Netgate Discussion Forum
    Installing pfSense with a layer 3 switch

    Category: Problems Installing or Upgrading pfSense Software
    69 Posts 6 Posters 27.4k Views
      coxhaus

      I have a TWC 300 megabit connection now and I want to try pfSense. I have a Cisco SG300-28 switch running in layer 3 mode. I have a couple of questions about installing.

      1. Can I install only the IP address I want on the LAN side, with no DHCP server installed? My layer 3 switch handles all the VLANs and DHCP. I just need a plain IP address. Is this possible?

      2. If I use embedded, how much RAM does it take? If I add Snort, does it change?

      3. I have an old Intel server board with a Xeon low voltage CPU and 2 Intel NICs. Is it best to have both NICs connected when you install? How do I tell which is going to be the LAN side and the WAN side? I do not know the MACs. Can I leave the internet disconnected when I install? Should I?

      PS
      Is it easy to add static routes for all my VLANs?

        johnpoz, LAYER 8 Global Moderator

        If you're going to run a downstream router (L3 switch doing your routing between your VLANs), then you would connect to this router via a transit network: pick an RFC 1918 /30 and use that as your transit.

        Then yes, you can create routes to your other VLANs, or just one route that covers all your VLANs. So for example, if you use say 172.16.0.0/30 as your transit and all your downstream networks fall in 192.168/16, then you could use that one summary route of 192.168/16 pointing to your L3 switch address in 172.16.0/30 - for example pfSense LAN 172.16.0.1 and your SG300 at 172.16.0.2/30.

        No, you don't need your WAN connected when you set up pfSense, but it's normally easier if you do - pfSense will list the interfaces and their MAC addresses when you set up, so it's easy enough to pick which one is WAN and which is LAN if you know the MACs.

        As to using the embedded version: do you only have a CF or something for this server? As to the amount of RAM required, yes, using packages like Snort is going to up the requirements to run smoothly, not only in RAM and CPU but also storage space.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          coxhaus

          The only reason I thought embedded is that it runs from RAM? This is an old server, no flash. Is there a downside to embedded? Maybe I will just use the regular install.

          I don't remember the MACs any more. If I unplug one of the cables, is there a light or something which will come and go as I plug it back in? Does pfSense figure out which cable is the modem, so that I can just go with it?

          I don't see RAM requirements any more. Is it because everybody has enough and RAM is cheap? Will 4 GIG be enough for home, or is 8 GIG better?

            johnpoz, LAYER 8 Global Moderator

            4 gig is more than enough... I run it in a VM and only give it 1. Sometimes only 512.

            All stuff runs in RAM... ;) Loading the whole thing into RAM buys you what exactly? I think you're overthinking how much horsepower pfSense actually needs...

            pfSense is pretty good at figuring out which interface is your WAN. If it doesn't work, just reverse them.

              coxhaus

              I have pfSense up and running, but I have a problem. I need to add static routes for my networks in the layer 3 switch.
              I have gone to System > Routing and I can enter the routed network, but I cannot enter the default gateway. The default gateway lives on the switch, not the pfSense box. pfSense is installed in a VLAN on the layer 3 switch, and the only path into the layer 3 switch is the IP address for the layer 3 switch network which pfSense is installed in. I am not able to enter the layer 3 switch IP address unless I am missing something. The gateway is a pull-down with predefined pfSense IP addresses. I need to be able to type an IP address for my layer 3 switch. How do I accomplish this?

                Derelict, LAYER 8 Netgate

                System > Routing > Gateways: create a gateway to the switch IP address on the correct interface and check default.

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                  coxhaus

                  I have configured a gateway to the switch. Should the monitor IP address be the same as the gateway? I added 3 static routes. It does not seem to be working. I can't ping from either side. Only the pfSense VLAN is working for internet. I had to move a workstation into it to have internet access.

                    coxhaus

                    So now that I have created these static routes, do I need to create firewall rules to allow the static networks out? Or is all inside traffic allowed out?

                      coxhaus

                      I have entered the firewall rules and now I have internet access on all the VLANs.

                      My problem now is how do I tune this thing for speed? I am only seeing about 200 megabit with 24ms response time. The Cisco RV320 I just pulled out was hitting 350 megabit with 18ms response time. I am using the DSLReports speedtest.

                      I have an old Intel server board with Intel NICs and low voltage Xeon processor dedicated, no VMs, with 4 GIG RAM.

                        johnpoz, LAYER 8 Global Moderator

                        Are you doing a speed test from something directly connected to pfSense, or from something behind your L3?

                        What are the NICs in your pfSense? Did you set a transit network?

                          coxhaus

                          I am using the DSLReports speedtest from a workstation on a static route. I was worried about the static route, so I am now testing in the same VLAN as pfSense. It seems sluggish, and it should be really fast since my Cisco SG300-28 layer 3 switch is feeding it at GIG wire speed. I tried adding high D but it really made no difference. When I run the speed test the CPU goes to about 4%; otherwise it is 0. I am looking at the Intel NICs and they show a 1000 full duplex connection. Memory is sitting at 4%. There is no DHCP, only one IP address. Nothing has changed on my network except pulling out the old router and assigning the same IP address to pfSense.

                          How do I tune this thing?

                          Could it only be running at fast Ethernet full duplex? The speed never goes above 200 megabit. I am fully convinced this system is only running at fast Ethernet full duplex speed, because I have way more resources on both CPU and memory left over. pfSense is not using the resources available in this box. It is underutilized.

                          Is there a way to shut off IPv6? I don't need it.

                          The NICs are built in to the motherboard. This is an old Intel Server 5000 motherboard.
                          What do you mean by this? "Did you set a transit network?"


                            coxhaus

                            I have 2 Intel 82563EB NICs built in to the motherboard. They are 10/100/1000 NICs. I do not see support under the FreeBSD 10.2 Hardware Notes. Has the hardware support been pulled for these NICs?

                              johnpoz, LAYER 8 Global Moderator

                              A transit network. How do you have pfSense connected to your L3 switch? What IPs? What are the other VLANs on your L3 switch? Do you have any other devices on the network that connects pfSense to your L3 switch?

                              If you do, you're going to run into asynchronous routing problems!!

                              If you don't want to use IPv6, then sure, tell your interfaces none for IPv6, and you can go to Advanced > Networking > IPv6 and uncheck it, and now all IPv6 traffic is for sure blocked.

                                coxhaus

                                My pfSense box has 2 NICs. One WAN em0 port with an outside IP address from Time Warner Cable, connected to a Ubee modem in bridge mode. The other LAN NIC em1 has 192.168.10.1/24 on it. It is connected directly to the layer 3 switch on VLAN10, IP 192.168.10.254. The switch handles the local VLAN routing. The other networks are 192.168.0.0/24, 192.168.2.0/24, and 192.168.3.0/24. There are no routing loops. It was working fine with the other router, with less latency. I was going to give the other router to my daughter for her new house.
                                                                             |  VLAN1 192.168.0.254/24
                                                          192.168.10.254/24  |
                                WAN---pfsense---------VLAN10---layer3switch---VLAN2 192.168.2.254/24
                                         192.168.10.1/24                     |
                                                                             |  VLAN3 192.168.3.254/24

                                I have static maps to 192.168.0.0, 192.168.2.0, and 192.168.3.0.

                                My gateway for the static maps is 192.168.10.254, the layer 3 switch IP. pfSense is plugged into an access port on the layer 3 switch, and that is the VLAN10 IP address. There are no VLANs defined on the pfSense box, as the access port strips the tags off.

                                  coxhaus

                                  Well, I made progress. I went under the WAN interface General Configuration, selected IPv6 configuration type, and selected none.

                                  My DSLReports speedtest now is running 345 megabit. IPv6 is having a drastic effect on NIC speed.

                                  Have you seen this before?

                                    johnpoz, LAYER 8 Global Moderator

                                    That doesn't disable IPv6 on pfSense, that just sets your WAN interface to not get an IPv6 address from your provider. I doubt IPv6 has anything to do with your speed, other than you were probably using IPv6 for your testing and your ISP's IPv6 network is slower than their IPv4, or the connection to where you were testing via IPv6 is slower, etc.

                                    So you're now at the speed you are paying for.

                                    Do you have any other devices on this 192.168.10 network? If so, then it's not a transit, and those devices are going to have issues talking to stuff on your L3 switch.

                                    Also, you don't need a /24 as a transit; you could just use a /30. If you made it say 172.16.0/30, you could then just use a simple summary route 192.168/16 to your networks on your L3 switch. Then no matter what 192.168 VLAN you add to that switch, you never have to touch your routes again.

                                      coxhaus

                                      The idea with VLAN10 was to create a router VLAN that would be totally isolated from all other devices on the local network, including things such as slow wireless devices, broadcasts, Windows elections, and all chatty local traffic.

                                      Sometimes I need to add a short-term device to the router VLAN because of changes and things like configuring pfSense.
                                      So I did not use a /30 mask.

                                      I could arrange my networks so I could super scope them in a class B mask. I have my layer 3 switch setup posted on the SmallNetBuilder forums, so I tried to keep it simple, no tricky masks. The only thing a little hard is I have ACLs set up so I can share certain IPs to the guest network using a /29 mask.

                                        coxhaus

                                        Here are some settings I have changed today under System > Advanced. I think my NICs must be supported, as I have been reading about pfSense all day and tuning.

                                        1. I changed kern.ipc.nmbclusters="1000000" to increase mbufs. I had to add this entry to System Tunables.

                                        2. The settings for Hardware TCP Segmentation Offload (TSO) and Hardware Large Receive Offload (LRO) under System > Advanced on the Networking tab default to checked (disabled) for good reason. Nearly all hardware/drivers have issues with these settings, and they can lead to throughput issues. Ensure the options are checked. Sometimes disabling via sysctl is also necessary. I enabled these by unchecking them.

                                        My system seems smoother now. What do you guys think? Any ideas about more tuning?

                                          coxhaus

                                          I have just added CoDel under traffic shaping without bandwidth parameters. It is working quite well. Since I have a 300 megabit connection for home and I don't think I will saturate it, this should be a perfect fit. I have gained 3ms over my standard configuration using the DSLReports speedtest. My whole network seems to be flowing better.

                                          I should add that now my system does not show any more resources being used.

                                            coxhaus

                                            @johnpoz:

                                            Do you have any other devices on this 192.168.10 network? If so, then it's not a transit, and those devices are going to have issues talking to stuff on your L3 switch.

                                            Also, you don't need a /24 as a transit; you could just use a /30. If you made it say 172.16.0/30, you could then just use a simple summary route 192.168/16 to your networks on your L3 switch. Then no matter what 192.168 VLAN you add to that switch, you never have to touch your routes again.

                                            I have been thinking about your comment on having devices on the 192.168.10.0 network. I am thinking maybe you are having problems because you are using the pfSense box as the default gateway for workstations in the same network as pfSense. If you use the L3 switch as the default gateway for workstations on the same segment/network as pfSense, there will not be problems accessing devices on the L3 switch. All non-local IPs for the workstation will flow out the default route, which points to pfSense on the L3 switch, so it should all work well.

                                            So when a PC on the same segment as pfSense requests an internet IP address, the request hits the L3 switch and bounces back to the pfSense box.

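As an added example (not from this thread or from any of the posters), here is a small Python model of the topology coxhaus described. It covers johnpoz's two points (a /30 transit leaves no room for stray devices, and one summary route covers every downstream VLAN) and the default-gateway reasoning in the post above; the device names and the "isp" hop are constructed for the model, and the addresses are the ones given in the thread.

```python
import ipaddress

# Constructed model of the topology in this thread, using the poster's addresses:
# pfSense LAN 192.168.10.1/24 on VLAN10, SG300 at 192.168.10.254 routing VLAN1/2/3.
SWITCH_VLANS = ["192.168.0.0/24", "192.168.2.0/24", "192.168.3.0/24"]

def summary_route(networks):
    """Smallest single prefix covering every listed VLAN (192.168/16 is the wider choice)."""
    nets = [ipaddress.ip_network(n) for n in networks]
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    return summary

def usable_hosts(prefix):
    """Host addresses a transit prefix leaves over for stray devices (/30 leaves none)."""
    return len(list(ipaddress.ip_network(prefix).hosts()))

# Routing tables as (prefix, next hop); "connected" delivers directly, anything else
# names the next device. Longest prefix wins, as on real routers.
TABLES = {
    "pfsense": [("192.168.10.0/24", "connected"),
                (str(summary_route(SWITCH_VLANS)), "switch"),
                ("0.0.0.0/0", "isp")],
    "switch": [("192.168.10.0/24", "connected")]
              + [(v, "connected") for v in SWITCH_VLANS]
              + [("0.0.0.0/0", "pfsense")],
    # The ISP side: private space is reached via pfSense's WAN, all else is "the internet".
    "isp": [("192.168.0.0/16", "pfsense"), ("0.0.0.0/0", "connected")],
}

def next_hop(device, dst):
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in TABLES[device]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1]

def path(first_hop, dst):
    """Devices a packet crosses, starting at the sender's first-hop router."""
    hops, node = [], first_hop
    while node != "connected" and len(hops) < 8:
        hops.append(node)
        node = next_hop(node, dst)
    return hops

def attached_router(addr):
    """Router that has addr as a directly connected network (switch VLANs or the ISP)."""
    return next(d for d in ("switch", "isp") if next_hop(d, addr) == "connected")

def flow_symmetric(host_gateway, host_addr, dst):
    """pfSense keeps per-flow state, so it must see both directions of a flow or
    neither; a hairpinned flow it sees one way only gets its return packets dropped."""
    fwd = path(host_gateway, dst)
    rev = path(attached_router(dst), host_addr)
    return ("pfsense" in fwd) == ("pfsense" in rev), fwd, rev
```

The failing case is a VLAN10 host that uses pfSense as its default gateway and talks to another VLAN: pfSense forwards the request back out its LAN to the switch, but the switch delivers the replies to the host directly, so pfSense never sees the return half of the flow.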
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.