Starting pfsense for New Users

TanKianW

Hi all, I decided to start a new thread to help forumers get a head start using the pfsense firewall.

Below are my reasons for doing so:
  1. As working from home becomes the default mode of working for many of us, securing your home network becomes a major task. In fact, if you have read the recent reports on the spike in network vulnerabilities, more home networks are being compromised during this WFH period. Therefore, by deploying a quality firewall, our home network becomes more secure and safe. Of course, having a firewall is only one piece of the puzzle in securing your home network.
  2. Provide an alternative to the more advanced Mikrotik and Ubiquiti routers. Actually, pfsense is a "step up" compared with these alternatives.
  3. Change the perception that pfsense is hard to configure and exclusively for advanced users.
  4. With our increasing demand for internet speed, IoTs and multiple home mobile devices, and as awareness of network security increases, OTS consumer products just lack the capability to protect our home network.
  5. OTS routers, or even some lower-end Mikrotik/Ubiquiti routers, are not really built for or capable of Dual-WAN. Therefore, as more people subscribe to 2x 1Gbps plans or plans from 2 ISPs, the demand for a multi-WAN capable router falls into place.
  6. An "always on" router: no need to power cycle, no need to reboot (except maybe for major updates). Enterprise-class routing solutions are suited for 24/7 operations. Compare this with any top-range consumer router, where after a long period of operation consumer routing solutions tend to "ghost" on the connection and behave extremely sluggishly in most cases.

What I will try to do is:
  • Provide some hardware recommendations for building your pfsense box
  • What could be my personal preferred pfsense setup. This could be subjective.
  • Provide good YouTube links for setting up your pfsense and some step-by-step configurations complementing the online resources (if any). Most of the time I will be quoting YouTube links from Tom of Lawrence Systems since his online tutorials are the most extensive and, in my opinion... honest and less BS.
  • This should not be a too complicated thread that touches on too many advanced settings which the majority of forumers here will not be using. It is to provide a head start for new users, but still requires new users to learn the interface and the basics of a firewall on their own to really understand the concepts of a firewall/router.

*Disclaimer: I am not in any position to market the pfsense appliance from Netgate.
*A little background of my experience with pfsense: I have been learning, using, contributing to and deploying pfsense over the past few years for several enterprise and home setup environments. I dare not say I am a professional since I still have a lot to learn and still make mistakes along the way. As Albert Einstein put it simply, "A person who never made a mistake never tried anything new."


**Hardware recommendations for pfsense (updated Jul 2021)**

*Option A: Building your own pfsense box
The most important parts to take note of when building your pfsense box: chassis, motherboard form factor, CPU and NIC.
  • CPU: Intel CPUs preferred, with support for AES-NI crypto. You can look for Intel CPU models that end with "U" or "T", which are low powered. If you are concerned about power usage, you can turn on pfsense's native support for EIST under System->Advanced->Misc->PowerD options
  • Chassis: I will go with a mini-box that houses a mini-ITX board, or a 1U low-depth chassis.
  • PSU: Flex-ATX power supplies usually allow for slimmer-profile chassis; SFX power supplies will need bigger ones. A good power supply with >250 watts and bronze certification or above will suffice.
  • Memory: I will go for non-ECC Kingston ValueRAM, at least 8GB
  • Storage: I will go with SSDs over magnetic disks. >128GB should suffice unless you enable heavy logging.
  • Motherboard: This is one of the most important components. I will go with server-class motherboards like Supermicro or Asrock Rack. Good to get a motherboard that comes with Intel NICs.
  • NICs: Due to the nature of driver compatibility on FreeBSD, Intel NICs are preferred over Marvell and Realtek. RJ45 or fiber through SFP/SFP+ are OK. Do get a NIC with good heatsinks since it might run pretty hot under load.

A few good NIC makers come to mind:
  • 10Gtek (uses reliable Intel NIC chips)
  • Chelsio (recommended for 10Gbps setups)
  • Mellanox (for >10Gbps setups)
  • *Other Intel OEMs (beware of counterfeits)
*You can check out the NICs recommended on the "Serve The Home" website/forum and the FreeBSD driver support for NICs: https://www.freebsd.org/releases/12.0R/hardware/

*Recommendation for 1U pfsense set-up (Enterprise use) - for reference only (updated on Jan 2022)
  • 1U custom casing with 4x Noctua 4cm PWM fans
  • Asrock Rack E3C23DI m-itx board with 2x Intel NIC
  • Intel Xeon E3-1240L v5 (tray) at 25W (4-cores, 8 threads)
  • Dynatron 1U T-06 CPU cooler
  • 2x 8GB Kingston unbuffered DDR4 ECC Memory
  • OEM 500W Flex-ATX PSU (Platinum Rating)
  • 2x 240GB Samsung EVO SSD in ZFS mirror
  • Chelsio T520 with 2x 10G SFP+ OR Quad port Intel 1G NIC
(photo of the 1U build)

1U rack pfsense deployment (photo)

pfSense and core switch (MikroTik CRS312) (photo)

Home office/lab (MikroTik CRS309 + CRS326) connecting to pfSense upstream (photo)


*Option B: Purchasing your Netgate firewall appliance
You will not be able to purchase a Netgate appliance directly from their website. But you can use a local carrier to deliver it to Singapore if you are really keen on getting the original appliance.
Pros: support for pfsense straight out of the box.
Cons: Expensive. Might have problems claiming warranty.
Check out: https://www.netgate.com/products/appliances/

(photo of a Netgate appliance)


*Option C: Purchasing a third-party all-in-one box with an embedded (low-powered) CPU and multiple NICs built in
Recommendation:
  • Chassis: Passively cooled with lots of fins
  • CPU: embedded Intel CPU with models ending with "U". For power users and VM users, I recommend a CPU that has at least 4 cores, 8 threads. Most will support AES-NI unless it is the earlier J19XX Atom series.
  • Memory: Recommend getting a box that does not come with memory. It can be purchased separately locally for warranty claims. Recommend 8GB.
  • Storage: Same as above. Prefer to purchase it locally for warranty claims.
  • NICs: It will usually come with Intel NICs. Look for one with at least 4 NICs so you can run dual-WAN and LACP LAGG to your switch. But performance will not be as good as dedicated higher-end NICs with bigger heatsinks.

*Recommendation of mini x86 boxes for Option C - for reference only (updated on 21 May 2021)
CPU (supports AES-NI): Intel Celeron Quad Core J4105, TDP 10W.
*UPDATED*: J4125 and J5005 are good buys too. Take note that the supported memory capacity is up to 8GB only (but 8GB is more than enough for pfsense). Recommend getting one with Intel NICs.

Comparison with J4105:
J4125 VS J4105
J4105 VS J5005

**Alternative solutions from "Protectli" if you are not confident in such PC boxes from China:
https://protectli.com/
*Advantages over mini-pc boxes from China can be found here:
https://forums.hardwarezone.com.sg/...-for-new-users.6390714/page-45#post-139621353

**Mini-pc Boxes from China (Taobao/Alibaba)
RAM: 8GB
Storage: 64GB or more
Chassis: passively cooled small chassis
NIC: at least 4 x Intel NIC i211
Price: Varies from $220-$240 (4GB-64S to 8GB-128S) including direct shipping
(photos of the box)

Typical Dashboard (screenshot)

TanKianW

**IMPORTANT (Please LEARN): Initial pfsense Installation**
Loading pfsense for the first time, initial setup of the interfaces (using a Ubiquiti switch), and setting up the firewall for the first time:


Singtel miotv on pfsense:

xiaofan's guide configures the pfsense VLANs to work with miotv. This should work.
Another way is to connect the miotv and digital phone line straight to the (bridged) Huawei ONR. I am using this method. It works too.
Take note that the guide is for Singtel ONT users. It is not applicable to SingTel ONR users.
Good point; for ONR users, you need to connect the SingTel TV box to the ONR. And to effectively use a pfsense router, the user needs to request SingTel to bridge the ONR.
pfsense router -- ONR bridged port
SingTel TV box (up to 3 boxes) -- ONR unbridged port


**Connecting to main switch using LACP LAGG**
Setting up LACP LAGG from the pfsense box to the switch (Ubiquiti):
*Recommend setting LAGG up during the initial stage when you have more than 2 LAN ports (e.g. 3 or 4).



*Some points to note: When LACP LAGGing 2 LAN ports, you will still only achieve the max speed of 1 LAN port. However, when there is more than 1 client requesting data and able to saturate 1 of the ports, LACP will automatically load balance and use the spare LAN port to transport the data for the other request. If any of the LAN ports fails, the spare or good LAN port will automatically take over and route the traffic, fulfilling the failover requirement.

Create LAGG (LACP) to your L2 switch (screenshots)



**Setting up OpenVPN Server on your pfsense**
It is pretty straightforward on pfsense. Just follow the wizard. The wizard will even create the certificate and the firewall rules. It is good if your CPU supports AES-NI crypto to speed up the encryption.



Some might need to set up DDNS (due to DHCP on the ISP side) to connect remotely using OpenVPN if you do not have a static IP. I recommend using the following:
1) DuckDNS (FOC)
2) Digital Ocean (Cloud subscription)
*There are quite a few options for you to choose from on pfsense. You can choose from the drop-down list.

*Setup for DDNS (for those without static IPs) (screenshot)


**Setting up pfSense OpenVPN using third party Privacy VPN**
Updated OpenVPN setup for the privacy junkies out there and those who plan to deploy multiple third-party privacy VPN services on pfSense. Tom from Lawrence Systems also uses this example to highlight the use of Aliases and Floating rules, which (I feel) most pfSense users, or even veterans, fail to use effectively. Worth a watch.
Link: https://forums.hardwarezone.com.sg/...-for-new-users.6390714/page-36#post-138840200


**UPDATED Video Tutorial: Setting up WireGuard VPN on pfSense**
Even though I shared a step-by-step pictorial guide earlier in this thread on setting up WireGuard VPN on pfSense, this is an updated video tutorial from Tom of Lawrence Systems. In my earlier guide, I did not include the NAT setup to allow users who want to route all their traffic (like me on mobile) through the WireGuard server hosted on pfSense. This video tutorial will touch on that. The settings are under Firewall -> NAT -> Outbound. Feel free to watch if you are still new to pfSense; it is a refresher for veteran users too.

Video Tutorial here:
https://forums.hardwarezone.com.sg/...-for-new-users.6390714/page-32#post-138343356


**UPDATED on 21 Jul 2022: Tailscale VPN Setup on pfSense (A solution to CGNAT)**
For those who have been keeping up with the Tailscale VPN setup on pfSense and the posts by @firesong, this is the add-on video tutorial from Tom of Lawrence Systems. He also took the time to explain some practical implementations of Tailscale VPN as a solution for home users with their network behind an ISP's "CGNAT".

Guides could be found here:
https://forums.hardwarezone.com.sg/...-for-new-users.6390714/page-69#post-142835191


**Using Custom DNS Over TLS (DoT/DoH) on pfSense**
Received some queries on the use of custom DNS on pfsense, so I decided to cover a little bit more on this: setting up custom DNS over TLS, which was well explained by Tom of Lawrence Systems some time back.



Setting up the custom DNS (you will need to specify DNS for the respective WANs for a multi-WAN setup) (screenshot)

Setup page for DNS over TLS on DNS Resolver (pfsense CE 2.5.1) (screenshot)


Points to note:

  • The main reason for using custom DNS over TLS is to increase privacy, so that the transport in between (which passes over port 53 in clear text) will not be "snooped" on by your ISP. This is not a foolproof method since the ISP can still see your IP address, but it prevents them from looking at the DNS queries.
  • As for some of the use cases, I shall not explain too much. But it will allow you to use your internet more "freely".

**IPv6 Configurations for the different ISPs in Singapore (Updated 30 Oct 2021):**
Check out the different configurations of IPv6 for the different ISPs in Singapore on pfSense.

Some Recommended Plugin Packages:
  1. OpenVPN client export
  2. Either Suricata or Snort by Cisco (requires registration)
  3. pfblockerNG (GeoIP blocking requires a [free] MaxMind registration account)
  4. ACME certificates (requires a registered Let's Encrypt account with email)
  5. iperf - for benchmarking
  6. Status Traffic Totals - for stats display
  7. HAproxy to enforce https for all servers
  8. apcupsd or nut plugins for connecting your pfsense to a UPS
  9. Service Watchdog for automatically restarting services when they are down
  10. WireGuard VPN
  11. Zabbix monitoring packages

TanKianW

**MORE ADVANCED SETTINGS**

**Using HAproxy, ACME plugins to host your own proxy server through pfsense**


**UPDATED TUTORIAL: How To Guide For HAProxy and Let's Encrypt on pfSense: Detailed Steps for Setting Up Reverse Proxy**
Troubleshooting HAproxy on pfsense has always been one of the most common queries I receive from both forumers and clients. This is the latest HAproxy + LE cert on pfsense tutorial by Tom of Lawrence Systems. The DNS service used here is Cloudflare, but any DNS provider will work (DuckDNS, Digital Ocean). HAproxy is an effective way of "https"-ing your internal servers/services which you want to access externally: it acts as a "reverse proxy" and at the same time a "load balancer" (e.g. multiple main and backup servers using the same DNS name for high availability). Knowing how to use it competently can save you lots of time setting up SSL certs for your servers/services, since HAproxy+LE on pfSense simply automates it. Tom also provides guidance on how to troubleshoot issues with DNS and wildcard certificates in the second video. Worth a watch even for veteran pfSense users.






#For those who could not follow Tom's instructions on setting up HAproxy, try out this link recommended by @firesong
PS: Tagging @TanKianW to suggest the alternative quick-n-dirty HAproxy setup instructions (video at link): https://forums.serverbuilds.net/t/guide-reverse-proxy-via-haproxy-acme-on-pfsense/3513

Some key points to note:
  • Pay attention to the "frontend" and "backend" when configuring HAproxy. Recommend configuring the backend first. Both have to match.
  • You can register your free Let's Encrypt certificates (production) through the pfsense GUI itself. Do take note that Let's Encrypt has a limit on issuing certificates per domain name; try not to exceed it.

A few practical uses of HAproxy through pfsense include:
  1. Easily enforce https for all your servers, locally and externally, through a single point, whether they are http or using self-signed certs. This could be for hosting your very own self-managed private cloud using Nextcloud (personally, I am hosting it in a jail on TrueNAS Core).
  2. Encrypted access to your NAS or any servers externally, if you are not using a VPN.
  3. Automatically renew your SSL/TLS certificates using the ACME plugin on pfsense. Set and forget, without worrying about expired certificates.

*For security reasons, you should not be exposing your server to external access unless there is really a need. Using a VPN is more secure. You really need to know what you are doing before exposing your server externally.

Using Let's Encrypt certs through ACME on pfsense (screenshots)

Running your pfsense as a proxy server (screenshot)

"https" your personal cloud server (screenshot)


Interested in setting up your IaaS cloud services on TrueNAS Core? Check out my thread here:
https://forums.hardwarezone.com.sg/threads/starting-truenas-core-for-new-users.6480129/

TanKianW

**SECURITY SECTION**

**Using pfsense's pfblockerNG plugin to run a Sinkhole, DNS & IP filter**

It is not necessary to run both Pi-hole and pfblockerNG at the same time. pfsense is the more convenient way of running a sinkhole and DNS/IP filter.

Setting up the latest pfblockerNG:



Setting up GeoIP through Maxmind:



Difference between pfblocker and Pi-Hole:



Dashboard showing pfblockerNG in action (screenshot)

GeoIP blocking using a registered MaxMind account (screenshot)

Default blacklist categories. Especially useful to parents who want to prevent kids from visiting restricted web content (screenshot)

DNS block lists and feeds (screenshots)

TanKianW

**Security Recommendations for home network setup using pfsense:**
  • Separate VLANs to segregate the network devices (e.g. IoTs, mobile devices, wired PCs, laptops, guests, etc). Your firewall rules should also prevent VLANs from communicating with each other.
  • Remote access to your home network using VPN protocols such as OpenVPN or WireGuard (install the packages on pfsense).
  • Refrain from using the default ports (e.g. avoid default ports 80 & 443) to access your firewall GUI, and restrict which VLANs can access your firewall. You should not expose your firewall to be accessed externally!

**IMPORTANT (Please LEARN): Understanding the firewall setup on pfsense and best practices**
Tom from Lawrence Systems clearly explains the concept of a firewall using pfsense and the good practices to look out for.



**IMPORTANT (Please LEARN): Setting up VLANs using pfsense**
Do plan and map the whole network before starting to set up your VLANs. Your firewall rules should also prevent VLANs from communicating with each other, just in case one of the VLANs is compromised.


Example of VLAN firewall rules (preventing the IoT VLAN from accessing the firewall GUI and other LAN networks) (screenshot)


Since you're on firewall rules, I'd like to add that floating rules have precedence over the individual interface rules; then, under the interface tabs, the rules are processed from top to bottom.

That is to say, if you have a rule permitting access to everywhere all the way at the top of the list, and a rule blocking access to another subnet at the bottom of the list, your blocking rule won't work.

Remember to check the order of your rules, and of course test them out to ensure they work as intended.

If you are using the pfblockerNG plugin, you will notice that floating rules are automatically created from the filter lists. Do not edit them; you may screw them up unless you really know what you are doing.

The best way to test if the firewall rules work is to ping/test them. Sometimes, right after making changes to the firewall rules, it may take some time for the firewall table to flush out the old rules, even though most of the time it will be pretty fast.

The use of "invert match" in the firewall rules is also extremely useful. For e.g., if you select an IP to block but check "invert match", it means the opposite: all other IPs will be blocked except the IP selected.

Firewall rules can be configured very differently and yet serve the same purpose. There is no one-rule-fits-all solution. This really proves the flexibility of firewall configuration on pfsense.

**Set Schedules for Specific Firewall Rules**:
You can try creating schedules under Firewall -> Schedules (screenshot).

Then choose the created schedule for that particular firewall rule under Firewall -> Rules -> Extra Options -> under Advanced Options click the Display Advanced gear icon to expand -> Schedule (screenshot).

You can also set pfsense to block a specific device on a specific schedule. You can block the common internet ports to prevent access to the internet or gaming servers. Watch this:



**Setting up and configuring IDS/IPS on pfsense**
You get to choose from the Suricata or Snort IDS/IPS plugins on pfsense, and both are capable. Suricata just takes much more time to tweak and configure, as it is more sensitive and produces more false positives during the initial stage, and it is really not novice friendly. For most home users, I will go with Snort, but you do need to register for a free account with them. Below are the recommended YouTube links from Lawrence Systems on the installation and setup. I will also add this in on Post #4.

One plus point for Suricata is multithreading; Snort is only single-threaded.

I only run IDS on the interface I have a VPN server on. I turned off the WAN IDS because there is simply too much noise from all the port scanning and script kiddies, and I'm already dropping those packets in the first place.

I'm actually thinking of turning off IDS completely, since packets are all encrypted nowadays and IDS has limited usefulness because it can't inspect the packet contents.

Installation and setting up of Suricata on pfsense:



Installation and setting up of SNORT on pfsense:



Running IDS/IPS Snort (screenshot)

Running IDS/IPS Suricata (screenshot)



**ADD-ONS: Integrating pfSense with Home Assistant for Remote Monitoring**
Some have asked me what could be a good way to remotely monitor (or take a quick glance at) their pfsense running at home. In fact, if you have been using "Home Assistant", you could integrate your pfsense with the (open-source) smart home supervisor. Some will know that I've been actively promoting forumers to integrate their IoTs and smart home devices with Home Assistant (HA), which is a very powerful smart home automation tool that is open source and yet highly customizable (using Python or .yaml data language files). Below I will cover the basic step-by-step guide for integrating pfsense with HA.

For those who are interested in knowing more about the open-source HA project, check it out here:
https://www.home-assistant.io/

Check out the step-by-step guide here:
https://forums.hardwarezone.com.sg/...-for-new-users.6390714/page-56#post-141085661
(screenshot of the HA integration)
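To make the rule-ordering points above concrete (interface rules processed top to bottom with the first match winning, floating rules evaluated first, "invert match", and the IoT VLAN isolation example), here is a small Python model added here; it is not pfSense or pf code. It assumes constructed subnets (192.168.10.0/24 for LAN, 192.168.30.0/24 for IoT), a non-default GUI port 10443 as the post advises, and that floating rules are "quick" so they win as soon as they match.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Union

# Toy model of the evaluation order the post describes: floating rules first,
# then the interface tab top to bottom, first match wins, implicit default deny.
# Added illustration only; pfSense compiles its GUI rules to pf rules.

ANY = "any"
AddrSpec = Union[str, List[str]]   # "any", one CIDR, or a list of CIDRs (an alias)


@dataclass
class Rule:
    action: str                   # "pass" or "block"
    name: str                     # description, as shown in the GUI
    src: AddrSpec = ANY
    dst: AddrSpec = ANY
    dport: Optional[int] = None   # None = any destination port
    invert_dst: bool = False      # the GUI's "Invert match" on the destination
    floating: bool = False        # lives on the Floating tab (assumed "quick")


def _addr_match(spec: AddrSpec, addr: str) -> bool:
    if spec == ANY:
        return True
    nets = spec if isinstance(spec, list) else [spec]
    ip = ip_address(addr)
    return any(ip in ip_network(n) for n in nets)


def matches(rule: Rule, src: str, dst: str, dport: int) -> bool:
    dst_ok = _addr_match(rule.dst, dst)
    if rule.invert_dst:           # match everything EXCEPT the selected destination
        dst_ok = not dst_ok
    port_ok = rule.dport is None or rule.dport == dport
    return _addr_match(rule.src, src) and dst_ok and port_ok


def decide(rules: List[Rule], src: str, dst: str, dport: int) -> str:
    """Return 'pass' or 'block' for one packet, in the order the post describes."""
    ordered = [r for r in rules if r.floating] + [r for r in rules if not r.floating]
    for rule in ordered:
        if matches(rule, src, dst, dport):
            return rule.action
    return "block"                # nothing matched: the implicit default deny


# --- constructed rule sets ----------------------------------------------------
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]   # an alias, as in the GUI
LAN, IOT, FW_ON_IOT = "192.168.10.0/24", "192.168.30.0/24", "192.168.30.1/32"
GUI_PORT = 10443                  # assumed non-default GUI port

# The mistake from the post: a permit-all rule on top shadows the block below it.
SHADOWED = [
    Rule("pass", "allow LAN to anywhere", src=LAN),
    Rule("block", "block LAN to IoT VLAN", src=LAN, dst=IOT),
]
FIXED = SHADOWED[::-1]            # same two rules, block moved above the permit

# IoT tab: DNS to the firewall allowed, everything else local blocked, and
# "invert match" on the RFC1918 alias lets the devices reach only the internet.
IOT_TAB = [
    Rule("pass", "IoT DNS to firewall", src=IOT, dst=FW_ON_IOT, dport=53),
    Rule("block", "IoT to firewall GUI and other VLANs", src=IOT, dst=RFC1918),
    Rule("pass", "IoT to internet only", src=IOT, dst=RFC1918, invert_dst=True),
]

# A pfBlockerNG-style floating block wins even though it is listed after a permit.
WITH_FLOATING = [
    Rule("pass", "allow LAN to anywhere", src=LAN),
    Rule("block", "pfB feed (constructed)", dst=["203.0.113.0/24"], floating=True),
]

if __name__ == "__main__":
    print("shadowed :", decide(SHADOWED, "192.168.10.5", "192.168.30.7", 80))
    print("fixed    :", decide(FIXED, "192.168.10.5", "192.168.30.7", 80))
    print("IoT->GUI :", decide(IOT_TAB, "192.168.30.20", "192.168.30.1", GUI_PORT))
    print("IoT->web :", decide(IOT_TAB, "192.168.30.20", "198.51.100.7", 443))
    print("floating :", decide(WITH_FLOATING, "192.168.10.5", "203.0.113.9", 443))
```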

coffeegreen

Any recommendations for a white-box appliance? I'm looking at specs for 1Gbps IDS/IPS. So far the Taobao boxes (Topton i5-8265U) look tempting.
TanKianW

<<OTHER SETTINGS>>

**(For Mission Critical) Setting up pfsense to auto-shut down during power down when connected to a UPS**
Install the "apcupsd" package plugin; the settings are under Services -> apcupsd -> General.
*I recommend connecting to an APC UPS with a USB connector. The setup should be pretty straightforward. Alternatively, you can also install the "nut" plugin for other brands of UPS that support the nut daemon.

APC UPS Settings over USB
Below are the details of the apcupsd daemon settings on pfsense over USB (screenshots).

Status information for a working UPS (screenshot)

Side note: You can configure the system to send you email notifications during a power failure by selecting the "php" options (if you have set it up on pfsense earlier). Test the notification setup by initiating a simulated power failure, followed by powering it back on (screenshot).

NOTE: If you want the pfsense appliance to power back on after a shutdown, do configure the power settings in the BIOS. This is extremely useful for those running their personal servers at home who want the servers to automatically turn back on when power resumes, after an earlier shutdown/halt.


**Create Mail Notifications on pfsense**
Under System -> Advanced -> Notifications
*You will need to create an app access on your Gmail control interface if you are using your Gmail account. Settings as below (screenshot):



**Setting up Telegram Notification on pfSense**
Some pfsense users asked me: instead of using email notifications, what could be another good way for the pfsense appliance to send you notifications or alerts? Well, you could use pfsense to send you alerts through Telegram notifications too. The setup is pretty straightforward, so you just need to follow the step-by-step guide using the link below:

Link: https://forums.hardwarezone.com.sg/...-for-new-users.6390714/page-20#post-136423344

Create Telegram Notifications (screenshot)



**Setting Power savings for CPUs that support variable frequencies**
Under System -> Advanced -> Miscellaneous
*I prefer setting the power plan to "Adaptive", to save power and at the same time rev the clock speed up when required. It helps to strike a balance. You can also enable AES-NI crypto acceleration for your CPU here (screenshot).


**For Just-In-Case Screw Ups on pfsense: Restoration of Previous Settings / Config**
Restore back to the last auto-saved settings: under Services -> Auto Config Backup -> Restore.
*Do remember to set up the auto config backup! (screenshot)

Restore and save your config settings:
Under Diagnostics -> Backup & Restore -> Backup & Restore (screenshot)



**Improving Bufferbloat using pfsense**
For those who are interested in bufferbloat: though I have no problem with it, I guess some here do. Feel free to play with the different preset algorithms to see if one works for you. It will be under Firewall -> Traffic Shaper -> Limiters. Feel free to check out this YouTube link:



**How To Setup pfsense Firewall for Dual WAN (Multi-WAN) and Gateway Policy Based Routing Rules**


For those who still need more understanding of how to set up multi-WAN (or policy routing) on pfSense, this is the updated tutorial video from Tom of Lawrence Systems. I will be updating this video on Page #1 of the thread for future reference for new users.



*Deploying 3G/4G Mobile Broadband as (Last Line of Defense) Backup WAN on pfSense*
I have been receiving requests on the deployment of 4G mobile broadband as the "last line of defense" WAN. Therefore, I would like to provide a workable solution to this, especially for those looking at a more resilient multi-WAN setup. These are the group of users who will keep telling me dual-WAN can still be down if the fiber internet is cut at the manhole outside...... that will be like....... Well, since some like to be prepared for the "worst case scenario", I will cover it here.

https://forums.hardwarezone.com.sg/...-for-new-users.6390714/page-49#post-140440294

NOTE: I think this setup will be useful to those with a mobile data plan and fiber plan from the same ISP, where, when their fiber is down (M1, Singtel, Starhub?), their data plan will be free to use during the downtime. In this setup, the network will fail over to the mobile data plan. I am using a spare 4G mobile SIM from Singtel.


*(WAN Setup) Configuring Ping and Gateway Monitoring/Logging on pfsense*

For those who want to configure ping and gateway monitoring/logging on pfsense, especially when you want to track if your ISP (or which ISP) was down in order to trigger a WAN failover, or even to lodge a complaint/case with your ISP about high packet loss or high latency during a certain period of time.

https://forums.hardwarezone.com.sg/...-for-new-users.6390714/page-19#post-134636338

*If running Dual-WAN, you can set either load balancing or failover for the respective WANs.
  • For a load balancing GW group: priority is set Tier 1 - Tier 1 for both WANs.
  • For a failover GW group: priority is Tier 2 - Tier 1, or vice versa, for either WAN.
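The tier behaviour of gateway groups and the monitor-driven failover described in the post (Tier 1/Tier 1 for load balancing, differing tiers for failover, with gateway monitoring deciding when a WAN is down), as a small Python model added here; it is not pfSense code. The WAN names and the packet-loss and latency thresholds are constructed, not pfSense's defaults.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Toy model of a pfSense gateway group as the post describes it: each member has
# a Tier, the lowest tier that still has a live gateway is used, members on the
# same tier are load balanced, and the gateway monitor decides "live" from packet
# loss and latency. Added illustration; thresholds below are assumed values.

LOSS_DOWN_PCT = 20.0    # assumed: mark the gateway down above this packet loss
RTT_DOWN_MS = 500.0     # assumed: mark the gateway down above this latency


@dataclass
class Gateway:
    name: str
    tier: int
    loss_pct: float = 0.0   # latest figures from gateway monitoring
    rtt_ms: float = 10.0

    @property
    def online(self) -> bool:
        return self.loss_pct <= LOSS_DOWN_PCT and self.rtt_ms <= RTT_DOWN_MS


def active_tier(group: List[Gateway]) -> List[Gateway]:
    """Members of the lowest-numbered tier that still has an online gateway."""
    by_tier: Dict[int, List[Gateway]] = {}
    for gw in group:
        if gw.online:
            by_tier.setdefault(gw.tier, []).append(gw)
    if not by_tier:
        return []
    return by_tier[min(by_tier)]


def pick(group: List[Gateway], flow_no: int) -> Optional[str]:
    """Gateway for the flow_no-th new connection: round robin inside the active
    tier (load balancing); a single-member tier always yields that member
    (failover). None means every WAN is down."""
    members = active_tier(group)
    if not members:
        return None
    return members[flow_no % len(members)].name


def mode(group: List[Gateway]) -> str:
    """Name the group the way the post does: all on one tier = load balance,
    different tiers = failover."""
    tiers = [gw.tier for gw in group]
    return "load balance" if len(set(tiers)) == 1 and len(tiers) > 1 else "failover"


def simulate_outage(group: List[Gateway], name: str, loss_pct: float) -> List[Optional[str]]:
    """Feed a new loss figure for one WAN, then report the gateway chosen for four flows."""
    for gw in group:
        if gw.name == name:
            gw.loss_pct = loss_pct
    return [pick(group, n) for n in range(4)]


# --- constructed groups -------------------------------------------------------
LOAD_BALANCE = [Gateway("WAN1_FIBRE", 1), Gateway("WAN2_FIBRE", 1)]
FAILOVER = [Gateway("WAN1_FIBRE", 1), Gateway("WAN2_4G", 2)]

if __name__ == "__main__":
    print(mode(LOAD_BALANCE), [pick(LOAD_BALANCE, n) for n in range(4)])
    print(mode(FAILOVER), [pick(FAILOVER, n) for n in range(4)])
    fo = [Gateway("WAN1_FIBRE", 1), Gateway("WAN2_4G", 2)]
    print("WAN1 at 50% loss:", simulate_outage(fo, "WAN1_FIBRE", 50.0))
```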

Apparatus

I'm looking for a hardware firewall. I had the Fortigate FG-60F in mind until I discussed it with the supplier here. It's good because it has high throughput.

However, the hardware is S$1200+ and it comes with a S$500 yearly subscription for software/upgrading, and its built-in VPN is meant for incoming only since it's an industrial product, unlike our home VPN which handles outgoing.

Your setting up of pfsense is a bit too hard for me. I would rather buy a hardware firewall which comes with pfsense, like the Netgate SG-5100. Its throughput (like the FG-60F) impresses me. What do you think of this product? A few questions:

1) What's the price of the SG-5100 here? I think it's priced at S$1000+/-
2) Any annual subscription for its software/firmware/upgrading?
3) Do you have a list of protection features that come with pfsense, like Antivirus, Mobile Malware, Botnet, CDR, Virus Outbreak Protection and Sandbox Cloud Service? How about antispam, web filtering, IoT protection etc?
4) It has some sort of VPN built in. Does it behave like a consumer VPN or as a VPN for an industrial product? Can I add my own VPN like in my router?
5) I have a 1Gbps line. What is the best throughput if I enable ALL the protection features? 800 - 900 Mbps with ALL protection features enabled is required so that the hardware firewall is not a bottleneck.
6) I have an ASUS WiFi6 router. Any issues with integrating the hardware firewall with it?

https://www.netgate.com/solutions/pfsense/sg-5100.html

7) From the picture below, it seems the SG-5100 needs two (2) incoming 1 Gbps lines. Am I correct?

https://www.netgate.com/blog/choosing-the-right-netgate-appliance.html


BTW, the SG-5100 seems to have some problems, as reported below:

https://forum.netgate.com/topic/144609/poor-sg-5100-performance

TanKianW

**Virtualizing pfSense on Hypervisor XCP-ng + XOA build from Source**


It's been a while since I updated the thread with some information on the first page. Though I have always been receiving queries from users asking me how to virtualize their pfsense, it has always been about ESXi from VMware... which I am not a fan of.

However, recently I started to receive some queries from users/clients who tried virtualizing pfsense (for testing) on a hypervisor like XCP-ng+XOA (which I am interested in). Their main issue is that they are not able to run some of the extended features and plugins on XOA. The main reason is that the XOA server they are using is the "free version" of XOA, which will only be unlocked with a paid subscription. However, the good thing about open source (OSS) is that you can easily build the "unlocked version" of XOA (on Debian or Ubuntu) directly from source (GitHub) if you know how to. The build-from-source version will also include the "sdn plugin" and several others for building internal networks on your hypervisor. As for installing pfsense on the hypervisor, it is as easy as copying the pfsense image (ISO) onto the host storage disk OR linking to your NAS shared storage over SMB/NFS (what I am using) and installing like on any other hypervisor. By the way, XCP-ng stands for "Xen Cloud Platform - Next Generation"!

Install pfsense on XCP-ng:
https://xcp-ng.org/blog/2019/08/20/how-to-install-pfsense-in-a-vm/

Recommend those trying out the opensource XCP-ng+XOA hypervisor to watch through this video tutorial:



Unlock the potential of your XOA by building from source:



Below are screenshots of XOA built from source with all plugins unlocked (screenshots).


Do also remember to install the "guest tools" to ensure that your hypervisor can communicate directly with your operating system, especially for those who are not able to get gigabit speed on their pfsense VMs. More information can be read here: https://xcp-ng.org/docs/guests.html#linux

Code:
# install the guest tools from the pfSense shell (console menu option 8):
pkg install xen-guest-tools xe-guest-utilities

# enable the service in rc.conf so it also comes up after a reboot
# (without this line "service xenguest start" refuses to run on FreeBSD)
sysrc xenguest_enable=YES

# then start the service
service xenguest start

Below is the pfSense VM with guest tools installed; you are good to go.
[screenshot]

Lastly, listen to Wendell from Level1Techs/Level1Linux on what he thinks about XCP-ng:
[embedded video]

bert64 (Senior Member)
There is a local reseller listed on the netgate site, but their prices are very high (higher than ordering from the US and paying shipping costs) and they don't seem to have any stock so you might have to wait for them to order one from the US anyway.

I bought a box from a Chinese company called Qotom via Lazada: 6x Intel NICs, fanless. I bought the cheapest model with a Celeron CPU and 4 GB RAM, but there are i5 and i7 versions available with up to 16 GB. Mine has no problem routing 1 Gbps, although my ruleset isn't especially complicated. I'm not using IDS or any other features that may load it up.
It came with pfSense preinstalled, so it was only necessary to configure it and update it to the latest version.

The official netgate one comes with a year's support, so if you are not familiar with pfsense you can contact netgate for help configuring it.

Locally, I have a managed switch and create separate VLANs for work, personal use, IoT devices and guests. The work VLAN is just straight out with no access to any of the other internal VLANs. I figure it's the company IT department's responsibility to keep their laptop secure, and I just want to isolate it away from anything of mine since it's not controlled by me.

Setting up pfsense isn't too difficult, make a bootable USB and follow the prompts. You can install it in a virtual machine if you'd like to test it and become familiar with the installation process and interface etc.
 

Apparatus (High Supremacy Member)
Re

1) You will have to convert USD to SGD, plus all the courier and delivery fees included. Should add up to 1k+/-. Their site currently selling at $699.

2) Update is free. But if you need support (esp for enterprise), do check here: https://www.netgate.com/resources/data-sheets/netgate-global-support.html

3) I do not recommend the common ClamAV-over-transparent-proxy setup on pfSense, after personally running it for quite a while. It is not really effective and causes more problems over time. I recommend running some form of AV on the client side. You had quite a long list of items; I recommend checking out the Netgate online documentation, online support and forum for your queries. You can also check out the Snort, Suricata and pfBlockerNG plugins. Btw, the firewall is only one part of the puzzle for network security.

4) Yes. It also supports OpenVPN, IPsec and L2TP, just like most routers out there, but with more flexibility.

5) That is subject to your firewall rule tables, IPS/IDS security levels (high, medium, low), reporting logs, exiting VPNs, traffic loads, simultaneous connections, etc. I will say the SG-5100 will be capable most of the time. If you want to play safe, it is good to go up one model. If you are curious, I recommend getting a spare x86 PC with 2 NICs, loading pfSense on it and trying it out.

6) I think what you mean is whether it "has" issues. I would think not, if you want to run your ASUS as just an AP. You should use pfSense as the first line of defense between the internet and the rest of the network/switches. I recommend turning off routing on the ASUS to prevent double NAT. Since we are on the topic of NAT, do turn on "PureNAT" under System->Advanced->Firewall & NAT. pfSense is smart enough to identify the type of route and route the traffic efficiently.

7) You can set the interfaces any way you like under the Interfaces option. It is a "software" firewall, so interfaces are flexible. It can use single WAN or dual WAN. Only if you buy the original Netgate appliance is it pre-configured for you.

8) It seems to me like a hardware problem. Any hardware is subject to failure. For a software firewall, you can also consider "Untangle".

3) Actually, the list of protection features I mentioned are from Fortigate FG-60F. I just want to see whether the same or more features are available in SG-5100. Since it's using ClamAV then I doubt it has similar features as the Fortigate FG-60F. Unless you can post a picture of the GUI then I can do the protection features comparison.

4) So I can add my own VPN config files like from ExpressVPN/VyprVPN/SurfShark VPN? If yes, that would definitely affect the throughput like in my ASUS router.

5) Yes, the settings do affect the max throughput. I was asking: if I enabled ALL protection features and set them to the max, what would be my max throughput from the hardware firewall? Do the specs spell this out? There are various throughputs (taken from the Fortigate FG-60F) like

NGFW throughput
Firewall throughput
IPS throughput
Threat Protection throughput
IPsec VPN throughput
SSL-VPN throughput
SSL-Inspection throughput
Application Control throughput and etc etc

Got some throughput data from below link but threat protection, SSL-VPN, SSL-Inspection throughputs etc seem missing. BTW does it come with SSL/HTTPS Inspection?

https://store.netgate.com/SG-5100.aspx

6) Corrected 'Can' to 'Any'

So I'll need to disable the NAT and VPN in my router and set in AP mode in order to integrate it with the SG-5100, right?

Also, IoT protection looks like missing which is important to me since I have many IoT devices at home.
 

Apparatus (High Supremacy Member)
Re

There is a local reseller listed on the netgate site, but their prices are very high (higher than ordering from the US and paying shipping costs) and they don't seem to have any stock so you might have to wait for them to order one from the US anyway.

I bought a box from a Chinese company called Qotom via Lazada: 6x Intel NICs, fanless. I bought the cheapest model with a Celeron CPU and 4 GB RAM, but there are i5 and i7 versions available with up to 16 GB. Mine has no problem routing 1 Gbps, although my ruleset isn't especially complicated. I'm not using IDS or any other features that may load it up.
It came with pfSense preinstalled, so it was only necessary to configure it and update it to the latest version.

The official netgate one comes with a year's support, so if you are not familiar with pfsense you can contact netgate for help configuring it.

Locally, I have a managed switch and create separate VLANs for work, personal use, IoT devices and guests. The work VLAN is just straight out with no access to any of the other internal VLANs. I figure it's the company IT department's responsibility to keep their laptop secure, and I just want to isolate it away from anything of mine since it's not controlled by me.

Setting up pfsense isn't too difficult, make a bootable USB and follow the prompts. You can install it in a virtual machine if you'd like to test it and become familiar with the installation process and interface etc.

Which local company is the reseller for NetGate devices? When I checked at the below it says no Netgate reseller here.

https://www.netgate.com/partners/locator.html#asia

Can post a link to the Qotom device? Thanks
 

bert64 (Senior Member)
When I checked at the below it says no Netgate reseller here

https://www.netgate.com/partners/locator.html#asia

Can post a link to the Qotom device? Thanks

What i ordered was: https://www.lazada.sg/products/pre-installed-pfsense-opnsense-aluminum-case-fanless-intel-7th-gen-celeron-3865u-mini-pc-with-8gb-ddr4-128gb-ssd-6-x-rj45-gigabit-lan-support-aes-ni-i343902778-s776340360.html?spm=a2o42.seller.list.98.6f153d4acRt9nB&mp=1

Same seller I bought mine from, although this model comes with 8 GB while mine has 4. Shipping from China wasn't too slow and I have no complaints about the device itself.

From the netgate link, there is one reseller here:

nexivity.com.sg
Singapore, Singapore, Singapore
+65 6921 7738

I think by default the Netgate page only shows resellers in Europe; you have to change it to Asia and then choose Singapore as the sub-location. That said, I wasn't terribly impressed... They have the SG-3100 on their site for 1350 USD:
https://store.nexivity.com.sg/product/netgate-sg-3100-pfsense-security-gateway-appliance/#

The same model direct from the US is 399 USD.

I'm not sure if the currency option on their site is broken, it defaults to USD and has an option to change it to SGD but it doesn't seem to do anything - the 1350 price may be USD or may be SGD? Either way it's pricey.
 

wkweksl (Member)
This is for slightly above SGD$400 barebones.

I got an i5-7200U from them early last year. Fanless and runs fairly cool. Build quality is good and all Intel NICs.
 

toyota (Junior Member)
Thanks for the thread.

I bought a fanless China box with 8M RAM, 128G SSD and a 3865U CPU to try out pfSense.

Longer term want to have dual WAN.

What are you guys using for the dual WAN. Currently on SingTel and I thought I read that the ONR gives a local LAN IP address. So thinking of changing to another provider since out of contract with SingTel. Any advice?
 

bert64 (Senior Member)
Thanks for the thread.

I bought a fanless China box with 8M RAM, 128G SSD and a 3865U CPU to try out pfSense.

Longer term want to have dual WAN.

What are you guys using for the dual WAN. Currently on SingTel and I thought I read that the ONR gives a local LAN IP address. So thinking of changing to another provider since out of contract with SingTel. Any advice?

By default Singtel will put you behind their ONR, so using pfSense with this setup would give you double NAT and no IPv6. You can get them to put the ONR in bridged mode, or on some models you can do this yourself. It can be quite a pain getting hold of someone to make that change for you.

Personally I've not used dual WAN with pfSense in Singapore, although I have configured dual and triple WAN connectivity in other countries. You can have failover or load balancing, although if you have 2x 1 Gbps connections going into the firewall you'll need something faster (port bonding can work) on the inside if you want to make use of >1 Gbps.

When I set up multiple WAN links on pfSense, we had unreliable and slow ADSL links which were all <10 Mbps, so a single internal 100 Mbps port was more than sufficient.

IPv6 dual WAN will work a little differently. You have two choices: either prefix translation to make it work more like legacy IP, or you can actually announce multiple address blocks to the LAN side (and you could use multiple firewalls to do it so you have failover in case one dies). With the latter config, the client device sees 2 routes and gets to choose which to use, rather than the firewall.
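To make the failover-versus-load-balancing choice concrete, here is an added example in POSIX sh (my own, not code from the thread, from pfSense or from dpinger). It mimics how a pfSense gateway group picks members: each monitored WAN is assigned a tier, all gateways in the lowest tier that still has an "up" member are used together (load balancing), and the next tier is only used when every gateway above it is down (failover). The probe samples are constructed stand-ins for the RTTs a gateway monitor collects, and the loss and latency thresholds are assumed values, not pfSense's defaults.

```shell
#!/bin/sh
# Added example: multi-WAN gateway state and tiered gateway-group selection.
# Thresholds below are assumptions chosen for the demo, not pfSense defaults.
LOSS_DOWN_PCT=20    # gateway is "down" at or above this packet loss
RTT_DOWN_MS=500     # ... or at or above this average RTT (ms)

# Constructed monitor samples: one RTT in ms per probe, "-" for a lost probe.
# Format per line: name|tier|samples. WAN1/WAN2 share tier 1, WAN3 is the backup.
GATEWAY_TABLE="WAN1|1|12 11 14 13 12 15 11 12 13 12
WAN2|1|45 46 - 51 48 49 47 48 50 47
WAN3|2|30 31 29 30 32 30 31 29 30 31"

# gateway_stats "<samples>" -> prints "<loss_pct> <avg_rtt_ms>"
# (average over answered probes only; 0 when nothing was answered)
gateway_stats() {
    printf '%s\n' "$1" | awk '{
        lost = 0; sum = 0; n = NF
        for (i = 1; i <= NF; i++) {
            if ($i == "-") lost++; else sum += $i
        }
        ok = n - lost
        printf "%d %d\n", (lost * 100) / n, ((ok > 0) ? (sum / ok) : 0)
    }'
}

# gateway_state "<samples>" -> prints "up" or "down" using the thresholds above
gateway_state() {
    set -- $(gateway_stats "$1")
    if [ "$1" -ge "$LOSS_DOWN_PCT" ] || [ "$2" -ge "$RTT_DOWN_MS" ]; then
        echo down
    else
        echo up
    fi
}

# active_gateways "<table>" -> comma-separated members of the lowest tier that
# has at least one "up" gateway; empty when every gateway is down.
active_gateways() {
    printf '%s\n' "$1" | while IFS='|' read -r name tier samples; do
        [ "$(gateway_state "$samples")" = up ] && echo "$tier $name"
    done | sort -n | awk '
        NR == 1 { t = $1 }
        $1 == t { printf "%s%s", (NR > 1 ? "," : ""), $2 }
        END     { print "" }'
}

# Demo run over the constructed table.
printf '%s\n' "$GATEWAY_TABLE" | while IFS='|' read -r name tier samples; do
    printf '%-5s tier %s  loss/avg: %-8s %s\n' "$name" "$tier" \
        "$(gateway_stats "$samples")" "$(gateway_state "$samples")"
done
echo "Usable gateways: $(active_gateways "$GATEWAY_TABLE")"
```

With both tier-1 links healthy the group balances across WAN1 and WAN2; knock WAN1 out with loss and traffic stays on WAN2 alone; push WAN2's latency over the threshold as well and the group falls through to the tier-2 backup. Dropping a gateway on loss or latency rather than on a single failed probe is what keeps a flapping ADSL line from bouncing the whole group.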
 

xiaofan (Arch-Supremacy Member)
Thanks for the thread.

I bought a fanless China box with 8M RAM, 128G SSD and a 3865U CPU to try out pfSense.

Longer term want to have dual WAN.

What are you guys using for the dual WAN. Currently on SingTel and I thought I read that the ONR gives a local LAN IP address. So thinking of changing to another provider since out of contract with SingTel. Any advice?

Basically if you want redundancy, better avoid the following two.

SingTel ONR -- but you can request to bridge the ONR.

MyRepublic: CGNAT, but you can pay S$50 to get Static IP as the workaround.

But with the above two, you will not have IPv6 if you care for IPv6. I do not care about IPv6 myself based on my testing using Singtel ONT (6rd IPv6 implementation, not dual stack, performance is worse than IPv4).

You can choose all other ISPs. I will actually recommend M1 (relatively stable) and Viewquest (high performance but less stable). But if you do not care for IPv6, then MyRepublic with Static IP is also with good performance (close to Viewquest).
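The ONR and CGNAT advice above, and the earlier point about avoiding double NAT behind an ASUS, come down to one check: what address did pfSense's WAN interface actually receive? Here is an added example in POSIX sh (my own, not code from the thread or from pfSense) that classifies a WAN address as public, RFC 1918 private (double NAT behind an ISP router such as an unbridged ONR), or RFC 6598 CGNAT (100.64.0.0/10, the MyRepublic case). The sample addresses are constructed; the WAN interface name in the comment is an assumption.

```shell
#!/bin/sh
# Added example: detect double NAT / CGNAT from the address on the WAN side.
# Pure POSIX sh arithmetic, so it runs unchanged on a pfSense (FreeBSD) shell.

# ip_to_int "a.b.c.d" -> prints the 32-bit integer value; returns 1 if malformed
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$1" "$2" "$3" "$4"; do
        case $o in ''|*[!0-9]*) return 1;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr "a.b.c.d" "net/len" -> true when the address lies inside the prefix
in_cidr() {
    ip=$(ip_to_int "$1") || return 1
    net=$(ip_to_int "${2%/*}") || return 1
    len=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# classify_wan "a.b.c.d" -> rfc1918 | cgnat | other | public | invalid
#   rfc1918: you are behind another NAT device (ISP router, ONR not bridged)
#   cgnat:   RFC 6598 shared address space, i.e. carrier-grade NAT at the ISP
#   other:   loopback / link-local, not a usable WAN address at all
#   public:  a routable address; inbound port forwards and IPv6 can work
classify_wan() {
    ip_to_int "$1" >/dev/null || { echo invalid; return 1; }
    if in_cidr "$1" 10.0.0.0/8 || in_cidr "$1" 172.16.0.0/12 || in_cidr "$1" 192.168.0.0/16; then
        echo rfc1918
    elif in_cidr "$1" 100.64.0.0/10; then
        echo cgnat
    elif in_cidr "$1" 127.0.0.0/8 || in_cidr "$1" 169.254.0.0/16; then
        echo other
    else
        echo public
    fi
}

# Constructed sample addresses. On a live box you would instead feed in the
# WAN address, e.g.: ifconfig igb0 | awk '/inet /{print $2}'  (igb0 is assumed)
for addr in 203.0.113.9 192.168.1.20 100.100.5.7 169.254.10.1; do
    printf '%-16s %s\n' "$addr" "$(classify_wan "$addr")"
done
```

Anything other than "public" on the WAN side is the signal that port forwards, an IPv6 delegation and VPN endpoints on pfSense will not behave as expected, which is exactly why the thread suggests bridging the ONR or paying for a static IP rather than fighting it with a second NAT layer.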
 