Starting pfsense for New Users

bert64

Senior Member
Joined
Jan 20, 2020
Messages
1,027
Reaction score
539
Okay, I will try this.

Other than the cheap TL-SG105E/108E smart switch, what will be a good managed 5 port or 8 port switch around S$100?

For 5 port Unifi USW Flex Mini is pretty cheap at S$69 from MediaPro Lazada. Not so sure if it is good enough or not.

Or I should go with Mikrotik CSS106-5G-1S (RB260GS) with potentially better switch yet still below S$100.

Interesting, I wasn't familiar with the USW flex mini, and powered by PoE or USB too. I've just ordered one for the hell of it as it could be useful.

I've used the HP 1810 and 1820 series switches, they are managed, relatively cheap, rackable and fanless. Not sure how easily available or costly they are here. A few years ago I got a 24+2 port brand new for GBP100 in the UK (roughly S$180) so should be cheaper these days.
They lack 802.1x, but support vlan and trunking etc, still pretty good value and very reliable.
 

creator88

Senior Member
Joined
Nov 16, 2007
Messages
569
Reaction score
35
Just wondering if this is the idea?
1) pfsense side
WAN : igb0 default VLAN
LAN: igb1 -- TP-Link Smart Switch
LAN Backup: igb3, for access to pfsense

Create VLAN tag 10/20 with the parent igb0.

All the default VLAN, VLAN 10 and 20 will go down the LAN line (Single line).

2) On the TP-Link Smart Switch side
Port 1: to pfsense igb1 LAN port, default VLAN

Port 2: untagged VLAN 10, PVID10, to connect to other wireless router like my Asus RT-AX82U

Port 3: untagged or tagged VLAN 20, PVID 20 or default, to SingTel TV box (trying different combinations)

Port 4: default VLAN, connect to Singtel mesh router if needed

Port 5: default VLAN, for access to smart switch web GUI


I managed to get my Singtel IPTV working with MyRepublic broadband via a common single LAN cable using two TP-Link smart switches. See diagram attached below.

VLAN 20, Priority=4, PVID=1, IGMP Snooping Enabled

May be useful for your configuration.

VOyJ5q0.jpg
 

TanKianW

Supremacy Member
Joined
Apr 21, 2005
Messages
6,746
Reaction score
3,403
I managed to get my Singtel IPTV working with MyRepublic broadband via a common single LAN cable using two TP-Link smart switches. See diagram attached below.

VLAN 20, Priority=4, PVID=1, IGMP Snooping Enabled

May be useful for your configuration.

VOyJ5q0.jpg

I think you can do without Smart Switch A if your 8 port switch is a managed/smart switch.

OR

Replace 8 port switch with Smart Switch A.
 

xiaofan

High Supremacy Member
Joined
Sep 16, 2018
Messages
32,957
Reaction score
10,375
I managed to get my Singtel IPTV working with MyRepublic broadband via a common single LAN cable using two TP-Link smart switches. See diagram attached below.

VLAN 20, Priority=4, PVID=1, IGMP Snooping Enabled

May be useful for your configuration.

VOyJ5q0.jpg

Thanks. For people with SingTel TV only and use other ISPs, ONR will be used. I tend to think ONR situation is a bit different than ONT. Basically ONR already handles the VLAN stuff.

Between ONR and SingTel TV box, a dummy switch can be used as long as IGMP Snooping is ON (based on the SingTel ONR AP Issue thread). Basically between ONR and SingTel TV box, no other things should be mixed in (unless you use SingTel issued router which has some magic built-in to allow that).

So the above setup creates a dedicated and isolated path between SingTel ONR and the SingTel TV box, using VLAN. You can see VLAN 20 is tagged all the way, to isolate it from the internet from other ISP.
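
The isolation described in the posts above, as an added example that is not part of the original thread: a toy 802.1Q model of two smart switches joined by one cable, with VLAN 20 tagged end to end and PVID 1 on every port. The port numbers, device names and the `build`/`flood` helpers are assumptions made for illustration; the attached diagram is not reproduced here, and IGMP snooping and the priority value are not modelled.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    pvid: int = 1                               # VLAN given to untagged ingress frames
    untagged: set = field(default_factory=set)  # VLANs sent out without a tag
    tagged: set = field(default_factory=set)    # VLANs sent out with an 802.1Q tag
    link: tuple = None                          # (switch, port) at the far end of the trunk
    host: str = None                            # name of an attached end device

    def member_of(self, vid):
        return vid in self.untagged or vid in self.tagged

def build(tv_port_in_vlan1=False):
    """Constructed layout: port numbers and device names are assumptions."""
    tv_untagged = {1} if tv_port_in_vlan1 else set()
    return {
        "A": {1: Port(tagged={20}, host="onr-iptv"),
              2: Port(untagged={1}, host="internet-router"),
              5: Port(untagged={1}, tagged={20}, link=("B", 1))},
        "B": {1: Port(untagged={1}, tagged={20}, link=("A", 5)),
              2: Port(untagged=tv_untagged, tagged={20}, host="tv-box"),
              3: Port(untagged={1}, host="pc")},
    }

def flood(switches, sw, in_port, tag=None):
    """Hosts a broadcast frame reaches (worst case), mapped to the tag each sees."""
    port = switches[sw][in_port]
    vid = tag if tag is not None else port.pvid  # classify untagged frames by PVID
    if not port.member_of(vid):                  # ingress filtering: drop non-members
        return {}
    reached = {}
    for number, out in switches[sw].items():
        if number == in_port or not out.member_of(vid):
            continue
        out_tag = vid if vid in out.tagged else None
        if out.link:                             # follow the single trunk cable
            reached.update(flood(switches, *out.link, tag=out_tag))
        elif out.host:
            reached[out.host] = out_tag
    return reached

if __name__ == "__main__":
    net = build()
    print("IPTV frame from ONR :", flood(net, "A", 1, tag=20))
    print("PC broadcast        :", flood(net, "B", 3))
    print("PC broadcast, leaky :", flood(build(tv_port_in_vlan1=True), "B", 3))
```

The third call shows what changes if the TV box port is also left as an untagged member of VLAN 1: broadcasts from the other ISP's LAN then reach the TV box.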
 

creator88

I think you can do without Smart Switch A if your 8 port switch is a managed/smart switch.

OR

Replace 8 port switch with Smart Switch A.


The 8 port switch is unfortunately an unmanaged / dumb switch.

As I have more than 4 LAN points in the home, I need to use the 8 port dumb switch to provide Internet access to all the remaining LAN points. Smart Switch A does not have enough ports for my purposes.

But to your point, if the user does not require so many LAN points, it is fully possible to replace the 8 port switch with Smart Switch A.
 

xiaofan

Some heads up on Mikrotik switch:

Option 1: If you want more options and advanced settings, ROS is the way to go. But when you go into high level advanced switching using ROS, honestly, the hardware capability might be the limiting factor. Nevertheless, a good way to play around with ROS.

Option 2: If you only want basic (managed) switching functions, you can just go with SwOS. First time setting it, you have to select SwOS then reboot into it.

Initial set up might require you to use the “Winbox” application to set a static ip for the switch.

Hope it helps.

CSS610-8G-2S only supports SwOS.
"MikroTik Routers and Wireless - Products: CSS610-8G-2S+IN" https://mikrotik.com/product/css610_8g_2s_in

If I do not need 10G network as of now and only require 1Gbps, do you think an ROS capable router is better?

HEX, HEX S, hAP ac2 and hAP ac3 are all within my budget (even though I have no interest in the wireless function of the two hAP routers).

Check out MikroTik hAP ac³ for $159.00. Get it on Shopee now! https://shopee.sg/product/325818988/4670937922?smtt=0.190081821-1614739434.9

But for my purpose, hAP ac3 seems to be no better than hAP ac2.
 

xiaofan

Still going through the internet, most of the info of using pfsense and managed switches are using the Ubiquiti managed switches as the examples.

So I am not so sure if I should go to the US-8 switch or not (assume I do not need PoE). It is about S$158.

Ubiquiti US-8 UniFi Switch 8 Fully Managed Gigabit Switch - Local Online Register Distributor Warranty | https://s.lazada.sg/s.ZcnLJ
 

xiaofan

First 10 days with pfSense: pretty positive experiences in general.

SingTel Fibre Internet: no problem

SingTel TV box support: not successful yet but not a problem.

SingTel 6rd IPv6: no problem

pfBlockerNG: so far so good even with the basic setup

DNS server: DNS over TLS, no problem with both IPv4 and IPv6

Web GUI: nice and intuitive

Nice features: pftop, iperf3

Next things to learn:
1) more VLAN and firewall stuff
2) wireguard VPN server
3) packet capture
4) play with the traffic shaper since the ZTE ONT is not good for bufferbloat
5) SSH into the box and look at the configuration files as well (note: I am pretty comfortable with command line and I have used FreeBSD before).
 

bert64

Still going through the internet, most of the info of using pfsense and managed switches are using the Ubiquiti managed switches as the examples.

So I am not so sure if I should go to the US-8 switch or not (assume I do not need PoE). It is about S$158.

Ubiquiti US-8 UniFi Switch 8 Fully Managed Gigabit Switch - Local Online Register Distributor Warranty | https://s.lazada.sg/s.ZcnLJ

The unifi stuff is decent, but to manage it properly you need the controller whereas most other devices can be managed directly via cli or http. The unifi controller system works better if you have multiple devices, as you can manage them all centrally. To install the controller you either need a system on which to install it (a raspberry pi will do), or you can buy their dedicated cloud key device. I believe the UDM series also include a built in controller.

Here I have the unifi switch with poe, plus an access point (powered via poe) and a mini pc running linux which hosts the controller among other things, although using pfsense instead of the unifi firewall.
I also manage other environments, one has 2x access points but an HP switch provides poe, the other has 30+ access points but cisco switches providing poe.

If just using a single switch and not intending to use other unifi equipment I'd probably not bother, and go for a switch from another vendor.
 

xiaofan

...
If just using a single switch and not intending to use other unifi equipment i'd probably not bother, and go for a switch from another vendor.

Okay, thanks for the advice. I will probably go with Mikrotik then. Not decided yet on pure SwOS switches or those dual function ROS type.

Not so urgent though. I have just bought one TL-SG108E to play with pfSense first. I do not want to touch the TL-SG105E now that it helps on the pfSense experiments a lot by sorting out the SingTel TV box issue.
 

TanKianW

CSS610-8G-2S only supports SwOS.
"MikroTik Routers and Wireless - Products: CSS610-8G-2S+IN" https://mikrotik.com/product/css610_8g_2s_in

If I do not need 10G network as of now and only require 1Gbps, do you think an ROS capable router is better?

HEX, HEX S, hAP ac2 and hAP ac3 are all within my budget (even though I have no interest in the wireless function of the two hAP routers).

Check out MikroTik hAP ac³ for $159.00. Get it on Shopee now! https://shopee.sg/product/325818988/4670937922?smtt=0.190081821-1614739434.9

But for my purpose, hAP ac3 seems to be no better than hAP ac2.

Kind of surprised they shipped with SwOS only. Coz both my Mikrotik switches (even the CRS305) shipped with ROS.

I will think SwOS should meet your needs. Whether you need 10G or not, at least it is future proof.

If you want to have fun (homelab) with ROS at the same time, then HEX series makes sense.

Decision is up to you. :D
 

TanKianW

Still going through the internet, most of the info of using pfsense and managed switches are using the Ubiquiti managed switches as the examples.

So I am not so sure if I should go to the US-8 switch or not (assume I do not need PoE). It is about S$158.

Ubiquiti US-8 UniFi Switch 8 Fully Managed Gigabit Switch - Local Online Register Distributor Warranty | https://s.lazada.sg/s.ZcnLJ

To be fair, Ubiquiti makes good switches too. I owned a few of their Edge switches.

Can also consider.
 

Mach3.2

Great Supremacy Member
Joined
Apr 8, 2011
Messages
72,406
Reaction score
2,466
To be fair, Ubiquiti makes good switches too. I owned a few of their Edge switches.

Can also consider.
Feature wise I find it a bit lackluster, but generally it works well for a basic environment.

The problem only comes when you try to experiment with more advanced features. You would quickly realise the switch doesn't really provide you some granular options that exist on enterprise hardware. The inability to configure passive LACP comes to mind. I hit this road block when I was trying to load balance my ESXi host, since the standard vSwitch doesn't support active LACP.

As with other ubiquiti products, it's just some small quirks here and there, and those really add up if you like to experiment around.
 

xiaofan

Check out ntopng which is included in the package too. :D

Thanks. This is indeed interesting.

Actually Lawrence Systems has an old 2016 Youtube video too on ntopng under pfsense.

The more recent 2018 video talks about pftop, packet capture and ntopng.
 

xiaofan

Feature wise I find it a bit lackluster, but generally it works well for a basic environment.

The problem only comes when you try to experiment with more advanced features. You would quickly realise the switch doesn't really provide you some granular options that exist on enterprise hardware. The inability to configure passive LACP comes to mind. I hit this road block when I was trying to load balance my ESXi host, since the standard vSwitch doesn't support active LACP.

As with other ubiquiti products, it's just some small quirks here and there, and those really add up if you like to experiment around.

Interesting to know that. Unifi AP and Switches seem to be highly recommended by Lawrence of the Lawrence Systems YouTube channel. He does not care much about routers from Ubiquiti though.

Haha, so you are the more advanced users. I am just a beginner who just starts to look beyond the typical consumer grade Linksys, TP-Link and Asus stuff.

To me my Asus RT-AX82U seems to be pretty good for my simple use cases with the help of Pi-hole. Still to look deeper inside, I can ssh into the Asus box and explore what is inside but I can not do much to change the behaviors. Installing Merlin and Entware may enable me to do more things but the CPU is still a limiting factor.

With pfSense it seems to be pretty good and opens up much more for me to explore. I am not into the prosumer or enterprise AP though, since the existing routers like Asus RT-AX82U AX5400 and Huawei AX3 Pro AX3000 are good enough as an AP. Even the free SingTel Mesh Router AC1900 is a decent AP to use with pfSense as well since it is just plug and play (automatically runs in AP mode if connected to other router).
 

TanKianW

First 10 days with pfSense: pretty positive experiences in general.

SingTel Fibre Internet: no problem

SingTel TV box support: not successful yet but not a problem.

SingTel 6rd IPv6: no problem

pfBlockerNG: so far so good even with the basic setup

DNS server: DNS over TLS, no problem with both IPv4 and IPv6

Web GUI: nice and intuitive

Nice features: pftop, iperf3

Next things to learn:
1) more VLAN and firewall stuff
2) wireguard VPN server
3) packet capture
4) play with the traffic shaper since the ZTE ONT is not good for bufferbloat
5) SSH into the box and look at the configuration files as well (note: I am pretty comfortable with command line and I have used FreeBSD before).

Wah, steady leh. :D

"comfortable with command line" means getting old liao!:D
 

xiaofan

Wah, steady leh. :D

"comfortable with command line" means getting old liao!:D

Haha, indeed.

I use Linux since 2005 with Ubuntu 5.04. Then I started to use macOS since 2011 but I ran Linux and BSD VMs inside my Mac Mini 2011. I use my Mac Mini M1 now and not so much on Linux or Windows. For me the two most used applications are actually Chrome and Terminal.
 

bert64

Haha, indeed.

I use Linux since 2005 with Ubuntu 5.04. Then I started to use macOS since 2011 but I ran Linux and BSD VMs inside my Mac Mini 2011. I use my Mac Mini M1 now and not so much on Linux or Windows. For me the two most used applications are actually Chrome and Terminal.

Often the CLI is the quickest and easiest way to do things. Often there is also a graphical way which is more convoluted or more limited.

Even Microsoft, who for years pushed the "gui for everything" are now moving increasingly to powershell for their server products.
 