pfSense first time build question



Hey guys!

I've been trying to find an informative video on how to build a pfSense router and, while doing so, have come across some issues in actually formulating the build, specifically the networking hardware I'm going to need.

Objective:

To create a router that can handle both a wired connection to my father's computer and a wireless connection to the various electronics I have around the house.

Problem:

How many NICs do I need for this? I have been looking online and there seems to be a general consensus of around 2 or more NICs for a pfSense router, but looking at my computer I only have 1. Do I need the other one? If so, why?

There is also a bunch of lingo regarding WAN, LAN, and WLAN and although I know the acronyms' meanings, I have no clue as to what is truly going on. This is something I plan on fully understanding throughout my time working on the router.

At the end of the day, to actually get the build on its feet, the NIC question is an answer I can't clearly find or understand. I would love some input or any resource that can point me in the right direction.

Thank you!

Simple answer to your question is 2 NICs. The first NIC would be for your WAN connection, the second would be for your LAN connection. Think of it as pfSense connecting the internet to your home network - so you'll need two NICs to do so.

Your modem would connect to the WAN socket and provide your router with the internet connection. If you don't have internet and just want an internal network then you don't need this socket (although that would be rare for a home user).

Everything on your home network would connect to the LAN socket.

Typically, you would connect a network switch to your LAN socket, turning that one socket into multiple. (Tip: Always use a switch; don't use more NICs as that will cause performance losses, unless you have a real need for separate sockets). Into your network switch you would then connect your PC and a Wireless Access Point (WAP), which would provide your home with WiFi (or WLAN). pfSense can do WiFi itself, but it's fairly limited, so the general consensus is to stick with a WAP. Most simple home wireless routers can be configured to act as a WAP - so you don't necessarily need to buy new hardware.


Yes, at a minimum you would want 2 NICs, as biohead has nicely laid out. You could do it with 1 and VLANs, but 2 is really the minimum you should do if building out a pfSense box.

Here is your typical entry level home.

[image: tyical.png]

There is the 1 NIC connected to your ISP device/modem; that is the WAN or Internet. Then another NIC connected on your LAN side, or your local network, and sure, you connect WiFi with an AP too. And everything is on 1 network. This is fine if you have a few devices and don't want different WiFi for you and your guests or IoT devices, etc. etc.

In the current age of lots of different devices, many of them IoT devices, and/or guests coming over to your home with their phones and tablets, laptops - infected with who knows what? Network separation is a better idea.. I personally would do 3 if not 4 NICs in the router/firewall box. You can pick up dual port or even quad port NICs for cheap.

https://www.amazon.com/HP-NC364T-Gigabit-Server-Adptr/dp/B000P0NX3G/

Quad NIC for $45.. This is NOT a switch.. It is 4 different network interfaces on the same card - again, this is NOT a switch.. This is to allow for multiple networks, either WAN or LAN.. Or you could get a dual port that gives you 3 total with the current 1 you have, for like $25.

You would also want to go with a smart switch; it doesn't have to be fancy, but you want something that supports VLANs, i.e. the ability to run multiple isolated networks on the same switch. So while you might be able to leverage your old WiFi router as your AP.. unless you're running 3rd party firmware and the actual hardware supports VLANs, you would want a real AP that allows for different VLANs based upon your SSID, etc. So now you can have a normal WLAN for your devices, guest and even an IoT segment..

A cheap VLAN switch can be had for under $40. Here is an 8 port gig smart switch for $25:

https://www.amazon.com/TP-Link-8-Port-Gigabit-Ethernet-TL-SG108E/dp/B00K4DS5KU

It doesn't have all the bells and whistles - but it's gig and does VLANs. You would then want an AP that does VLANs. So for example, here is an entry level AC model from UniFi under the $100 mark..

https://www.ubnt.com/unifi/unifi-ap-ac-lite/

http://www.balticnetworks.com/ubiquiti-unifi-802-11ac-lite-indoor-2-4-5ghz-ap.html

$82.50 for the Lite here; they do have other models. These are true APs, power over ethernet (PoE), designed to be mounted in the ceiling or wall for best WiFi coverage of the area you need. Depending on your house, you're probably going to end up with more than 1 in the long run. I have 3 APs in my house (Lite, Pro and LR). And it's not all that big.. But then my devices always normally see a +90 signal no matter where they are in the house or even out on the patio.

[image: signal.png]

These are 5GHz signals too for most everything; some of the devices do not support 5.. which is just nonsense in this day and age.. These devices are spread across 3 different SSIDs and 3 different VLANs - nothing currently connected to the guest network. And as you see, using 802.1X for some devices to auth. I use EAP-TLS to get on my normal WLAN, which has more access than say the IoT or guest networks. But it's still isolated from my normal LAN network, etc..

So if you're wondering what a modern home might look like.. You should have multiple networks that allow you to control traffic between your different sorts of devices. Do your IoT devices need access to your file server, your PC, etc.? While sure, you might want to be able to manage them via a web GUI or something, you do not want them to be able to create unsolicited connections to you, etc.

[image: newhomenetwork.png]

So while sure, you can get started with the 2 NICs in your pfSense box, having 3, 4 or more just gives you more options. But that for sure could be added on later. What I would suggest is you have 2 at a minimum, one for WAN and the other for LAN. And get a smart switch so you can do VLANs. And if the WiFi router you're currently using will be your WiFi AP.. if it does not have VLAN support, not talking guest network, talking true VLAN support, then I would suggest getting a real AP to start with. You can always grow your network: add more NICs, add more APs, add more switches or smarter ones, etc.
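The segmentation policy BudMan describes above (LAN may reach everything, IoT and guest may only reach the Internet, and nothing on IoT or guest may open a connection toward LAN) as a small stateful-firewall model. This is an added illustration, not pfSense code or anything from the post; the segment addresses, interface names and rule table are constructed for the example.

```python
"""Toy model of a per-VLAN stateful policy: rules are evaluated on the
ingress interface in first-match order, a permitted connection is recorded
as state, and reply packets of that connection pass without a rule.
Constructed example; interface names, subnets and rules are assumptions."""
import ipaddress
from dataclasses import dataclass, field

# One constructed segment (VLAN) per firewall interface.
SEGMENTS = {
    "LAN":   ipaddress.ip_network("192.168.1.0/24"),
    "IOT":   ipaddress.ip_network("192.168.20.0/24"),
    "GUEST": ipaddress.ip_network("192.168.30.0/24"),
}

# (ingress interface, permitted destination), first match wins.
# "any" permits everything; "internet" permits only destinations that fall
# outside every local segment, so IoT/guest cannot reach LAN (or each other).
RULES = [
    ("LAN",   "any"),
    ("IOT",   "internet"),
    ("GUEST", "internet"),
]


def segment_of(ip):
    """Name of the local segment an address belongs to, else 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "internet"


@dataclass
class StatefulFirewall:
    # Simplified state table keyed by (src, dst); a real firewall keys on
    # the full 5-tuple (addresses, ports, protocol).
    states: set = field(default_factory=set)

    def allows(self, src, dst):
        """True if a packet src->dst may pass: either it is the reply half of
        a connection already permitted, or it is a new connection that a rule
        on the ingress interface permits. Anything else is dropped (default
        deny, like pfSense's implicit block on every interface)."""
        if (dst, src) in self.states:
            return True
        ingress = segment_of(src)
        for iface, permitted in RULES:
            if iface != ingress:
                continue
            if permitted == "any" or segment_of(dst) == permitted:
                self.states.add((src, dst))
                return True
        return False
```

A LAN host managing an IoT device (LAN -> IoT, then the IoT reply) passes, while the same IoT device opening a fresh connection toward LAN is dropped because no state exists for it.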

TL;DR version

A router works off the theory of an unsecured network and a secured network.

1 NIC for the unsecured internet, of which you have no control of the traffic going across.

1 NIC for the secured home network, where you have control of what equipment and sites are being used.

If you don't have this in place, you can't really have a router. There are ways around this, but in the most simple form you need physical ports; something will need two ports or more. Even the routers you buy at the store have 1 internet port (unsecured network) and 4 local network ports (and wireless) for your secured network....essentially 2 NICs.


While I agree with you sc302 on the unsecured and secured, I'm not really sure I'm 100% on board with the term "router".

Routers don't really give 2 ###### about secure or unsecure or whatever.. They just route.. Packet A wants to go here.. The term has become synonymous with what these devices are that you buy at your local computer store to get your home network on the internet. But as you mention, they do more than just route: they have an AP, they have a switch. They do NAPT; some of them have limited firewall functionality from the local unsecured side and secured side.. Rarely do they support multiple local networks and/or any sort of firewall features between say WiFi and wired.. If so, it's normally an all or nothing sort of access.

Gateway might be a better term, but many of them do not have the "modem" feature, so not sure that is the correct term as well ;)

SOHO router would be more descriptive, or maybe Integrated Services Router? But these devices are really starting to blur the line of what their role is. More like a UTM, etc..


Firewall. :p

Gateway, I guess.

Router is just the crappy marketing term that was used for the longest time. I too don't agree with that term, or gateway, really.

They are firewalls, and always will be in my eyes. Routers don't do stateful inspection. Gateways don't do any sort of deep packet inspection. Firewalls do all of that. Firewalls also separate your local network from the exterior/internet network. Marketing can call them whatever they want, but they are firewalls...maybe not as feature rich as a business grade firewall, but a firewall nonetheless.


This is true.. Kind of like all bourbons are whiskeys but not all whiskeys are bourbons ;)

A firewall by its very nature has to be able to route ;) Unless it was say a transparent firewall (bridge).. But if you say it's a firewall, it can route.. Might not route as fast because it's doing other ###### with that packet vs just sending it on its way, etc.

So I guess firewall would be a better term.. But many of them as a "firewall" really suck ;) I guess the term router is as good as any, but not really a good descriptive term for its feature set..


Alright, this makes sense to me. Thank you BudMan, sc302 and biohead for taking the time out of your Christmas holidays to post such long and informative details on the pfSense PC, and BudMan, I greatly appreciate the flow charts. :)

I'm getting started on my build, but currently my hardware is limited (as I can't shell out the money until I've completed a simple project), but I have an on-board Ethernet port and a separate NIC, but it is only 10/100. I'm not too sure how that speed will affect my home network, but we'll see how it goes.

With the switch, does it need to be a smart switch, or can I go for something along the lines of this? My father received a Staples gift card with $50 on it, but I don't want to use it all up as he'll probably need to grab a few supplies for himself. (He'll let me use it all, but I feel bad.)

First one:

http://www.staples.ca/en/D-Link-DGS-1005G-5-Port-Gigabit-Desktop-Switch/product_891411_2-CA_1_20001

Second one:

http://www.staples.ca/en/D-Link-DGS-105-5-Port-Gigabit-Switch/product_744169_1-CA_1_20001

 

 


Your internet connection to your home - is it greater than 100Mb? If not, you can use the 10/100 for the WAN and the gigabit port on the motherboard for your LAN. This ensures your home network is running at its highest capability (if you want to think about file sharing inside your home network) and your internet connection to your home isn't going to be limited by the 10/100 card.

If you're only just starting, you don't need a smart switch. A bog standard one will do, like the ones you linked. I'm not quite sure on those prices, but a very quick comparison with ones in the UK tells me you might be able to get one for even less (albeit not from Staples - https://www.amazon.co.uk/NETGEAR-GS205-100UKS-Gigabit-Ethernet-Desktop/dp/B00AYRZYG4/ref=sr_1_2?ie=UTF8&qid=1482795383&sr=8-2&keywords=switch). In future, it would be something to consider, but for now you'll likely be looking at a single internal network and trying to get to grips with the basics first.


Sorry, but to me a smart switch is the very basic.. Once you move past those ###### SOHO routers, not having a smart switch is pointless. Without a smart switch you cannot segment your network. If you're not going to segment your network, you might as well just use a stupid SOHO router.

I am not suggesting he needs a Cisco 7K at $$$$, or even something as feature rich as you can get with $200, etc. Talking about a $25 switch vs the $20 version ;) If you cannot afford the difference then you shouldn't be doing this stuff in the first place.. How in the hell do you afford anything to even connect to the internet?

The switch I linked to was 8 ports, and smart.. The 2 you linked to are only 5 and dumb and more expensive??? Shoot, the one I linked to is only 25 for the smart and 30 for the dumb ;) Why would you not get the smart switch - here is the thing, if you don't want to use it as smart just plug it in, and there you go, dumb switch..

Staples sure wouldn't be the place to buy network equipment anyway ;) heheeh

Here is the thing: if you have no budget for this until after you complete something else, wait till you complete the something else - do not go buying stuff that is pointless to buy to save a couple of $.. Not talking huge amounts of money here.. A single port gig NIC can be had for like $10.. The 4 port I linked to is very budget friendly... Not saying you need the $1000 server NIC ;)

But if your internet is less than 90 Mbps then sure, that 10/100 could be your WAN NIC.. If you're paying for 100, I would use a gig; a 10/100 is not actually capable of 100.. Might get you 95 but never going to see 100..


10 hours ago, BudMan said: [quotes BudMan's previous post in full]

BudMan, quick question: what is the difference between a smart switch and a dumb one? I've returned my old switch and I'm ordering the smart switch right away. I have to grab it from Staples because I have a ton of gift cards given to my father by colleagues, so it's pretty much a "free" purchase.

This is the one I'm purchasing:

http://www.staples.ca/en/TP-LINK-SG105E-8-Port-Gigabit-Easy-Ethernet-Smart-Switch/product_1178454_2-CA_1_20001

I found it at $54.99 but have a price match to $46.99.

And my Internet is only 50 Mbps, so I will use the 10/100 as the WAN.

 


A smart switch can create multiple virtual sub-networks, behaving like it is more than one switch, so you can have traffic moving around your network which cannot interfere with other traffic. The technology that usually underpins this is VLANs, although they also suffer from scalability issues in larger networks, leading to Q-in-Q and VXLAN coming about - your home network isn't going to suffer from such scalability issues for a very long time, though.

A dumb switch just can't do that.

https://en.wikipedia.org/wiki/Network_segmentation


24 minutes ago, Fahim S. said: [quotes Fahim S.'s previous post in full]

Thank you, reading up on it now.


That is a very basic entry level smart switch.. It does VLANs, which is the basic requirement as you move into segmentation of your network. Unless you're going to use a bunch of dumb switches, one for each network segment.

It has some other basic functions as well, like it probably allows you to set interface speed and duplex, maybe set rate limits. Can probably show you counters on the interfaces for traffic/errors. Probably does port mirroring/SPAN port. But I doubt it has any SNMP support, etc. So for example you cannot monitor interface traffic counters remotely. Probably cannot do IGMP snooping or port security or dynamic VLANs, etc..

But at the price point you cannot expect a full enterprise managed switch, nor does the average Joe user moving into networks need one.. The feature you need is to create VLANs on the switch.. Fahim states it correctly: "behaving like it is more than one switch". Which is correct; you can create multiple layer 2/broadcast domains on the same physical switch so you can run multiple networks over the same switch..


2 weeks later...

Okay, so today I was able to set up the most basic parts of my pfSense box.

So far, based on your networking diagrams, I have set up the modem to the pfSense WAN port (DHCP) and the LAN port set to 192.168.1.1. The internet works. Now, the problem is that I cannot connect to the switch portal nor the WiFi router gateway. Is this normal? I would assume that I have to connect to the switch portal to create VLANs and connect to the router to change the settings so it can act like an AP.

I connected the router (soon to be switched out with the UniFi AP you linked me) to the switch and it broadcasts WLAN fine, but it is still broadcasting through the SSID I set up previously. Is this also normal?

Edit: I double checked the wireless networks my WiFi devices are connected to and it seems like the downstairs router is not showing up, but the repeater I have upstairs is. I don't know if this helps in any way, but I find it rather weird that I can connect to the pfSense dashboard from any computer, WiFi or ethernet.

Thanks :)


Ok, can you create a drawing? This way it will be easy to determine what is what. You are talking gibberish, not using correct terms or identifying the devices properly.


Sorry! Will definitely try to use the right terms, but here is the picture (I drew it in Paint lol)

[image: ugly picture.png]


LAN side of pfSense

Smart switch

Old router (do not use the WAN/internet port; put a piece of tape over that port)

Power line adapter(s)

For simplicity use VLAN 1 and do not create VLANs yet.

Get base functionality first, then worry about other stuff, esp. when unfamiliar.


LAN pfSense: 192.168.1.1

For the next 3 devices I don't know the current IP address, if they are assigned one, but I have the default IP address to connect to them if I need to use the GUI.

Modem: 192.168.0.1

Smart Switch: 192.168.0.1

Old Router: 192.168.0.1

PowerLine: Not sure. Never needed to connect to it.

While typing out the above and actually checking the devices physically, I feel that the three default gateways above would cause a conflict? I don't know though, but it seems very weird for all three to be the same.

Can I check somehow?


If your pfSense is on 192.168.1, all other devices have to be on that network for them to function. Change the IPs:

Smart switch 192.168.1.2

Old router 192.168.1.3 (disable DHCP)

Don't touch the modem.

Powerlines may need a reboot.

Make sure pfSense is handing out IPs above 50. Leave below 50 for static addresses.

 

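A small check of the addressing plan just discussed: it flags LAN-side devices that sit outside the pfSense LAN subnet (the 192.168.0.1 defaults), duplicate addresses, and static addresses that fall inside the DHCP pool sc302 suggests (leases above .50). This is an added illustration written for this thread, not a tool from pfSense or any poster; the pool bounds and the NAS address are constructed assumptions, and the modem is left out because it sits on the WAN side.

```python
"""Consistency check for a single-subnet home LAN behind pfSense.
Constructed example: LAN subnet and pfSense address are the thread's values,
the DHCP pool bounds (.51 to .254) and the sample NAS address are assumptions."""
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")          # pfSense LAN interface network
PFSENSE_LAN_IP = ipaddress.ip_address("192.168.1.1")  # from the thread
# "handing out IPs above 50, leave below 50 for static addresses" (assumed bounds)
DHCP_POOL = (ipaddress.ip_address("192.168.1.51"),
             ipaddress.ip_address("192.168.1.254"))


def check_plan(devices):
    """devices: {name: ip string} for statically addressed LAN-side devices.
    Returns a list of (device, problem) tuples; an empty list means the plan
    is consistent with the pfSense LAN and its DHCP pool."""
    problems = []
    seen = {}  # address -> first device that claimed it
    for name, ip in devices.items():
        addr = ipaddress.ip_address(ip)
        if addr not in LAN:
            # Off-subnet: pfSense clients will not ARP for it, so its web GUI
            # is unreachable even though the cable is plugged in.
            problems.append((name, f"{ip} is not in {LAN}; unreachable from the LAN"))
        elif DHCP_POOL[0] <= addr <= DHCP_POOL[1]:
            # Static address inside the lease range: a future lease can collide.
            problems.append((name, f"{ip} lies inside the DHCP pool; a lease could collide"))
        if addr in seen:
            problems.append((name, f"{ip} duplicates {seen[addr]}"))
        else:
            seen[addr] = name
    return problems


# The plan as first posted (factory defaults) and after sc302's changes.
BEFORE = {"pfSense LAN": "192.168.1.1",
          "Smart switch": "192.168.0.1",
          "Old router": "192.168.0.1"}
AFTER = {"pfSense LAN": "192.168.1.1",
         "Smart switch": "192.168.1.2",
         "Old router": "192.168.1.3"}

if __name__ == "__main__":
    for label, plan in (("before", BEFORE), ("after", AFTER)):
        print(label, check_plan(plan) or "ok")
```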

Okay, that's what I was thinking, but when I try to connect to those devices from the current network configuration, I just get a cannot connect screen on my browser. Should I unplug it all and configure each device separately and then put it all back together?


Alright, nice! I was able to create separate IPs on each device so I can access them on the network I am on.

So essentially, what is this doing? This will probably not make sense, but I'll lay my head onto the forum:

I have two gateways? One that gives me an internet connection from the ISP and another that redirects that traffic to the various devices connected to my network? And the switch helps me manage that traffic?

If I have two gateways, why wouldn't I just connect all the devices to the WAN gateway IP address? Would that scenario mean that I would have all computers bypassing a firewall/filter and connecting directly to the internet unsecured?

Thanks!

 


This topic is now closed to further replies.