Using pfSense with a L3 core switch

[sfx2000]

Interesting... same config? just moving from one box to another?

One of my gripes with pfSense is that they still keep dnsmasq around for DNS along side unbound - not sure why they made this decision, as this can lead to user confusion as to what is actually happened behind the scenes - this is an example of poor UI/UX design, IMHO...

Like many FOSS projects, it's always easier to add code than to remove code - and in the web user interface, there's a lot of work on both development and testing, to unwind the DNS functionality and make it solely unbound (might be worth it though, as unbound can do both forwarding and resolving).

 

[Christos]

One of my gripes with pfSense is that they still keep dnsmasq around for DNS along side unbound

This is true. Most -consumer- firewalls keep dnsmasq because they use it for DHSP alongside with dns.
But with pfsense this is not the case, as it uses ISC DHCP. They can remove dnsmasq anytime.

 

[coxhaus]

Well thank goodness for DNS forwarding. My L3 switch networks don't work using 2.7 RC with the default DNS resolver commands. None of my Apple devices are responding on my Apple vlan as they say there is no internet. I redid my gateway, routing statement, and firewall rules. They would not work. I changed my pfsense routers PCs kind of right before I left for a wine dinner I had last night. So, this morning I started working on it. I was almost ready to change back to the old pfsense PC. I switched from DNS resolver to DNS forwarding and everything started working. DNS resolver is faster now for the local lan but my routing lan quit. Any ideas?
It works in 23.05.

 

[coxhaus]

I posted on Netgate and you need to add networks that pfsense does not have an interface in to an Access list under DNSresolver for DNS to work. They have a fast response to questions.
It works now.

 

[coxhaus]

I really like my i3-6100T chip and for $15. My upper closet is much cooler. It is running at 32 degrees C.
I guess I should also state that I am using an SSD instead of a hard drive. I decided pfsense was worth it.

 

[coxhaus]

I have DNSresolver configured to forward to QUAD9. Here it is with caching. Better than my old PC and CPU. And release is official 2.7 of pfsense. I did an update a little while ago as it was an option today. I will jump to plus when it becomes option. Well, I just noticed plus is an option right now. Here we go again.

 

[coxhaus]

All seems well. I am running 23.05.1. It processed for a while after the upgrade. I hit 41 degrees C the highest I have seen on this new PC.

 

[sfx2000]

I really like my i3-6100T chip and for $15. My upper closet is much cooler. It is running at 32 degrees C.
I guess I should also state that I am using an SSD instead of a hard drive. I decided pfsense was worth it.

There should be an option in the WebUI for trimmng the SSD...

When you installed, did you do the ZFS option?

 

[coxhaus]

I pretty much take the defaults unless there is a reason to change it. I don't see it in the WebUI where would it be?

 

[ddaenen1]

There should be an option in the WebUI for trimmng the SSD...

When you installed, did you do the ZFS option?

Not sure where you would find that option. My installation is ZFS mirror on 2 100Gb SDD's but i have not seen any trimming option, at least, not until now.

 

[ddaenen1]

Not sure where you would find that option. My installation is ZFS mirror on 2 100Gb SDD's but i have not seen any trimming option, at least, not until now.

View attachment 51434

Apparently, this option is not available if you have 2 SSD's in ZFS mirror.

 

[Christos]

See this discussion about trim

SSD and Trim on current releases

SSD and Trim on current releases

forum.opnsense.org

 

[coxhaus]

Here is mine. It is working much better than the older 4th gen cpu.

 

[sfx2000]

Should note that pfSense CE 2.7 exited beta and went GA the other day...

pfSense CE 2.7.0 Software and pfSense Plus 23.05.1 Software Now Available for Upgrades

We are happy to announce that pfSense® CE version 2.7.0 and pfSense® Plus version 23.05.1 software are now available.

www.netgate.com

 

[coxhaus]

Should note that pfSense CE 2.7 exited beta and went GA the other day...

pfSense CE 2.7.0 Software and pfSense Plus 23.05.1 Software Now Available for Upgrades

We are happy to announce that pfSense® CE version 2.7.0 and pfSense® Plus version 23.05.1 software are now available.

www.netgate.com

Yes. I loaded the RC on Wednesday with no upgrades. Then on Thursday they released GA so I upgraded to 2.7 GA after I fixed my issue. Then later that same day they released 23.05.1 so I upgraded my GA 2.7 to 23.05.1. There were a lot of upgrades that day.

I am pretty happy with my i3-6100T cpu. I am going to load SNORT and see if I still like it. I need to replace my old Cisco L3 switch with my new Cisco layer 3 switch CBS-350-8P before I work on SNORT. And my NAS is giving me trouble right now that I am working on.

 

[sfx2000]

I am pretty happy with my i3-6100T cpu. I am going to load SNORT and see if I still like it. I need to replace my old Cisco L3 switch with my new Cisco layer 3 switch CBS-350-8P before I work on SNORT. And my NAS is giving me trouble right now that I am working on.

Yeah, I saw the NAS thread - might not be as bad as it sounds, but it would be good to get that data backed up somewhere...

FWIW - do you really need a layer 3 switch for a home network?

In my experience, likely not... it's just one more thing to maintain, and unless you have dozens of nodes, etc - it's likely overkill.

Same with Snort - yes, it provides some level of visibility into traffic, but like the Layer 3 switch, what's the time actually worth on a home network? More importantly - with Snort - what are you looking for? and how would you really respond if Snort were to find something of interest?

Lately these days - I'm more focused on providing "good enough" WiFi - putting bandwidth where it matters, and a 2.4Ghz backstop so everything works...

my thoughts - pfSense, as you have it now, it is good enough - moving to an unmanaged switch, and a couple of Cisco AP's - this will "just work" for the most part...

 

[Christos]

I agree with @sfx2000
Snort is more noise than "signal" nowadays with everything encrypted.

I am focused on DNS protection on my home. First of all to block ads without breaking sites and apps. OISD Blocklist is the best I have found so far.

Then I'm trying to find a single licence for Cisco Umbrella service in order to have a good malware protection. I don't have any cisco gear that has Umbrella embedded.
I have found this licence from amazon and Cisco support told me that they can add it to my account.
In order to use Umbrella with pfSense you must create dynamic dns service using the OpenDNS profile and adding your account in there. It is easy to do.

​

 

[ddaenen1]

I have looked at SNORT and also at Suricata and installed Suricata on my test pfSense box. After some playing around with it, i decided not to install on my main box. Too much time needed to really figure out what the best setup is. I know pfBlockerNG is not an IPS/IDS but it does block a great deal of crap and much easier to set up and tweak.

 

[coxhaus]

I am interested in SNORT mainly for the downloaded rule sets. I believe there is one for blocking DNS.txt that I read about. If I see a problem, I will track it down.

Cisco Umbrella looks good and I would have had it if I could have bought a Cisco baby Firepower. Cisco is very business oriented. I never tried it because Quad9 came out first. Cisco will not sell me TAC support. You need to be a business for Cisco to be happy. From my understanding Cisco Umbrella would be like using QUAD9 DNS.

Any time you push your network the layer 3 switch helps. I think my internet would have sucked last night when I had my NAS copying to a Windows workstation for hours from what I remember of running a flat network. I was streaming 4K and using the internet with no noticeable slowdowns last night. I have never had a Cisco L3 switch fail as they are great switches. I am on my second about to change out to my third over last 12 to 15 years.
I plan to add back my server segment vlan for my NAS. I had an issue with my L3 switch but it turned out to be a keyboard going bad when I changed the password so I didn't know it was. I had already changed my keyboard by the time I figured it out and I had to reset the switch so I did not add all the settings I had configured over the years.

The best way to improve your wireless is to add a lot of APs so you have good 5GHz everywhere rather than in 1 room. The Cisco CBS-350-8P has enough POE+ power to run 5 150 ax APs. Cisco has a switch model to run more APs if you need it. I think I paid $274 for it.

I want to see what software Cisco has for management for their L3 switches now. When I had my server rack running I had Cisco software running mapping out my network. I had a Cisco router, multiple Cisco APs and multiple switches running back then.

 

[sfx2000]

Any time you push your network the layer 3 switch helps. I think my internet would have sucked last night when I had my NAS copying to a Windows workstation for hours from what I remember of running a flat network. I was streaming 4K and using the internet with no noticeable slowdowns last night. I have never had a Cisco L3 switch fail as they are great switches. I am on my second about to change out to my third over last 12 to 15 years.

If both the source and destination are wired up and on the same switch, should be no impact on any other traffic - port to port on modern switches is non-blocking, the SoC/fabric should have more than enough BW to do max traffic across all the ports...