Starting pfsense for New Users

Mach3.2
Great Supremacy Member | Joined Apr 8, 2011 | Messages 71,499 | Reaction score 1,436
Interesting to know that. Unifi APs and switches seem to be highly recommended by Lawrence of the Lawrence Systems YouTube channel. He does not care much for routers from Ubiquiti though.

Haha, so you are the more advanced users. I am just a beginner who is only starting to look beyond the typical consumer-grade Linksys, TP-Link and Asus stuff.

To me, my Asus RT-AX82U seems pretty good for my simple use cases with the help of Pi-hole. Still, to look deeper inside, I can ssh into the Asus box and explore what is in there, but I cannot do much to change its behaviour. Installing Merlin and Entware may let me do more, but the CPU is still a limiting factor.

pfSense seems pretty good and opens up much more for me to explore. I am not into prosumer or enterprise APs though, since existing routers like the Asus RT-AX82U AX5400 and Huawei AX3 Pro AX3000 are good enough as APs. Even the free SingTel Mesh Router AC1900 is a decent AP to use with pfSense, since it is just plug and play (it automatically runs in AP mode when connected to another router).

I'm not really that advanced, I just like to experiment.

Segmenting networks with VLANs sounds really good, but the **** part comes when something breaks and you're not around to fix it. I'm at the point where if you pull my pfSense box and put in an all-in-one router, nothing would work. :s13:


The age old mantra of keeping things simple holds true, no point complicating your home network unnecessarily. :o
 

xiaofan
Arch-Supremacy Member | Joined Sep 16, 2018 | Messages 18,107 | Reaction score 2,878
I'm not really that advanced, I just like to experiment.

Segmenting networks with VLANs sounds really good, but the **** part comes when something breaks and you're not around to fix it. I'm at the point where if you pull my pfSense box and put in an all-in-one router, nothing would work. :s13:

The age old mantra of keeping things simple holds true, no point complicating your home network unnecessarily. :o

Haha, right now I have two routers with the help of a TP-Link TL-SG105E.
1) Asus RT-AX82U
2) pfSense + SingTel Mesh Router as AP

If one of them is down, the other will still work for the family members.

I kind of like the two-router solution to have a bit of redundancy at home.
 

TanKianW
Supremacy Member | Joined Apr 21, 2005 | Messages 5,905 | Reaction score 2,220
Layer 3 Switch Routing


For the interest group. Tom explains it clearly.
 

TanKianW
Supremacy Member | Joined Apr 21, 2005 | Messages 5,905 | Reaction score 2,220
Mobile cellular WAN as "last resort" failover:

For those who really need more redundancy and want to set up a dual or triple WAN on pfSense, for example 2x fibre ISP and 1x mobile 4G network as the last failover, you can do so with pfSense. It is common for some production appliances to use a mobile cellular network as the last line of failover. This also allows the admin to remotely access/control the firewall when the main network is down.

This could be useful when your main ISP is down and your network fails over to a mobile network under the same ISP (usually paid for by the ISP because of the downtime), e.g. M1 fibre is down and you fail over to the M1 mobile network.

If you are interested in setting up a mobile cellular network as a failover, do ensure that your 3G/4G modem is listed in the official pfSense list of supported modems.

Supported list here:
https://docs.netgate.com/pfsense/en/latest/cellular/hardware.html

*Setup is similar to how you set up a multi-WAN network. You might need to reboot the firewall if the modem does not appear in the Interfaces section.
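The tiered failover described above (two fibre WANs, cellular only as the last resort) is how a pfSense gateway group picks its exit: the lowest tier that still has a healthy member carries the traffic. The Python below is an added example, not pfSense code or anything posted in this thread; the gateway names, the 20 % / 500 ms trigger thresholds and the scenario states are constructed.

```python
from dataclasses import dataclass

@dataclass
class Gateway:
    name: str
    tier: int          # 1 = preferred; higher tiers only carry traffic when lower ones fail
    online: bool       # is the gateway monitor target reachable?
    loss_pct: float    # packet loss reported by the gateway monitor
    rtt_ms: float      # round-trip time reported by the gateway monitor

# Trigger levels named as pfSense offers them; the 20 % / 500 ms thresholds
# are constructed for this example, not pfSense defaults.
LOSS_MAX, RTT_MAX = 20.0, 500.0
TRIGGERS = {
    "member_down":     lambda g: not g.online,
    "packet_loss":     lambda g: not g.online or g.loss_pct > LOSS_MAX,
    "high_latency":    lambda g: not g.online or g.rtt_ms > RTT_MAX,
    "loss_or_latency": lambda g: not g.online or g.loss_pct > LOSS_MAX or g.rtt_ms > RTT_MAX,
}

def active_gateways(group, trigger="member_down"):
    """Members of the lowest-numbered tier that still has a usable gateway.
    All usable members of that tier are returned (same-tier members load-balance);
    [] means every tier, the cellular last resort included, has failed."""
    failed = TRIGGERS[trigger]
    for tier in sorted({g.tier for g in group}):
        usable = [g for g in group if g.tier == tier and not failed(g)]
        if usable:
            return usable
    return []

def describe(group, trigger="member_down"):
    names = [g.name for g in active_gateways(group, trigger)]
    return "traffic via " + ", ".join(names) if names else "all WANs down"

# Constructed scenario: fibre A healthy, fibre B lossy, 4G up but parked on tier 3.
WANS = [
    Gateway("FIBRE_A", 1, True, 0.0, 8.0),
    Gateway("FIBRE_B", 1, True, 35.0, 12.0),
    Gateway("LTE_4G", 3, True, 1.0, 60.0),
]
# Same scenario after both fibre links go dark.
FIBRE_OUTAGE = [Gateway("FIBRE_A", 1, False, 100.0, 0.0),
                Gateway("FIBRE_B", 1, False, 100.0, 0.0), WANS[2]]

if __name__ == "__main__":
    print(describe(WANS))                 # member_down: both fibres still carry traffic
    print(describe(WANS, "packet_loss"))  # lossy fibre B is dropped, A carries alone
    print(describe(FIBRE_OUTAGE))         # only now does the cellular WAN take over
```

Note that with the default "member_down" trigger the lossy fibre keeps receiving traffic; choosing a loss or latency trigger is what makes a degraded link fail over before it is fully down.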
 

angtc11
Member | Joined Feb 14, 2004 | Messages 469 | Reaction score 5
Hi

For those who are using a virtualized pfSense, what is your fallback plan when your server is down or being restarted? Is the backup below 'hot swappable'?

I am planning an Unraid server with pfSense and NAS together with VMs and Docker containers, but am also wary of balancing the need for continuous internet access for the family against tinkering around on the server.

main: modem => virtual pfSense => Unifi switch => AP
backup: modem => Asus router => Unifi switch => AP

Thanks in advance!
 

TanKianW
Supremacy Member | Joined Apr 21, 2005 | Messages 5,905 | Reaction score 2,220
Hi

For those who are using a virtualized pfSense, what is your fallback plan when your server is down or being restarted? Is the backup below 'hot swappable'?

I am planning an Unraid server with pfSense and NAS together with VMs and Docker containers, but am also wary of balancing the need for continuous internet access for the family against tinkering around on the server.

main: modem => virtual pfSense => Unifi switch => AP
backup: modem => Asus router => Unifi switch => AP

Thanks in advance!

I would recommend a bare-metal pfSense, and everything behind it will be for “tinkering”.

Overall, I experienced more problems, troubleshooting and downtime on virtualised pfSense (due to some clients’ past IT legacy) in the field than with a simple bare-metal deployment. Don’t get me wrong, I don’t mind running virtualised pfSense in a worklab/homelab, but I won’t trust its reliability.
 

hwzlite
Senior Member | Joined Jan 27, 2007 | Messages 2,348 | Reaction score 2,119
main: modem => virtual pfSense => Unifi switch => AP
backup: modem => Asus router => Unifi switch => AP

This is similar to my setup/strategy, as shown below:

[attached image: prtg.jpg]

main: modem => virtual SOPHOS UTM Home => DIR868L (bridge mode + AP)

So in the event of any "extended" maintenance or downtime which fails to meet the wife-internet SLA, I will manually rewire/reconfigure to fallback mode:
backup: modem => DIR868L (router mode + AP)

Now I'm in a state of super "extended" downtime mode cos my 8yrs+ 24/7 workhorse VMware host (Workstation) cum HTPC PC's motherboard has finally gone south.

Currently still in procrastination mode for the next setup, possibly going for Unraid + virtual OpenWrt :D
 

Mach3.2
Great Supremacy Member | Joined Apr 8, 2011 | Messages 71,499 | Reaction score 1,436
Hi

For those who are using a virtualized pfSense, what is your fallback plan when your server is down or being restarted? Is the backup below 'hot swappable'?

I am planning an Unraid server with pfSense and NAS together with VMs and Docker containers, but am also wary of balancing the need for continuous internet access for the family against tinkering around on the server.

main: modem => virtual pfSense => Unifi switch => AP
backup: modem => Asus router => Unifi switch => AP

Thanks in advance!

I do my reboots at 3AM, when nothing is running.

Anyway, rebooting only takes like 5 minutes, and it's not too much of a disruption if people are sleeping anyway.

The additional benefit is that you can snapshot your VM before you upgrade the software, which gives you the ability to roll back if the upgrade goes wrong. Not sure if Unraid supports snapshots, but it's really a good feature to have.

Regarding what happens if my ESXi host goes down, well, I'm pretty much hosed; it runs the RADIUS server too, and nobody is getting onto the wifi if my RADIUS server goes down. :s13:
 


Mach3.2
Great Supremacy Member | Joined Apr 8, 2011 | Messages 71,499 | Reaction score 1,436
AFAIK Unraid does not support snapshots natively.
Hhhhmmmm...... unless I install Unraid as a VM in the ESXi server?

That could work, but angtc11 now needs an HBA that he can pass through to Unraid.

@angtc11
As a matter of preference, I would really run the NAS and router on different machines, and imo it doesn't really matter if it's bare metal or virtualised so long as you have a recovery plan that you can execute quickly. :s13:
 

TanKianW
Supremacy Member | Joined Apr 21, 2005 | Messages 5,905 | Reaction score 2,220
This is similar to my setup/strategy, as shown below:

[attached image: prtg.jpg]

main: modem => virtual SOPHOS UTM Home => DIR868L (bridge mode + AP)

So in the event of any "extended" maintenance or downtime which fails to meet the wife-internet SLA, I will manually rewire/reconfigure to fallback mode:
backup: modem => DIR868L (router mode + AP)

Now I'm in a state of super "extended" downtime mode cos my 8yrs+ 24/7 workhorse VMware host (Workstation) cum HTPC PC's motherboard has finally gone south.

Currently still in procrastination mode for the next setup, possibly going for Unraid + virtual OpenWrt :D

Continue to run the old hardware with a new/second-hand motherboard from Taobao. You can still find quite a lot of them. Good old servers, I find it a waste to retire them..... some for sentimental value.

Most of my servers/systems are constantly brought/resuscitated back to life with "new" old hardware. The motherboard is usually the first to up lorry. Easily got on the cheap from eBay/Taobao. Surprisingly, Convergent still honoured my Kingston Value DDR3 (lifetime limited warranty) when it went kaput after 9 years of service! :D
 

xiaofan
Arch-Supremacy Member | Joined Sep 16, 2018 | Messages 18,107 | Reaction score 2,878
A little update from my pfSense experiment. Actually, it is no longer an experiment; it has been in active use at home for the past month. Still, it is not exclusive use, as I still use my Asus RT-AX82U for the SingTel TV box.

Both are serving the wireless clients at home (the SingTel Mesh Router is used as an AP attached to the pfSense router). Pi-hole is used with the Asus, with 1.1.1.3 as the backup. pfBlockerNG is used with pfSense, with 1.1.1.3 as the upstream DNS.

I turned up the pfBlockerNG ad blocking a bit and so far no complaints. I was too aggressive in my initial Pi-hole deployment at home last year, so I had to add a lot of whitelist entries.

Today I was playing with one of my Linux SBCs, a Rock64 with an RK3328 CPU and 2GB RAM, running Ubuntu 18.04. I was puzzled to find that it uses 1.1.1.1 and not pfSense as the DNS. A little bit of Google sorted out the issue with a systemd-resolved settings change.

I also played a little bit with the TL-SG108E VLAN switch, but it seems a bit limited and I still cannot get SingTel TV working with either the switch itself or with pfSense plus the switch. I did not spend much time on this though. Rather, I was playing with my old wireless routers with OpenWrt (Linksys WRT1900AC and Linksys EA7500 v2). The Linksys WRT1900AC seems to have built-in HW support as a VLAN-capable switch under OpenWrt.

I did not buy the MikroTik switch yet. I ordered a MikroTik hAP ac2 router from Taobao instead as an impulse buy. It will take about a month to reach here though, with sea shipment.
 

angtc11
Member | Joined Feb 14, 2004 | Messages 469 | Reaction score 5
I would recommend a bare-metal pfSense, and everything behind it will be for “tinkering”.

Overall, I experienced more problems, troubleshooting and downtime on virtualised pfSense (due to some clients’ past IT legacy) in the field than with a simple bare-metal deployment. Don’t get me wrong, I don’t mind running virtualised pfSense in a worklab/homelab, but I won’t trust its reliability.

Thanks for the advice, I guess a bare-metal deployment will have fewer complications. Was seduced by YouTube videos on how easy it is and thought I could save money by combining it with the NAS =p.

Might still try the virtualized pfSense as a backup.
 

angtc11
Member | Joined Feb 14, 2004 | Messages 469 | Reaction score 5
This is similar to my setup/strategy, as shown below:

[attached image: prtg.jpg]

main: modem => virtual SOPHOS UTM Home => DIR868L (bridge mode + AP)

So in the event of any "extended" maintenance or downtime which fails to meet the wife-internet SLA, I will manually rewire/reconfigure to fallback mode:
backup: modem => DIR868L (router mode + AP)

Now I'm in a state of super "extended" downtime mode cos my 8yrs+ 24/7 workhorse VMware host (Workstation) cum HTPC PC's motherboard has finally gone south.

Currently still in procrastination mode for the next setup, possibly going for Unraid + virtual OpenWrt :D

My wife's SLA is 99.999% uptime, haha. Maybe this can be my future evolution when I get more experienced.
 

angtc11
Member | Joined Feb 14, 2004 | Messages 469 | Reaction score 5
I do my reboots at 3AM, when nothing is running.

Anyway, rebooting only takes like 5 minutes, and it's not too much of a disruption if people are sleeping anyway.

The additional benefit is that you can snapshot your VM before you upgrade the software, which gives you the ability to roll back if the upgrade goes wrong. Not sure if Unraid supports snapshots, but it's really a good feature to have.

Regarding what happens if my ESXi host goes down, well, I'm pretty much hosed; it runs the RADIUS server too, and nobody is getting onto the wifi if my RADIUS server goes down. :s13:

It would be challenging for me; my 'green zone' is variable and sometimes only after 3am cos the wife is watching Korean drama. It would be too stressful, especially if it was a working day.

Is the benefit of the RADIUS server authentication worth the added dependency?
 

angtc11
Member | Joined Feb 14, 2004 | Messages 469 | Reaction score 5
That could work, but angtc11 now needs an HBA that he can pass through to Unraid.

@angtc11
As a matter of preference, I would really run the NAS and router on different machines, and imo it doesn't really matter if it's bare metal or virtualised so long as you have a recovery plan that you can execute quickly. :s13:

Yup, separate it shall be. Will look for those small form factor devices from CN to install pfSense on and continue with my NAS build.

Thanks!
 

Mach3.2
Great Supremacy Member | Joined Apr 8, 2011 | Messages 71,499 | Reaction score 1,436
Is the benefit of the RADIUS server authentication worth the added dependency?

Probably not; your APs also have to be configured to authenticate wireless STAs against the RADIUS server, so if your RADIUS server goes down, no one is getting their internet.

Bonus points for me since I host my Unifi controller on the same ESXi host as my pfSense/RADIUS server: if the ESXi box goes out I'm definitely hosed, since my setup doesn't have redundancies built in and I can't access the controller to reconfigure the APs for WPA2 Personal.

I'm probably looking at a 2hr recovery time frame if I immediately take my spare computer out and restore my weekly backups. :s13:
 

angtc11
Member | Joined Feb 14, 2004 | Messages 469 | Reaction score 5
Probably not; your APs also have to be configured to authenticate wireless STAs against the RADIUS server, so if your RADIUS server goes down, no one is getting their internet.

Bonus points for me since I host my Unifi controller on the same ESXi host as my pfSense/RADIUS server: if the ESXi box goes out I'm definitely hosed, since my setup doesn't have redundancies built in and I can't access the controller to reconfigure the APs for WPA2 Personal.

I'm probably looking at a 2hr recovery time frame if I immediately take my spare computer out and restore my weekly backups. :s13:

I will get 'killed' for a 2hr RTO, so I'd better stop thinking about it :s13:

I forgot to ask earlier, does anyone have recommendations on the SFF hardware from TB etc.? I looked at some of the earlier links shared, but they seem to be out of stock, like the one below.
edit: a mid-range chip at good value would be nice

https://item.taobao.com/item.htm?spm=a1z0k.7385961.0.0.37d54f4dzwNUyZ&id=625362549411&_u=7vgd4vh33d1
 

TanKianW
Supremacy Member | Joined Apr 21, 2005 | Messages 5,905 | Reaction score 2,220
I will get 'killed' for a 2hr RTO, so I'd better stop thinking about it :s13:

I forgot to ask earlier, does anyone have recommendations on the SFF hardware from TB etc.? I looked at some of the earlier links shared, but they seem to be out of stock, like the one below.
edit: a mid-range chip at good value would be nice

https://item.taobao.com/item.htm?spm=a1z0k.7385961.0.0.37d54f4dzwNUyZ&id=625362549411&_u=7vgd4vh33d1

Unless you need >8GB, this is ok.

[attached image: rQ7at45.jpg]
 