Starting pfsense for New Users

TanKianW

Master Member
Joined
Apr 21, 2005
Messages
3,687
Reaction score
81
Hi all, I decided to start a new thread to help forumers get a head start using the pfsense firewall.

Below are my reasons for doing so:
1) As working from home becomes the default mode of working for many of us, securing your home network becomes a major task. In fact, if you have read the recent reports on the spike in network vulnerabilities, more home networks have been compromised during this WFH period. Therefore, by deploying a quality firewall, our home network becomes more secure and safe. Of course, having a firewall is only one piece of the puzzle in securing your home network.
2) Provide an alternative to the more advanced Mikrotik and Ubiquiti routers. Actually, pfsense is a "step up" compared with these alternatives.
3) Change the perception that pfsense is hard to configure and exclusively for advanced users.
4) With our increasing demand for internet speed, IoTs, multiple home mobile devices and growing awareness of network security, OTS consumer products just lack the capability to protect our home network.
5) OTS routers or even some lower-end Mikrotik/Ubiquiti routers are not really built for Dual-WAN. Therefore, as more of us subscribe to 2x 1Gbps plans or plans from 2 ISPs, the demand for a multi-WAN capable router falls into place.
6) An "always on" router: no need to power cycle, no need to reboot (except maybe for major updates). Enterprise-class routing solutions are suited for 24/7 operation. Compare this with any top-range consumer router, where after a long period of operation consumer routing solutions tend to "ghost" on the connection and behave extremely sluggishly in most cases.

What I will try to do is:
1) Provide some hardware recommendations for building your pfsense box.
2) Describe what could be my personal preferred pfsense setup. This could be subjective.
3) Provide good YouTube links for setting up your pfsense and some step-by-step configurations complementing the online resources (if any). Most of the time I will be quoting YouTube links from Tom of Lawrence Systems since his online tutorials are the most extensive and, in my opinion, honest and less BS.
4) This should not be a too-complicated thread touching on too many advanced settings which the majority of forumers here will not be using. It is to provide a head start for new users, but it still requires new users to learn the interface and the basics of a firewall on their own to really understand the concepts of a firewall/router.

*Disclaimer: I am not in any position to market the pfsense appliance from Netgate.
*A little background on my experience with pfsense: I have been learning, using, contributing to and deploying pfsense over the past few years in several enterprise and home setups. I dare not say I am a professional since I still have a lot to learn and still make mistakes along the way. As Albert Einstein put it simply, "A person who never made a mistake never tried anything new."


*Hardware recommendations for pfsense (updated 7 Dec 2020):
Option A: Building your own pfsense box
The most important parts to take note of when building your pfsense box: chassis, motherboard form factor, CPU and NIC.
CPU: Intel CPUs preferred, with support for AES-NI crypto. You can look for Intel CPU models that end with "U" or "T", which are low powered. If you are concerned about power usage, you can turn on pfsense's native support for EIST under System->Advanced->Misc->PowerD options.
Chassis: I will go with a mini-box that houses a mini-ITX board, or a 1U low-depth chassis.
PSU: Flex-ATX power supplies usually allow for a slimmer-profile chassis; an SFX power supply will need a bigger one. A good power supply with >250 watts and Bronze or above certification will suffice.
Memory: I will go for non-ECC Kingston ValueRAM, at least 8GB.
Storage: I will go with SSDs over magnetic disks. >128GB should suffice unless you enable heavy logging.
Motherboard: This is one of the most important components. I will go with server-class motherboards like Supermicro or ASRock Rack. Good to get a motherboard that comes with Intel NICs.
NICs: Due to the nature of driver compatibility on FreeBSD, Intel NICs are preferred over Marvell and Realtek. RJ45 or fibre through SFP/SFP+ are OK. Do get a NIC with a good heatsink since it might run pretty hot under load.

A few good NIC makers come to mind:
1) 10Gtek
2) Mellanox
3) Intel OEM
4) Chelsio (Recommended)
*You can check out the NICs recommended on the "Serve The Home" website and forum.

*Recommendation for 1U pfsense set-up (Enterprise use) - for reference only (updated on 21 May 2021)
  • 1U custom casing with 2 delta 4cm fans
  • ASRock Rack E3C23DI mini-ITX board with 2x Intel NICs
  • Intel Xeon E3-1240L (tray) at 25W (4 cores, 8 threads)
  • Dynatron 1U T-06 CPU cooler
  • 2x 8GB Kingston unbuffered DDR4 ECC
  • OEM 500W Flex-ATX PSU (Platinum rating)
  • 2x 240GB Intel SSDs in a ZFS mirror
  • Chelsio T520 with 2x 10G SFP+ OR Quad port Intel 1G NIC


1U rack pfsense deployment:


Option B: Purchasing your Netgate firewall appliance
You will not be able to purchase a Netgate appliance directly from their website. But you can use a local carrier to deliver it to Singapore if you are really keen on getting the original appliance.
Pros: support for pfsense straight out of the box.
Cons: Expensive. Might have problems claiming warranty.
Check out: https://www.netgate.com/products/appliances/



Option C: Purchasing a third-party all-in-one box with an embedded (low-powered) CPU and multiple NICs built in
Recommendation:
Chassis: Passively cooled with lots of fins.
CPU: Embedded Intel CPU with model numbers ending with "U". For power users and VM users, I recommend a CPU that has at least 4 cores, 8 threads. Most will support AES-NI unless it is the earlier J19XX Atom series.
Memory: Recommend getting a box that does not come with memory. It can be purchased separately locally for warranty claims. Recommend 8GB.
Storage: Same as above. Prefer to purchase it locally for warranty claims.
NICs: It will usually come with Intel's. Look for one with at least 4 NICs so you can run dual-WAN and LACP LAGG to your switch. But performance will not be as good as dedicated higher-end NICs with bigger heatsinks.

*Recommendation of mini x86 boxes on Option C - for reference only (updated on 21 May 2021)
CPU (supports AES-NI): Intel Celeron Quad Core J4105, TDP 10W.
*UPDATED*: J4125 and J5005 are good buys too. Take note that the supported memory capacity is up to 8GB only (but 8GB is more than enough for pfsense). Recommend getting one with Intel NICs.

J4105: https://ark.intel.com/content/www/u...-j4105-processor-4m-cache-up-to-2-50-ghz.html
J4125: https://ark.intel.com/content/www/u...-processor-j4125-4m-cache-up-to-2-70-ghz.html
J5005: https://ark.intel.com/content/www/u...-j5005-processor-4m-cache-up-to-2-80-ghz.html

Comparison with J4105:
J4125 VS J4105
J4105 VS J5005

RAM: 8GB
Storage: 64GB or more
Chassis: passively cooled small chassis
NIC: at least 4 x Intel i211 NICs
Price: Varies from $220-$240 (4GB-64S to 8GB-128S) including direct shipping



Typical Dashboard:


If you are considering 10GbE for your home network, you can check out here:
https://forums.hardwarezone.com.sg/...r-hdb-home-network-10gbe-project-6341518.html

*Some Recommendations on Plugin Packages:
1) OpenVPN Client Export
2) Either Suricata or Snort by Cisco (requires registration)
3) pfBlockerNG (GeoIP blocking requires a [free] MaxMind registration account)
4) ACME certificates (requires a registered Let's Encrypt account with email)
5) iperf - for benchmarking
6) Status Traffic Totals - for stats display
7) HAProxy to enforce https for all servers
8) apcupsd or nut plugins for connecting your pfsense to a UPS
9) Service Watchdog for automatically restarting services when they are down
 

TanKianW

*IMPORTANT (Please LEARN)* Initial pfsense Installation
Loading pfsense the first time, initial setting up of interfaces (using a Ubiquiti switch), and setting up the firewall the first time:
Singtel miotv on pfsense:
xiaofan's guide to configuring the pfsense VLANs to work with miotv. This should work.
Another way is to connect the miotv and digital phone line straight to the (bridged) Huawei ONR. I am using this method. It works too.
Take note the guide is for Singtel ONT users. It is not applicable to SingTel ONR users.
Good point: for ONR users, you need to connect the SingTel TV box to the ONR. And to effectively use a pfsense router, the user needs to request SingTel to bridge the ONR.
pfsense router -- ONR bridged port
SingTel TV box (up to 3 boxes) -- ONR unbridged port

*Connecting to the main switch using LACP LAGG
Setting up LACP LAGG from the pfsense box to the switch (Ubiquiti):
*Recommend setting the LAGG up during the initial stage when you have more than 2 LAN ports (e.g. 3 or 4).


*If you are using a Mikrotik switch (SwOS), simply set it as "passive" (or active) and let the pfsense appliance initiate the LAGG. It will self-resolve and identify the LAGG set up from upstream.


NOTE: If you want to learn more on the use of SwOS on a Mikrotik switch, feel free to check out here:
https://wiki.mikrotik.com/wiki/SwOS/CSS326

*Some points to note: When LACP LAGGing 2 LAN ports, you will still only achieve the max speed of 1 LAN port. However, when there is more than 1 point requesting data and able to saturate 1 of the ports, LACP will automatically load balance and use the spare LAN port to transport the data for the other request. If any of the LAN ports fail, the spare or good LAN port will automatically take over and route the traffic, fulfilling the failover requirements.

LACP LAGG your LAN to switch:


*Setting up Multi-WAN on pfsense:


Configuring Ping and Gateway Monitoring/Logging on pfsense
For those who want to configure ping and gateway monitoring/logging on pfsense, especially when you want to track if (or which) ISP was down in order to trigger a WAN failover, or even to lodge a complaint/case with your ISP about high packet loss or high latency during a certain period of time.
https://forums.hardwarezone.com.sg/...-for-new-users.6390714/page-19#post-134636338

*IF running Dual-WAN, set load balance and fail-over for the default WAN, and fail-over for the secondary WAN



*Using and setting up OpenVPN through your pfsense
It is pretty straightforward on pfsense. Just follow the wizard. The wizard will even create the certificate and the firewall rules. It is good if your CPU supports AES-NI crypto to speed up the encryption.


After setting up OpenVPN on pfsense, you just need to download the client installer (with the OpenVPN Client Export plugin installed) from the OS list and set it up on the connecting PC.

Some might need to set up DDNS (due to DHCP on the ISP side) to connect remotely using OpenVPN if you do not have a static IP. I recommend the following:
1) DuckDNS (FOC)
2) Digital Ocean (cloud subscription)
*There are quite a few options for you to choose from on pfsense. You can also choose from their drop-down list.

*Using Custom DNS over TLS on pfSense*
Received some queries on the use of custom DNS on pfsense, so I decided to cover a little bit more on this and set up custom DNS over TLS, which was well explained by Tom of Lawrence Systems some time back.


Setting up the custom DNS (you will need to specify DNS for the respective WANs in a multi-WAN setup):


Set up page for DNS over TLS on DNS Resolver (pfsense CE 2.5.1):


Points to note:
  • The main reason for using custom DNS over TLS is to increase privacy, so that the transport in between (passing over port 53 in clear text) will not be "snooped" by your ISP. This is not a foolproof method since the ISP can still see your IP address, but it prevents them from looking at your DNS queries.
  • As for some of the use cases, I shall not explain too much. But it will allow you to use your internet more "freely".

Set up for DDNS (for those without static IPs):
 
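The LACP behaviour described in the post above (one flow is capped at one port's speed, several concurrent flows spread across the members, and a failed member drops out so the survivor carries everything) comes from the way a LAGG hashes each flow's header fields to a single member link. The model below is an added example, not pfsense or FreeBSD lagg(4) code; the CRC32 hash over the protocol/IP/port tuple and the 192.168.10.0/24 hosts are assumptions for illustration, since real NICs and switches apply their own L2/L3/L4 hash policy.

```python
"""Why a 2-port LACP LAGG does not double single-flow throughput.

Added example, not pfsense or FreeBSD lagg(4) code. A LAGG chooses ONE member
link per flow by hashing header fields, so one TCP session always rides one
port while many concurrent flows spread across the members. The hash used here
(CRC32 over the protocol/IP/port tuple) and the 192.168.10.0/24 addresses are
assumptions for illustration; real NICs and switches use their own hash policy.
"""
import zlib
from collections import Counter


def member_link(src_ip, dst_ip, src_port, dst_port, proto="tcp", up_links=(0, 1)):
    """Pick the LAGG member for one packet from its flow tuple.

    up_links lists the member ports LACP currently considers healthy, so a
    failed port simply drops out of the candidate set and its flows move over.
    """
    key = f"{proto}:{src_ip}:{src_port}>{dst_ip}:{dst_port}".encode()
    return up_links[zlib.crc32(key) % len(up_links)]


def single_flow_distribution(n_packets=1000, up_links=(0, 1)):
    """All packets of one flow hash to the same link: max speed of 1 port."""
    flow = ("192.168.10.20", "192.168.10.5", 51000, 445)   # one SMB session (constructed)
    return dict(Counter(member_link(*flow, up_links=up_links) for _ in range(n_packets)))


def many_flows_distribution(n_flows=200, up_links=(0, 1)):
    """Distinct flows (different hosts / source ports) spread over the members."""
    counts = Counter()
    for i in range(n_flows):
        host = f"192.168.10.{100 + i % 50}"          # 50 constructed client hosts
        counts[member_link(host, "192.168.10.5", 40000 + i, 445, up_links=up_links)] += 1
    return dict(counts)


if __name__ == "__main__":
    print("one flow, both links up :", single_flow_distribution())
    print("200 flows, both links up:", many_flows_distribution())
    print("200 flows, link 1 failed:", many_flows_distribution(up_links=(0,)))
```

Running it shows the single flow pinned to one member while the 200 flows use both, and with `up_links=(0,)` every flow lands on the surviving port, which is the failover case the post describes.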

TanKianW

(MORE ADVANCED SETTINGS)

*Using the HAProxy and ACME plugins to host your own proxy server through pfsense.



*Using Let's Encrypt through the ACME and HAProxy plugins:

*Using wildcard certificates to enforce https:

*Troubleshooting HAProxy on pfsense:
Some key points to note:
1) Pay attention to the "frontend" and "backend" when configuring HAProxy. Recommend configuring the backend first. Both have to match. Do sketch out your whole network map and plan before you start configuring.
2) You can register your free Let's Encrypt keys (production) through the pfsense GUI itself. Do take note that Let's Encrypt has a limit on issuing certificates per domain name; try not to exceed it.

A few practical uses of HAProxy through pfsense include:
1) Easily enforcing https for all your servers, locally and externally, through a single point, whether they are http or using self-signed certificates.
2) Hosting your very own self-managed private cloud using Nextcloud (personally, I am hosting it in a jail on TrueNAS Core).
3) Encrypted access to your NAS or any servers externally, if you are not using a VPN.

*For security reasons, you should not be exposing your server to external access unless there is really a need. Using a VPN is more secure. You really need to know what you are doing before exposing your server externally.

Using Let's Encrypt certs through ACME on pfsense:


Running your pfsense as a proxy server:

"https" your personal cloud server:

Recommended: Set up 2FA on Nextcloud if you want added security, using a TOTP mobile app:


*Interested in setting up your IaaS cloud services on TrueNAS Core? Check out my thread here:
https://forums.hardwarezone.com.sg/threads/starting-truenas-core-for-new-users.6480129/

*Improving Bufferbloat using pfsense
For those who are interested in bufferbloat: though I have no problem with it, I guess some here do. Feel free to play with the different preset algorithms to see if one works for you. It will be under Firewall -> Traffic Shaper -> Limiters. Feel free to check out this YouTube link:
 

TanKianW

*SECURITY SECTION*

*Using pfsense's pfBlockerNG plugin to run a sinkhole, DNS & IP filter:

*It is not necessary to run both Pi-hole and pfBlockerNG at the same time. pfsense is the more convenient way of running a sinkhole and DNS/IP filter.
Setting up the latest pfBlockerNG:

Setting up GeoIP through MaxMind:

Difference between pfBlockerNG and Pi-hole:

Dashboard showing pfBlockerNG in action:


GeoIP blocking using a registered MaxMind account:


Default blacklist categories. Especially useful to parents who want to prevent kids from visiting restricted web content:


DNS block lists and feeds:
 
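The two things the pfBlockerNG post above relies on, a DNS sinkhole fed by block lists and an IP/GeoIP filter fed by CIDR lists, are worth seeing as plain logic. The block below is an added example, not pfBlockerNG or Unbound code: it parses a constructed hosts-style DNSBL feed and a constructed CIDR feed, answers listed names (and subdomains of listed names, in the spirit of pfBlockerNG's TLD-style blocking) with a sinkhole address, and checks destination IPs against the CIDR list. The feeds, domains and the 10.10.10.1 sinkhole address are constructed for the example; 10.10.10.1 is assumed here as the DNSBL virtual IP.

```python
"""Model of what a pfBlockerNG-style DNSBL sinkhole and IP block list do.

Added example, not pfBlockerNG or Unbound code. Two mechanisms are shown:
 - DNSBL: a queried name (or any parent domain of it) that appears on a feed is
   answered with a sinkhole address instead of being forwarded upstream;
 - IP lists / GeoIP: a destination address is checked against CIDR feeds.
Feeds, domains and the 10.10.10.1 sinkhole below are constructed for the example.
"""
from ipaddress import ip_address, ip_network

SINKHOLE = "10.10.10.1"   # assumed DNSBL virtual IP

# Constructed DNSBL feed: hosts-file style and bare-domain lines mixed, with
# comments, as real feeds commonly are.
DNSBL_FEED = """\
# adservers (constructed sample)
0.0.0.0 ads.example.com
127.0.0.1 tracker.example.com
example.net
"""

# Constructed IP feed (CIDRs), e.g. a GeoIP country block or a threat feed.
IP_FEED = """\
# constructed sample
198.51.100.0/24
203.0.113.0/24
"""


def parse_dnsbl(text):
    """Return the set of blocked domains from a hosts- or domain-list feed."""
    blocked = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        domain = fields[1] if len(fields) > 1 else fields[0]   # drop a "0.0.0.0" prefix
        blocked.add(domain.lower().rstrip("."))
    return blocked


def parse_ip_feed(text):
    """Return the list of networks from a CIDR feed, ignoring comments and blanks."""
    return [ip_network(l.split("#", 1)[0].strip())
            for l in text.splitlines() if l.split("#", 1)[0].strip()]


def dnsbl_lookup(qname, blocked, sinkhole=SINKHOLE):
    """Sinkhole the name if it or any parent domain is listed; None = forward upstream."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):           # walk host -> parent, stop before the TLD
        if ".".join(labels[i:]) in blocked:
            return sinkhole
    return None


def ip_blocked(addr, networks):
    """True if the address falls in any listed CIDR (IP list / GeoIP block)."""
    a = ip_address(addr)
    return any(a in net for net in networks)


if __name__ == "__main__":
    blocked = parse_dnsbl(DNSBL_FEED)
    nets = parse_ip_feed(IP_FEED)
    for name in ("ads.example.com", "cdn.tracker.example.net", "www.example.com"):
        print(f"{name:26} -> {dnsbl_lookup(name, blocked) or 'forward upstream'}")
    for ip in ("203.0.113.7", "93.184.216.34"):
        print(f"{ip:26} -> {'blocked' if ip_blocked(ip, nets) else 'allowed'}")
```

The parent-domain walk is what makes a single `example.net` entry also catch `cdn.tracker.example.net`; it stops before the bare TLD so a feed entry can never accidentally sinkhole every `.net` name.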

TanKianW

*SECURITY SECTION*

Security recommendations for a home network setup using pfsense:

1) LACP LAGG from pfsense to a LAGG-capable switch.
2) Separate VLANs to segregate the network devices (e.g. IoTs, mobile devices, wired PCs, laptops, guests, etc.). Your firewall rules should also prevent VLANs from communicating with each other.
3) VPN using OpenVPN (for connecting to your home network when you are in the workplace or vice versa).
4) Refrain from using the default ports (e.g. avoid default ports 80 & 443) to access your firewall GUI, and restrict which VLANs can access your firewall. You should not expose your firewall to be accessed externally!

*IMPORTANT (Please LEARN)* Understanding the firewall setup on pfsense and best practices
Tom from Lawrence Systems clearly explains the concept of a firewall using pfsense and what good practices to look out for.

*IMPORTANT (Please LEARN)* Setting up VLANs using pfsense
Do plan and map the whole network before starting to set up your VLANs. Your firewall rules should also prevent VLANs from communicating with each other, just in case one of the VLANs is compromised.
Example of VLAN firewall rules (preventing the IoT VLAN from accessing the firewall GUI and other LAN networks):


Since you're on firewall rules, I'd like to add that floating rules have precedence over the individual interface rules; then under the interface tabs, the rules are processed from top to bottom.

That is to say, if you have a rule permitting access to everywhere all the way at the top of the list, and a rule blocking access to another subnet at the bottom of the list, your blocking rule won't work.

Remember to check the order of your rules, and of course test them out to ensure they're working as intended.

If you are using the pfBlockerNG plugin, you will notice that floating rules are automatically created from the filter lists. Do not edit them, you may screw it up, unless you really know what you are doing.

The best way to test if the firewall rules work is to ping/test them. Sometimes right after making changes to the firewall rules, it may take some time for the firewall table to flush out the old rules, even though most of the time it will be pretty fast.

The use of "invert match" in the firewall rules is also extremely useful. For example, if you select an IP to block but you check "invert match", it means the opposite: all other IPs will be blocked except the IP selected.

Firewall rules can be configured very differently and yet serve the same purpose. There is no one-rule-fits-all solution. This really proves the flexibility of firewall configuration on pfsense.

*Set schedules for specific firewall rules:
You can try creating schedules under Firewall -> Schedules.


Then choose the created schedule for that particular firewall rule under Firewall -> Rules -> Extra Options -> under Advanced Options click the Display Advanced gear icon to expand -> Schedule

You can also set pfsense to block a specific device on a specific schedule. You can block the common internet ports to prevent access to the internet or gaming servers. Watch this:


*Setting up and configuring IDS/IPS on pfsense
You get to choose from the Suricata or Snort IDS/IPS plugins on pfsense, and both are capable. Suricata just takes much more time to tweak and configure, as it is more sensitive and produces more false positives during the initial stage, and it is really not novice friendly. For most home users, I will go with Snort, but you do need to register for a free account with them. Below are the recommended YouTube links from Lawrence Systems on the installation and setup. I will also add this in on Post #4.

One plus point for Suricata is multithreading; Snort is only single threaded.

I only run IDS on the interface I have a VPN server on. I turned off the WAN IDS because there is simply too much noise from all the port scanning and script kiddies, and I'm already dropping those packets in the first place.

I'm actually thinking of turning off IDS completely, since packets are all encrypted nowadays and IDS has limited usefulness because it can't inspect the packet contents.

Installation and setup of Suricata on pfsense:

Installation and setup of Snort on pfsense:

Running IDS/IPS Snort:


Running IDS/IPS Suricata:
 
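The rule-ordering pitfall, the floating-rules-first point and the "invert match" trick described in the post above can be tried out without touching a firewall. The block below is an added example, not pfsense code: a simplified model of pf's first-match evaluation that runs the same IoT-VLAN policy three ways (the broken order, the corrected order, and a single invert-match rule) over constructed packets. It assumes floating rules are marked "Quick" (a non-quick floating rule in pfsense is last-match and is not modelled), matches only on source, destination and destination port, and uses constructed subnets: IoT VLAN 10.20.0.0/24 with the firewall at 10.20.0.1, LAN 10.10.0.0/24, and a constructed 203.0.113.0/24 feed range for the pfBlockerNG-style floating block.

```python
"""Simplified model of pfsense (pf) firewall rule evaluation.

Added example, not pfsense code. Shows: floating rules are checked before
interface rules, the interface tab is first-match from top to bottom, and
"Invert match" negates a destination test. Assumes floating rules are "Quick";
subnets and the 203.0.113.0/24 feed range are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

IOT_NET = "10.20.0.0/24"
LAN_NET = "10.10.0.0/24"
RFC1918_10 = "10.0.0.0/8"
FW_IOT_ADDR = "10.20.0.1/32"


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    src: str = "any"                 # CIDR or "any"
    dst: str = "any"
    dst_port: Optional[int] = None   # None = any port
    invert_dst: bool = False         # pfsense "Invert match" on the destination
    description: str = ""


def _in_net(net, addr):
    return net == "any" or ip_address(addr) in ip_network(net)


def matches(rule, pkt):
    dst_ok = _in_net(rule.dst, pkt["dst"])
    if rule.invert_dst:
        dst_ok = not dst_ok
    return (_in_net(rule.src, pkt["src"]) and dst_ok
            and (rule.dst_port is None or rule.dst_port == pkt["dport"]))


def evaluate(pkt, floating, interface_rules):
    """First matching quick rule wins; pfsense's implicit default is to block."""
    for rule in (*floating, *interface_rules):
        if matches(rule, pkt):
            return rule.action, rule.description
    return "block", "default deny"


# Floating rule of the kind pfBlockerNG generates from an IP feed (constructed range).
FLOATING = [Rule("block", dst="203.0.113.0/24", description="floating: IP feed block")]

# The pitfall: permit-any on top means the block below is never reached.
IOT_BROKEN = [
    Rule("pass", src=IOT_NET, description="allow IoT to anywhere"),
    Rule("block", src=IOT_NET, dst=LAN_NET, description="block IoT to LAN"),
]

# Corrected order: specific blocks (and the DNS exception) before the general pass.
IOT_FIXED = [
    Rule("pass", src=IOT_NET, dst=FW_IOT_ADDR, dst_port=53, description="allow IoT DNS to firewall"),
    Rule("block", src=IOT_NET, dst=FW_IOT_ADDR, description="block IoT to firewall GUI/other"),
    Rule("block", src=IOT_NET, dst=RFC1918_10, description="block IoT to other internal nets"),
    Rule("pass", src=IOT_NET, description="allow IoT to internet"),
]

# Same intent with one "Invert match" rule: pass only to non-10/8 destinations;
# everything else (LAN, firewall GUI, even DNS) falls through to the default deny.
IOT_INVERT = [
    Rule("pass", src=IOT_NET, dst=RFC1918_10, invert_dst=True, description="allow IoT to !10/8"),
]


def verdict(ruleset_name, pkt):
    rules = {"broken": IOT_BROKEN, "fixed": IOT_FIXED, "invert": IOT_INVERT}[ruleset_name]
    return evaluate(pkt, FLOATING, rules)


if __name__ == "__main__":
    pkts = {   # constructed packets from an IoT host
        "IoT -> LAN SMB":        {"src": "10.20.0.50", "dst": "10.10.0.10", "dport": 445},
        "IoT -> firewall GUI":   {"src": "10.20.0.50", "dst": "10.20.0.1", "dport": 443},
        "IoT -> firewall DNS":   {"src": "10.20.0.50", "dst": "10.20.0.1", "dport": 53},
        "IoT -> internet":       {"src": "10.20.0.50", "dst": "93.184.216.34", "dport": 443},
        "IoT -> blocklisted IP": {"src": "10.20.0.50", "dst": "203.0.113.7", "dport": 443},
    }
    for name in ("broken", "fixed", "invert"):
        for label, pkt in pkts.items():
            print(f"{name:6} {label:22} -> {verdict(name, pkt)}")
```

The "broken" set passes the IoT-to-LAN packet because the permit-any rule matches first; the "fixed" set blocks it and still lets DNS to the firewall through; the "invert" set blocks it too, but note it also blocks DNS to the firewall, so an invert-match rule usually still needs explicit allows above it. In every set the floating block wins over the interface rules.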

coffeegreen

Junior Member
Joined
Aug 18, 2018
Messages
7
Reaction score
0
Any recommendations for a white box appliance? I'm looking at specs for 1Gbps IDS/IPS. So far the Taobao boxes (Topton i5-8265U) look tempting.
 

TanKianW

*MISCELLANEOUS SETTINGS*:

*(For mission critical) Setting up pfsense to auto-shut down during a power outage when connected to a UPS
Install the "apcupsd" package plugin, then go to Services -> apcupsd -> General
*I recommend connecting to an APC UPS with a USB connector. The setup should be pretty straightforward. Alternatively, you can also install the "nut" plugin for other brands of UPS that support the NUT daemon.

APC UPS settings over USB
Below are the details of the apcupsd daemon settings on pfsense over USB.


Status information for a working UPS:


Side note: You can configure the system to send you email notifications during a power failure by selecting the "php" option (if you have set it up on pfsense earlier). Test the notification setup by initiating a simulated power failure, followed by powering it back on.


*If you want the pfsense appliance to power back on after a shutdown, do configure the power settings in the BIOS. This is extremely useful for those running their personal servers at home who want the servers to automatically turn back on when power resumes after an earlier shutdown/halt.

*Create email notifications on pfsense:
Under System -> Advanced -> Notifications
*You will need to create app access in your Gmail account settings if you are using your Gmail account. Settings as below:


*Setting power savings for CPUs that support variable frequencies
Under System -> Advanced -> Miscellaneous
*I prefer setting the power plan to "Adaptive", to save power and at the same time rev the clock speed up when required. It helps to strike a balance. You can also set your CPU to enable AES-NI crypto acceleration here.



*For just-in-case screw-ups on pfsense
Setting a "SPARE" LAN
I recommend setting up a maintenance interface (if you have a spare LAN port) for the just-in-case situation where you are locked out of the web interface due to some screw-up on the primary LAN interface; you could then connect to the spare LAN network to access the interface again.

Restore back to the last auto-saved settings:
Under Services -> Auto Config Backup -> Restore.
*Do remember to set up the auto config backup!

Restore and save your config settings:
Under Diagnostics -> Backup & Restore -> Backup & Restore
 

Apparatus

High Supremacy Member
Joined
May 27, 2005
Messages
32,118
Reaction score
832

I'm looking for a hardware firewall. I had the Fortigate FG-60F in mind until I discussed it with the supplier here. It's good because it has high throughput.

However, the hardware is S$1200+ and it comes with a S$500 yearly subscription for software/upgrades, and its built-in VPN is meant for incoming only since it's an industrial product, unlike our home VPNs which handle outgoing.

Your setup of pfsense is a bit too hard for me. I would rather buy a hardware firewall which comes with pfsense, like the Netgate SG-5100. Its throughput (like the FG-60F's) impresses me. What do you think of this product? A few questions:

1) What's the price of the SG-5100 here? I think it's priced at S$1000 +/-
2) Any annual subscription for its software/firmware/upgrades?
3) Do you have a list of protection features that come with pfsense, like Antivirus, Mobile Malware, Botnet, CDR, Virus Outbreak Protection and Sandbox Cloud Service? How about antispam, web filtering, IoT protection etc.?
4) It has some sort of VPN built in. Does it behave like a consumer VPN or as a VPN for an industrial product? Can I add my own VPN like in my router?
5) I have a 1Gbps line. What is the best throughput if I enable ALL the protection features? 800 - 900 Mbps with ALL protection features enabled is required so that the hardware firewall is not a bottleneck.
6) I have an ASUS WiFi 6 router. Any issue with integrating the hardware firewall with it?

https://www.netgate.com/solutions/pfsense/sg-5100.html

7) From the picture below it seems the SG-5100 needs two (2) incoming 1 Gbps lines. Am I correct?

https://www.netgate.com/blog/choosing-the-right-netgate-appliance.html


BTW, the SG-5100 seems to have some problems, as reported below:

https://forum.netgate.com/topic/144609/poor-sg-5100-performance
 

TanKianW

(Replying to Apparatus's questions above.)

1) You will have to convert USD to SGD, plus all the courier and delivery fees. It should add up to 1k +/-. Their site is currently selling it at $699.

2) Updates are free. But if you need support (esp. for enterprise), do check here: https://www.netgate.com/resources/data-sheets/netgate-global-support.html

3) I do not recommend the common ClamAV-over-transparent-proxy setup on pfsense, after personally running it for quite a while. It is not really effective and causes more problems over time. I will recommend running some form of AV on the client side. You have quite a long list of items. I will recommend checking out Netgate's online documentation, online support and forum for your queries. You can also check out the Snort, Suricata and pfBlockerNG plugins. BTW, a firewall is only one part of the puzzle for network security.

4) Yes. It also supports OpenVPN, IPsec and L2TP. Just like most routers out there, but with more flexibility.

5) That is subject to your firewall rule tables, IPS/IDS security levels (high, medium, low), reporting logs, existing VPNs, traffic loads and simultaneous connections, etc. I will say the SG-5100 will be capable most of the time. If you want to play safe, it is good to go up one model. If you are curious, I recommend getting a spare x86 PC with 2 NICs, loading pfsense up and trying it out.

6) I think what you mean is whether it will "have" issues. I would think not, if you run your ASUS as just an AP. You should use pfsense as the first line of defense between the internet and the rest of the network/switches. Recommend turning off routing on the ASUS to prevent dual NAT. Since we are on the topic of NAT, do turn on "Pure NAT" under the System->Advanced->Firewall & NAT settings. pfsense is smart enough to identify the types of routes and route the traffic efficiently.

7) You can set up the interfaces any way you like under the Interfaces option. It is a "software" firewall; interfaces are flexible. It can use single WAN or Dual-WAN. Only if you buy the original Netgate appliance is it pre-configured for you.

8) It seems to me like a hardware problem. Any hardware is subject to failure. For a software firewall, you can also consider "Untangle".
 

bert64

Senior Member
Joined
Jan 20, 2020
Messages
544
Reaction score
73
There is a local reseller listed on the Netgate site, but their prices are very high (higher than ordering from the US and paying shipping costs) and they don't seem to have any stock, so you might have to wait for them to order one from the US anyway.

I bought a box from a Chinese company called Qotom via Lazada: 6x Intel NICs, fanless. I bought the cheapest model with a Celeron CPU and 4GB RAM, but there are i5 and i7 versions available with up to 16GB. Mine has no problem routing 1Gbps, although my ruleset isn't especially complicated. I'm not using IDS or any other features that may load it up.
It came with pfsense preinstalled, so it was only necessary to configure it and update it to the latest version.

The official Netgate one comes with a year's support, so if you are not familiar with pfsense you can contact Netgate for help configuring it.

In terms of locally, I have a managed switch and create separate VLANs for work, personal use, IoT devices and guests. The work VLAN is just straight out with no access to any of the other internal VLANs; I figure it's the company IT dept's responsibility to keep their laptop secure and I just want to isolate it away from anything of mine since it's not controlled by me.

Setting up pfsense isn't too difficult: make a bootable USB and follow the prompts. You can install it in a virtual machine if you'd like to test it and become familiar with the installation process, interface etc.
 

Apparatus

High Supremacy Member
Joined
May 27, 2005
Messages
32,118
Reaction score
832

(Quoting TanKianW's reply above.)

3) Actually, the list of protection features I mentioned is from the Fortigate FG-60F. I just want to see whether the same or more features are available in the SG-5100. Since it's using ClamAV, I doubt it has similar features to the Fortigate FG-60F. Unless you can post a picture of the GUI, then I can do the protection features comparison.

4) So I can add my own VPN config files like from ExpressVPN/VyprVPN/SurfShark VPN? If yes, that would definitely affect the throughput like in my ASUS router.

5) Yes, the settings do affect the max throughput. I was saying if I enabled ALL protection features and set them to the max, what would be my max throughput from the hardware firewall? Do the specs spell this out? There are various throughputs (taken from Fortigate FG-60F) like

NGFW throughput
Firewall throughput
IPS throughput
Threat Protection throughput
IPsec VPN throughput
SSL-VPN throughput
SSL-Inspection throughput
Application Control throughput and etc etc

Got some throughput data from below link but threat protection, SSL-VPN, SSL-Inspection throughputs etc seem missing. BTW does it come with SSL/HTTPS Inspection?

https://store.netgate.com/SG-5100.aspx

6) Corrected 'Can' to 'Any'

So I'll need to disable the NAT and VPN in my router and set in AP mode in order to integrate it with the SG-5100, right?

Also, IoT protection looks like missing which is important to me since I have many IoT devices at home.
 

Apparatus

High Supremacy Member
Joined
May 27, 2005
Messages
32,118
Reaction score
832
Re

There is a local reseller listed on the netgate site, but their prices are very high (higher than ordering from the US and paying shipping costs) and they don't seem to have any stock so you might have to wait for them to order one from the US anyway.

I bought a box from a Chinese company called Qotom via Lazada, 6x Intel NICs, fanless. I bought the cheapest model with a Celeron CPU and 4GB RAM but there are i5 and i7 versions available with up to 16GB. Mine has no problem routing 1Gbps, although my ruleset isn't especially complicated. I'm not using IDS or any other features that may load it up.
It came with pfsense preinstalled so it was only necessary to configure it and update it to the latest version.

The official Netgate one comes with a year's support, so if you are not familiar with pfsense you can contact Netgate for help configuring it.

In terms of locally, I have a managed switch and create separate VLANs for work, personal use, IoT devices and guests. The work VLAN is just straight out with no access to any of the other internal VLANs; I figure it's the company IT dept's responsibility to keep their laptop secure and I just want to isolate it away from anything of mine since it's not controlled by me.

Setting up pfsense isn't too difficult, make a bootable USB and follow the prompts. You can install it in a virtual machine if you'd like to test it and become familiar with the installation process and interface etc.

Which local company is the reseller for NetGate devices? When I checked at the below it says no Netgate reseller here.

https://www.netgate.com/partners/locator.html#asia

Can post a link to the Qotom device? Thanks
 

TanKianW

Master Member
Joined
Apr 21, 2005
Messages
3,687
Reaction score
81
3) Actually, the list of protection features I mentioned is from the Fortigate FG-60F. I just want to see whether the same or more features are available in the SG-5100. Since it's using ClamAV, I doubt it has similar features to the Fortigate FG-60F. Unless you can post a picture of the GUI, then I can do the protection features comparison.

4) So I can add my own VPN config files like from ExpressVPN/VyprVPN/SurfShark VPN? If yes, that would definitely affect the throughput like in my ASUS router.

5) Yes, the settings do affect the max throughput. I was saying if I enabled ALL protection features and set them to the max, what would be my max throughput from the hardware firewall? Do the specs spell this out? There are various throughputs (taken from Fortigate FG-60F) like

NGFW throughput
Firewall throughput
IPS throughput
Threat Protection throughput
IPsec VPN throughput
SSL-VPN throughput
SSL-Inspection throughput
Application Control throughput and etc etc

Got some throughput data from below link but threat protection, SSL-VPN, SSL-Inspection throughputs etc seem missing. BTW does it come with SSL/HTTPS Inspection?

https://store.netgate.com/SG-5100.aspx

6) Corrected 'Can' to 'Any'

So I'll need to disable the NAT and VPN in my router and set in AP mode in order to integrate it with the SG-5100, right?

Also, IoT protection looks like also missing which is important to me since I have many IoT devices at home.

3) Better to post your item list for their sales person to compare and respond to you if you are getting the appliance. Or check out their online reviews and forum on Fortigate/pfsense comparison. There should be a lot of such comparisons online.

4) If these VPNs support the different protocols (I know a few support OpenVPN), it should not have any problems.

5) Same as No.3

6) Yes. To be honest, you might want to check on what this "IOT protection" thingy is and what is under the hood. Or is it just a check box to make the user feel their IoTs are well protected, which in reality is just a default/simple blacklisted IoT DNS/IP filter list?
 

bert64

Senior Member
Joined
Jan 20, 2020
Messages
544
Reaction score
73
When I checked at the below it says no Netgate reseller here

https://www.netgate.com/partners/locator.html#asia

Can post a link to the Qotom device? Thanks

What i ordered was: https://www.lazada.sg/products/pre-installed-pfsense-opnsense-aluminum-case-fanless-intel-7th-gen-celeron-3865u-mini-pc-with-8gb-ddr4-128gb-ssd-6-x-rj45-gigabit-lan-support-aes-ni-i343902778-s776340360.html?spm=a2o42.seller.list.98.6f153d4acRt9nB&mp=1

Same seller I bought mine from, although this model comes with 8GB while mine has 4. Shipping from China wasn't too slow and I have no complaints about the device itself.

From the netgate link, there is one reseller here:

nexivity.com.sg
Singapore, Singapore, Singapore
+65 6921 7738

I think by default the Netgate page only shows resellers in Europe; you have to change it to Asia and then choose Singapore as the sub-location. That said, I wasn't terribly impressed... They have the SG-3100 on their site for 1350 USD:
https://store.nexivity.com.sg/product/netgate-sg-3100-pfsense-security-gateway-appliance/#

The same model direct from the US is 399 USD.

I'm not sure if the currency option on their site is broken, it defaults to USD and has an option to change it to SGD but it doesn't seem to do anything - the 1350 price may be USD or may be SGD? Either way it's pricey.
 

wkweksl

Member
Joined
Mar 9, 2005
Messages
383
Reaction score
0
This for slightly above SGD$400 barebones.

I got an i5-7200U from them early last year. Fanless and runs fairly cool. Build quality is good and all Intel NICs.
 

toyota

Junior Member
Joined
Aug 19, 2000
Messages
71
Reaction score
1
Thanks for the thread.

I bought a China box, fanless with 8M RAM, 128G SSD with 3865U CPU, to try out pfsense.

Longer term I want to have dual WAN.

What are you guys using for the dual WAN? Currently on SingTel and I thought I read that the ONR gives a local LAN IP address. So thinking of changing to another provider since out of contract with SingTel. Any advice?
 

TanKianW

Master Member
Joined
Apr 21, 2005
Messages
3,687
Reaction score
81
Thanks for the thread.

I bought a China box, fanless with 8M RAM, 128G SSD with 3865U CPU, to try out pfsense.

Longer term I want to have dual WAN.

What are you guys using for the dual WAN? Currently on SingTel and I thought I read that the ONR gives a local LAN IP address. So thinking of changing to another provider since out of contract with SingTel. Any advice?

I am using MR with static IP as primary WAN. Singtel with ONR bridged at host side as secondary WAN. I recommend MR with Static IP.

Both of my WANs are connected using LACP LAGG to a 10GbE switch distributing to every room's LAN points. The primary WAN channel goes to a VLAN connected to LAN PCs and secured servers. The secondary WAN channel goes to a few VLANs running CCTVs, IoT and mobile devices.
 

bert64

Senior Member
Joined
Jan 20, 2020
Messages
544
Reaction score
73
Thanks for the thread.

I bought a China box, fanless with 8M RAM, 128G SSD with 3865U CPU, to try out pfsense.

Longer term I want to have dual WAN.

What are you guys using for the dual WAN? Currently on SingTel and I thought I read that the ONR gives a local LAN IP address. So thinking of changing to another provider since out of contract with SingTel. Any advice?

By default Singtel will put you behind their ONR, so using pfsense with this setup would give you double NAT and no IPv6. You can get them to put the ONR in bridged mode, or on some models you can do this yourself. It can be quite a pain getting hold of someone to make that change for you.

Personally I've not used dual WAN with pfsense in Singapore, although I have configured dual and triple WAN connectivity in other countries. You can have failover or load balancing, although if you have 2x 1Gbps connections going into the firewall you'll need something faster (port bonding can work) for the inside if you want to make use of >1Gbps.

When I set up multiple WAN links on pfsense, we had unreliable and slow ADSL links which were all <10Mbps, so a single internal 100Mbps port was more than sufficient.

IPv6 dual WAN will work a little differently; you have two choices: either prefix translation to make it work more like legacy IP, or you can actually announce multiple address blocks to the LAN side (and you could use multiple firewalls to do it so you have failover in case one dies). With the latter config, the client device sees 2 routes and gets to choose which to use rather than the firewall.
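The failover versus load-balancing distinction above, and the primary/secondary WAN split TanKianW describes earlier in the thread, both come down to how pfsense picks a gateway for each new connection from a gateway group. The following is an added example written for this thread, not pfsense code: it models the documented tier semantics (members on the same tier share new connections; a lower tier is used only when every member of the higher tier is marked down). The latency and loss thresholds and the WAN names are constructed for the demo and are not pfsense's defaults.

```python
"""Tiered gateway-group selection in the style of pfSense multi-WAN.

Added example, not pfSense code.  Members of a gateway group get a tier
(1 = most preferred); members on the same tier share new connections
(load balancing); a lower-priority tier is used only when every member of
the higher tier is marked down (failover).  Thresholds are constructed.
"""
from dataclasses import dataclass

LATENCY_DOWN_MS = 500.0   # assumed "mark down" latency threshold (not pfSense's default)
LOSS_DOWN_PCT = 20.0      # assumed "mark down" packet-loss threshold (not pfSense's default)


@dataclass
class Gateway:
    name: str
    tier: int            # 1 is most preferred
    latency_ms: float    # latest monitor result (pfSense gets this from its gateway monitor)
    loss_pct: float
    down: bool = False   # link or administratively down


def is_online(gw: Gateway) -> bool:
    """A member is usable only if the monitor has not tripped any threshold."""
    return (not gw.down
            and gw.latency_ms < LATENCY_DOWN_MS
            and gw.loss_pct < LOSS_DOWN_PCT)


def active_tier(members):
    """Online members of the best (lowest-numbered) tier that has any online member."""
    online = [g for g in members if is_online(g)]
    if not online:
        return []
    best = min(g.tier for g in online)
    return [g for g in online if g.tier == best]


class GatewayGroup:
    def __init__(self, members):
        self.members = list(members)
        self._rr = 0     # round-robin position for new connections

    def pick(self):
        """Gateway for a NEW connection; existing states are not re-routed here."""
        tier = active_tier(self.members)
        if not tier:
            return None  # every WAN failed: nothing to route to
        gw = tier[self._rr % len(tier)]
        self._rr += 1
        return gw.name


def demo_failover():
    """Tier 1 primary, tier 2 backup: traffic moves only when the primary trips a threshold."""
    primary = Gateway("WAN1_MR_STATIC", tier=1, latency_ms=4.0, loss_pct=0.0)
    backup = Gateway("WAN2_SINGTEL", tier=2, latency_ms=7.0, loss_pct=0.0)
    group = GatewayGroup([primary, backup])
    picks = [group.pick(), group.pick()]
    primary.loss_pct = 35.0    # constructed: monitor reports heavy loss on WAN1
    picks.append(group.pick())
    primary.loss_pct = 0.0     # WAN1 recovers; new connections go back to it
    picks.append(group.pick())
    return picks


def demo_load_balance():
    """Both WANs on tier 1: new connections alternate; a failed member is skipped."""
    a = Gateway("WAN1", tier=1, latency_ms=4.0, loss_pct=0.0)
    b = Gateway("WAN2", tier=1, latency_ms=9.0, loss_pct=0.0)
    group = GatewayGroup([a, b])
    picks = [group.pick() for _ in range(4)]
    a.down = True              # constructed: WAN1 link drops
    picks += [group.pick() for _ in range(2)]
    return picks


if __name__ == "__main__":
    print(demo_failover())      # ['WAN1_MR_STATIC', 'WAN1_MR_STATIC', 'WAN2_SINGTEL', 'WAN1_MR_STATIC']
    print(demo_load_balance())  # ['WAN1', 'WAN2', 'WAN1', 'WAN2', 'WAN2', 'WAN2']
```

The model makes one point that matters for a home dual-WAN: a failover group only moves new connections, so a stale state on the dead WAN persists until it times out or is killed, which is why monitoring thresholds and what happens to existing states deserve as much attention as the tiers themselves.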
 

TanKianW

Master Member
Joined
Apr 21, 2005
Messages
3,687
Reaction score
81
Updated Post 4 on the set up of pfblockerNG, and comparison with Pi-Hole.

*It is not necessary to run BOTH! pfsense is the more convenient way of running a sinkhole and DNS/IP filter.

Running a Sinkhole, DNS and IP filter using pfsense's pfblockerNG plugin:

Setting up the latest pfblockerNG:
https://www.youtube.com/watch?v=xizAeAqYde4

Setting up GeoIP through Maxmind:
https://www.youtube.com/watch?v=4LADrjmf_rA

Difference between pfblocker and Pi-Hole:
https://www.youtube.com/watch?v=6wToQrcvkF8&t=94s

Dashboard showing pfblocker in action:
[screenshot]

GeoIP blocking using registered Maxmind account:
[screenshot]

Default blacklist category. Especially useful to parents who want to prevent kids visiting restricted web content:
[screenshot]

DNS block list and feeds:
[screenshot]
[screenshot]
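What a DNS sinkhole and IP filter actually do, in code: the block below is an added example written for this thread, not pfblockerNG or pfsense code. It parses constructed sample feeds in the two common shapes (hosts-style "ip domain" lines and one domain per line, plus a CIDR list for the IP/GeoIP side), resolves a queried name so that a listed zone also covers everything beneath it, and lets a whitelist entry override a block. The sinkhole address `SINKHOLE_VIP` and all feed contents are assumptions for the demo.

```python
"""DNS sinkhole and IP-list check in the style of pfBlockerNG's DNSBL/IP features.

Added example, not pfBlockerNG or pfSense code.  The feeds are constructed
for the demo; SINKHOLE_VIP is an assumption (any unused local address works).
A listed domain, and every name beneath it, resolves to the sinkhole address,
so the blocked site simply fails to load.
"""
import ipaddress

SINKHOLE_VIP = "10.10.10.1"   # assumed sinkhole address

# Constructed sample feeds.  DNSBL feeds come in "hosts" format ("<ip> <domain>")
# or one domain per line; IP feeds list addresses or CIDR blocks.
SAMPLE_DNS_FEED = """\
# constructed DNSBL feed
0.0.0.0 ads.example-tracker.test
127.0.0.1 malware-c2.example.test   # inline comment
telemetry.example.test
0.0.0.0 localhost
"""

SAMPLE_IP_FEED = """\
# constructed IP feed (for example a GeoIP country block or a threat list)
203.0.113.0/24
198.51.100.7
"""

HOSTS_NOISE = {"localhost", "localhost.localdomain", "broadcasthost", "local"}


def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_dns_feed(text):
    """Set of listed domains, normalised to lower case without a trailing dot."""
    domains = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        name = parts[1] if len(parts) >= 2 and _is_ip(parts[0]) else parts[0]
        name = name.lower().rstrip(".")
        if name in HOSTS_NOISE:
            continue   # hosts-file boilerplate that must never be sinkholed
        domains.add(name)
    return domains


def parse_ip_feed(text):
    """Listed networks; single addresses become /32 or /128."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def resolve(qname, blocklist, whitelist=frozenset()):
    """Return (answer, reason).  Walks from the full name up to the TLD so a
    listed zone also covers its subdomains; the most specific match wins,
    so a whitelist entry below a blocked zone unblocks just that name."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:])
        if zone in whitelist:
            return None, f"whitelisted by {zone}"
        if zone in blocklist:
            return SINKHOLE_VIP, f"blocked by {zone}"
    return None, "not listed"


def ip_blocked(ip, nets):
    """True if the address falls inside any listed network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


if __name__ == "__main__":
    bl = parse_dns_feed(SAMPLE_DNS_FEED)
    nets = parse_ip_feed(SAMPLE_IP_FEED)
    for q in ("cdn.ads.example-tracker.test", "www.example.test", "telemetry.example.test."):
        print(q, resolve(q, bl))
    print(ip_blocked("203.0.113.45", nets), ip_blocked("198.51.100.8", nets))
```

Two details in the parser are where home setups usually go wrong: feeds in hosts format carry `localhost` lines that must be dropped rather than sinkholed, and matching has to walk up the label tree, otherwise `cdn.ads.example-tracker.test` slips past a list that only names `ads.example-tracker.test`.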
 

xiaofan

Supremacy Member
Joined
Sep 16, 2018
Messages
9,840
Reaction score
138
Thanks for the thread.

I bought a China box, fanless with 8M RAM, 128G SSD with 3865U CPU, to try out pfsense.

Longer term I want to have dual WAN.

What are you guys using for the dual WAN? Currently on SingTel and I thought I read that the ONR gives a local LAN IP address. So thinking of changing to another provider since out of contract with SingTel. Any advice?

Basically if you want redundancy, better avoid the following two.

SingTel ONR -- but you can request to bridge the ONR.

MyRepublic: CGNAT, but you can pay S$50 to get Static IP as the workaround.

But with the above two, you will not have IPv6 if you care for IPv6. I do not care about IPv6 myself based on my testing using Singtel ONT (6rd IPv6 implementation, not dual stack, performance is worse than IPv4).

You can choose all other ISPs. I will actually recommend M1 (relatively stable) and Viewquest (high performance but less stable). But if you do not care for IPv6, then MyRepublic with Static IP is also with good performance (close to Viewquest).
 