Starting pfsense for New Users

Elijahonli

High Supremacy Member
Joined
Oct 27, 2008
Messages
25,525
Reaction score
18
Hi pros.

I am trying to understand the vlan trunking to my switch.
What i understand is that for VLANs that have my LAN interface as a parent interface, they would carry or trunk the VLANs across my LAN interface to my switch.
But will the default VLAN (1) ?? be trunked to my switch also or is that something i need to create?

the reason I am asking because after trunking the VLANs to my switch, the devices connected to ports on my switch port 1 (untagged) with VLAN1 ports cant seem to get internet, IP address from my DHCP server from my LAN interface, whereas devices that are connected to my switch port 3 (untagged) with VLAN10 can get IP address

another question, is it recommended the management IP of the switch be on the same network range/subnet as my LAN interface?

Apologies if what i type don't make sense, still noob and trying to learn :(
 

bert64

Senior Member
Joined
Jan 20, 2020
Messages
544
Reaction score
73
Hi pros.

I am trying to understand the vlan trunking to my switch.
What i understand is that for VLANs that have my LAN interface as a parent interface, they would carry or trunk the VLANs across my LAN interface to my switch.
But will the default VLAN (1) ?? be trunked to my switch also or is that something i need to create?

the reason I am asking because after trunking the VLANs to my switch, the devices connected to ports on my switch port 1 (untagged) with VLAN1 ports cant seem to get internet, IP address from my DHCP server from my LAN interface, whereas devices that are connected to my switch port 3 (untagged) with VLAN10 can get IP address

another question, is it recommended the management IP of the switch be on the same network range/subnet as my LAN interface?

Apologies if what i type don't make sense, still noob and trying to learn :(

From the pfsense side:

Your vlan interfaces will send tagged traffic through the physical interface.
The physical interface (if you configure it) will send untagged traffic.

From the switch side:

You can configure multiple tagged VLANs, and traffic with tags will be routed to the tagged vlan.
Any traffic which arrives without a vlan tag will be routed to the default (ie untagged) vlan configured on that port. On a Cisco switch this defaults to vlan 1, on other switches it can vary, and its configurable.
Managed switches will usually let you configure which vlans are allowed on which ports, how you configure this differs based on the brand/model of switch but the principle is the same.

It's best practice to use tags for all traffic on trunked interfaces, do not assign any addressing to the physical interface on the firewall and configure the switch either with no default vlan (ie untagged traffic will be discarded) or to an unused vlan.
It's also best practice not to use the default vlan (usually 1) for anything incase you make a mistake and something ends up unexpectedly connected to it.

Ideally your management interfaces should be on a separate management network, in a corporate environment this would prevent random office users from accessing the management interfaces of devices which they have no need for. Wether you bother with this on a home network is up to you.
 

Elijahonli

High Supremacy Member
Joined
Oct 27, 2008
Messages
25,525
Reaction score
18
From the pfsense side:

Your vlan interfaces will send tagged traffic through the physical interface.
The physical interface (if you configure it) will send untagged traffic.

From the switch side:

You can configure multiple tagged VLANs, and traffic with tags will be routed to the tagged vlan.
Any traffic which arrives without a vlan tag will be routed to the default (ie untagged) vlan configured on that port. On a Cisco switch this defaults to vlan 1, on other switches it can vary, and its configurable.
Managed switches will usually let you configure which vlans are allowed on which ports, how you configure this differs based on the brand/model of switch but the principle is the same.

It's best practice to use tags for all traffic on trunked interfaces, do not assign any addressing to the physical interface on the firewall and configure the switch either with no default vlan (ie untagged traffic will be discarded) or to an unused vlan.
It's also best practice not to use the default vlan (usually 1) for anything incase you make a mistake and something ends up unexpectedly connected to it.

Ideally your management interfaces should be on a separate management network, in a corporate environment this would prevent random office users from accessing the management interfaces of devices which they have no need for. Wether you bother with this on a home network is up to you.

how to configure the physical interface on pfsense to send untagged traffic ?
 

bert64

Senior Member
Joined
Jan 20, 2020
Messages
544
Reaction score
73
how to configure the physical interface on pfsense to send untagged traffic ?
Oh you misunderstand..

The physical interface is ALWAYS untagged, but it won't actually send any traffic unless you configure addressing on the interface.

IE: leave the physical interface without any IPs assigned. Only configure and use the vlan interfaces.
 

Elijahonli

High Supremacy Member
Joined
Oct 27, 2008
Messages
25,525
Reaction score
18
Oh you misunderstand..

The physical interface is ALWAYS untagged, but it won't actually send any traffic unless you configure addressing on the interface.

IE: leave the physical interface without any IPs assigned. Only configure and use the vlan interfaces.
oh I think i had configured my physical interface with an address

LAN 1 -> Static IP 10.xx.0.1 (with DHCP server turned on)
VLAN 10 on LAN 1 -> static IP 10.xx.10.1 (with DHCP server turned on)

devices on my switch that are on ports untagged with VLAN1 should be able to receive a 10.xx.0.x IP address?
 

bert64

Senior Member
Joined
Jan 20, 2020
Messages
544
Reaction score
73
oh I think i had configured my physical interface with an address

LAN 1 -> Static IP 10.xx.0.1 (with DHCP server turned on)
VLAN 10 on LAN 1 -> static IP 10.xx.10.1 (with DHCP server turned on)

devices on my switch that are on ports untagged with VLAN1 should be able to receive a 10.xx.0.x IP address?
Ports will have a default vlan for untagged traffic, its usually 1 but on most switches you can change it.

Each port can be configured for one untagged vlan, and any number of tagged vlans. Most switches will have every port set to vlan 1 untagged and no tagged vlans by default, which is why you get the behaviour you describe.

You should either have untagged ports (set to a single specific vlan) or tagged ports (all traffic tagged). You shouldn't mix things by sending untagged and tagged traffic on the same port.
 
Last edited:

TanKianW

Master Member
Joined
Apr 21, 2005
Messages
3,687
Reaction score
81
Updated on Post #2

For those who want to configure ping and gateway monitoring/logging on pfsense. Especially when you want to track if your ISP (or which ISP) was down in order to trigger a WAN failover. Or even to lodge a complaint/case to your ISP about high packet loss or high latency during a certain period of time.

 

TanKianW

Master Member
Joined
Apr 21, 2005
Messages
3,687
Reaction score
81
*VLAN Set-up for Different SSIDs from AP
pfsense users that are interested to set up VLANs for different wireless SSID (Eg. Segregate Mobile and IOTs VLANs into different SSIDs), do check if your AP, wireless router support this function. It should look something like this (Eg. on Ruckus Unleashed):
xqJXFbV.jpg


VLAN set up on pfsense:
MpzlCWv.jpg


Do check to ensure that the VLAN traffic is passed down from your main switch to your APs (Eg. on SwOS):
hHZtLds.jpg
 
Last edited:

TanKianW

Master Member
Joined
Apr 21, 2005
Messages
3,687
Reaction score
81
Bridging Mikrotik HEX-S Router as a Managed Switch + Passive POE
Home users who only has a single RJ45 patch panel (HDB BTO) in every room and hope to connect to a managed switch (for LAN connection) and an AP (passive POE up to 57V). Can check out the Mikrotik HEX-S router. You can easily bridge (RouterOS) to a managed switch with VLANs, with the passive POE out to power an AP in your furthest bedroom (MBR).

Mikrotik HEX-S (Bought it at $90): https://mikrotik.com/product/hex_s
0IN3fdq.jpg


Bridging RouterOS to become a managed switch
fUexnCH.jpg

ibszgvd.jpg


Powering the AP (Ruckus R500) and the HEX-S from POE at my main switch side. No extra power cord required!
HOHvcgc.jpg


*NOTE: Do check the power requirements of your AP to ensure that it could be powered by the passive POE.

Check out here if you interested to set up VLANs and bridging on RouterOS:
 
Last edited:

TanKianW

Master Member
Joined
Apr 21, 2005
Messages
3,687
Reaction score
81
*pfSense CE 2.5.2 Release Now Available
Just updated my test lab systems (on both VM & bare-metal) today. Will be testing it out and running it for a couple of days to see if there is any major bugs. Will also test out the experimental add-on WireGuard VPN that returned as a package.

Official News Release:
https://www.netgate.com/blog/pfsense-ce-2.5.2-release-now-available

Release Notes here:
https://docs.netgate.com/pfsense/en/latest/releases/2-5-2.html

Initial testing from servethehome:
https://www.servethehome.com/pfsense-ce-2-5-2-released-with-updates/


NOTE:
  • Do back up the older image/system before the update
  • Do remove any previous setting of Wireguard VPN before the update
  • Do not update the packages before the system update, it may break the plugins
  • The WireGuard VPN returned as an experimental add-on
 
Last edited:

xiaofan

Supremacy Member
Joined
Sep 16, 2018
Messages
9,842
Reaction score
138
Just updated and it seems to have no issue for me. But I am only using a few features only (mainly pfBlockerNG, Singtel 6rd IPv6 and a few simple firewall rules, iperf3, etc).
 

TanKianW

Master Member
Joined
Apr 21, 2005
Messages
3,687
Reaction score
81
Just updated and it seems to have no issue for me. But I am only using a few features only (mainly pfBlockerNG, Singtel 6rd IPv6 and a few simple firewall rules, iperf3, etc).

One of the major fixes is on Multi-WAN issue. Those deploying multi-WAN should go for this update. At the moment, seem stable on my homelab system.

For those who want to test out the Wireguard VPN package can update to this latest version too.
 

TanKianW

Master Member
Joined
Apr 21, 2005
Messages
3,687
Reaction score
81
*For Testing ONLY: WireGuard VPN Package on pfSense CE 2.5.2 (On Win10 and iOS clients)

pfSense Tunnel Set-up
(Copy the public key here and paste on the "peer" public key on your client)
OYeKtX1.jpg


pfSense Peer set-up (Copy the public key from your client to the peer setting here)
qfURW4V.jpg

7sM38ZT.jpg


Win10 client set-up (Key in the setting using the format below. Copy the public key from pfsense tunnel setting to client [Peer] here. End point either key in your DDNS or your static IPs) Do uncheck “block untunneled traffic”. The Public key shown in the row below the “Name” will be the one you copy and paste on the “Peer” on pfsense. The private keys are self generated, do not alter!
1utYhMF.jpg


Peer Settings on iOS:
When set to cellular for connection "On demand", you will automatically connect to your WireGuard VPN when you leave your home network. Set up is quite similar with using the WireGuard application on Win10. I experienced some crashes on iOS client app. You may need to disable the “on demand” setting and manually activate/deactivate it. Allowed IPs can just put 0.0.0.0/0.
FlHcbLJ.png


NOTE:
  • You do need to assign the WireGuard interface and set up the firewall rules like what you normally do when setting up a new interface
  • You can set the WireGuard interface to assign IPs to the connections coming in (or assign IPs at client side) with/without the DHCP server running.
  • Do ensure your assigned IPs for WireGuard do not clash with your other internal (VLAN) IPs. In my case, I assign the 192.168.40.XX and 192.168.80.XX for two separate tunnels.

SPEEDTEST: Close to Line Speed VPN
WireGuard OFF:

XGgUBYg.jpg

WireGuard ON:
5d1Z7Vz.jpg
 
Last edited:

adderrs

Member
Joined
Dec 19, 2016
Messages
207
Reaction score
7
*For Testing ONLY: WireGuard VPN Package on pfSense CE 2.5.2 (On Win10 and iOS clients)

pfSense Tunnel Set-up
(Copy the public key here and paste on the "peer" public key on your client)
OYeKtX1.jpg


pfSense Peer set-up (Copy the public key from your client to the peer setting here)
qfURW4V.jpg

7sM38ZT.jpg


Win10 client set-up (Key in the setting using the format below. Copy the public key from pfsense tunnel setting to client [Peer] here. End point either key in your DDNS or your static IPs) Do uncheck “block untunneled traffic”. The Public key shown in the row below the “Name” will be the one you copy and paste on the “Peer” on pfsense. The private keys are self generated, do not alter!
1utYhMF.jpg


Peer Settings on iOS:
When set to cellular for connection "On demand", you will automatically connect to your WireGuard VPN when you leave your home network. Set up is quite similar with using the WireGuard application on Win10. I experienced some crashes on iOS client app. You may need to disable the “on demand” setting and manually activate/deactivate it. Allowed IPs can just put 0.0.0.0/0.
FlHcbLJ.png


NOTE:
  • You do need to assign the WireGuard interface and set up the firewall rules like what you normally do when setting up a new interface
  • You can set the WireGuard interface to assign IPs to the connections coming in (or assign IPs at client side) with/without the DHCP server running.
  • Do ensure your assigned IPs for WireGuard do not clash with your other internal (VLAN) IPs. In my case, I assign the 192.168.40.XX and 192.168.80.XX for two separate tunnels.

SPEEDTEST: Close to Line Speed VPN
WireGuard OFF:

XGgUBYg.jpg

WireGuard ON:
5d1Z7Vz.jpg
Superb wireguard speed. What is your hardware?
 

TanKianW

Master Member
Joined
Apr 21, 2005
Messages
3,687
Reaction score
81
Superb wireguard speed. What is your hardware?

The pfSense hardware I am running in homelab:
  • Asrock Rack E3C23DI m-itx board with 2x Intel NIC,
  • Intel Xeon E3-1240Lv5 (tray) at 25W (4-cores, 8 threads)
  • 2x 8GB Kingston unbuffered DDR4 ECC Memory
  • OEM 500W Flex-ATX PSU (Platinum Rating)
  • 2x 240GB Samsung 870EVO SSD in ZFS mirror
  • Chelsio T520-LL-CR with 2x 10G SFP+ LAGG to main switch using DAC
Switches:
  • Main Switch: Mikrotik CRS312
  • Homelab Switch: Mikrotik CRS305
 
Last edited:

TanKianW

Master Member
Joined
Apr 21, 2005
Messages
3,687
Reaction score
81
HI experts, im trying to setup pfblocker DNSBL, with 1 default list and 1 self added list. I reloaded the settings from the update tab but I am still able to ping the domain from the list ?

ZV8OfDc.jpg


hm1IKcu.jpg


EQ1UuSI.jpg


any assistance is greatly appreciated :sad:

There are 2 versions. One is pfblockerNG, another is pfblockerNG-devel.

You should use the later that has been actively developed. You will read about it on netgate forum.
https://forum.netgate.com/topic/156604/pfblockerng-vs-pfblockerng-devel

If you are using the correct version, try restarting "unbound" after update and reload your blocklist. Sometimes it will take a while to refresh the firewall table too.

If problem persist, reinstall the package.
 

bujingai

Junior Member
Joined
Sep 24, 2007
Messages
29
Reaction score
4
The pfSense hardware I am running in homelab:
  • Asrock Rack E3C23DI m-itx board with 2x Intel NIC,
  • Intel Xeon E3-1240Lv5 (tray) at 25W (4-cores, 8 threads)
  • 2x 8GB Kingston unbuffered DDR4 ECC Memory
  • OEM 500W Flex-ATX PSU (Platinum Rating)
  • 2x 240GB Samsung 870EVO SSD in ZFS mirror
  • Chelsio T520-LL-CR with 2x 10G SFP+ LAGG to main switch using DAC
Switches:
  • Main Switch: Mikrotik CRS312
  • Homelab Switch: Mikrotik CRS305
nice build
 

Elijahonli

High Supremacy Member
Joined
Oct 27, 2008
Messages
25,525
Reaction score
18

anyone facing the same issue this the one posted in this link?
 

Elijahonli

High Supremacy Member
Joined
Oct 27, 2008
Messages
25,525
Reaction score
18
There are 2 versions. One is pfblockerNG, another is pfblockerNG-devel.

You should use the later that has been actively developed. You will read about it on netgate forum.
https://forum.netgate.com/topic/156604/pfblockerng-vs-pfblockerng-devel

If you are using the correct version, try restarting "unbound" after update and reload your blocklist. Sometimes it will take a while to refresh the firewall table too.

If problem persist, reinstall the package.
Thanks I managed to get it working already. Actually i thought that i would be getting a block request from pfsense but it turns out it just resolve the blacklisted domain to the 172.x IP that I specified LOL.

Can i check should i be expecting to see at the reports section for DNSBL blockstats?
Im am looking at mine and it seems like it is not blocking much???
18pIYB9.jpg
 
Important Forum Advisory Note
This forum is moderated by volunteer moderators who will react only to members' feedback on posts. Moderators are not employees or representatives of HWZ. Forum members and moderators are responsible for their own posts.

Please refer to our Terms of Service for more information.
Top