HOW-TO: pfSense with Single NIC, VLANS and a Wifi-AP (Router on a Stick)



I had to revisit this the other day to help a friend, and I have it written up on my blogspot (not going to advertise, as I don't really post there anymore). I figured I'd share this for anyone looking to dink around with a Router on a Stick configuration. I had to use this a while back when I only had one physical PC and still wanted pfSense to have a lot of oversight of my home network / security. Obviously RTR on a Stick is not the best setup, but it'll do in a pinch if you know what you're doing. 👌 Enjoy

 

 


Introduction

 


The current hardware configuration is set up to run on my PC in a virtualized environment, using VirtualBox (64-bit) on a Win10 Pro (x64) HOST PC.

      System Specifications:
 
Configuration
      VLAN Config(s):
  • VLAN99 (WAN) - DHCP from the ISP
  • VLAN10 (LAN) - 192.168.10.1/24 (DHCP pool .5-.254; .2-.4 reserved for static management addresses)
  • VLAN20 (WIFI AP) - 192.168.20.1/24 (DHCP pool .5-.254; .2-.4 reserved for static management addresses)
     TL-SG108E Config:
 
***NOTE*** The current firmware on the TP-LINK TL-SG108E only honours one "Save Config": anything changed after that first save is not written to the switch until they release a firmware fix (**Source link**). They also indicate there that you can flash the v3 firmware onto the v2 hardware (the one I have), although I have elected not to do this. Either way, the bug is still present in all firmware versions as of 03/05/2018, so do all of the VLAN and PVID work below before you save.
 
1.) Connect a laptop directly to the switch and set its IPv4 address to a static address in the switch's default subnet (the TL-SG108E ships on 192.168.0.1/24, so something like 192.168.0.10 with mask 255.255.255.0), as shown below:
 
ipv4.jpg


 
2.) Navigate to 192.168.0.1 and log in with user: admin / password: admin (I recommend changing these immediately; the switch's web UI is the only thing standing between your WAN port and your LAN ports once it is configured).

3.) Change the IP Settings to what will be your new internal LAN subnet for easier access. (192.168.10.2 will be the switch's MGMT interface, reachable via ports 4-8 on your switch once the VLANs below are in place. You will lose the web UI at this point until your laptop is back on the new subnet.)
 
switchconfig.png

4.) **DON'T FORGET TO SET THE LAPTOP'S IPv4 BACK TO DHCP** (it will pick up an address from pfSense on VLAN 10 once everything is cabled up).

5.) Navigate to VLAN --> 802.1Q VLAN --> Enable VLAN Config --> Apply, then add the following VLANs:

 

vlanconfig1.png

  • Default VLAN (1) --> Leave as is
  • VLAN ID: 10, VLAN Name: LAN - Port 1 Tagged, Ports 2 & 3 Not Member, Ports 4-8 Untagged --> Add/Modify
  • VLAN ID: 99, VLAN Name: WAN - Port 1 Tagged, Port 2 Untagged, Ports 3-8 Not Member --> Add/Modify
  • VLAN ID: 20, VLAN Name: OPT1 (Wifi-AP) - Port 1 Tagged, Port 3 Untagged, Ports 2 & 4-8 Not Member --> Add/Modify

 

6.) Navigate to 802.1Q PVID Setting and set the following (type the PVID - 10, 99 or 20 - and tick the corresponding ports). The PVID is the VLAN that untagged frames arriving on that port are placed into, so it must match the port's untagged VLAN above:

 

  • Port 1: 10 (trunk to pfSense; untagged frames from the host land in LAN), Port 2: 99, Port 3: 20, Ports 4-8: 10

 

config2.png
**Now it's safe to use Save Config.** If you used it before completing all of the above, you will unfortunately need to reset the switch and start over unless they've fixed this bug. Before you plug the modem in, re-check that port 2 is "Not Member" of VLANs 10 and 20 and that no LAN port is a member of VLAN 99: with the modem and the LAN sharing one switch, this table is the only thing separating WAN from LAN.
 
7.) Now you can continue with the pfSense installation. I'd recommend Rufus if you need to create a bootable USB to proceed. I didn't need to, as I virtualized my pfSense router and just downloaded the ISO on my host machine.
 
pfsenseintroscrn.png
pfsensevlansconfig.png
 
8.) When the installer asks whether to set up VLANs, answer "y" and configure all of the pfSense VLAN interfaces (and any other extra interfaces you need). This could be skipped and done later in the GUI, but I'd go ahead and do it here.
          
Your interface(s) may be different than mine.
 
ifaceassignments.png
pfsensevlans.png
pfsenseifcs.png
 
 
  • em1.99 (WAN) -> vlan99
  • em1.10 (LAN) -> vlan10
  • em1.20 (Wifi-AP / OPT1) -> vlan20
  • em0 (OPT2) -> 192.168.30.1/24. Extra virtual interface, configured in VirtualBox as "Virtual NIC Adapter 2", so my HOST PC (which runs the pfSense VM) can reach the internet through pfSense, as it also serves as an HTPC. This may be an unnecessary step depending on your desired configuration.
 
virtnic.png

9.) Once this is set to your specifications, go into your host's Network settings and set the virtual adapter to pull DHCP from the em0 interface you set up at 192.168.30.1/24, if your VM HOST machine needs internet access through pfSense.
 
Physical Configuration:
  • Switch:P1 -> Physical NIC of the host (trunk; VLANs 10, 20 and 99 tagged)
  • Switch:P2 -> Cable Modem (ISP), VLAN 99 untagged
  • Switch:P3 -> Wifi-AP (set to AP mode, management address 192.168.20.2), VLAN 20 untagged
  • Switch:P4-8 -> LAN ports for any wired devices you may have, VLAN 10 untagged
 
 
***Issue(s) with: Realtek PCIe GBE Family Controller NIC***
 
I had to spend hours upon hours trying to figure out why I could not get a WAN IP (DHCP from my ISP). It turns out that the Realtek PCIe GBE Family Controller is known for stripping VLAN tags unless you perform the latest driver update and also add the following registry edits:
  • Update drivers: Realtek PCIe GBE Family Controller
  • Find the adapter's numbered sub-key (00xx) under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318} - it is the one whose DriverDesc value reads "Realtek PCIe GBE Family Controller".
  • Add/update the following DWORDs in that sub-key, then disable and re-enable the adapter (or reboot) so the driver re-reads them:

                  MonitorModeEnabled = 1
                  MonitorMode = 1
                  PriorityVLANTag = 0
                  SkDisableVlanStrip = 1

 

 

Tools:
https://www.wireshark.org/
https://wiki.wireshark.org/CaptureSetup/VLAN
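The quickest way to tell whether the driver is still stripping tags is to capture on the host NIC and look at the frames: if a trunk port is delivering nothing but untagged frames, the tags are being removed before Wireshark (and VirtualBox) see them. The following is an added example, not from the original post or from Wireshark: a Python reader for classic pcap files that walks the 802.1Q header (and stacked QinQ headers) of each frame and counts frames per VID. The sample capture at the bottom is constructed inline so the script runs offline; point `vlan_summary` at the bytes of a real .pcap saved from Wireshark to use it on your own NIC.

```python
"""Count 802.1Q-tagged vs untagged frames in a classic pcap capture.

Added example (not from the original post). Use it on a capture from the host
NIC: all frames coming back "untagged" on a trunk port means the driver strips
the tags before anything above it can see them.
"""
import struct
from collections import Counter

ETH_P_8021Q = 0x8100   # TPID for a standard 802.1Q tag
ETH_P_8021AD = 0x88A8  # TPID for the outer tag of QinQ (802.1ad)


def parse_frame(frame: bytes):
    """Return (vid, inner_ethertype) for one Ethernet frame; vid is None when untagged."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vid = 14, None
    # Walk stacked tags; the outermost one is the VLAN the switch put the frame in.
    while ethertype in (ETH_P_8021Q, ETH_P_8021AD) and len(frame) >= offset + 4:
        tci, ethertype = struct.unpack("!HH", frame[offset:offset + 4])
        if vid is None:
            vid = tci & 0x0FFF   # TCI = PCP (3 bits) | DEI (1 bit) | VID (12 bits)
        offset += 4
    return vid, ethertype


def iter_pcap_frames(data: bytes):
    """Yield raw frames from a classic (non-pcapng) pcap blob, honouring its byte order."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    (linktype,) = struct.unpack(endian + "I", data[20:24])
    if linktype != 1:  # LINKTYPE_ETHERNET
        raise ValueError(f"unsupported link type {linktype}")
    pos = 24
    while pos + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[pos:pos + 16])
        pos += 16
        yield data[pos:pos + incl_len]
        pos += incl_len


def vlan_summary(pcap: bytes) -> Counter:
    """Map VID (or the string 'untagged') to the number of frames seen."""
    counts = Counter()
    for frame in iter_pcap_frames(pcap):
        vid, _ = parse_frame(frame)
        counts[vid if vid is not None else "untagged"] += 1
    return counts


# ---- constructed sample capture (not a real trace) ----
def _frame(tci=None, ethertype=0x0800, payload=b"\x00" * 46):
    """Build a frame; tci is the full 16-bit tag control field (just the VID for priority 0)."""
    dst, src = b"\xff" * 6, b"\x00\x11\x22\x33\x44\x55"
    tag = b"" if tci is None else struct.pack("!HH", ETH_P_8021Q, tci)
    return dst + src + tag + struct.pack("!H", ethertype) + payload


def _pcap(frames):
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # little-endian, Ethernet
    records = b"".join(struct.pack("<IIII", 0, i, len(f), len(f)) + f for i, f in enumerate(frames))
    return header + records


# One WAN frame (VID 99), one LAN frame (VID 10), one frame with no tag at all.
SAMPLE_PCAP = _pcap([_frame(tci=99), _frame(tci=10), _frame()])

if __name__ == "__main__":
    for key, n in sorted(vlan_summary(SAMPLE_PCAP).items(), key=str):
        print(f"VLAN {key}: {n} frame(s)")
```

On a healthy trunk you should see VID 99 traffic (your ISP's DHCP offers) alongside 10 and 20; a summary that is all "untagged" while the switch is configured as above is the symptom the registry fix addresses.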

***Issues with websites not resolving and ping requests timing out***

I spent a significant amount of time figuring out why some websites would resolve fine and others would not. It ended up being that I needed to find the optimal MTU & MSS settings to enter in pfSense. (My personal settings are noted below, and in my diagram as well.)

mtu&mss.png

Great tutorial on how to find your own optimal MTU & MSS settings - https://forum.peplink.com/t/how-to-determine-the-optimal-mtu-and-mss-size/7895
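The manual procedure in that link is: ping with the Don't Fragment bit set, find the largest payload that still gets a reply, add the 28 bytes of IPv4 and ICMP headers to get the MTU, and subtract the 40 bytes of IPv4 and TCP headers from the MTU to get the MSS. The following is an added example, not from the original post or from the linked article, that automates the search. The probe is injectable so the logic can run offline against a simulated link (the 1492-byte PPPoE-style MTU below is a constructed value, not the author's); `ping_probe` shows how to wire in the real `ping` on Windows or Linux.

```python
"""Find the largest DF-ping payload a path accepts and derive MTU and TCP MSS from it.

Added example (not from the original post). Automates the "ping with Don't
Fragment" method; the probe function is pluggable so it can be tested offline.
"""
import platform
import subprocess
from typing import Callable, Tuple

IPV4_HEADER = 20
ICMP_HEADER = 8
TCP_HEADER = 20
PING_OVERHEAD = IPV4_HEADER + ICMP_HEADER  # ping payload + 28 = size of the IP packet


def largest_payload(probe: Callable[[int], bool], lo: int = 0, hi: int = 1472) -> int:
    """Binary-search the biggest ICMP payload that gets through unfragmented.

    probe(size) returns True when a DF ping with `size` payload bytes succeeds.
    Assumes monotonic behaviour: if N bytes fit, every smaller payload fits too.
    The default upper bound 1472 is the Ethernet maximum (1500 - 28).
    """
    if not probe(lo):
        raise RuntimeError(f"even {lo}-byte pings fail; fix basic reachability before tuning MTU")
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def mtu_and_mss(payload: int) -> Tuple[int, int]:
    """MTU = payload + IPv4 + ICMP headers; MSS = MTU - IPv4 - TCP headers."""
    mtu = payload + PING_OVERHEAD
    return mtu, mtu - IPV4_HEADER - TCP_HEADER


def simulated_link(path_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for a real path: a DF packet fits iff it is <= path_mtu bytes."""
    return lambda size: size + PING_OVERHEAD <= path_mtu


def ping_probe(host: str) -> Callable[[int], bool]:
    """Real probe: one DF ping of the given payload size to `host` (needs a live network)."""
    on_windows = platform.system() == "Windows"

    def probe(size: int) -> bool:
        if on_windows:
            cmd = ["ping", "-n", "1", "-f", "-l", str(size), host]          # -f = don't fragment
        else:
            cmd = ["ping", "-c", "1", "-M", "do", "-s", str(size), host]    # -M do = DF set
        return subprocess.run(cmd, capture_output=True).returncode == 0

    return probe


if __name__ == "__main__":
    payload = largest_payload(simulated_link(1492))
    mtu, mss = mtu_and_mss(payload)
    print(f"largest unfragmented payload {payload} -> MTU {mtu}, MSS {mss}")
    # Live run from the host, through the pfSense WAN:  largest_payload(ping_probe("8.8.8.8"))
```

Run the live probe from a machine behind pfSense against a host on the internet, not against pfSense itself, or you only measure the LAN leg. When you enter the result, read the help text on the pfSense interface's MSS field: pfSense applies MSS clamping at the entered value minus 40, so the field expects the MTU-sized number (for example 1492), not the already-reduced 1452.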

This was my first technical write-up ever, and for a portion of my network setup. Here is an overview of the diagram I made as well:

pfsense.jpg

(Old Diagram from 2018, no longer my current network setup) - I change it up pretty regularly.
