assign the bridge as your LAN interface, and all traffic will route between the two ports.  Maybe I've missed something?



  • @rudelerius:

    After reading through your entire post, I gather the bottom line is that you have 3 questions:
    1:

    would I have any issues with speed and reliability with the Realtek NIC?

    There are 56 pages of results when searching the forums for "realtek."  Chances are you will find more information about your hardware among them: https://forum.pfsense.org/index.php?action=search2

    2:

    would the E350 be able to handle a couple VPN connections and NAT filtering without having a large slow down in speed?

    The answer depends on how much traffic you plan to put through the box, but you note this is a home network, so the dual-core processor on the E350 will likely handle whatever you can throw at it.  You didn't mention how much RAM is on the board, only that it is non-ECC.  Even if all you have is 2GB, you will likely not be able to put enough load on the box in a home setup to tax the system so much that you notice any slowdown in network speeds.

    3:

    would it be okay to have a rule to route between vlan0 PFsense box to laptop on vlan1?

    This is where you lose me.  I'm not sure why you want to divide your LAN into 2 segments with separate subnets: 1 for wired and 1 for wireless traffic? You wouldn't need separate VLANs to bridge the connection.  Just bridge the 2 interfaces and assign the bridge as your LAN interface, and all traffic will route between the two ports.  Maybe I've missed something?

    1.  Thank you, I will just Google it.. Kind of stupid on my part to ask that…

    2.  I have 204-PIN SODIMM 8GB (2x4GB) of 1066MHz RAM.  This is the fastest speed I think that board allows and the highest capacity I could find in a dual-channel configuration.

    3.  I was thinking more along the lines of partitioning the network, wireless versus wired, for organization and maybe security.  I am kind of a newb with the more advanced topics of networking, so whatever, my notion of what I am about to say might be a load of BS.  I know a lot of larger networks use VLANs to be easier to manage in organized groups.  I know that VLAN hopping could happen.  I was just thinking that I could partition the network so that only the wired connections and a select few of the wireless devices (Intel Edison, Amazon Fire Stick, and one laptop) are allowed to see or interact with my wired workstation, NAS, etc...  I was thinking that if my wifi router were ever compromised, having stuff compartmentalized would be a better route.  So if you think VLAN is a stupid idea, it could very well be a stupid idea.  If I were to just not use VLANs and put it all together, would it be less secure than partitioning it out?

    +1 to karma for the help!



  • If you plan to use VLANs, then what's the point in using 2 interfaces separately?

    You can run multiple (roughly 4096) VLANs over 1 physical interface… that's basically the point of it all.



  • Intel G3260 Pentium processor (3.1GHz, Socket 1150, 3M Cache, 53 Watt) ~80 €
    miniITX board 100 €
    miniITX case & PSU 100 €
    RAM & CPU cooler 100 €
    2 x GB LAN Intel® i210AT or Intel® i217V on board

    This will fit your needs and then comes with 2 Intel GB LAN ports;
    for 60 € on top you get a used Intel dual-port NIC from amazon.com.

    On eBay it would be less expensive!

    VLANs, QoS, VPN, and whatever else, and then not slowing down the line, is not really realistic.



  • So, @adramalech707
    I don't think you are stupid at all.  Please don't take my comments that way.  I just wasn't clear on your intention for creating separate subnets (because that's really what you are talking about doing) with vlan.

    I will just google it.. Kind of stupid on my part

    Again, not stupid.  Use the forum search to get the best results. Seems like there is a lot of discussion of Realtek NICs.

    8GB (2x4GB) of 1066MHz RAM

    I don't think hardware is an issue for you, except perhaps in regard to power consumption, or noise.  But, you've been running the FreeNAS box for a while now, so probably you are happy with it.  If you reconsider, check out BlueKobold's suggestions, or do some further research on other hardware options.

    I was thinking more along the lines of partitioning the network wireless versus wired for organization and maybe security

    Here I feel like you need to think more about why you want to divide your clients into separate groups.  Firewalls are best at blocking things.  If your intention is to block communication/traffic between certain devices, then it would make sense to divide those devices into separate subnets and set up rules on the firewall to allow no traffic between them, or only select, essential traffic.

    In this scenario, you essentially have 2 LAN networks.  Call them what you will, but they are basically 2 separate LAN networks behind a firewall that protects them from the outside world (WAN, internet).  The firewall also protects one LAN from the other and vice versa.  If you are allowing traffic between some devices on LAN B to LAN A, but not other devices, I would ask why those devices are not placed in LAN A to begin with?  Especially if they are all client devices.

    There might be a good reason to segregate different machines.  For example- is (or will) your (new) FreeNAS box be accessible from the internet?  If so, that would be a good case to justify putting it on a different subnet from your clients (note: this would actually be considered a DMZ, but the premise is the same).  That way, you can protect your clients from any unwanted traffic coming from a sector of your network that is directly facing the internet.

    Maybe segmenting your wireless network from wired is a valid case where you might want to limit access from wireless to wired for only a few MAC addresses, and that is doable.  But, if wifi can be hacked and MAC addresses can be spoofed, I wonder how effective or necessary that is.

    One other point about vlans is that they are really unnecessary in the case you are describing, and here's why.  A virtual lan is created to allow traffic from more than one subnet to move along the same port/wire.  vlans become necessary when you need more subnets than you have ports.  So, in your scenario you have 2 Intel ports and only wish to have 2 subnets.  You can create a different subnet on each port and block traffic between them with the firewall without any need for using vlans.

    Or, as noted previously you could bridge the two interfaces and essentially make 2 separate ports into one that uses the same subnet.  That would keep all of your clients on the same subnet and accessible to one another no matter whether they are wired or wireless.

    You are correct that many corporate networks use vlans to segregate network traffic, to avoid congestion, and many other reasons.  vlans are a rabbit hole you could go down.  You could bridge the ports and create one big network, then use vlans to create separate subnets for printers only, for laptops only, for entertainment devices like the PlayStation and Fire Stick only.  Then, you could set up rules on the firewall to only allow certain traffic between each of those subnets.  And, I say if you are looking to learn how to do those things (like bridge interfaces, set up subnets on vlans, etc.), then go for it.  But, if you just want a capable firewall to protect your clients from external threats, then keep it as simple as possible.  Better yet, keep a simple setup for your home network, then get yourself (a) lab computer(s) that you can experiment with, either by using a virtualized firewall and clients, or physical.

    Hopefully that gives you some things to think about.


  • LAYER 8 Global Moderator

    "you could bridge the two interfaces and essentially make 2 separate ports into one that uses the same subnet"

    Please don't recommend people to bridge interfaces in a ROUTER.. pfSense is not a switch; you don't use interfaces like switch ports..  If he needs more ports for devices or an AP, even then use a switch, not ports on a router..  Bridging has its uses, sure - but not to leverage a NIC port as a switch port.  Those are much better off as another segment.  His wifi, if he wants to connect his AP there..

    There are plenty of reasons to have your wifi on its own segment, and then even on that physical interface other VLANs so you can control access..  Maybe some of his devices, if not all of them, can have access to his NAS that is on his wired LAN, but he doesn't want users of guest wifi (different VLAN) to have access, etc..
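    As an added illustration (constructed here, not code from this thread, from pfSense, or from any of the posters), the following Python snippet models the design rudelerius lays out above (two subnets behind the firewall, a default of no traffic between them, and an allow-list of "select, essential traffic") together with the case johnpoz raises (some wifi devices may reach the NAS on the wired LAN, the rest may not). It evaluates rules the way pfSense does, first match wins, and treats "no match" as an implicit block. The subnets, the NAS address, the three allowed wireless addresses, and the choice of TCP port 445 (SMB) as the "essential traffic" are all assumptions; a flat, bridged single-subnet ruleset is evaluated alongside for contrast.

```python
"""Segment policy evaluator: first-match rules on two LAN segments (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# --- Assumed addressing for the two segments discussed in the thread ---
WIRED_LAN = ipaddress.ip_network("192.168.10.0/24")  # switch: desktops, printer, NAS (assumed)
WIFI_LAN = ipaddress.ip_network("192.168.20.0/24")   # AP/router in bridge mode: phones, laptops (assumed)
ANY = ipaddress.ip_network("0.0.0.0/0")
NAS = ipaddress.ip_network("192.168.10.20/32")       # assumed NAS address
# The "select few" wireless devices allowed to reach the NAS (assumed addresses).
NAS_CLIENTS = [ipaddress.ip_network(a) for a in
               ("192.168.20.11/32", "192.168.20.12/32", "192.168.20.13/32")]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    dport: int = 0  # destination port, 0 for protocols without ports


@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "block"
    src: List[ipaddress.IPv4Network]
    dst: List[ipaddress.IPv4Network]
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any port
    note: str = ""

    def matches(self, f: Flow) -> bool:
        s, d = ipaddress.ip_address(f.src), ipaddress.ip_address(f.dst)
        return (any(s in n for n in self.src)
                and any(d in n for n in self.dst)
                and (self.proto is None or self.proto == f.proto)
                and (self.dport is None or self.dport == f.dport))


def evaluate(rules: List[Rule], f: Flow) -> str:
    """First matching rule wins (pfSense 'quick' semantics); no match means block."""
    for r in rules:
        if r.matches(f):
            return r.action
    return "block"


# Segmented design: wireless is its own subnet; only the allow-list reaches the NAS,
# nothing else from wifi reaches the wired segment, and Internet access stays open.
WIFI_RULES = [
    Rule("pass", NAS_CLIENTS, [NAS], proto="tcp", dport=445, note="SMB to NAS for the select few"),
    Rule("block", [WIFI_LAN], [WIRED_LAN], note="otherwise wifi may not touch the wired LAN"),
    Rule("pass", [WIFI_LAN], [ANY], note="everything else (Internet) is allowed"),
]
WIRED_RULES = [Rule("pass", [WIRED_LAN], [ANY], note="trusted wired segment")]


def decide(f: Flow) -> str:
    """Pick the ruleset of the segment the packet enters on, as per-interface rules do."""
    s = ipaddress.ip_address(f.src)
    if s in WIFI_LAN:
        return evaluate(WIFI_RULES, f)
    if s in WIRED_LAN:
        return evaluate(WIRED_RULES, f)
    return "block"  # unknown source segment: implicit deny


# Flat/bridged design for contrast: one subnet, one rule, every host sees every other host.
FLAT_LAN = ipaddress.ip_network("192.168.1.0/24")
FLAT_RULES = [Rule("pass", [FLAT_LAN], [ANY], note="bridged ports: no segmentation possible")]


if __name__ == "__main__":
    # Constructed sample flows: an allowed laptop, a random phone, a wired desktop.
    samples = [
        Flow("192.168.20.11", "192.168.10.20", "tcp", 445),   # allowed laptop -> NAS SMB
        Flow("192.168.20.50", "192.168.10.20", "tcp", 445),   # other phone -> NAS SMB
        Flow("192.168.20.11", "192.168.10.20", "tcp", 22),    # allowed laptop -> NAS SSH
        Flow("192.168.20.50", "93.184.216.34", "tcp", 443),   # phone -> Internet
        Flow("192.168.10.5", "192.168.10.20", "tcp", 445),    # wired desktop -> NAS
    ]
    for f in samples:
        print(f"{f.src:>14} -> {f.dst:>14} {f.proto}/{f.dport:<4} {decide(f)}")
```

Note that the block rule sits before the pass-to-any rule on purpose: because ANY covers the wired subnet, reversing the order would silently open the wired LAN to every wireless client, which is the same outcome bridging the two ports would produce.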



  • @johnpoz, it wasn't really my intention to recommend any particular setup.  My only real recommendation was to think more about his needs and goals and to use a configuration that works for those.

    Sorry to all if that wasn't clear.


  • LAYER 8 Global Moderator

    With new users it's a good idea to not even bring up the word bridge ;)  Take a look around the board at all the bridging nonsense -- it's a freaking disease..  Should be killed with FIRE...  They get a router with a couple of ports in and they think it's a home router with switch ports...



  • Please don't recommend people to bridge interfaces in a ROUTER..

    Who was doing so? Normally there is a very clear statement on this, the so-called golden rule:
    "Route if you can and bridge if you must"

    But in these days, where many boards come out with a so-called bypass option or function, like
    most C2x58 boards are delivering, it will only be a solution in some rare cases with an urgent need.

    A VLAN-capable switch with 5 GB LAN ports costs 25 €, and so the need for bridging is far away in this situation.

    Take a look around the board at all the bridging nonsense

    I really concur with this!

    They get a router with couple of ports in and they think its a home router with switch ports…

    Not really, in my eyes; it depends more on the wish of many users to have a transparent firewall, and in earlier
    days this would be done by setting up a LAN NIC in so-called "promiscuous mode", but as described above
    Supermicro alone is selling 5 boards with a so-called "bypass function" with 5 and 7 GB LAN ports, and switches
    are becoming more common also for home usage. And in the end we will see 90% of all these bridgers back in the
    forum starting threads like:

    • My ports are flapping
    • My NIC is lagging
    • My throughput decreases
    • Router/Firewall is becoming more unstable

    And whatever else, so yes, you are really right not to be speaking about "bridges"!

