HOW-TO: pfSense with Single NIC, VLANS and a Wifi-AP (Router on a Stick)



I had to revisit this the other day to help a friend and I have it written up on my blogspot (not going to advertise as I don't really post there anymore). I figured I'd share this for anyone looking to dink around with a Router on a Stick configuration. I had to use this a while back when I only had one physical PC and still wanted pfSense to have a lot of oversight of my home network / security. Obviously RTR on a Stick is not the best setup, but it'll do in a pinch if you know what you're doing. 👌 Enjoy

Introduction

The current hardware configuration is set up to run in a virtualized environment: VirtualBox (64-bit) on my Win10 Pro (x64) host PC.

System Specifications:

Configuration

VLAN Config(s):
  • VLAN99 (WAN) - DHCP @ ISP
  • VLAN10 (LAN) 192.168.10.1/24 (.5-.254 range & .2-.4 reserved for static management IPs)
  • VLAN20 (WIFI AP) 192.168.20.1/24 (.5-.254 range & .2-.4 reserved for static management IPs)

TL-SG108E Config:

***NOTE*** The current firmware on the TP-LINK SG108E will only honour one physical "Save Config"; any save after that will not be retained until they release a firmware fix (**Source link**). They also indicate there that you can flash the v3 firmware onto the v2 hardware (the one I have), although I have elected not to do this. Either way, the bug is still present in all firmware versions as of 03/05/2018.

1.) Connect a laptop and set its IPv4 address to the following:

[image: ipv4.jpg]

2.) Navigate to: 192.168.0.1 ---> login with usr: admin / pw: admin (I recommend to change these immediately)

3.) Change the IP Settings to what will be your new internal LAN subnet for easier access (192.168.10.2 will be the switch's MGMT interface, reachable via ports 4-8 on your switch).

[image: switchconfig.png]

4.) **DON'T FORGET TO SET IPv4 BACK TO DHCP**

5.) Navigate to VLAN --> 802.1Q VLAN --> Enable VLAN Config --> Apply

[image: vlanconfig1.png]

  • Default VLAN --> Leave as is
  • VLAN ID: 10, VLAN Name: LAN, Port 1 Tagged, Not Member Ports 2 & 3, Untagged Ports 4-8 --> Add/Modify
  • VLAN ID: 99, VLAN Name: WAN, Port 1 Tagged, Untagged Port 2, Not Member Ports 3-8 --> Add/Modify
  • VLAN ID: 20, VLAN Name: OPT1 (Wifi-AP), Port 1 Tagged, Untagged Port 3, Not Member Ports 2 & 4-8 --> Add/Modify

 

6.) Navigate to 802.1Q PVID Setting and set the following by typing each PVID (10, 99, 20) and selecting the corresponding ports:

 

  • Port 1: 10, Port 2: 99, Port 3: 20, Port 4-8: 10

 

[image: config2.png]

**Now it's safe to use Save Config.** If you used it before getting all of this set up, you'll unfortunately need to reset the switch and start over, unless they've fixed this bug.
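The 802.1Q table from steps 5 and 6 is easy to get subtly wrong, and the switch will happily save a table that bridges the modem onto the LAN. This added example (not part of the original post) models the table with the post's own VLAN IDs, ports and PVIDs and checks it for the mistakes that break a router-on-a-stick build: a VLAN missing from the trunk, an access port whose PVID disagrees with its untagged VLAN, and a port shared between the WAN VLAN and an inside VLAN.

```powershell
# Added example (not part of the original post): model the TL-SG108E 802.1Q
# table from steps 5 and 6 and check it for the mistakes that silently break a
# router-on-a-stick setup. VLAN IDs, ports and PVIDs are the post's values.
$Vlans = @{
    10 = @{ Name = 'LAN';  Tagged = @(1); Untagged = @(4, 5, 6, 7, 8) }
    99 = @{ Name = 'WAN';  Tagged = @(1); Untagged = @(2) }
    20 = @{ Name = 'OPT1'; Tagged = @(1); Untagged = @(3) }
}
$Pvid = @{ 1 = 10; 2 = 99; 3 = 20; 4 = 10; 5 = 10; 6 = 10; 7 = 10; 8 = 10 }
$TrunkPort = 1   # port 1 carries every VLAN tagged to the single pfSense NIC
$WanVlan = 99

function Test-VlanTable {
    param([hashtable]$Vlans, [hashtable]$Pvid, [int]$TrunkPort, [int]$WanVlan)
    $problems = @()
    foreach ($id in $Vlans.Keys) {
        $v = $Vlans[$id]
        # A VLAN that is not tagged on the trunk never reaches pfSense (no gateway).
        if ($v.Tagged -notcontains $TrunkPort) {
            $problems += "VLAN $id ($($v.Name)) is not tagged on trunk port $TrunkPort"
        }
        # Untagged on the trunk would dump that VLAN's frames into the PVID VLAN.
        if ($v.Untagged -contains $TrunkPort) {
            $problems += "VLAN $id ($($v.Name)) must not be untagged on trunk port $TrunkPort"
        }
    }
    foreach ($port in ($Pvid.Keys | Where-Object { $_ -ne $TrunkPort })) {
        $member = @($Vlans.Keys | Where-Object { $Vlans[$_].Untagged -contains $port })
        # An access port is untagged in exactly one VLAN, and its PVID is that VLAN;
        # otherwise frames enter one VLAN and leave through another.
        if ($member.Count -ne 1) {
            $problems += "Port $port is untagged in $($member.Count) VLANs (expected exactly 1)"
        } elseif ($member[0] -ne $Pvid[$port]) {
            $problems += "Port $port PVID $($Pvid[$port]) does not match its untagged VLAN $($member[0])"
        }
    }
    # The modem port must stay alone in the WAN VLAN; sharing it with a LAN or
    # Wifi port bridges the ISP link straight onto the inside, bypassing pfSense.
    foreach ($id in ($Vlans.Keys | Where-Object { $_ -ne $WanVlan })) {
        $leak = @($Vlans[$id].Untagged | Where-Object { $Vlans[$WanVlan].Untagged -contains $_ })
        if ($leak.Count -gt 0) {
            $problems += "VLAN $id shares port(s) $($leak -join ', ') with WAN VLAN $WanVlan"
        }
    }
    return $problems
}

$result = @(Test-VlanTable -Vlans $Vlans -Pvid $Pvid -TrunkPort $TrunkPort -WanVlan $WanVlan)
if ($result.Count -eq 0) { 'VLAN table is consistent' } else { $result }
```

Edit the tables to mirror what you actually typed into the switch; with the post's values it reports no problems, and moving port 4 into VLAN 99 or changing its PVID to 20 produces a finding.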
 
7.) Now you can continue with configuring the pfSense installation. I'd recommend using Rufus if you need to create a bootable USB. I didn't need to, as I virtualized my pfSense router and just downloaded the ISO on my host machine.
 
[image: pfsenseintroscrn.png]
[image: pfsensevlansconfig.png]
 
8.) Once you get to this step, answer "y" and then configure all of the pfSense VLAN interfaces (and any other extra interfaces you need). This could be skipped and done later in the GUI, but I'd go ahead and do it here.

Your interface names may be different from mine.
 
[image: ifaceassignments.png]
[image: pfsensevlans.png]
[image: pfsenseifcs.png]
 
 
  • em1.99 (WAN) -> vlan99
  • em1.10 (LAN) -> vlan10
  • em1.20 (Wifi-AP / OPT1) -> vlan20
  • em0 (OPT2) -> 192.168.30.1/24. Extra virtual interface, configured within VirtualBox as "Virtual NIC Adapter 2", so that my host PC (the machine running the pfSense VM, which also serves as an HTPC) can reach the internet through pfSense. This may be an unnecessary step depending on your desired configuration.
 
[image: virtnic.png]

9.) Once the interfaces are set to your specifications, go into the host's Network settings and set the virtual adapter to pull DHCP from the em0 interface you set up at 192.168.30.1/24, if the VM host machine needs internet access.
 
Physical Configuration:
  • Switch P1 -> physical NIC of the pfSense host
  • Switch P2 -> Cable Modem (ISP)
  • Switch P3 -> Wifi-AP (configured as 192.168.20.2 for MGMT and set to AP mode)
  • Switch P4-8 -> LAN ports for any wired devices you may have.
 
 
***Issue(s) with: Realtek PCIe GBE Family Controller NIC***
 
I had to spend hours upon hours trying to figure out why I could not get a WAN IP (DHCP from my ISP). It turns out that the Realtek PCIe GBE Family Controller is known to strip 802.1Q VLAN tags before the frames reach the VM, unless you install the latest driver update and also add the following registry edits:
  • Update drivers: Realtek PCIe GBE Family Controller
  • Find the adapter's driver sub-key (the numbered 0000, 0001, ... keys; pick the one whose DriverDesc is this adapter) under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}
  • Add/update the following DWORDs:

        MonitorModeEnabled = 1
        MonitorMode = 1
        PriorityVLANTag = 0
        SkDisableVlanStrip = 1
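Finding the right numbered sub-key by hand is error-prone, so here is an added example (not part of the original post) that locates it by the adapter's DriverDesc under the class GUID listed above and writes the four DWORDs, printing the previous value of each so the change is auditable. It assumes an elevated PowerShell session and that the DriverDesc string matches the adapter name exactly as shown in Device Manager.

```powershell
# Added example (not part of the original post): locate the Realtek adapter's
# driver sub-key under the network-class GUID named above and set the four
# DWORDs listed. Run from an elevated PowerShell; disable/re-enable the adapter
# (or reboot) afterwards so the driver reads the new values.
$ClassKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}'
$DriverDesc = 'Realtek PCIe GBE Family Controller'
$Values = @{
    MonitorModeEnabled = 1
    MonitorMode        = 1
    PriorityVLANTag    = 0
    SkDisableVlanStrip = 1
}

function Get-AdapterDriverKey {
    param([string]$ClassKey, [string]$DriverDesc)
    # Sub-keys are numbered 0000, 0001, ...; match on DriverDesc rather than on
    # the index, which differs between machines and changes on driver reinstalls.
    Get-ChildItem -Path $ClassKey -ErrorAction SilentlyContinue | Where-Object {
        (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).DriverDesc -eq $DriverDesc
    }
}

function Set-VlanPassthroughValues {
    param([string]$KeyPath, [hashtable]$Values)
    foreach ($name in $Values.Keys) {
        $before = (Get-ItemProperty -Path $KeyPath -Name $name -ErrorAction SilentlyContinue).$name
        # -Type DWord creates the value if it is missing and overwrites it otherwise.
        Set-ItemProperty -Path $KeyPath -Name $name -Value $Values[$name] -Type DWord
        $shown = if ($null -eq $before) { '<absent>' } else { $before }
        '{0,-20} {1} -> {2}' -f $name, $shown, $Values[$name]
    }
}

$keys = @(Get-AdapterDriverKey -ClassKey $ClassKey -DriverDesc $DriverDesc)
if ($keys.Count -eq 0) { throw "No adapter with DriverDesc '$DriverDesc' under $ClassKey" }
foreach ($key in $keys) {
    "Adapter sub-key: $($key.PSChildName)"
    Set-VlanPassthroughValues -KeyPath $key.PSPath -Values $Values
}
```

A Wireshark capture on the host (see the VLAN capture link under Tools) is the quickest way to confirm the fix: tagged frames should now show an 802.1Q header instead of arriving stripped.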

 

 

Tools:
https://www.wireshark.org/
https://wiki.wireshark.org/CaptureSetup/VLAN

***Issues with websites not resolving and ping requests timing out***

I spent a significant amount of time figuring out why some websites would resolve fine and others would not. It ended up being that I needed to find the optimal MTU & MSS settings to enter in pfSense. (My personal settings are noted in the image below, and in my diagram as well.)

[image: mtu&mss.png]

Great tutorial on how to find your own optimal MTU & MSS settings: https://forum.peplink.com/t/how-to-determine-the-optimal-mtu-and-mss-size/7895
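As an added example (not part of the original post, and not the linked tutorial's own script), this is the don't-fragment ping sweep a practitioner would run from the Windows host to measure those values instead of guessing: it finds the largest ICMP payload that crosses the WAN unfragmented and derives the MTU and MSS to enter in pfSense. The target host, the search window and English ping.exe output are assumptions.

```powershell
# Added example (not part of the original post, nor the linked tutorial's own
# script): a don't-fragment ping sweep from the Windows host that finds the
# largest ICMP payload that crosses the WAN unfragmented and derives the MTU
# and MSS to enter in pfSense. Target host and search window are assumptions.
$Target = 'example.net'   # assumed: any reachable host beyond your WAN link

function Test-PayloadFits {
    param([string]$Target, [int]$Payload)
    # -f sets the DF bit, -l is the payload size; English ping.exe output assumed.
    $out = & ping.exe -f -l $Payload -n 1 -w 1000 $Target 2>&1 | Out-String
    return ($out -match 'TTL=' -and $out -notmatch 'fragmented')
}

function Find-PathMtu {
    param([string]$Target, [int]$Low = 1200, [int]$High = 1472)
    # 1472 + 28 = 1500 (plain Ethernet); PPPoE links usually stop at 1464 + 28 = 1492.
    if (-not (Test-PayloadFits -Target $Target -Payload $Low)) {
        throw "Even a $Low-byte payload does not fit; check connectivity to $Target"
    }
    # Binary search: $Low always fits; shrink the window until Low equals High.
    while ($Low -lt $High) {
        $mid = [int][math]::Ceiling(($Low + $High) / 2)
        if (Test-PayloadFits -Target $Target -Payload $mid) { $Low = $mid } else { $High = $mid - 1 }
    }
    $mtu = $Low + 28        # 20-byte IPv4 header + 8-byte ICMP header
    [pscustomobject]@{
        Payload = $Low
        MTU     = $mtu      # Interfaces > WAN > MTU
        MSS     = $mtu - 40 # MTU minus IPv4 + TCP headers; Interfaces > WAN > MSS
    }
}

Find-PathMtu -Target $Target
```

Run it a few times against different hosts; if the results disagree, the smallest MTU is the safe one to configure.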

This was my first technical write-up ever, and for a portion of my network setup. Here is an overview of the diagram I made as well:

[image: pfsense.jpg]

(Old Diagram from 2018, no longer my current network setup) - I change it up pretty regularly.
