Pfsense/opnsense box with AX88U Merlin firmware

[jata]

You can enable smart connect when using Asus routers as APs. I personally do not and simply use the same SSID (and password) for 2.4Ghz and 5Ghz bands. This works fine/better in my opinion. No need to 'rename the network' when making this change.

In terms of parental controls, this will not work with asus kit in AP mode so you will need to something with opnsense (e.g. with a plugin or firewall schedule). One thing for sure is, what is possible with opnsense will be far more powerful than in asus firmware.

My advice with opnsense is to have a test setup in a VM (e.g. proxmox) and try plugins and config there before installing anything on the main opnsense router. My general rule is to keep the main router as clean/vanilla as possible.

Unifi gear is good but there are limitations if you are running an opnsense router/firewall as the Unifi default setup expects a unifi controller/router.

I will be in a mixed asus/unifi environment for a while as I want to make the most of all the investment I have in asus kit.

Hope this helps and happy to assist if you go down this path.

 

[jata]

Here is an example of my main issue with Unifi controller in my mixed environment. This view is supposed to show all network clients but for some reason I never have anything shown connected to my balcony or bedroom AP - but there are many. Both wired and wireless.

So not perfect 'visually' here but the way everything is actually connected and working is amazing.

 

[Jaded5542]

You can enable smart connect when using Asus routers as APs. I personally do not and simply use the same SSID (and password) for 2.4Ghz and 5Ghz bands. This works fine/better in my opinion. No need to 'rename the network' when making this change.

In terms of parental controls, this will not work with asus kit in AP mode so you will need to something with opnsense (e.g. with a plugin or firewall schedule). One thing for sure is, what is possible with opnsense will be far more powerful than in asus firmware.

My advice with opnsense is to have a test setup in a VM (e.g. proxmox) and try plugins and config there before installing anything on the main opnsense router. My general rule is to keep the main router as clean/vanilla as possible.

Unifi gear is good but there are limitations if you are running an opnsense router/firewall as the Unifi default setup expects a unifi controller/router.

I will be in a mixed asus/unifi environment for a while as I want to make the most of all the investment I have in asus kit.

Hope this helps and happy to assist if you go down this path.

From my understanding (I think in this thread and in general) is to turn off the internet to that "group" (if that makes sense) with a firewall settings.
I assumed the ASUS stuff would be null and void in AP mode.

The Pihole will handle the DNS/filtering side of things.

And I'm pretty sure there was a setting to stop MAC spoofing as well.

Merlin is great but I'm reading there's bugs in the current parental controls.


I just figured this be a nice little tinkering hobby.

Lucky enough to have a spare dell kicking around with a spare AP, so I can give that a crack

 

[Tech9]

The Pihole will handle the DNS/filtering side of things.

Why do you need separate Pi-hole? pfSense has pfBlockerNG extension, DNS/IP blocker. Not as pretty UI, but does the same thing. If you go for OPNsense you can have AdGuard Home with integrated dashboard... with a bit of more play installing it. Before you continue - research options.

I just figured this be a nice little tinkering hobby.

Experiment first, see if you like it, once comfortable replace your main router with it. There will be learning curve. Your home routers are not the best APs for VLAN capable appliance, unless you have Pro firmware (and working) or know how to script VLANs on whatever you have available.

 

[jata]

From my understanding (I think in this thread and in general) is to turn off the internet to that "group" (if that makes sense) with a firewall settings.
I assumed the ASUS stuff would be null and void in AP mode.

The Pihole will handle the DNS/filtering side of things.

And I'm pretty sure there was a setting to stop MAC spoofing as well.

Merlin is great but I'm reading there's bugs in the current parental controls.


I just figured this be a nice little tinkering hobby.

Lucky enough to have a spare dell kicking around with a spare AP, so I can give that a crack

Have fun. Start with proxmox on the dell. Then add opnsense and anything else you need as a VMs.

Does you dell have 2 network adapters?

Top tip is you can create virtual network adapters in proxmox so you can actually make it all work with just one physical network adapter! I was blown away when I learnt this. haha.

 

[jata]

Why do you need separate Pi-hole? pfSense has pfBlockerNG extension, DNS/IP blocker. Not as pretty UI, but does the same thing. If you go for OPNsense you can have AdGuard Home with integrated dashboard... with a bit of more play installing it. Before you continue - research options.



Experiment first, see if you like it, once comfortable replace your main router with it. There will be learning curve. Your home routers are not the best APs for VLAN capable appliance, unless you have Pro firmware (and working) or know how to script VLANs on whatever you have available.

Hey @Tech9 - hope all is well. Look what you started here. haha.

I already had 2 raspberry pi's setup as dedicated DNS adguard/unbound servers so I have continued to use these in my setup.

 

[Tech9]

make it all work with just one physical network adapter

You can have actually working pfSense on a single NIC PC with VLAN defined WAN/LAN to managed switch. I was running pfSense in this configuration for about a year, was working perfectly fine.

continued to use these

Your choice, but extra hardware in not needed. Unbound is the default DNS server, blockers are available.

 

[Tech9]

Hey @Tech9 - hope all is well. Look what you started here.

I actually don't want to start such a thing here because the forum is mostly about home routers, mostly Asus/Netgear, this is not for everyone, not the most cost effective option, complex router OS is almost impossible to explain/support with text messages, etc. We can do home routers with simple UI here. I can only provide general guidance for x86 appliances, but not going to do pages long screenshots with settings. This is a full time job.

Popular options like pfSense/OPNsense have own support forums, there are good videos online explaining the basics, etc.

 

[jata]

You can have actually working pfSense on a single NIC PC with VLAN defined WAN/LAN to managed switch. I was running pfSense in this configuration for about a year, was working perfectly fine.



Your choice, but extra hardware in not needed. Unbound is the default DNS server, blockers are available.

I didn't have a managed switch and/or the knowledge when I started on this a month ago. Now I get what you are saying and can see how you could get it working with a single physical network interface and managed switch.

I might also look at running adguard on opnsense and get rid of my two DNS rpi's.

 

[Tech9]

can see how you could get it working

It's not a secret nor my idea, documented in many places, called "router on a stick", one easy to follow explanation here:

https://www.joe0.com/2019/11/16/converting-single-nic-mini-pc-into-pfsense-router-firewall-by-using-virtual-lan-configuration-on-a-managed-switch/

Not a bad option because it works with virtually any mini-PC from eBay for $100 (or already available) and one switch for $40. I was running it on HP Elitedesk mini, Intel i5 CPU, 8GB RAM, Gigabit Intel NIC. Power draw under 20W along with the switch, managed + PoE can power few PoE APs as well.

 

[Tech9]

The main hurdle is home routers with no VLAN support as APs. You may not be able to create simple isolated Guest Network. This is what I usually warn folks going x86 appliance way with ideas to reuse the home routers. To get it going it's okay, but limits the configuration options down the road. This is the reason I'm interested in 3.0.0.6 firmware and if it works properly in AP Mode to VLAN capable router. May be a good low cost option.

 

[jata]

Thanks @Tech9

I can see that my asus APs are limited (no VLAN) without quite a bit of tinkering. At the moment I don't really have a need for VLANs or I will created a wired VLAN with a managed switch and add one of my APs - so there are some (limited) options.

Next big shift for my use will be wifi7 APs so I know I will be switching out my AX asus kit sooner or later.

Speak soon.

 

[DJones]

Hi all,

As ramsomware threats are emerging and I am switching to an IPv6-supporting ISP, I plan to install a pfsense box (made from my old Xeon W-2133 computer with 32GB DRAM, 512GB SSD) in my home network to act as a firewall with IDS/IPS.

Currently my network configuration is ISP optical fiber modem -> Asus RT-AX88U router -> Wired and wireless devices and IoTs (probably adding an NAS later). My Internet speed is 100/20 Mbps, but I plan to upgrade them to Gigabit in the next few years. Moreover, I am running several scripts on the router as in my signature, including Diversion, Skynet, ntpMerlin, BackupMON…

I have read pfsense/opnsense threads on the forum but still feel confusing. Therefore, may I have some questions:

1/ Is it worth adding a pfsense/opnsense box to my home network?

2/ Is my Xeon system capable of running pfsense/opnsense with IDS/IPS enabled? How much energy consumption should I expect?

3/ I know that a pfsense/opnsense box from their shops would be more energy-saving and quieter. However, the Netgear 4200, which seems more capable of handling IDS/IPS in a Gigabit network, costs me nearly a thousand dollars. Therefore, I prefer to use my existing system.

https://erp.etsau.com/shop

4/ Should I put the pfSense/opnsense box after or before the AX88U, regarding that I only want it to be a firewall?

5/ If I put the pfsense before the AX88U and set the Asus router to bridge/AP mode for wireless clients, will all of the existing scripts still be functional?

6/ I also read that pfBlockerNG works similarly to Diversion and Skynet. In case the scripts are still usable, should I leave them on to create a so-called multi-layer firewall, or delete them for more flawless system?

Thank you in advance.

I would suggest using Pfsense over OPNsense because Pfsense is more security hardened.

Also I would recommend you run Proxmox on baremetal which runs virtual machines this will save you a lot of headaches down the line as it’s very easy to backup or clone your virtual machine should you push a bad update.

It also allows you the flexibility to run LXE or docker containers, and additionally more than one operating system. Proxmox also comes with its own SDN if you want to use it or you can pass the traffic directly to PFsense.

Additionally if you have more than one machine you can run High Availability with at least 3 machines or cluster 2 or more machines for easy management or migration.

The proxmox community is very active, and I’ve pretty much solved any issues I’ve encountered which is rare aside from me being initially dumb and formatting the boot drive as btrfs, and later realizing you can’t install swap on the same drive unless it’s ext4 as CoW doesn’t like swap.

 

[dave14305]

I would suggest using Pfsense over OPNsense because Pfsense is more security hardened.

Can you elaborate?

 

[Tech9]

I wouldn’t recommend running virtualized firewall in first place. Dedicated hardware is better.

 

[DJones]

Can you elaborate?

Sorry I can’t. This is just what I’ve been informed by a cybersecurity researcher that goes by chiefgyk3d in his livestream.

Either is fine, but was told that in enterprise systems you may want to go with pfsense as it’s more security hardened or OPNsense if you want an out of the box solution. I didn’t ask for him to elaborate, but as cybersecurity isn’t my career I’ll take his word. Take what I said with at grain of salt as it’s word of mouth. Beyond occasionally checking for CVE’s and updating or patching what I can on my home lab; comparison what he does is witchcraft.

 

[dave14305]

Either is fine, but was told that in enterprise systems you may want to go with pfsense as it’s more security hardened or OPNsense if you want an out of the box solution.

As a “free” user, I’d personally prefer OPNsense 24.1.9 released yesterday versus pfSense CE 2.7.2 released in December 2023. Paying users might make different choices.

 

[DJones]

I wouldn’t recommend running virtualized firewall in first place. Dedicated hardware is better.

Proxmox at baremetal there is a datacenter firewall, PVE node firewall, VM firewall, and container firewall. Then within the VM or LXC container you can have an additional firewall. Certainly baremetal hardware has less overhead than virtualizing everything.

If he’s willing to benchmark either he might be able to weigh the pros and cons.

Only thing I would mention is if his dhcp server is going to be located on a VM ensure your configuration and boot order is correct. I would probably run two dhcp servers with different subnets one on proxmox just for management on its own bridge / nic, and the other on pfsense with it’s own bridge / nic just to keep you from getting locked out of the proxmox web interface. Theirs always the CLI over vga or hdmi or serial console, but that’s dusting off the server in person if something goes wrong.

Virtualized pfsense documentation: https://docs.netgate.com/pfsense/en/latest/recipes/virtualize-proxmox-ve.html

Virtualized OPNsense documentation:

OPNsense Firewall Installation - zenarmor.com

OPNsense Installation Tutorial

www.zenarmor.com

Anyways this is just a suggestion he can do what he wants.

 

[jata]

Thanks all.

I tried proxmox with opnsense on my minipc and had a couple of issues with the pc freezing up. Switched to bare metal opnsense and no issue since.

 

[Tech9]

@DJones, unnecessary complications.