Starting pfsense for New Users

[bert64]

how to configure the physical interface on pfsense to send untagged traffic ?

Oh you misunderstand..

The physical interface is ALWAYS untagged, but it won't actually send any traffic unless you configure addressing on the interface.

IE: leave the physical interface without any IPs assigned. Only configure and use the vlan interfaces.

 

[Elijahonli]

Oh you misunderstand..

The physical interface is ALWAYS untagged, but it won't actually send any traffic unless you configure addressing on the interface.

IE: leave the physical interface without any IPs assigned. Only configure and use the vlan interfaces.

oh I think i had configured my physical interface with an address

LAN 1 -> Static IP 10.xx.0.1 (with DHCP server turned on)
VLAN 10 on LAN 1 -> static IP 10.xx.10.1 (with DHCP server turned on)

devices on my switch that are on ports untagged with VLAN1 should be able to receive a 10.xx.0.x IP address?

 

[bert64]

oh I think i had configured my physical interface with an address

LAN 1 -> Static IP 10.xx.0.1 (with DHCP server turned on)
VLAN 10 on LAN 1 -> static IP 10.xx.10.1 (with DHCP server turned on)

devices on my switch that are on ports untagged with VLAN1 should be able to receive a 10.xx.0.x IP address?

Ports will have a default vlan for untagged traffic, its usually 1 but on most switches you can change it.

Each port can be configured for one untagged vlan, and any number of tagged vlans. Most switches will have every port set to vlan 1 untagged and no tagged vlans by default, which is why you get the behaviour you describe.

You should either have untagged ports (set to a single specific vlan) or tagged ports (all traffic tagged). You shouldn't mix things by sending untagged and tagged traffic on the same port.

 

[TanKianW]

Updated on Post #2

For those who want to configure ping and gateway monitoring/logging on pfsense. Especially when you want to track if your ISP (or which ISP) was down in order to trigger a WAN failover. Or even to lodge a complaint/case to your ISP about high packet loss or high latency during a certain period of time.

 

[TanKianW]

*VLAN Set-up for Different SSIDs from AP
pfsense users that are interested to set up VLANs for different wireless SSID (Eg. Segregate Mobile and IOTs VLANs into different SSIDs), do check if your AP, wireless router support this function. It should look something like this (Eg. on Ruckus Unleashed):

VLAN set up on pfsense:

Do check to ensure that the VLAN traffic is passed down from your main switch to your APs (Eg. on SwOS):

 

[TanKianW]

Netgate SG6100

Source from: https://www.servethehome.com/netgate-6100-firewall-appliance-launched-for-pfsense-plus/

 

[TanKianW]

Bridging Mikrotik HEX-S Router as a Managed Switch + Passive POE
Home users who only has a single RJ45 patch panel (HDB BTO) in every room and hope to connect to a managed switch (for LAN connection) and an AP (passive POE up to 57V). Can check out the Mikrotik HEX-S router. You can easily bridge (RouterOS) to a managed switch with VLANs, with the passive POE out to power an AP in your furthest bedroom (MBR).

Mikrotik HEX-S (Bought it at $90): https://mikrotik.com/product/hex_s

Bridging RouterOS to become a managed switch

Powering the AP (Ruckus R500) and the HEX-S from POE at my main switch side. No extra power cord required!

*NOTE: Do check the power requirements of your AP to ensure that it could be powered by the passive POE.

Check out here if you interested to set up VLANs and bridging on RouterOS:

 

[TanKianW]

*pfSense CE 2.5.2 Release Now Available
Just updated my test lab systems (on both VM & bare-metal) today. Will be testing it out and running it for a couple of days to see if there is any major bugs. Will also test out the experimental add-on WireGuard VPN that returned as a package.

Official News Release:
https://www.netgate.com/blog/pfsense-ce-2.5.2-release-now-available

Release Notes here:
https://docs.netgate.com/pfsense/en/latest/releases/2-5-2.html

Initial testing from servethehome:
https://www.servethehome.com/pfsense-ce-2-5-2-released-with-updates/


NOTE:

• Do back up the older image/system before the update
• Do remove any previous setting of Wireguard VPN before the update
• Do not update the packages before the system update, it may break the plugins
• The WireGuard VPN returned as an experimental add-on

 

[xiaofan]

Just updated and it seems to have no issue for me. But I am only using a few features only (mainly pfBlockerNG, Singtel 6rd IPv6 and a few simple firewall rules, iperf3, etc).

 

[TanKianW]

Just updated and it seems to have no issue for me. But I am only using a few features only (mainly pfBlockerNG, Singtel 6rd IPv6 and a few simple firewall rules, iperf3, etc).

One of the major fixes is on Multi-WAN issue. Those deploying multi-WAN should go for this update. At the moment, seem stable on my homelab system.

For those who want to test out the Wireguard VPN package can update to this latest version too.

 

[TanKianW]

*For Testing ONLY: WireGuard VPN Package on pfSense CE 2.5.2 (On Win10 and iOS clients)

pfSense Tunnel Set-up (Copy the public key here and paste on the "peer" public key on your client)

pfSense Peer set-up (Copy the public key from your client to the peer setting here)

Win10 client set-up (Key in the setting using the format below. Copy the public key from pfsense tunnel setting to client [Peer] here. End point either key in your DDNS or your static IPs) Do uncheck “block untunneled traffic”. The Public key shown in the row below the “Name” will be the one you copy and paste on the “Peer” on pfsense. The private keys are self generated, do not alter!

Peer Settings on iOS:
When set to cellular for connection "On demand", you will automatically connect to your WireGuard VPN when you leave your home network. Set up is quite similar with using the WireGuard application on Win10. I experienced some crashes on iOS client app. You may need to disable the “on demand” setting and manually activate/deactivate it. Allowed IPs can just put 0.0.0.0/0.

NOTE:

• You do need to assign the WireGuard interface and set up the firewall rules like what you normally do when setting up a new interface
• You can set the WireGuard interface to assign IPs to the connections coming in (or assign IPs at client side) with/without the DHCP server running.
• Do ensure your assigned IPs for WireGuard do not clash with your other internal (VLAN) IPs. In my case, I assign the 192.168.40.XX and 192.168.80.XX for two separate tunnels.

SPEEDTEST: Close to Line Speed VPN
WireGuard OFF:

WireGuard ON:

 

[adderrs]

*For Testing ONLY: WireGuard VPN Package on pfSense CE 2.5.2 (On Win10 and iOS clients)

pfSense Tunnel Set-up (Copy the public key here and paste on the "peer" public key on your client)

pfSense Peer set-up (Copy the public key from your client to the peer setting here)

Win10 client set-up (Key in the setting using the format below. Copy the public key from pfsense tunnel setting to client [Peer] here. End point either key in your DDNS or your static IPs) Do uncheck “block untunneled traffic”. The Public key shown in the row below the “Name” will be the one you copy and paste on the “Peer” on pfsense. The private keys are self generated, do not alter!

Peer Settings on iOS:
When set to cellular for connection "On demand", you will automatically connect to your WireGuard VPN when you leave your home network. Set up is quite similar with using the WireGuard application on Win10. I experienced some crashes on iOS client app. You may need to disable the “on demand” setting and manually activate/deactivate it. Allowed IPs can just put 0.0.0.0/0.

NOTE:

• You do need to assign the WireGuard interface and set up the firewall rules like what you normally do when setting up a new interface
• You can set the WireGuard interface to assign IPs to the connections coming in (or assign IPs at client side) with/without the DHCP server running.
• Do ensure your assigned IPs for WireGuard do not clash with your other internal (VLAN) IPs. In my case, I assign the 192.168.40.XX and 192.168.80.XX for two separate tunnels.

SPEEDTEST: Close to Line Speed VPN
WireGuard OFF:

WireGuard ON:

Superb wireguard speed. What is your hardware?

 

[TanKianW]

Superb wireguard speed. What is your hardware?

The pfSense hardware I am running in homelab:

• Asrock Rack E3C23DI m-itx board with 2x Intel NIC,
• Intel Xeon E3-1240Lv5 (tray) at 25W (4-cores, 8 threads)
• 2x 8GB Kingston unbuffered DDR4 ECC Memory
• OEM 500W Flex-ATX PSU (Platinum Rating)
• 2x 240GB Samsung 870EVO SSD in ZFS mirror
• Chelsio T520-LL-CR with 2x 10G SFP+ LAGG to main switch using DAC

Switches:

• Main Switch: Mikrotik CRS312
• Homelab Switch: Mikrotik CRS305

 

[TanKianW]

HI experts, im trying to setup pfblocker DNSBL, with 1 default list and 1 self added list. I reloaded the settings from the update tab but I am still able to ping the domain from the list ?

any assistance is greatly appreciated

There are 2 versions. One is pfblockerNG, another is pfblockerNG-devel.

You should use the later that has been actively developed. You will read about it on netgate forum.
https://forum.netgate.com/topic/156604/pfblockerng-vs-pfblockerng-devel

If you are using the correct version, try restarting "unbound" after update and reload your blocklist. Sometimes it will take a while to refresh the firewall table too.

If problem persist, reinstall the package.

 

[bujingai]

The pfSense hardware I am running in homelab:

• Asrock Rack E3C23DI m-itx board with 2x Intel NIC,
• Intel Xeon E3-1240Lv5 (tray) at 25W (4-cores, 8 threads)
• 2x 8GB Kingston unbuffered DDR4 ECC Memory
• OEM 500W Flex-ATX PSU (Platinum Rating)
• 2x 240GB Samsung 870EVO SSD in ZFS mirror
• Chelsio T520-LL-CR with 2x 10G SFP+ LAGG to main switch using DAC

Switches:

• Main Switch: Mikrotik CRS312
• Homelab Switch: Mikrotik CRS305

nice build

 

[Elijahonli]

https://forums.lawrencesystems.com/t/pfsense-bufferbloat-fix-log-spam/1478/2
anyone facing the same issue this the one posted in this link?

 

[Elijahonli]

There are 2 versions. One is pfblockerNG, another is pfblockerNG-devel.

You should use the later that has been actively developed. You will read about it on netgate forum.
https://forum.netgate.com/topic/156604/pfblockerng-vs-pfblockerng-devel

If you are using the correct version, try restarting "unbound" after update and reload your blocklist. Sometimes it will take a while to refresh the firewall table too.

If problem persist, reinstall the package.

Thanks I managed to get it working already. Actually i thought that i would be getting a block request from pfsense but it turns out it just resolve the blacklisted domain to the 172.x IP that I specified LOL.

Can i check should i be expecting to see at the reports section for DNSBL blockstats?
Im am looking at mine and it seems like it is not blocking much???

 

[TanKianW]

https://forums.lawrencesystems.com/t/pfsense-bufferbloat-fix-log-spam/1478/2
anyone facing the same issue this the one posted in this link?

You can read up the bufferbloat thread here in this forum:

https://forums.hardwarezone.com.sg/threads/fyi-a-bufferbloat-101.6427979/

 

[TanKianW]

Thanks I managed to get it working already. Actually i thought that i would be getting a block request from pfsense but it turns out it just resolve the blacklisted domain to the 172.x IP that I specified LOL.

Can i check should i be expecting to see at the reports section for DNSBL blockstats?
Im am looking at mine and it seems like it is not blocking much???

Maybe it means you are doing good?

Let it run a few days......you can go explore around less "decent" sites....if you know what I mean.

You can try adding more blocklist if you like. Just don't overdo it.

Maybe can play around with basic old school "SHIELD UP" after securing your network.
https://www.grc.com/x/ne.dll?bh0bkyd2

 

[TanKianW]

*SHARING* Recent Rack Setup for pfSense
Received some queries on 1U rack pfSense set up. Below showing a more "recent" system for a WFH financial project. For your reference:

Specs I have shared earlier here:
https://forums.hardwarezone.com.sg/...-for-new-users.6390714/page-19#post-135211019
*Take note that I am using a Supermicro 1U PCIEx8 riser card. The unit also comes with a dual mirrored (zfs) SSD boot drives.

How it looks like if you are considering to house it in a 1U chassis:
Rear I/Os and cooler height (just clear)

Top view:

Front view:

Single Stream Performance Test on the pfSense unit:

Multiple Streams Performance Test on the pfSense unit (Close to 10G routing):