Starting pfsense for New Users

[xiaofan]

You tried ont -> pfsense -> tplink switch -> miotv setup?

Or tried and it don’t works?

No I have not. I will learn more about pfsense and try again later.

I tried transparency switch under pfsense and it does not seem to work.

WAN: igb1
LAN: igb2
Bridge: igb3 and igb4

ONT -- igb3 -- igb4 -- Singtel Mesh Router -- Singtel TV box
Allow all traffic on the bridge

The idea is to look at the traffic if that works.

 

[Mach3.2]

No I have not. I will learn more about pfsense and try again later.

I tried transparency switch under pfsense and it does not seem to work.

WAN: igb1
LAN: igb2
Bridge: igb3 and igb4

ONT -- igb3 -- igb4 -- Singtel Mesh Router -- Singtel TV box
Allow all traffic on the bridge

The idea is to look at the traffic if that works.

If you're just trying to do an inline wireshark inspection of the link between your ONT and Singtel router, just use the port mirror function on your smart switch.

 

[xiaofan]

6RD IPv4 Prefix length - should be 0
Gateway - singtel's tunnel server doesn't respond to pings (annoying, why would they do that?) so the gateway will always show as down, you can specify a different "monitor ip" for the ping check in the gateway settings - 2400:d800:a::1 is the next router upstream so it's as good as any for this purpose.

Thanks. This seems to work now, at least for device directely connected to LAN, which get a proper IPv6 address. Asus router does not support IPv6 in AP mode so I can not test that one.

6RD Prefix: 2400:d803::/32
6RD Border relay: 202.166.127.6
6RD IPv4 Prefix length: 0

For the LAN interface, IPv4 DHCP is enabled. IPv6 DHCP is disabled but Router Advertisement needs to be set as Unmanged.
****
https://docs.netgate.com/pfsense/en/latest/services/dhcp/ipv6-ra.html#services-ipv6-ra
The firewall will send out RA packets and clients are directed to assign themselves IP addresses within the interface subnet using SLAAC. DHCPv6 is disabled in this mode.
****

From my Mac Mini which connects to the pfsense LAN using a power line adapter.

en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether 4c:20:b8:e3:9d:52
inet6 fe80::10ca:5300:4082:fd51/64 secured scopeid 0x7
inet 192.168.55.11/24 brd 192.168.55.255 en0
inet6 2400:d803:7906:xxxx:5f:e69f:60e4:d6ec/64 autoconf secured
inet6 2400:d803:7906:xxxx:211c:8f62:2a22:de70/64 autoconf temporary

pfsense Singtel public IPv4 is 127.06.xx.xx which is encoded as 7906.xxxx.

mcuee@mcuees-Mac-mini ~ % ping6 -c 4 ipv6.google.com
PING6(56=40+8+8 bytes) 2400:d803:7906:44b9:211c:8f62:2a22:de70 --> 2404:6800:4003:c03::65
16 bytes from 2404:6800:4003:c03::65, icmp_seq=0 hlim=105 time=6.668 ms
16 bytes from 2404:6800:4003:c03::65, icmp_seq=1 hlim=105 time=6.992 ms
16 bytes from 2404:6800:4003:c03::65, icmp_seq=2 hlim=105 time=9.059 ms
16 bytes from 2404:6800:4003:c03::65, icmp_seq=3 hlim=105 time=8.763 ms

--- ipv6.l.google.com ping6 statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 6.668/7.870/9.059/1.052 ms

 

[xiaofan]

In router mode, Asus RT-AX82U IPv6 passthrough works behind pfSense. Now my wireless client can have working IPv6 address as well. For IPv4, it is double NAT. But this is not an issue for my current testing.

Edit to add: RT-AX82U IPv6 seems to work in AP mode as well.

So final configuration as of now.

TP-Link TL-SG105E smart switch

Port 1 -- connect to Singtel ZTE ONT (Default VLAN)

Port 2 -- unused (VLAN 10), I can connect the Asus here as well if needed.

Port 3 -- pfSense with public IP 2 (VLAN 10)
-- LAN -- Power Line adapter -- my Mac Mini if needed
-- LANbackup: Asus RT-AX82U in AP mode to wireles client
-- LAN for MIOTV, not working, unused now

Port 4 -- meant for Singtel TV box but not working (VLAN 20), unused now.

Port 5 -- Singtel Mesh router with public IP 3 -- Singtel TV Box and Xbox One S (default VLAN 1)

Next task will be setting up the DNS server. And after that, try out pfBlockerNG.

 

[xiaofan]

Just watched the video on DNS over TLS to set up 1.1.1.3/1.0.0.3 as the upstream DNS. And DNS leak test shows it works fine.
https://www.dnsleaktest.com/

The following test shows that it passed the tests for Secure DNS, DNSSEC and TLS 1.3.
https://www.cloudflare.com/ssl/encrypted-sni/

Edit to add:
I actually set up IPv6 as well, so the upstream DNS servers are the following.
https://developers.cloudflare.com/1.1.1.1/1.1.1.1-for-families

1.1.1.3
1.0.0.3
2606:4700:4700::1113
2606:4700:4700::1003

 

[xiaofan]

Now I am in the process to try out pfBlockerNG. I watched the video in the first page and then follow the wizzard to setup the basics. The default configuration seems to be not bad already.

A simple test by going to SpeedTest website and the advertisement is blocked.

I will compare this with my current Pi-hole sever on the Google Cloud.

 

[xiaofan]

https://forums.hardwarezone.com.sg/...-blocking-google-cloud-compute-6375286-2.html

If I compare the Pi-hole with pfBlockerNG, one of the first noticable missing feature in pfBlockerNG is the regex support. Google seems to indicate this is a long desired feature.

 

[hwzlite]

https://forums.hardwarezone.com.sg/...-blocking-google-cloud-compute-6375286-2.html

If I compare the Pi-hole with pfBlockerNG, one of the first noticable missing feature in pfBlockerNG is the regex support. Google seems to indicate this is a long desired feature.

Check out AdGuard Home on PFSense too, as well DNS-over-QUIC (DoQ) support

 

[xiaofan]

Check out AdGuard Home on PFSense too, as well DNS-over-QUIC (DoQ) support

Somehow I just do not like Adguard after a few tries and settled down for Pi-hole. But my Pi-hole installation has DNS Leak if I enable IPv6 for at least the Android clients. macOS seems to be okay.

Initial impression with pfBlockerNG is very good so I have deployed to my family members to see how it goes. With Pi-hole my lists are too aggressive and I needed to add quite some white list entries. This time I will use the default list first with pfBlockerNG.

Right now I have two wireless routers. For the SingTel Mesh Router (not possible to set up DNS in the router), I have setup Pi-hole as the main DNS with 1.1.1.3 as the secondary DNS on the client side. This SingTel Mesh Router is still needed to provide access to SingTel TV box as of now. And I also use it with legacy 2.4GHz only clients. Most of the devices at home will support 5Gz and mostly use the RT-AX82U but they will use this Singtel Mesh Router as well if I screw up the pfSense side now.

For the Asus RT-AX82U (5GHz only, 2.4GHz disabled), previously it was the main router and I used the the same setup in the router as mentioned above, Pi-hole is the main DNS and 1.1.1.3 is the backup. Then the Singtel Mesh Router is used as an AP.

Now I just set the Asus up as an AP after the pfSense router. pfBlockerNG will be the one in charge now.

 

[xiaofan]

One of the reasons I set up Pi-Hole on the cloud (also Wireguard server and V2ray server) on the free cloud is that it is pretty easy to acces them outside home. And then I do not need to set up VPN server on the home router. I am very reluctant to access my home network from outside as of now since I am not experienced enough yet just dangerous enough to mess up things.

Let's see. I may try to set up wireguard server at the pfsense box in the end to play with.

 

[TanKianW]

*Updated on Page 1*

WireGuard on other Operating System:
Removed

 

[xiaofan]

You tried ont -> pfsense -> tplink switch -> miotv setup?

Or tried and it don’t works?

Just wondering if this is the idea?
1) pfsense side
WAN : igb0 default VLAN
LAN: igb1 -- TP-Link Smart Switch
LAN Backup: igb3, for access to pfsense

Create VLAN tag 10/20 with the parent igb0.

All the default VLAN, VLAN 10 and 20 will go down the LAN line (Single line).

2) On the TP-Link Smart Switch side
Port 1: to pfsense igb1 LAN port, default VLAN

Port 2: untagged VLAN 10, PVID10, to connect to other wireless router like my Asus RT-AX82U

Port 3: untagged or tagged VLAN 20, PVID 20 or default, to SingTel TV box (trying different combinations)

Port 4: default VLAN, connect to Singtel mesh router if needed

Port 5: default VLAN, for access to smart switch web GUI

 

[TanKianW]

Just wondering if this is the idea?
1) pfsense side
WAN : igb0 default VLAN
LAN: igb1 -- TP-Link Smart Switch
LAN Backup: igb3, for access to pfsense

Create VLAN tag 10/20 with the parent igb0.

All the default VLAN, VLAN 10 and 20 will go down the LAN line (Single line).

2) On the TP-Link Smart Switch side
Port 1: to pfsense igb1 LAN port, default VLAN

Port 2: untagged VLAN 10, PVID10, to connect to other wireless router like my Asus RT-AX82U

Port 3: untagged or tagged VLAN 20, PVID 20 or default, to SingTel TV box (trying different combinations)

Port 4: default VLAN, connect to Singtel mesh router if needed

Port 5: default VLAN, for access to smart switch web GUI

Yap. That is what I mean.

 

[xiaofan]

Yap. That is what I mean.

Okay, I will try this.

Other than the cheap TL-SG105E/108E smart swich, what will be a good managed 5 port or 8 port switch around S$100?

For 5 port Unifi USW Flex Mini is pretty cheap at S$69 from MediaPro Lazada. Not so sure if it is good enough or not.

Or I should go with Mikrotik CSS106-5G-1S (RB260GS) with potentially better switch yet still below S$100.

 

[hwzlite]

Or I should go with Mikrotik CSS106-5G-1S (RB260GS) with potentially better switch yet still below S$100.

Or MikroTik CSS610-8G-2S, under US$100 can?

 

[xiaofan]

Or MikroTik CSS610-8G-2S, under US$100 can?

Looks like the Unifi USW Flex Mini is too limited. Maybe I will consider MikroTik instead. This CSS610-8G-2S seems to be fine.

SG pricing seems to be expensive. MikroTik official representative in China seems to offer good pricing at RMB589.

https://m.tb.cn/h.4lyHPkf?sm=b09f51
MikroTik CSS610-8G-2S+IN 十口智能网管万兆交换机

 

[TanKianW]

Or MikroTik CSS610-8G-2S, under US$100 can?

I like this switch too!

But my current switch still working so no excuse to buy.

 

[TanKianW]

Okay, I will try this.

Other than the cheap TL-SG105E/108E smart swich, what will be a good managed 5 port or 8 port switch around S$100?

For 5 port Unifi USW Flex Mini is pretty cheap at S$69 from MediaPro Lazada. Not so sure if it is good enough or not.

Or I should go with Mikrotik CSS106-5G-1S (RB260GS) with potentially better switch yet still below S$100.

I will up a little budget to get the CSS610. Quite an interesting switch.

You want warranty get local. You dun care, you get from China. But do get from reputable sellers.

 

[xiaofan]

I will up a little budget to get the CSS610. Quite an interesting switch.

You want warranty get local. You dun care, you get from China. But do get from reputable sellers.

Thanks. I will buy this then from the official Mikrotik China Representative. The price seems to be okay.

In the mean time, actually I will also try to configure my OpenWRT based Linksys WRT1900AC as a managed switch (not using the WAN port and disable wireless, dhcp, etc).

"How to setup VLANs on OpenWrt for Linksys WRT1900AC - Installing and Using OpenWrt / Network and Wireless Configuration - OpenWrt Forum" https://forum.openwrt.org/t/how-to-setup-vlans-on-openwrt-for-linksys-wrt1900ac/81147

"Turn router into switch - Installing and Using OpenWrt / Network and Wireless Configuration - OpenWrt Forum" https://forum.openwrt.org/t/turn-router-into-switch/9739

 

[TanKianW]

Thanks. I will buy this then from the official Mikrotik China Representative. The price seems to be okay.

In the mean time, actually I will also try to configure my OpenWRT based Linksys WRT1900AC as a managed switch (not using the WAN port and disable wireless, dhcp, etc).

"How to setup VLANs on OpenWrt for Linksys WRT1900AC - Installing and Using OpenWrt / Network and Wireless Configuration - OpenWrt Forum" https://forum.openwrt.org/t/how-to-setup-vlans-on-openwrt-for-linksys-wrt1900ac/81147

"Turn router into switch - Installing and Using OpenWrt / Network and Wireless Configuration - OpenWrt Forum" https://forum.openwrt.org/t/turn-router-into-switch/9739

Some heads up on Mikrotik switch:

Option 1: If you want more options and advanced settings, ROS is the way to go. But when you go into high level advanced switching using ROS, honestly, the hardware capability might be the limiting factor. Nevertheless, a good way to play around with ROS.

Option 2: If only want basic (managed) switching functions, you can just go with SwOS. First time setting it, you have to select SwOS then reboot into it.

Initial set up might require you to use the “Winbox” application to set a static ip for the switch.

Hope it helps.