Running pfSense on laptop with 1 NIC and VLANs



  • I'm currently using an Alix 2D13 for my home network with a cable connection of 60/10.  It has been working well over the years, but now I'm thinking to replace it with something faster. APU2 is on my list, but then I thought of trying something a bit unorthodox…

    Installing pfSense on an old Core 2 Duo laptop with 4GB RAM. Obviously it only has 1 NIC, but with a managed switch and VLANs it should work in theory. My current setup includes 1 WAN and 4 LANs.

    Is there any major concern or limitation about running WAN and LANs out of one single physical NIC? Anybody else running a similar setup?



  • I have a similar setup and it works fine. I wrote a brief description here: http://blog.txrx.hu/2016/02/01/pfsense-on-single-nic-esxi-box-part-1/

    I've put ESXi on a single NIC machine, which makes it even easier since on the ESXi layer you can present multiple interfaces to pfSense that appear as separate physical interfaces. My setup looks like the following: I have a managed switch where port 8 is an access port with the WAN VLAN ID, port 7 is a trunk port with the LAN and WAN VLAN IDs, and ports 1-6 are LAN VLAN access ports. Ports 1-6 are used for LAN devices (NAS, RasPi, television, powerline adapter, etc.), port 7 is the single-port ESXi box with pfSense and port 8 is connected to the modem of my ISP.
    In ESXi you'll have a virtual switch under networking; create new port groups here, name them WAN and LAN and assign the same VLAN IDs that you assigned in the switch. Then create a virtual machine for pfSense, add multiple network cards in the VM and use the created port groups as network labels, so the virtual interfaces will be connected to a particular port group on the vswitch that you have already assigned VLANs to. That's it: install pfSense in the VM as if you had multiple interfaces and configure them according to your setup.

    One advantage here: you can create virtual network segments as well. For instance my pfSense VM has 4 virtual NICs, 2 in the WAN port group, 1 in the LAN and one in the LAN_2. This way (if your ISP uses DHCP to allocate you IPs) you can actually get 2 public IPs since both WAN vNICs will be visible at the ISP's DHCP. I use this setup to route my LAN traffic through one WAN, and the LAN_2 traffic through WAN_2, which is server traffic of virtualized servers running on the same ESXi. This way LAN_2 (that is exposed to the world) is open for some server ports through WAN2 and WAN1 is entirely my home network traffic. LAN2 is also reachable from LAN but LAN2 cannot go anywhere other than WAN2.

    I have a 100/100 fiber connection, no issues in terms of performance. Machine is a 4th gen i5 with 8GB RAM.

    I hope this helps.



  • Great, thanks for the tips. Not sure I can use ESXi, but I'll try to play around with it.



  • It can certainly be done. Be sure to configure your VLANs on both pfSense and the switch properly.

    Trunk all VLANs used on the switch port connected to pfSense, and set up VLANs on the physical interface when prompted during the first startup after installation.

    I'm using VLANs on a LAGG group (aggregated physical NICs) but it is otherwise identical to a single NIC since the LAGG interface is just treated as a single NIC with higher bandwidth.



  • That LAGG setup looks interesting ;) . Just one question… I started playing around with it and I noticed that the MAC address on all VLANs is always the same as the parent physical interface. Can that cause any issue in terms of security or functionality? What about traffic shaping, would that still work in a single interface configuration?



  • VLAN interfaces (aka SVI) follow the parent interface's MAC address. In most cases, there are no issues.

    The most common problem will be if your ISP hard locks the WAN to a particular MAC address (their supplied router or gateway). Since you're already running an Alix, I don't see this being an issue.

    As for traffic shaping, you can still apply it to VLAN interfaces. As far as pfSense is concerned, it sees an interface - it doesn't matter whether it's physical or virtual. You apply traffic shaping as you would to a physical one.

    The only difference is that you now need to take into account the fact that all your interfaces share a pipe, so you must allocate bandwidth accordingly.
    For example, if you have a client on LAN uploading to the Internet, then the traffic goes into pfSense as inbound on the physical, and leaves pfSense (through WAN) as outbound on the physical.
    You will need to understand the flow of traffic from the perspective of the physical link since you only have 1Gbps (assuming a GbE NIC) in each direction. Having multiple internal networks can quickly saturate the link if you're routing between them.



  • Thanks all for detailed info. I will try this weekend with the ESXi setup. I like the flexibility, plus that seems to be the only way to get a second IP through DHCP from my ISP.



  • @MaxPF:

    Thanks all for detailed info. I will try this weekend with the ESXi setup. I like the flexibility, plus that seems to be the only way to get a second IP through DHCP from my ISP.

    I wanted to make a post out of that one, will do it in the next few days :)



  • @domper:

    I have a similar setup and it works fine. I wrote a brief description here: http://blog.txrx.hu/2016/02/01/pfsense-on-single-nic-esxi-box-part-1/

    I've put ESXi on a single NIC machine, which makes it even easier since on the ESXi layer you can present multiple interfaces to pfSense that appear as separate physical interfaces. My setup looks like the following: I have a managed switch where port 8 is an access port with the WAN VLAN ID, port 7 is a trunk port with the LAN and WAN VLAN IDs, and ports 1-6 are LAN VLAN access ports. Ports 1-6 are used for LAN devices (NAS, RasPi, television, powerline adapter, etc.), port 7 is the single-port ESXi box with pfSense and port 8 is connected to the modem of my ISP.
    In ESXi you'll have a virtual switch under networking; create new port groups here, name them WAN and LAN and assign the same VLAN IDs that you assigned in the switch. Then create a virtual machine for pfSense, add multiple network cards in the VM and use the created port groups as network labels, so the virtual interfaces will be connected to a particular port group on the vswitch that you have already assigned VLANs to. That's it: install pfSense in the VM as if you had multiple interfaces and configure them according to your setup.

    One advantage here: you can create virtual network segments as well. For instance my pfSense VM has 4 virtual NICs, 2 in the WAN port group, 1 in the LAN and one in the LAN_2. This way (if your ISP uses DHCP to allocate you IPs) you can actually get 2 public IPs since both WAN vNICs will be visible at the ISP's DHCP. I use this setup to route my LAN traffic through one WAN, and the LAN_2 traffic through WAN_2, which is server traffic of virtualized servers running on the same ESXi. This way LAN_2 (that is exposed to the world) is open for some server ports through WAN2 and WAN1 is entirely my home network traffic. LAN2 is also reachable from LAN but LAN2 cannot go anywhere other than WAN2.

    I have a 100/100 fiber connection, no issues in terms of performance. Machine is a 4th gen i5 with 8GB RAM.

    I hope this helps.

    Last night I started experimenting with this setup. I got ESXi running on an old laptop (4 threads i5 / 8GB / 64GB SSD / Intel Gb NIC). Set up the virtual interfaces with the right VLANs and installed pfSense 2.3.1. For some reason the 2 WAN interfaces are not getting an IP from the cable modem.

    I use a Netgear GS108T switch and the VLAN terminology is different from Cisco, but the functionality is the same. I have the following ports configured:

    VLAN 1: default LAN
    VLAN 100: WAN from cable modem
    VLAN 200, 300, 400: WiFi networks

    • Port 1 (going to the ESXi server): Tagged member of VLAN 100, 200, 300, 400. Untagged member of VLAN 1, PVID 1
    • Port 2 (going to the cable modem): Untagged member of 100, PVID 100
    • Port 3 to 7 (various LAN devices): Untagged member of 1, PVID 1
    • Port 8 (to Wireless Access Point): Untagged member of 1, Tagged member of 200, 300, 400, PVID 1

    In theory that should work, but it doesn't. I'll do more connectivity testing and verify if port 1 and 2 talk to each other on VLAN 100 just to cover the basics.

    On the ESXi virtual switch, do you need to enable promiscuous mode?
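An added example, not from the thread or from Netgear, that sanity-checks a single-NIC VLAN port table like the GS108T one above. Port names, the untagged/tagged/PVID model and the per-port dhcp_filter flag are assumptions modelled on the post; it flags a WAN VLAN leaking onto a LAN port (modem reachable without passing the firewall), a VLAN not carried to pfSense, and DHCP filtering on the WAN path (pfSense's WAN is a DHCP client, so dropped server replies mean no WAN address).

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Port:
    """One switch port: PVID plus untagged/tagged VLAN membership (assumed model)."""
    name: str
    pvid: int
    untagged: frozenset = frozenset()
    tagged: frozenset = frozenset()
    dhcp_filter: bool = False  # switch drops DHCP server replies arriving on this port

def check_layout(ports, trunk, modem, wan_vlan):
    """Return a list of problems found; an empty list means the layout is consistent."""
    problems, in_use = [], set()
    for p in ports:
        in_use |= p.untagged | p.tagged
        if p.pvid not in p.untagged:
            problems.append(f"{p.name}: PVID {p.pvid} is not an untagged member")
        if len(p.untagged) > 1:
            problems.append(f"{p.name}: untagged in several VLANs {sorted(p.untagged)}")
        if p.untagged & p.tagged:
            problems.append(f"{p.name}: same VLAN both tagged and untagged")
        # The WAN VLAN belongs on exactly two ports: tagged to pfSense, untagged to the modem.
        if wan_vlan in (p.untagged | p.tagged) and p.name not in (trunk, modem):
            problems.append(f"{p.name}: carries WAN VLAN {wan_vlan}, bypassing the firewall")
        # pfSense's WAN is a DHCP client; filtering server replies on the WAN path breaks it.
        if p.dhcp_filter and p.name in (trunk, modem):
            problems.append(f"{p.name}: DHCP filtering blocks the modem's DHCP replies")
    t = next(p for p in ports if p.name == trunk)
    for v in sorted(in_use - t.tagged - t.untagged):
        problems.append(f"{trunk}: VLAN {v} is in use but not carried to pfSense")
    return problems

# Constructed layout mirroring the GS108T port table in the post above.
GS108T = [
    Port("port1", 1, frozenset({1}), frozenset({100, 200, 300, 400})),  # to ESXi / pfSense
    Port("port2", 100, frozenset({100})),                                # to cable modem
    *[Port(f"port{n}", 1, frozenset({1})) for n in range(3, 8)],         # LAN devices
    Port("port8", 1, frozenset({1}), frozenset({200, 300, 400})),        # wireless AP
]

def working_layout():
    return check_layout(GS108T, trunk="port1", modem="port2", wan_vlan=100)

def with_dhcp_filter_on_modem_port():
    # The forgotten setting from later in the thread, reproduced on the modem-facing port.
    ports = [replace(p, dhcp_filter=True) if p.name == "port2" else p for p in GS108T]
    return check_layout(ports, trunk="port1", modem="port2", wan_vlan=100)

def with_wan_leak():
    # Misconfiguration: a LAN device port untagged in the WAN VLAN.
    ports = [replace(p, pvid=100, untagged=frozenset({100})) if p.name == "port3" else p for p in GS108T]
    return check_layout(ports, trunk="port1", modem="port2", wan_vlan=100)
```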



  • @MaxPF:

    Last night I started experimenting with this setup. I got ESXi running on an old laptop (4 threads i5 / 8GB / 64GB SSD / Intel Gb NIC). Set up the virtual interfaces with the right VLANs and installed pfSense 2.3.1. For some reason the 2 WAN interfaces are not getting an IP from the cable modem.

    I use a Netgear GS108T switch and the VLAN terminology is different from Cisco, but the functionality is the same. I have the following ports configured:

    VLAN 1: default LAN
    VLAN 100: WAN from cable modem
    VLAN 200, 300, 400: WiFi networks

    • Port 1 (going to the ESXi server): Tagged member of VLAN 100, 200, 300, 400. Untagged member of VLAN 1, PVID 1
    • Port 2 (going to the cable modem): Untagged member of 100, PVID 100
    • Port 3 to 7 (various LAN devices): Untagged member of 1, PVID 1
    • Port 8 (to Wireless Access Point): Untagged member of 1, Tagged member of 200, 300, 400, PVID 1

    In theory that should work, but it doesn't. I'll do more connectivity testing and verify if port 1 and 2 talk to each other on VLAN 100 just to cover the basics.

    On the ESXi virtual switch, do you need to enable promiscuous mode?

    I don't have promiscuous mode enabled. However I have the LAN VLAN tagged on the ESXi port, so the ESXi will know on the trunk port which traffic comes from the LAN VLAN and pass it to the pfSense vNIC that is in the LAN VLAN, and your traffic will reach pfSense. Ports 3-7 can remain untagged.



  • Quick update. Everything works perfectly! After banging my head against the wall for a few hours, I remembered that a while ago I enabled DHCP filtering on some ports of the switch and forgot about it. Once I took care of that the WAN interfaces got their IPs and everything worked.

    The speed improvement over the Alix 2D13 is significant. Thanks for the help!



  • @dreamslacker:

    I'm using VLANs on a LAGG group (aggregated physical NICs)…

    Did you have any issues with VLANs on LAGG in any of the previous versions?
    Also, what switch are you using with this setup?



  • It can be done, and if your WAN speed is slow enough you might not even have any performance issues due to the VLANs (even without overhead, you will - of course - be limited to half your interface speed, which is unlikely to be an issue at your WAN speeds), but here are some things that would concern me:

    1.) Laptops rarely have really good wired Ethernet implementations.  Even on my rather high end Dell Latitudes in the past, despite using Intel Ethernet chips, I could rarely get good iperf performance out of them.

    2.) Laptops generally have better power use than desktops, but something from the Core Duo era is still going to use a rather high amount of power by modern standards, for something that is left on 24/7.  If power cost is a concern in your area (different places have varying electricity costs) or if you have an interest in running green, this may not be the best choice.

    3.)  Do you really trust the VLAN implementation of your managed switch?  How often does the switch firmware receive security patches?  Are you running on the latest?  I love my managed switch (HP Procurve 1810G-24), but I'm not convinced I'd want to expose it to my WAN.  You'd be surprised how much the typical WAN connection gets hit by various attempts, if you turn on and examine verbose logging…

    So, long story short, it's certainly very possible to do this method, but it's not necessarily best practice.



  • @robi:

    Did you have any issues with VLANs on LAGG in any of the previous versions?
    Also, what switch are you using with this setup?

    Never quite had to muck around with VLANs on LAGG with the previous versions but there is no reason to believe it wouldn't work - not with decent NICs anyway.

    I'm running a split-switch LACP with 2 units of Netgear S3300-28X in a stack. It's possible to do the same with any other true stackable switch, the next best option being the HP Procurve 1950 series running IRF.



  • @mattlach:

    3.)  Do you really trust the VLAN implementation of your managed switch?  How often does the switch firmware receive security patches?  Are you running on the latest?  I love my managed switch (HP Procurve 1810G-24), but I'm not convinced I'd want to expose it to my WAN.  You'd be surprised how much the typical WAN connection gets hit by various attempts, if you turn on and examine verbose logging…

    So, long story short, it's certainly very possible to do this method, but it's not necessarily best practice.

    If you configure the switch properly, at least where the WAN VLAN(s) are concerned, the switch core shouldn't interact with the WAN traffic other than an ASIC level tag-untag.

