HOW-TO: pfSense with Single NIC, VLANS and a Wifi-AP (Router on a Stick)

[Lyric]

I had to revisit this the other day to help a friend and I have it written up on my blogspot (not going to advertise as I don't really post there anymore). I figured I'd share this for anyone looking to dink around with a Router on a Stick configuration. I had to use this awhile back when I only had one physical PC and still wanted pfSense to have a lot of oversight of my home network / security. Obviously RTR on a Stick is not the best setup, but it'll do in a pinch if you know what you're doing. 👌 Enjoy

 

 

Introduction

 

The current hardware configuration is setup to run on my PC in a virtualized environment using VirtualBox (64bit) for the Win10 Pro (x64) HOST PC.

      System Specifications:
 

• Processor: Intel G3258 Pentium 4 @ 4.2GHz
• CPU Heatsink: Stock Intel Cooler
• RAM: EVGA 8GB (2x4) Superclocked @ 2133MHz
• Graphics: Sapphire R9 380 Nitro 4GB GDDR5
• HDD: PNY 240GB SSD
• Motherboard: Gigabyte H81M-H mATX
• PowerSupply: EVGA 500W
• Case: Fractal Design Core 1100 MATX Mini
• Monitor (Living room TV): Magnavox 55" HDTV
• Operating System: Win10 Pro (x64)

Configuration

• pfSense
• switch: TL-SG108E v2
• wifi-ap: NG-N300 (wnr2000v5)

      VLAN Config(s):

• VLAN99 (WAN) - DHCP @ ISP
• VLAN10  (LAN) 192.168.10.1/24 (.5-.254 Range & .2-4 for Static IP Management)
• VLAN20  (WIFI AP) 192.168.20.1/24 (.5-.254 Range & .2-4 for Static IP Management)

     TL-SG108E Config:

 

***NOTE*** The current firmware on the TP-LINK SG108E will only support one physical "Save Config", anything after that will not be held in the data until they release a firmware fix (**Source link**) - They also indicate here that you can actually flash the v3 firmware to the v2 version (the one I have) although I have elected to not do this. Whichever way, the bug is still persistent in all firmware versions as of 03/05/2018.

 

1.) Connect a laptop and set your IPv4 Address to the following:
 

 

2.) Navigate to: 192.168.0.1 ---> login with usr: admin / pw: admin (I recommend to change these immediately)

3.) Change the IP Settings to what will be your new internal LAN sub-net for easier access. (192.168.10.2 - MGMT Interface - will be setup for easier management access via Ports 4-8 on your Switch).

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

4.) **DON'T FORGET TO SET IPv4 BACK TO DHCP**

5.) Navigate to VLAN --> 802.1Q VLAN --> Enable VLAN Config --> Apply

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

• Default VLAN --> Leave as is
• VLAN ID: 10, VLAN Name: LAN, Port 1 Tagged, Not Member Port 2&3, Untagged Ports 4-8 --> Add/Modify.
• VLAN ID: 99, VLAN Name: WAN, Port 1 Tagged, Untagged Port 2, Not member 3-8 -> Add/Modify
• VLAN ID: 20, VLAN Name: OPT1 (Wifi-AP), Port 1 Tagged, Port 3 Untagged, Not Member 2, 4-8

 

6.) Navigate to 802.1Q PVID Setting (and set the following by typing the PVID (10,99,20) and selecting the corresponding ports.)

 

• Port 1: 10, Port 2: 99, Port 3: 20, Port 4-8: 10

 

**Now it's safe to use Save config** If you used it prior to getting all of this setup, then you'll unfortunately need to reset the switch and start over unless they've fixed this bug.

 

7.) Now you can continue to configuring the pfSense Installation. I'd recommend using Rufus if you need to create a bootable USB to proceed. I didn't need to as I virtualized my pfSense router and just downloaded the ISO on my host machine.

 

 

8.) Once you get to this step you need to proceed with a "y" and then configure all of the pfSense VLAN Interfaces or any other extra Interfaces needed. This could be skipped and done later manually in the GUI but I'd go ahead and do it here.

          

Your interface(s) may be different than mine.

 

 

 

• em1.99 (WAN) -> vlan99
• em1.10 (LAN) -> vlan10
• em1.20 (Wifi-AP / OPT1)
• em0 (OPT2) -> (set on 192.168.30.1/24) Extra virtual interface which will be configured within VirtualBox to be "Virtual NIC Adapter 2" so my HOST PC (pfSense router) can access the internet as it also serves as a HTPC. This may be an unnecessary step depending on your desired configuration.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

9.) Once you set this to your specifications, then you can go into your Network settings and adjust the Virtual Adapter to pull DHCP from the em0 Interface you setup @ 192.168.30.1/24 if you need to pull internet on your VM HOST Machine.

 

Physical Configuration:

• Switch:P1 -> Phys NIC
• Switch:P2 -> Cable Modem (ISP) 
• Switch:P3 -> Wifi-AP (Configured to be 192.168.20.2 for MGMT and Set in AP Mode)
• Switch:P4-8 -> LAN Ports for any wired devices you may have.

 

 

***Issue(s) with: Realtek PCIe GBE Family Controller NIC***

 

I had to spend hours upon hours trying to figure out why I could not get a WAN IP (DHCP from my ISP). It turns out that the Realtek PCIe GBE Family Controller is known for stripping vlan tags unless you perform the latest driver update, and also add the following registry edits:

• Update drivers: Realtek PCIe GBE Family Controller
• Find reg sub-key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}
• Add/update the following DWORDs:

                  MonitorModeEnabled = 1
                  MonitorMode = 1
                  PriorityVLANTag = 0
                  SkDisableVlanStrip = 1

 

 

Tools:
https://www.wireshark.org/
https://wiki.wireshark.org/CaptureSetup/VLAN

***Issues with websites not resolving and ping requests timing out***

I spent a significant amount of time figuring out why some websites would resolve fine, and others would not. It ended up being that I needed to find the optimal MTU & MSS settings to input in pfSense. (My personal settings are notated below, and in my diagram as well.)

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 Great tutorial on how to find your own optimal MTU & MSS Settings - https://forum.peplink.com/t/how-to-determine-the-optimal-mtu-and-mss-size/7895

This was my first technical write-up ever, and for a portion of my network setup. Here is an overview of the diagram I made as well:

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

(Old Diagram from 2018, no longer my current network setup) - I change it up pretty regularly.