Starting pfsense for New Users

TanKianW

Interestingly, Opn is going with Dnsmasq instead of KEA. It switched to KEA with v.24.1 and then moved away again with v.25.7.

I was resisting the move to KEA because it was feature incomplete. Now I'm not sure about Dnsmasq.


I just go with what ISC (Internet Systems Consortium) recommends. Ars Technica has a few good articles on Kea DHCP worth checking out.

If you are building a homelab, I guess it is fine either way since nothing is breaking or mission critical.
 

firesong

I just go with what ISC (Internet Systems Consortium) recommends. Ars Technica has a few good articles on Kea DHCP worth checking out.

If you are building a homelab, I guess it is fine either way since nothing is breaking or mission critical.
I did read the Opn documentation and noted that they did state Kea is better for larger-scale deployments, so it appears Opn is targeting the homelab market more?

Just shared cos it seems like another fork here in the approach to DHCP.
 

morimorimori

KEA is still half-baked. Dnsmasq is the Opn-recommended option for small networks now.

I've gone back to ISC till they sort things out. It's not like it's full of holes and going to fall over and die immediately.
 

xiaofan

The new broadband plans are mostly 3 / 5 / 10 GB. My current pfSense box only supports up to a 1 GB port.

I am wondering how folks here deal with this? Get a lower broadband plan? Or upgrade my pfSense box?

I am happy with my current pfSense: IP6 configured, accelerator for my gaming working well. If I need to upgrade, I think I may just go with the Omada VPN gateway product.

Any thoughts / comments?

One cheap alternative is to upgrade to the 3Gbps plan and then use a mini PC with an Intel N100 CPU and quad 2.5G NICs for your pfSense upgrade. I used one such mini PC (running virtualized OpenWRT or pfSense or OPNsense) for my previous SingTel 1Gbps plan with ONT.

Mini PCs with dual 10G SFP+ ports and dual/quad 2.5G NICs are also reasonably priced (Intel N100 CPU or better). I am using one such mini PC (Intel N100 CPU, virtualized OpenWRT, not using pfSense/OPNsense now, less than S$300 in the 8GB/256GB configuration) for my SingTel 5Gbps plan (bridged ONR). If you run bare metal, the Intel N100 is actually okay for 10Gbps routing, but a better CPU may be desired.

But if you want to go to the Omada ecosystem, that is a fine solution.
 

TanKianW

KEA is still half-baked. Dnsmasq is the Opn-recommended option for small networks now.

I've gone back to ISC till they sort things out. It's not like it's full of holes and going to fall over and die immediately.

I will not call it half-baked, more like a transition phase. If it were "half-baked" it would not be recommended by ISC, the consortium behind the very existence of your internet. Unless there are specific use cases you need from ISC (DHCP) which are not present in KEA, which I "very" doubt home users will even need.

Since ISC DHCP has been deprecated, largely due to the source code being pretty "messy" and tedious to maintain, it is unlikely to be "forked", as proven by the numerous lackluster attempts by developers. I will recommend making the jump when the time is right for you. I switched to KEA last year, before the update, and have been running it on enterprise systems since. And to be honest, not as much drama as most thought.

Just to be clear, it is fine to continue using ISC DHCP, but with the understanding that it will not have new features or development moving forward. From my experience, the longer the transition takes/drags, the harder it is going to get moving forward. At the moment, it has been a "check the checkbox" transition for me.

I will not comment on the "OPN recommended option" since it is just a matter of choice/direction between firewall platforms. There is no perfect solution, only the solution right for your use case.
 

TanKianW

The new broadband plans are mostly 3 / 5 / 10 GB. My current pfSense box only supports up to a 1 GB port.

I am wondering how folks here deal with this? Get a lower broadband plan? Or upgrade my pfSense box?

I am happy with my current pfSense: IP6 configured, accelerator for my gaming working well. If I need to upgrade, I think I may just go with the Omada VPN gateway product.

Any thoughts / comments?

Upgrade the box if it does not support a NIC upgrade.

If you are a basic pfSense firewall user, I find the Unifi gateway a better upgrade option over Omada.
 

xiaofan

There were past reports of Starhub IPv6 problems with pfSense, which may well affect OPNsense as well.

The following post in the IPv6 thread may be a useful reference for pfSense users, even though it is talking about OPNsense.

As of now, the best ISP for IPv6 may actually be ViewQuest, which gives a free static /56 IPv6 to VQ users upon request.

M1 and Starhub give only a /64.

SingTel is rolling out native IPv6 as well and it is supposed to be a /56. But somehow I could not really use more than a /64, which may be related to the SingTel ONR.

Just sharing my experience; I have dual-stacked my home previously, except for Wireguard until now.
Below are some of the backstories, the problems faced and the steps to overcome them. The solution might be janky, but it works for me now.

ISP: Starhub 5Gbps Plan
Router OS: OPNSense 25.1.8_1 (Running on Taobao N100 Mini PC bought 2 years back)

Write Up #1: Recently lost "IPv6" after dual-stacking my Wireguard. IPv6 was working fine whenever I checked it, until recently.
Block private networks: Checked
Block bogon networks: Unchecked
IPv6 Configuration Type: DHCPv6
Prefix delegation size: 64
Request prefix only: Unchecked
Send prefix hint: Unchecked

With these settings it is supposed to be working, but no matter what, I am not able to get an IPv6 address.
Have restarted router and modem multiple times.
So I did a packet inspection on WAN:
I did see Solicit, Advertise and Request... but no Reply from Starhub issuing me an IPv6 address.
So I thought Starhub was down and waited another day, but nothing changed, still no IPv6.

Afterwards I tried generating a MAC address and setting it on my WAN interface. Voila, it works, I am getting an IPv6 address. Problem solved.
Next, I tried removing the custom MAC address and I lost the IPv6 again. Then I generated another MAC address; this time it didn't work anymore until I went back to the first MAC address I had generated previously.
For now, I am leaving it this way. Leaving this here so that it might help someone, as well as to see if anyone has insight on this.


Write Up #2: Wireguard with IPv6
Backstory
Since setting it up as dual-stack last year, I have the following:
LAN Interface:
IPv6 Configuration Type: Track Interface
Parent Interface: WAN
Assign prefix ID: 0
Manual Configuration: [Checked] Allow manual adjustment of DHCPv6 and Router Advertisements

In Router Advertisements:
Router Advertisements: Stateless
Router Priority: Normal
Source Address: Automatic
DNS options:
Use the DNS configuration of the DHCPv6 server: Unchecked
Do not send any DNS configuration to clients: Unchecked

With this, IPv6 is working perfectly as it should; I am able to browse public IPv6.
However, I did realise that if I set my DNS to the GUA IPv6 address of my Pi-hole, it will fail once I get a new prefix from Starhub. So I looked into ULA, and gave myself a ULA by adding it in Interfaces/Virtual IPs:
Will explain later why I didn't use the link-local fe80 IP address.

Mode: IP Alias
Interface: LAN
Network / Address: [My generated LAN IPv6 ULA prefix]

Now with this, all of my devices will get a 'Local' IPv6 address. With ULA, my local IPv6 is fixed. Locally my IPv6 is working as it should.

Dual-Stacking Wireguard but... no public IPv6 access
1. Generate another ULA network address for my Wireguard
2. Everything works as it is, including DNS over IPv6. I realised I can't use the fe80 IP address to connect to my DNS server back home, because fe80 is link-local and doesn't support routing. Thus, the ULA address I set up previously comes into play.

Now the issue is, without a globally routed IPv6, I am not able to surf public IPv6.
So I am left with two choices. (Don't flame me for using NAT in IPv6; it's more like an experiment that I want to try, but also I am left with no other choice.)

NAT-ing my Wireguard IPv6 Stateful vs Stateless
1. NAT66, so all my outgoing Wireguard traffic to the public will use my WAN interface IPv6. This is tested to be working, but I decided not to use it since it is stateful.
2. NPTv6, which basically rewrites the prefix of my Wireguard ULA to my WAN IPv6 prefix.

NPTv6 rewriting the wrong address
Under Firewall > NAT > NPTv6, add a rule:
Interface: WAN
Internal IPv6 Prefix (source): [Internal Wireguard IPv6 Prefix]
External IPv6 Prefix: [Leave it empty] (Since my public IPv6 prefix is dynamic, the idea of leaving it empty is so that it will grab my global IPv6 prefix.)
Track Interface: LAN

When I got to here... NPTv6 is working but no IPv6 public internet. Upon checking my logs...
NPTv6 has replaced my Wireguard IPv6 with the LAN IPv6 prefix that I had created earlier.

But if I remove my Virtual IP temporarily, then add back my LAN ULA in Virtual IP, my Wireguard is able to surf IPv6 publicly.
However, I feel this will not solve the problem; once I reboot, I am afraid NPTv6 will pick my LAN prefix again.

Updating NPTv6 with Monit and Custom Script
Have to make use of Monit, the OPNsense API and some custom scripts to update the NPTv6 settings.
Two scripts are needed (at the bottom of this post):
1. check_ipv6_prefix.sh
2. update_nptv6.sh

In Services > Monit > Settings > Service Tests Settings (Add New):
Name: WAN_IPv6_Changes
Condition: status != 0
Action: Start

In Services > Monit > Settings > Service Settings (Add New):
Enable service checks: Ticked
Name: wan_ipv6_prefix_check
Type: Custom
Path: /path/to/check_ipv6_prefix.sh
Start: /path/to/update_nptv6.sh
Test: WAN_IPv6_Changes (The Service Test Created Earlier)

If only Starhub gave us a prefix larger than /64
As of now this is the best I could think of to overcome this. It's janky, but it works for me for now. Do let me know if you have another solution. It would be good if Starhub didn't just assign a /64 IPv6 to us... then I could assign another IP range to another dummy interface and track that instead, without conflicting with my local ULA.

Scripts
Do review them before using; not going to lie, I made them up with the help of ChatGPT.

check_ipv6_prefix.sh
https://pastebin.com/PJWg5aR9

update_nptv6.sh
https://pastebin.com/Scf88Ftp
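For the Monit "Custom" check in the post above, here is an added example of what check_ipv6_prefix.sh can look like. It is my own script, not the poster's pastebin script and not part of OPNsense: it prints the /64 prefix of the WAN interface's global IPv6 address, compares it with the value recorded on the previous run, and exits non-zero when it changed, which is exactly the "status != 0" condition that makes Monit fire the Start action. The WAN interface name igb0, the state file path and the script file name are assumptions; the ifconfig output in the comments is constructed.

```shell
#!/bin/sh
# Added example for the Monit "Custom" check described in the post. Not the poster's
# pastebin script; a hand-written equivalent that exits non-zero (Monit: status != 0)
# when the WAN interface's global IPv6 /64 prefix differs from the one seen last time.
# Assumptions (hypothetical, adjust for your box): WAN interface "igb0", the state file path.
WAN_IF="${WAN_IF:-igb0}"
STATE_FILE="${STATE_FILE:-/var/db/wan_ipv6_prefix.last}"

# Print the /64 prefix of the first global-unicast (2000::/3) inet6 address found in
# ifconfig-style output on stdin. Link-local fe80::, ULA fd00::, temporary (privacy)
# and deprecated addresses are skipped because they are not the prefix NPTv6 should use.
extract_gua_prefix() {
    awk '
    # Expand a possibly "::"-compressed address and return its first four hextets as a /64.
    function prefix64(addr,    parts, np, L, nL, R, nR, full, n, i, z) {
        sub(/%.*$/, "", addr)                      # drop a %scope suffix (fe80::1%igb0)
        np = split(addr, parts, "::")
        nL = split(parts[1], L, ":")
        nR = (np > 1) ? split(parts[2], R, ":") : 0
        n = 0
        for (i = 1; i <= nL; i++) full[++n] = L[i]
        for (z = 8 - nL - nR; z > 0; z--) full[++n] = "0"   # zeros hidden by "::"
        for (i = 1; i <= nR; i++) full[++n] = R[i]
        return tolower(full[1] ":" full[2] ":" full[3] ":" full[4] "::/64")
    }
    $1 == "inet6" && $2 ~ /^[23][0-9a-fA-F]*:/ && $0 !~ /temporary|deprecated/ {
        print prefix64($2); exit
    }'
}

# Compare $1 (current prefix) with the prefix stored in file $2. Return 0 when it changed
# (and record the new value), 1 when it is unchanged.
prefix_changed() {
    old=""
    [ -f "$2" ] && old=$(cat "$2")
    if [ "$1" != "$old" ]; then
        printf '%s\n' "$1" > "$2"
        return 0
    fi
    return 1
}

main() {
    cur=$(ifconfig "$WAN_IF" 2>/dev/null | extract_gua_prefix)
    if [ -z "$cur" ]; then
        echo "no global IPv6 address on $WAN_IF" >&2
        exit 2                                   # also non-zero, so Monit will react
    fi
    if prefix_changed "$cur" "$STATE_FILE"; then
        echo "WAN IPv6 prefix changed to $cur"
        exit 1                                   # status != 0 -> Monit runs the Start action
    fi
    exit 0
}

# Only run the check when invoked under this file name, so the functions can also be sourced.
case "${0##*/}" in check_ipv6_prefix.sh) main ;; esac
```

Install it at the path given in the Monit Service Settings and make it executable; on the first run it records the current prefix and exits 1, so the update script runs once immediately, and after that it only fires when the prefix actually moves. Exiting 2 when no global address is present at all means a WAN outage also triggers the update action, which you may or may not want; change that exit to 0 if you only want prefix changes to count.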
 

xiaofan

Upgraded a virtual pfSense CE 2.7.2 installation to CE 2.8.0 and it seems to work fine, under Proxmox PVE 8.

I was already using KEA DHCP in CE 2.7.2 with no issues for my simple use case (basic pfSense installation plus pfBlockerNG-devel). This is a secondary router for my home network.

Main home network (5Gbps) is still running OpenWRT 23.05 (under Proxmox PVE 8).

For the secondary home network (1Gbps), I will switch between OpenWRT 24.10 and pfSense CE 2.8.0 (and maybe also OPNsense). All are running as virtual machine under Proxmox PVE 8.
 

xiaofan

As of now, not doing much with pfSense.

1) Singtel native IPv6 is working
2) pfBlockerNG-devel is working
3) Duck DNS DDNS service is working.

Next step: kind of similar to what I do with OpenWRT.
1) Wireguard VPN server
2) Tailscale
 

xiaofan

Wireguard up and running now. I need to understand the NAT rules better later.

1. A few notes.

1) You do not need to add a Wireguard interface now. pfSense (2.7/2.8) now automatically creates a Wireguard interface group. [Same for Tailscale.]

[screenshot]


2) The NAT rule is important, as mentioned in the Lawrence Systems video. If the rule is not there, Wireguard peers cannot access the internet.

[screenshot]


3) pfSense automatically adds the following Unbound DNS Resolver ACL rule; if you change something in the configuration, that rule may not get automatically updated. This may cause DNS-related issues.

In my case, I changed the Wireguard network from 10.0.5.0/24 to 10.0.8.0/24 and this caused problems. Usually you do not change this, so you may not notice the issue. Initially I worked around the issue by adding other DNS servers to the Wireguard peer configuration. Later I was able to fix the issue by looking at the Unbound DNS Resolver settings.

[screenshot]


[screenshot]


2. The video tutorials mentioned in Post #2 (Page 1) and Post #625 (Page 32) are still very useful, for example for the firewall rules and the outbound NAT rule.


3. The following tutorial may be a bit more up-to-date for new users. But it does not talk about the Outbound NAT rule mentioned above.


4. I have not yet learned how to do the following:
Build a Secure Site-to-Site VPN with Pfsense & WireGuard
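The two things the post above says are easy to get wrong after changing the WireGuard tunnel network are the outbound NAT rule and the Unbound ACL entry. As an added example (my own script, not from the thread and not something pfSense ships), here is a read-only check that confirms both still reference the current tunnel network. The tunnel network 10.0.8.0/24 comes from the post; the Unbound ACL file path /var/unbound/access_lists.conf and the script file name are assumptions, and the sample pfctl and ACL text in the test is constructed.

```shell
#!/bin/sh
# Added example, not from the thread and not part of pfSense: a read-only check that the
# two pieces of plumbing the post points at both reference the current WireGuard tunnel
# network: the outbound NAT rule loaded in pf, and the Unbound DNS Resolver ACL entry.
# Assumptions (hypothetical): the tunnel network below and the path of the Unbound ACL
# file that pfSense generates; both are parameters so they can be overridden.
WG_NET="${WG_NET:-10.0.8.0/24}"
UNBOUND_ACL="${UNBOUND_ACL:-/var/unbound/access_lists.conf}"

# Exit 0 if `pfctl -sn` output on stdin contains an active "nat on ..." rule whose
# source is exactly $1. Exact field comparison avoids 10.0.8.0/24 matching 10.0.8.0/25.
nat_rule_present() {
    awk -v net="$1" '
        $1 == "nat" && $2 == "on" {
            for (i = 1; i < NF; i++) if ($i == "from" && $(i + 1) == net) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Exit 0 if the Unbound ACL text on stdin allows queries from $1
# ("access-control: <net> allow" or "allow_snoop").
unbound_acl_allows() {
    awk -v net="$1" '
        $1 == "access-control:" && $2 == net && ($3 == "allow" || $3 == "allow_snoop") { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Run both checks on the live box; exit non-zero if either piece is stale.
check_wireguard_plumbing() {
    rc=0
    if pfctl -sn 2>/dev/null | nat_rule_present "$WG_NET"; then
        echo "OK      outbound NAT rule for $WG_NET is loaded"
    else
        echo "MISSING outbound NAT rule for $WG_NET (peers get no internet)"
        rc=1
    fi
    if [ -r "$UNBOUND_ACL" ] && unbound_acl_allows "$WG_NET" < "$UNBOUND_ACL"; then
        echo "OK      Unbound ACL allows $WG_NET"
    else
        echo "MISSING Unbound ACL for $WG_NET (peers using the firewall for DNS get refused)"
        rc=1
    fi
    return $rc
}

# Only run when invoked under this file name, so the functions can also be sourced.
case "${0##*/}" in check_wg_plumbing.sh) check_wireguard_plumbing ;; esac
```

Run it as root on the firewall right after changing the tunnel network (WG_NET=10.0.8.0/24 sh check_wg_plumbing.sh). A stale ACL shows up as an "allow" line for the old 10.0.5.0/24 network and no line for the new one, which is the situation the post describes: the firewall answers DNS for peers in the old network only, so peers in the new network see their queries refused until the ACL is regenerated or fixed by hand in the DNS Resolver settings.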
 

xiaofan

Tailscale -- using Subnet Routes
https://tailscale.com/kb/1019/subnets
https://openwrt.org/docs/guide-user/services/vpn/tailscale/start

pfSense Tailscale Setting
n3BzLhB.png


From OpenWRT (Network 1) -- need to use the CLI, no nice GUI.

Bash:
root@OpenWrt:~# tailscale down
Tailscale was already stopped.

root@OpenWrt:~# tailscale up --advertise-routes=192.168.18.0/24 --accept-routes
Error: changing settings via 'tailscale up' requires mentioning all
non-default flags. To proceed, either re-run your command with --reset or
use the command below to explicitly mention the current value of
all non-default settings:

        tailscale up --accept-routes --advertise-routes=192.168.18.0/24 --advertise-exit-node

root@OpenWrt:~# tailscale up --advertise-routes=192.168.18.0/24 --accept-routes --reset

root@OpenWrt:~# ping -c 4 192.168.88.1
PING 192.168.88.1 (192.168.88.1): 56 data bytes
64 bytes from 192.168.88.1: seq=0 ttl=64 time=5.473 ms
64 bytes from 192.168.88.1: seq=1 ttl=64 time=5.928 ms
64 bytes from 192.168.88.1: seq=2 ttl=64 time=5.361 ms
64 bytes from 192.168.88.1: seq=3 ttl=64 time=6.089 ms

--- 192.168.88.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 5.361/5.712/6.089 ms

From pfSense (Network 2)
Bash:
[2.8.0-RELEASE][root@pfSensen100new.home.arpa]/root: ping -c 4 192.168.18.1
PING 192.168.18.1 (192.168.18.1): 56 data bytes
64 bytes from 192.168.18.1: icmp_seq=0 ttl=64 time=1.856 ms
64 bytes from 192.168.18.1: icmp_seq=1 ttl=64 time=1.964 ms
64 bytes from 192.168.18.1: icmp_seq=2 ttl=64 time=2.173 ms
64 bytes from 192.168.18.1: icmp_seq=3 ttl=64 time=1.948 ms

--- 192.168.18.1 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 1.856/1.985/2.173/0.116 ms

From Windows Tailscale client (Network 2) -- not so sure why the ping is so high.
Bash:
PS C:\work> ping 192.168.18.1

Pinging 192.168.18.1 with 32 bytes of data:
Reply from 192.168.18.1: bytes=32 time=164ms TTL=64
Reply from 192.168.18.1: bytes=32 time=167ms TTL=64
Reply from 192.168.18.1: bytes=32 time=167ms TTL=64
Reply from 192.168.18.1: bytes=32 time=171ms TTL=64

Ping statistics for 192.168.18.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 164ms, Maximum = 171ms, Average = 167ms

From Windows Tailscale client (Network 1)

Bash:
PS C:\work> ping 192.168.88.1

Pinging 192.168.88.1 with 32 bytes of data:
Reply from 192.168.88.1: bytes=32 time=10ms TTL=64
Reply from 192.168.88.1: bytes=32 time=12ms TTL=64
Reply from 192.168.88.1: bytes=32 time=9ms TTL=64
Reply from 192.168.88.1: bytes=32 time=9ms TTL=64

Ping statistics for 192.168.88.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 9ms, Maximum = 12ms, Average = 10ms
 

Trans-Am

Hi, need y'all's opinion.

The next broadband plan I will be using will be at least 3G, and I was thinking if I should try this, as I am totally new / a noob to this scene.

1) For someone with 0 knowledge on this, should I use this or use those "branded" routers?

2) My plan is to have VLANs and a guest network, and below is some of the equipment I had chosen (feel free to suggest):

Router: miniroute N100 (how much RAM & space do I need?)

Switch: ? (need to have at least 2 SFP+ ports; if possible the remaining ports will be 5G, if not at least 2.5G; and lastly at least 1 PoE++ port. I think 8 ports in total will be more than enough for me)

AP: ? (do recommend one using PoE; I only need 1 AP, no mesh required)

Budget: I'm not sure, 1.2k?
If the equipment can be cheaper, that will be great.

TIA


Sent from A universe Where pink PWNED everything
 

TanKianW

1) For someone with 0 knowledge on this, should I use this or use those "branded" routers?

That is totally up to you. Before thinking/asking whether you should, maybe you should ask yourself whether you want to and are willing to learn from scratch (mainly on your own), if you have (past) zero understanding of networking. I have seen some who asked about whether they should spin it up, tried it themselves, found it too much for them and gave up. In the end, they just stuck to consumer-branded routers.


Router: miniroute N100 (how much RAM & space do I need?)

Switch: ? (need to have at least 2 SFP+ ports; if possible the remaining ports will be 5G, if not at least 2.5G; and lastly at least 1 PoE++ port. I think 8 ports in total will be more than enough for me)

AP: ? (do recommend one using PoE; I only need 1 AP, no mesh required)

Budget: I'm not sure, 1.2k?
If the equipment can be cheaper, that will be great.

TIA


Sent from A universe Where pink PWNED everything

Router: I suggest at least 16GB. Not because pfSense needs 16GB, more that you can do more with 16GB. Who knows, a few months down the road, you will be spinning up your own Proxmox hypervisor.

Switch: You can look around the forum threads here and find one that best suits your use case and budget. If you need VLANs, you should go with a "managed switch".

AP (if you meant those saucer-like kinds of APs): These will be PoE powered, which requires a PoE switch. If you are new to all these advanced networking appliances, you may want to take a look at Unifi's offering, or TP-Link Omada as the cheaper alternative. Try not to mix and match if you are starting out, unless you have ample time on hand to test them out.
 

TanKianW

pfSense Plus Finally Gets Centralized Management - NEXUS

Obviously, this is not targeting home lab users but enterprise users who require remote monitoring and management of multiple pfSense+ appliances. Though this came a bit late, better late than never. Do note that this service requires a subscription of 39 USD per year, per appliance.

 