Home network configuration (PFsense)

[Discy]

Hi all,

After some great buying advice I'm ready for the next step .

Question
Could you provide some information/link to guides on how to properly configure PfSense and other devices for this setup? (picture attached). Maybe some terms, highlevel view or best practices would suffice to find what I need in the Netgate docs.

Equipment

• Switch: TL-SG108PE
• Cloud Controller: OC200
• AP: EAP245
• PFsense running on an x86 gateway

Personal experience

• Pretty broad consumer networking/all-in-one routers
• First glance of Pfsense
• As a programmer I seem to be a quick learner, but missing knowledge that might be considered as basics. For example, no idea about vlans or subnets.

Problem
I'm kinda lost in the terms, available guides and opinions while my setup seems pretty basic.
I'd like to do it according to best practices and be flexible without overcomplicating but don't know how/where to find the right information.

For example - when I dealt with sending all traffic via a VPN gw-group I found 3 guides that all used different methods. Some used tagfilters for everything. This didn't feel right to me and I solved it without - but I honestly couldn't be sure if it was a good or bad guide.

Example questions/network requirements:

• Where to enable/disable DHCP
• What IP's should be static?
  > I guess shared devices like my NAS, CC, AP's, PFSense and any device I want to create rules for. Via DHCP MAC binding.
• In what way (exact steps I can figure out) to set-up the NAT/Routing/Gateways/subnets(?)/vlans(?).

If possible:

• Add the TV as part of main network to access the NAS via modem
• Use my modem as a second switch in the livingroom
• Set bandwidth limit per device (NAS eats upload on backup)
  > trafficshaper?
• Route some devices/ips around my VPN Gateway-group directly to WAN (OC200/Netflix TV)
  > add fw-rule to LAN with IPs-alias in source seems clean?

I hope someone can help with this.

 

[Val D.]

I can give you some suggestions based on network picture:

- run your modem in Bridge mode to avoid double NAT, if possible
- if Bridge mode is not available, make pfSense IP static and put in DMZ to avoid port forwarding issues
- run pfSense as main router with DHCP server, default NAT/Routing/Gateways will auto-configure
- if run in double NAT, make sure you allow private networks on WAN in Interfaces -> WAN
- if you don't want to deal with manual port forwarding, enable UPnP in Services -> UPnP
- connect your TV to the main switch, you can't use your modem as extra switch
- assign static IPs to your devices, x.x.x.10-90, automatic assignment IPs x.x.x.100-200, for example**
- you can do selective routing per device or alias, an example how here:
https://support.nordvpn.com/Connectivity/Router/1136266682/pfSense-2-4-4-selective-Routing.htm
- I don't know what is your NAS doing on Internet, but you can limit bandwidth with Limiters
- I would run a Limiter in order to minimize bufferbloat, example video in the link below*
- QoS per application is available as well, in case you want to play with it
- pfBlockerNG for IP/DNS-based blocking, example video in the link below*
- Snort/Suricata for Intrusion Detection and Intrusion Prevention, example video in the link below*
- ntopng for network stats, example video in the link below*
- Guest Network, from Omada controller for all APs
- I wouldn't play with VLANs on such simple network for now, it's a full different discussion

* - https://www.youtube.com/user/TheTecknowledge/search?query=pfsense
** - pfSense always assigns the same IPs for same devices, the table never expire

Too many questions in the same time, don't get over-excited, go one step at a time. Otherwise you'll have to use restore or start-over at some point. It's different than consumer routers where you can't go catastrophically wrong by clicking WebUI options. In pfSense you have to follow the logic or things can go downhill fast if you change too many things at once. And it's very difficult to tell what happened by description only. It's an entire OS after all.

 

[Discy]

Too many questions in the same time, don't get over-excited, go one step at a time.

Thanks Val, this should definitely suffice for now. Unless someone has anything to add - feel free.
I will take a couple of days to digest and test. I also started doing regular backups with descriptive comments after I finished and tested a part.

 

[MichaelCG]

I pretty much agree with what Val D has provided already.

My notes:
- don't worry about IDS/IPS quite yet, get your network figured out first...IDS tuning is a big task and the logs are extremely chatty
- Guest...I don't know the features of the Omada controller...but I would have assumed guest would be done at pfSense? Several ways to approach this one, really depends on your needs and tools you want to use to support
- bandwidth limiters - that is pretty easy on pfSense...but you do need to think it through on your entire model since you have multiple tiers of buckets. I have not been on pfSense in a while so those config options may have changed. I used them extensively when I was on a cable modem and my upload speeds were quite limited.
** example, you set a bucket for upload, then within you define a sub-bucket for your NAS. That keeps the NAS from consuming all of the upload and then you can have a catch-all bucket for everything else to help keep latency in check for all other clients when things get busy.
- subnets/vlans - my only suggestion is related to guest at this point
** later on, when you get most figured out, you may look at IoT segmentation and/or DMZ if you want to host inbound....but don't fret on those right now...get the main use cases covered and then when ready to play more, look at this
- Static IPs - The only device that should have an actual static IP is the pfSense box itself on the LAN interface
** everything else should always use DHCP
** use DHCP reservations for your servers and/or systems of importance
- backups - make sure you keep backups of the pfSense config
** I always kept weekly snapshots of the config, it really makes system recovery soooooo much less painful...lose a HD and you will hope you have a good config backup

 

[Val D.]

- Guest...I don't know the features of the Omada controller...

Guest Network in Omada is one-click deal in OC200.
After playing with firewall/switch settings for quite some time I found myself in RTFM situation.

** everything else should always use DHCP

I have all my own devices in DHCP Static Mapping with x.x.x.10-90 range, automatic assignments in x.x.x.100-200 range. My personal preference. I can tell by IP only what device that is before even looking at description:

x.x.x.11-20 - computers
x.x.x.21-30 - tablets
x.x.x.31-40 - phones
x.x.x.41-50 - others

 

[Discy]

I think I've been diving too deep too quickly into Pfsense. Using trial and error to debug rules and routes.

Are there some high quality videos/lectures or reads to get a basic understand of how Pfsense works?

 

[Val D.]

Are there some high quality videos/lectures or reads to get a basic understand of how Pfsense works?

The pfSense Book is a good start:
https://docs.netgate.com/pfsense/en/latest/book/

Lawrence Systems have some practical advice/examples videos:
https://www.youtube.com/user/TheTecknowledge/search?query=pfsense

 

[L&LD]

I didn't find any other than what @Val D. suggests. But not helpful to my use back then, I hope you can make better use of them and come up with a real tutorial on how to get Asus/RMerlin and amtm functionality via pfSense without having a networking degree.

 

[Val D.]

I didn't find any other than what @Val D. suggests.

Just type your question in Google and many sources pop-up. Much more than if you type something about Asuswrt-Merlin, actually.

how to get Asus/RMerlin and amtm functionality via pfSense

You don't need to set limits based on what's available in consumer routers. It's actually the opposite - with the hardware advancements in recent years consumer products came closer to what's available in enterprise solutions. There is no such strict hardware limitations in x86-based routers and all the shrunk down to fit components and workarounds you find on a home router have full functionality versions with UI, stats, graphs, etc. and all is done in-house with no need of 3rd party services. Not only in pfSense, but also in Sophos XG and Untangle NG (the ones I checked lately). You just can't fit all this in a power efficient ARM hardware with 0.5/1GB RAM. You can't fit it even on some Netgate hardware like SG-3100, also ARM-based and with 2GB RAM.

without having a networking degree

This is why we have consumer products. Power efficient, easy to use, good balance of performance and features for what is needed in average home environment. The global trend in consumer products is "everything automatic", just connect the cables and push one button... if there is a button.

 

[L&LD]

I didn't set any limits. But my expectations were at least what RMerlin/Asus offered back then. pfSense failed hard. No amount of googling helped. (If you remember, the 1Gbps symmetrical Fibre connection got slower and slower with a default install - no fixing that).

I love learning and trying/testing new things. pfSense was a good test for a couple of weeks. But it hardly began to offer anything better than what RMerlin offered (even back then, just over a year ago).

 

[Val D.]

pfSense failed hard.

You already shared your experience with basic pfSense installation, all defaults, nothing changed, in this thread:
https://www.snbforums.com/threads/pfsense-computer-bulid.61903/
Then 2 more people in the same thread proved you wrong with brand new pfSense installations. Why continue here? If you feel more comfortable with Asuswrt-Merlin, that's totally fine. Just continue using it. As you know from your own recommendations, sometimes users fail hard, but refuse to admit it.

 

[coxhaus]

pfsense has a predefined setup. You just need to answer the questions correctly. Since you are not a network person it may take a few tries. Get a basic setup working then research adding your features one at a time. If you mess up start again. You will gain knowledge on setting up pfsense as you do this. pfsense basically sets up making itself the master router.

 

[MichaelCG]

I was already typing my response when coxhaus replied...with roughly the same response. Start simple, stabilize, then add in the next feature you are after.

1.) Get basic interfaces and routing functional
- determine if you will need more than one subnet
- determine if your guest will be done via pfSense or via your WiFi
2.) Get your DHCP scopes defined
3.) Tweak your DHCP static reservations for your specific important devices
4.) Start working on more advanced firewall features
- limit IoT egress
5.) Start working on QoS
6.) Start working on VPN
7.) Start working on IDS/IPS
- this will be a huge time sink to tune and learn what each alert really means
- I personally don't mess with IDS at home...i do not ever look at the logs/alerts...and they just fill my log server

The first 3-4 steps here are pretty straight forward in pfSense. It doesn't really start getting complicated until you get into step 5. If you find the first couple of steps challenging...I would highly recommend not making this your primary gateway for a while if you have others in the house using Internet and you not wanting to deal with the death glare from them.

Keep in mind that if/when you start toying with IPv6, lots of your DCHP and FW work will be thrown out. IPv6 is an entirely different beast and it just doesn't work the same way. So if you want to keep it simple for now, stick to just IPv4. So much simpler, documented so much better, but is nearing the end of its dominance.

 

[L&LD]

I don't know what is so hard to understand about this? If a default/no customization installation fails to give the consistent performance that a consumer router can give, there is something else wrong. As I've admitted, it may have been a bad release that I tried (and kept updated for at least two weeks). But simply installing pfSense, answering the questions in the only possible way (i.e. correctly) and then having the 1Gbps performance plummet further and further every day is not from my lack of knowledge or attempts at gaining it.

Nobody proved me wrong in any way either.

Over a year ago with very capable hardware with 2x Intel NIC's (the recommended brand) and no matter how many fresh installs via USB key (created that many times over too) did not fix the fact that it couldn't keep the 1Gbps symmetrical connection at that speed over a period of even a few days.

The complicated stuff wasn't even attempted if the basics couldn't be had.

Thank you for the step-by-steps... but I did that and it couldn't get past step 1 with that old release.

I may attempt it in the future again (which I've also already stated). But that is why I asked @Discy for a tutorial if he can get this working, today.

Keep safe everyone.

 

[Val D.]

But that is why I asked @Discy for a tutorial if he can get this working, today.

No one can give you a tutorial how to fine tune an entire OS. If you expect a quick 10-step setup deal that you can pass 1000 times after to others as a "knowledge", it's not going to happen here. There are 1000 different configurations to chose from. This "knowledge" works only when someone else already did the work for you, spending hours in creating firmware buttons and script menus. You probably noticed pfSence users can only give general recommendations. The reason is pfSense running on 10 different devices makes in fact 10 completely different routers.

 

[coxhaus]

If you run big enough CPUs then pfsense should have no problem running symmetrical 1 gig connection.

 

[L&LD]

@coxhaus, yes the CPU along with the rest of the hardware was more than up to the task.

https://www.snbforums.com/threads/rt-ax88u-swapfile.61649/#post-548228

https://www.snbforums.com/threads/ac86u-vs-edgerouter.55615/page-2#post-472689

https://www.snbforums.com/threads/ac86u-vs-edgerouter.55615/page-3#post-472923


Not asking for tuning an 'entire OS'. I just want what I asked for above. Otherwise? What is the point of running discrete networking devices?

 

[coxhaus]

Have you tried Untangle? It may be easier to setup. It is hard for me to tell as I am a network guy.

 

[Val D.]

What is the point of running discrete networking devices?

What's the point writing in this thread if you don't know the answer of this question? If you are trying to convince someone that ASUS router + Asuswrt-Merlin + Custom Scripts + USB stick + 2GB Swap File is the best thing in networking, then good. I believe most people got it already. Whoever is running something different has a chance think about it, I guess. There is no need to repeat same things 5000 times, really. Thank you.

Can we just continue with @Discy home network configuration discussion now?

Have you tried Untangle?

Don't make things worse, please. And it's not free, from $50/year subscription.

 

[coxhaus]

I guess you know there are people running 10 gig with pfsense. The problem is the NICs and getting them to preform. You need high end server boards with wide enough channels for them to move that much data. You are talking a lot of money.