Starting pfsense for New Users

Elijahonli

High Supremacy Member
Thanks @TanKianW and the rest of the bros for the guidance on the components and settings.

Got my custom pfsense router up and running :D



Intel(R) Core(TM) i5-4570 CPU @ 3.20GHz
16GB RAM
400W Flex-ATX 80Plus Gold PSU
120GB SSD
Intel Gigabit ET Quad Port Server Adapter (E1G44ET) NIC
 

TanKianW

Supremacy Member
*Choosing a Motherboard that supports IPMI for pfSense
Some asked about the reasons why I prefer a server motherboard with IPMI when building an enterprise-class firewall like pfSense. The reason is simple. For example, if due to some screw-up you lose access to the webconfig, or when you want to access your pfSense boot console (to restore a previous stable config), in "normal circumstances" you would have to connect a keyboard and monitor directly to the firewall appliance. With IPMI you can do all that remotely from another PC. Older motherboards' IPMI requires Java, while the newer ones come with HTML5 support.

Wendell from Level1Techs (previously Tek Syndicate) explains the use of IPMI and why it is so useful and convenient.



What the IPMI management interface looks like: direct access to the motherboard BIOS from IPMI. Take note that for the older Java-based IPMI, you will need to use the Firefox browser with JRE 7u80 (Chrome will not work).


*Check on your boot mirror setup under Diagnostics -> GEOM Mirrors
The main advantage of a mirrored boot drive is that when one drive fails, you can still retrieve all your firewall settings and keep it running until you replace the failed drive.

TanKianW

Supremacy Member
*(For Advanced pfSense Users ONLY) Hardware Tuning and Troubleshooting

For those who are building their own pfSense appliance (rack or desktop) using OTS DIY hardware, you might sometimes run into quirky performance issues which require system tuning and troubleshooting, especially due to some hardware features that are not supported in the first place and require "disabling". In contrast, hardware tuning could also help to optimise your overall pfSense appliance performance (e.g. HAProxy, memory allocation, MBUF, etc.).

Warning: I would advise backing up your pfSense before trying out any of these settings, just in case there is any screw-up. I also advise that such tuning is more suited for advanced pfSense users (who know what they are doing) or those who might be feeling adventurous and want to gain a deeper understanding of the firewall appliance. You should also possess some basic foundation in Linux/Unix commands to make sure that you don't screw this up.

Feel free to read up here for more information and some of the NIC specific issues:
https://docs.netgate.com/pfsense/en/latest/hardware/tune.html

Adding System Tunables under System -> Advanced:


Check/verify using the "sysctl -a" command under Diagnostics -> Command Prompt



Access the shell through the boot menu:

Java_Guru

Senior Member
I'm looking for a 1U case that allows my ports to face the front. This is so I can access all the ports easily and swap with my switch. Anyone seen one that can do this?
 

TanKianW

Supremacy Member

You can check out the offerings from Supermicro. It may come with a premium though. Can check out Taobao or Amazon.

You can also find some OEM rack chassis suppliers on Taobao or AliExpress.

*For those interested in a front-facing 1U chassis and with sufficient budget, I would recommend a chassis from Supermicro:
https://www.supermicro.com/en/products/chassis/1u/505/sc505-203B

Techinn: https://www.techinn.com/en/super-micro-cse-505-203b-1u-barebone-server/138166455/p
 

TanKianW

Supremacy Member
*A Good Watch: A Simple Explanation on SD-WAN
Once in a while I receive queries on SD-WAN. I think Tom (from Lawrence Systems) gives a simple and clear explanation of the often "over-marketed" SD-WAN function. Take note that if the SD-WAN service/data centres go down, you might still be on your own, even though they usually provide sufficient redundancy (but hey, in the IT line, you should be prepared for everything to fail). You don't simply get SD-WAN by grabbing/setting up a router/firewall; it requires services to "orchestrate" it.

 

TanKianW

Supremacy Member
*Trouble-shoot: For pfSense Users Experiencing High Memory Usage when using ZFS
Some users who selected/chose "ZFS" as the file format during the initial pfSense installation could be experiencing high memory usage (close to 70%-90%). This might be due to your ZFS installation "memory caching" more than you expected. For concerned users, I will provide some "system tunables" to solve this using the boot menu interface, which requires a reboot.

You can access the pfSense boot menu by connecting directly to your appliance or through an IPMI interface:

Typical pfSense Boot menu:


Step by Step:

Step 1: Select 8 to enter the Shell.

Step 2: Access the boot folder. Type:

cd /boot

Step 3: Open the boot loader config file to edit it. Type:

ee loader.conf

Step 4: Append the following parameter to specify the max ARC size. Type:

vfs.zfs.arc_max="2048M"

Step 5: Press Esc and choose a) to SAVE.

Step 6: Exit the Shell and select 5 to reboot.

TAKE NOTE: To verify that the boot parameter has been appended, log into your pfSense webGUI, go to Diagnostics -> Command Prompt, type sysctl -a and click Execute. You should see that the value under "vfs.zfs.arc_max" has been changed.
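A small helper for the verification step above (it also covers the "sysctl -a" check from the hardware tuning post earlier in the thread). This is an added example, not code from the forum post or from pfSense: it assumes a FreeBSD-style /boot/loader.conf and sysctl output, and falls back to constructed sample data when it is not run on the appliance.

```python
"""Check that the ZFS ARC cap in /boot/loader.conf matches the running kernel."""
import re
import subprocess
from pathlib import Path

# loader.conf accepts K/M/G/T suffixes; if a key appears twice, the last
# assignment wins, which matters when you "append" a line that already exists.
_SUFFIX = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3, "T": 1024 ** 4}
_LINE_RE = re.compile(r'^\s*([A-Za-z0-9_.]+)\s*=\s*"?([^"#]*?)"?\s*(#.*)?$')


def to_bytes(size: str) -> int:
    """'2048M' -> 2147483648; a bare number is already bytes."""
    m = re.fullmatch(r"(\d+)([KMGTkmgt]?)", size.strip())
    if not m:
        raise ValueError(f"unparseable size: {size!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2).upper()]


def loader_value(text: str, key: str):
    """Effective value of `key` in loader.conf text (last occurrence wins)."""
    value = None
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m and m.group(1) == key:
            value = m.group(2).strip()
    return value


def sysctl_value(output: str, key: str):
    """Pull one value out of `sysctl -a` style output ('vfs.zfs.arc_max: 123')."""
    for line in output.splitlines():
        name, sep, val = line.partition(":")
        if sep and name.strip() == key:
            return val.strip()
    return None


def arc_max_matches(loader_text: str, sysctl_output: str) -> bool:
    """True when the configured cap equals what the kernel reports (post-reboot)."""
    wanted = loader_value(loader_text, "vfs.zfs.arc_max")
    live = sysctl_value(sysctl_output, "vfs.zfs.arc_max")
    if wanted is None or live is None or not live.isdigit():
        return False
    return to_bytes(wanted) == int(live)


# Constructed sample data standing in for the real files on an appliance.
SAMPLE_LOADER_CONF = '''autoboot_delay="3"
vfs.zfs.arc_max="1024M"   # stale entry, overridden by the appended line below
vfs.zfs.arc_max="2048M"
'''
SAMPLE_SYSCTL_BEFORE_REBOOT = "vfs.zfs.arc_max: 0\n"          # 0 = ZFS default, no cap
SAMPLE_SYSCTL_AFTER_REBOOT = "vfs.zfs.arc_max: 2147483648\n"  # 2048M applied

if __name__ == "__main__":
    # On the appliance: read the real loader.conf and query sysctl; elsewhere
    # fall back to the constructed samples so the script still runs.
    try:
        conf = Path("/boot/loader.conf").read_text()
        out = subprocess.run(["sysctl", "vfs.zfs.arc_max"],
                             capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        conf, out = SAMPLE_LOADER_CONF, SAMPLE_SYSCTL_AFTER_REBOOT
    print("vfs.zfs.arc_max applied:", arc_max_matches(conf, out))
```

A value of 0 from sysctl before the reboot is expected: the loader tunable only takes effect once the box has been restarted.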
 

TanKianW

Supremacy Member
*Availability of the Netgate SG6100 and initial review
For those who are willing to pay the local carrier to import the appliance, the SG6100 is a good start for those with a homelab or prosumers wanting to upgrade their router/firewall. I will say that if you are familiar with pfSense, this is definitely more powerful than most consumer/prosumer routers out there, including the UDM/Pro/USG, if you are still unsure. This unit comes with 2x SFP+ 10G, is capable of routing at 10G for multiple streams, and can do load balancing & failover for multiple WANs.




For jump ship personnel:



*WAN Load Balancing (2x 1G fibre) on pfSense:

TanKianW

Supremacy Member
Those who are using pfBlockerNG, I have a question:

1) Are we able to schedule the rules to be off for a certain device? e.g. Monday - Friday 10am-7pm?



I don't use that. But I think you meant "time based rules".

Read: https://docs.netgate.com/pfsense/en/latest/firewall/time-based-rules.html

You can find the video tutorial on scheduling of firewall rules on the first page of this thread. It should not be a problem since any rules created from pfBlockerNG can be found under the "floating" rules section. There is a setting under "schedule" where you can make changes and set routine schedules.

Trans-Am

Supremacy Member

Thanks, will read up on it.


 

TanKianW

Supremacy Member
*Update on Post #7

*Setting up Telegram Notification on pfSense*
Some pfSense users asked me: instead of using email notification, what could be another good way for the pfSense appliance to send you notifications or alerts? Well, you could use pfSense to send you alerts through Telegram notifications too. The setup is pretty straightforward, so you just need to follow the step-by-step guide below:

Step 1:
Install the Telegram client on a computer, mobile (Android or iOS) or even use the web app through your browser. You will need to register a Telegram account. Do create a username for your Telegram account.

Step 2:
Create API keys using the bot created with the help of the Telegram BotFather. (Yes, there is a bot to create a bot!)
  • Under the search, search for "BotFather". Send a message to BotFather and type "/start", followed by "/newbot".
  • Create a name for your bot followed by creating a username for your bot (the username ends with Bot or _bot).
  • You will see a reply like below. Copy the API keys (yellow box) and save them somewhere. It will look like: 1234567890:AETEGcnsf8735hhwhdfo2rhj9SFkjdnWDfg489604


Step 3:
Start your bot by sending a message to the name of your bot. Take note that this is not your bot username. Send a message "/start" to start your bot.


Step 4:
  • Next we will need to get your Chat ID to input into the pfSense configuration. Go to your browser and, in the URL bar, type: https://api.telegram.org/bot<<INPUTYOUR-API-KEYS-HERE>>/getUpdates
  • You will see your Chat ID below in the yellow box:


Step 5:
Navigate to the pfSense setting System -> Advanced -> Notification. Check Enable, cut & paste the API keys and your Chat ID accordingly, then test the notification before saving. You will see the reply from your "pfSense.localdomain" as shown in Step 3 above.
 
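Step 4 above has you read the Chat ID out of the getUpdates JSON by eye. The script below does that parsing in code and handles the two cases people usually trip over (an empty result because nobody has sent the bot "/start" yet, and an error response). It is an added example, not from the post or from pfSense; the token value is a placeholder and the sample response is constructed.

```python
"""Extract the Telegram chat ID(s) that pfSense notifications should go to."""
import json
import re
from urllib.request import urlopen

# Shape of a BotFather API key: numeric bot id, colon, long opaque secret.
TOKEN_RE = re.compile(r"^\d+:[A-Za-z0-9_-]{30,}$")


def getupdates_url(token: str) -> str:
    """Build the getUpdates URL; refuses an obviously malformed token."""
    if not TOKEN_RE.match(token):
        raise ValueError("token does not look like a BotFather API key")
    return f"https://api.telegram.org/bot{token}/getUpdates"


def chat_ids(updates: dict) -> list:
    """Return (chat_id, chat_type, name) for every chat that has messaged the bot.

    An empty list means nobody has sent the bot "/start" yet (Step 3 above).
    Group chats come back with negative IDs; pfSense accepts those as-is.
    """
    if not updates.get("ok"):
        raise RuntimeError(f"Telegram error: {updates.get('description')}")
    seen = {}
    for upd in updates.get("result", []):
        msg = upd.get("message") or upd.get("edited_message")
        if not msg:
            continue  # other update kinds (callbacks etc.) carry no chat we want
        chat = msg["chat"]
        seen[chat["id"]] = (chat["id"], chat["type"],
                            chat.get("username") or chat.get("title"))
    return list(seen.values())


def fetch_chat_ids(token: str) -> list:
    """Live version: query the API and parse the JSON (needs network access)."""
    with urlopen(getupdates_url(token), timeout=10) as resp:
        return chat_ids(json.load(resp))


# Constructed sample of what getUpdates returns after one "/start" message.
SAMPLE_UPDATES = {
    "ok": True,
    "result": [{
        "update_id": 100000001,
        "message": {
            "message_id": 1,
            "from": {"id": 123456789, "is_bot": False, "username": "homelab_user"},
            "chat": {"id": 123456789, "type": "private", "username": "homelab_user"},
            "date": 1700000000,
            "text": "/start",
        },
    }],
}
SAMPLE_EMPTY = {"ok": True, "result": []}          # bot not started yet
PLACEHOLDER_TOKEN = "1234567890:PLACEHOLDER_TOKEN_FROM_BOTFATHER_000"  # not a real key

if __name__ == "__main__":
    print(getupdates_url(PLACEHOLDER_TOKEN))
    print(chat_ids(SAMPLE_UPDATES))   # [(123456789, 'private', 'homelab_user')]
    print(chat_ids(SAMPLE_EMPTY))     # [] -> send /start to the bot, then retry
```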

Eraserpencil

Suspended
Hey! I need help planning out my network, not sure if what I have in mind makes sense.

I have an ONT with a Singtel 1Gbps plan, upgrading to Singtel 2Gbps with a pair of Singtel Mesh Extender AC2600. That upgrade will (I THINK) change the ONT to an ONR. Currently I intend to have an OPNsense box from the ONT/ONR to 2 different routers. The idea is to have 2 different networks in the house. 1 should be untouched for other household members to use. The other is for me to start playing around with OPNsense and learn about networking. Because my room is the furthest from the router, the second network will be through the 2 mesh extenders (via wireless backhaul). The first network will just be via a generic router like an ASUS RT-AX86U.

I have a few questions, if you could shed some light.
1) Is there a difference between an ONT/ONR? Should I want one over the other?
2) Can I set up VLANs based on what I said on the OPNSense box?
3) Any gotchas I should look out for when using Singtel Mesh Extender AC2600?
 

firesong

Supremacy Member
Deluxe Member
1. Don't change to the ONR. Getting permission for bridging is hit-and-miss, but it's also the exception rather than the norm. If you have the ONT, fight to stick to the ONT. The 2Gbps plan generally does not benefit most people in terms of bandwidth - but perhaps you have 20 or more people staying at home with you and all using the bandwidth at the same time. If it's the normal 5 or fewer pax household, a 500Mbps/1Gbps plan is more than sufficient imo. ;) (Just fwiw, Netflix streaming at 4K only requires 25Mbps). In any case, with the 2Gbps plan, it's split into 1+1: 1 Gbps bridged, and the other you're forced to have unbridged. It's "combined" by Singtel's proprietary router, so effectively you either remove your OPNsense box from the network, or you run it at 1Gbps anyway.

2. VLANs are the way to go, so you will only need one set of infrastructure and VLAN tag appropriately. You don't need separate wireless equipment for that - just configure tags and switch as needed.
 

UnusedCalculator

Junior Member
Hey, Eraserpencil here. Had the mods deactivate that in favor of this.

I just realised the Singtel devices for the 2Gbps and the 1Gbps plans support up to Wi-Fi 5. I would probably get a 1Gbps plan then and use the free router as the common one for the house. Would you suggest getting a pair of XT8s or 2 stand-alone APs (like an RT-AX86U) to do the wireless-backhauled mesh network for me to test out OPNsense?

Not really sure what the concern about bridging is...
 

TanKianW

Supremacy Member
Replying to Eraserpencil's questions above:

1) You should stick to an ONT if possible. But if yours is replaced with an ONR (for 2G plans), you need Singtel to bridge it for you.

2) Yes, you can create VLANs on your OPNSense.

3) Not a Singtel Mesh user, some forumers here should be able to give you some advice.

My views on your setup: If you connect the ONT/ONR to the OPNsense box, then to routers, you are creating Double NAT. If you want to play around with the OPNsense firewall, you could connect it to the ONR port with a public IP address (which requires you to bridge the ONR), with another ONR port connecting to your mesh in AP mode.
 

xiaofan

High Supremacy Member
Replying to Eraserpencil's questions above:

Just wondering if you can talk to Singtel and not upgrade to the 2Gbps plan; that is the worst plan for you to play with pfSense/OPNsense/etc. I can even say it is the worst plan from Singtel. You simply cannot bridge the ONR for the 2Gbps plan. (BTW, it is the same for the Viewquest 2Gbps plan.) And the free mesh that comes with it is not good.

You should stick to the original 1Gbps plan with the ONT if you want to play with two networks. You just need to buy a VLAN-capable switch to create two separate networks. I am doing that myself with the cheap TP-Link TL-SG105E. You can actually create three separate networks but usually you do not need it. I use one network with the RT-AX82U for family use and Singtel TV, then I use the other network to play with pfSense/OpenWRT/etc.

Ref: https://forums.hardwarezone.com.sg/...an-settings-with-tplink-sg108e.5746952/page-3

If you have already signed up for Singtel 2Gbps, try to negotiate with Singtel to change to the 1+1 Gbps plan where you do get two separate networks, one port bridged (you can play with OPNsense or pfSense here, no VLAN required) and the other three ports unbridged (you can use the RT-AX86U which comes free with the 1+1 plan). In this case, you do not need to set up VLANs.
 

firesong

Supremacy Member
Deluxe Member
Replying to UnusedCalculator's question about bridging above:
A router behind a router causes Double-NAT. The ONR does routing, whereas the ONT does not. Double-NAT is all bad, primarily because it breaks point-to-point applications of the Internet. It may not be obvious sometimes, but these are the compromises made because of the explosion of devices that require internet access.
https://kb.netgear.com/30186/What-is-Double-NAT
Simply, your router doing Network Address Translation (NAT) is a "telephone switchboard operator" that passes messages back and forth between the devices behind it (at home) and the Internet. Your ISP only gives you one IP address due to the scarcity of IP addresses, and that goes to your router/gateway. This single device will handle translation and wrap packets accordingly to be sent to the respective device ("putting in a new envelope with the new internal address"). Having another NAT layer will break this because of various technical reasons that we won't explore here.

In order to avoid Double-NAT and to be able to use your own router, you either stick to the ONT (which will guarantee that you have removed one router from the network), or you ask for a bridge ("bypass NAT"). As mentioned, bridging is not Singtel's default, so it is possible for them to a) reject, or b) revert. Both are bad. A simple software update pushed out can reverse bridging, and you cannot control this - and probably won't know it until you discover something broken when it's too late.
 

UnusedCalculator

Junior Member
Replying to xiaofan's post above:
I have not signed the recontract yet. Gonna fight for the ONT.

If I understand correctly, I need 3 APs, 1 switch, 1 OPNsense box. Yea? ONT -> switch. 1 connection from the switch goes to 1 AP (let's say whatever Singtel gives for free) for general home use. Another connection goes to another, let's say an RT-AX82U, which will act as a wireless extender to another RT-AX82U, then my devices connect to that.

I just need to set up the VLANs on the switch, right?
 

xiaofan

High Supremacy Member

If you just recontract the 1Gbps, you can continue using the ONT. They may or may not give you a free SingTel Mesh Router (you need to check), which you need to self-collect. And there will be no visit by the SingTel technician and no change of the ONT.

In that case, you only need two extra things other than your OPNsense box:
1) a smart switch or managed switch with VLAN capability. The cheapest is probably the TP-Link TL-SG105E. You only need to set up VLANs here.

2) another router for your general home use. That one can be your existing router or the SingTel Mesh Router if they give it to you for free. If you want to use mesh then it is up to you. Do not get the mesh solution from SingTel. You can buy whatever you like, say Asus AiMesh (e.g. RT-AX82U x2 is okay based on what you wrote), Asus ZenWiFi or Netgear Orbi.

New users will get an ONR. Existing users can continue using the ONT. But if you move to a different place then they will consider you as a new signup. In that case you have to sign up with the 1+1 Gbps plan to have two separate networks (with two public IPv4 addresses as well).
 