Starting pfsense for New Users

[UnusedCalculator]

If you just recontract the 1Gbps, you can continue using the ONT. They may or may not give you free SingTel Mesh Router (you need to check) which you need to self collect. And there will be no visit by the SingTel technician and no change of the ONT.

In that case, you only need two extra stuff other than your OPNSense box
1) a smart switch or managed switch with VLAN capability. Cheapest is probably TP-Link TL-SG105E. You only need to setup VLAN here.

2) another router for your general home use. That one can be your existing router or the SingTel Mesh Router if they give you for free. If you want to use mesh then it is up to you. Do not get the mesh solution from SingTel. You can buy whatever you like, say Asus AImesh (eg: RT-AX82U *2 is okay based on what you wrote), Asus Zenwifi or Netgear Orbi.

New users will get ONR. Existing users can continue using ONT. But if you move to a different place then they will consider you as a new signup. In that case you have to sign up with the 1+1 Gbps plan to have two separate networks (with two public IPv4 addresses as well).

Is there any difference in either effort of setting up or technical flexibility if I got lets say a pair of RT-AX92U(heard I should go with a tri-band instead of a dual band) vs a pair of XT8s? XT8s being already preconfigured (whatever that means) for a mesh system?

I'm not getting my own place, but im curious. If I had and gone with another provider, would it be possible to get an ONT equivalent from Starhub/ViewQuest/M1?

 

[xiaofan]

Is there any difference in either effort of setting up or technical flexibility if I got lets say a pair of RT-AX92U(heard I should go with a tri-band instead of a dual band) vs a pair of XT8s? XT8s being already preconfigured (whatever that means) for a mesh system?
I'm not getting my own place, but im curious. If I had and gone with another provider, would it be possible to get an ONT equivalent from Starhub/ViewQuest/M1?

Asus RT-AX92U and Zenwifi XT8 mesh are both triband and AImesh is not difficult to set up. But Zenwifi XT8 should be better than RT-AX92U. AX92U is an early effort by Asus and I kind of consider it as a failed product from Asus.

Starhub and M1 will be a good alternative as they come with ONT by default. Viewquest may provide ONR or ONT and you may ask them to bridge the ONR (not possible for 2Gbps plan). Bad thing about Viewquest is that new users will have CGNAT and stability is bad.

But I consider SingTel ONT to be very unique that you can get two or three public IP addresses with a smart switch. I believe that is not possible with other ISPs. And SingTel is very stable. Of course SingTel does have issues with international routing and bad latency (eg: bad for gaming). But I am not into gaming.

For new users I do not recommend SingTel due to the issues with ONR.

 

[UnusedCalculator]

Asus RT-AX92U and Zenwifi XT8 mesh are both triband and AImesh is not difficult to set up. But Zenwifi XT8 should be better than RT-AX92U. AX92U is an early effort by Asus and I kind of consider it as a failed product from Asus.

Starhub and M1 will be a good alternative as they come with ONT by default. Viewquest may provide ONR or ONT and you may ask them to bridge the ONR (not possible for 2Gbps plan). Bad thing about Viewquest is that new users will have CGNAT and stability is bad.

But I consider SingTel ONT to be very unique that you can get two or three public IP addresses with a smart switch. I believe that is not possible with other ISPs. And SingTel is very stable. Of course SingTel does have issues with international routing and bad latency (eg: bad for gaming). But I am not into gaming.

For new users I do not recommend SingTel due to the issues with ONR.

Thanks for your advice. Any recommendations for OPNSense box and the configurations like ram, speed etc etc?

 

[xiaofan]

Thanks for your advice. Any recommendations for OPNSense box and the configurations like ram, speed etc etc?

I have no idea about OPNSense but I think it should be the same as pfSense recommend in this thread. My pfSense knowledge is also very basic. So you should read post #1. Option C should be good enough for most of the people: Intel J4105 or similar low power CPU, 4 or more LAN ports with Intel LAN card, 4GB/64GB should be ok but 8GB/128GB (or 256GB) will be better if you want to use Linux or Windows later when you are no longer interested in pfSense/OPNSense.

Just wondering why not use pfSense? It is more popular and you may have better support in this forum as there are experts like brother TanKianW.

 

[UnusedCalculator]

Haha, I'll go to wherever has the best support for getting me started. Not pro enough to have an opinion.

 

[TanKianW]

Updated on Post #2

**Deploying 3G/4G Mobile Broadband as (Last Line of Defense) Backup WAN on pfSense**

I have been receiving requests on the deployment of 4G Mobile broadband as the "last line of defense" WAN. Therefore, I will like to provide a workable solution to this, especially for those looking at a more resilient multi-WAN setup. These are the group of users who will keep telling me dual-WAN can still be down if the fiber internet was cut at the manhole side......that will be like.......Well, since some like to be prepared for the "worst case scenario", I will cover it here.

NOTE: I think this set up will also be beneficial to users with mobile data plan and fiber plan from the same ISP. Normally when the ISP's fiber internet is down (Eg. M1, Singtel, Starhub) their data plan will be free for use to compensate the downtime. In this set-up, the network will automatically fail over to the 4G mobile data network. I am using a spare 4G mobile SIM (500M data cap) provided by Singtel during sign-up many years back.

4G Hardware information:​

• Mini-PCIE 4G modem module from Quectel (Model: EC20)​
• Developer Mini-PCIE 4G modem carrier card with SIM slot powered by USB-C​
• Industrial 4G modem carrier card metal enclosure with external antennas​

4G Modem Assembly Unit shown in picture below:

Step 1:

Create the PPP connection on pfsense under Interface tab and key in the information. Some information will be auto-filled when you select the ISP. You might need to try out the different link interface to get it to work. /dev/cuaU2.2 works for my case:​

Step 2:

Add the interface and enable it. Process will be similar to how you add and enable a WAN interface on pfSense:​

Step 3:
Under System -> Routing -> Gateway Groups, set the 4G network as Tier 2 failover (Tier 3 for my case):

Step 4:
Remember to set the custom DNS server for the 4G network:

Followed by the monitor IP (I am using Singtel DNS server here):

NOTE: You may have to manually connect the interface by navigating to Status -> Interface, click on "connect":

Step 5:

Check that all is up at the main dashboard page. So now you have Triple-WAN redundancy! Unless sub-sea cable damaged by cruise ships or some data-centers are burnt down this time......​

 

[terminater]

how's the performance with tb mini pc using j4105? any problems with gigabit up/down with vlans?

 

[TanKianW]

how's the performance with tb mini pc using j4105? any problems with gigabit up/down with vlans?

No problem with 1G up/down on vlans.

Not recommended to bridge the remaining ports to use like a switch though. Connect it to a managed switch.

 

[terminater]

No problem with 1G up/down on vlans.

Not recommended to bridge the remaining ports to use like a switch though. Connect it to a managed switch.

I see thanks! Would u recommend I hoot one now or wait till 11.11?

 

[Trans-Am]

No problem with 1G up/down on vlans.
Not recommended to bridge the remaining ports to use like a switch though. Connect it to a managed switch.

Any reason not to bridge the remaining ports to use like switch?


Sent from A universe Where pink PWNED everything

 

[hairymonster]

No problem with 1G up/down on vlans.

Not recommended to bridge the remaining ports to use like a switch though. Connect it to a managed switch.

Can j4105 do 1gbps up and down link with IPS/IDS enabled? Or need a better cpu? If the latter which cpu do you recommend?

 

[Mach3.2]

Any reason not to bridge the remaining ports to use like switch?


Sent from A universe Where pink PWNED everything

Poor use of resources, you probably won't be able to do 1Gbps full duplex with the j4105 if you try to bridge multiple NICs into a software switch. You're also likely to bog down your router with software switching + ips + NAT + routing.

Switches use ASICs which can switch 1Gbps full duplex effortlessly, you don't have that on your NICs.

 

[TanKianW]

Can j4105 do 1gbps up and down link with IPS/IDS enabled? Or need a better cpu? If the latter which cpu do you recommend?

For J4105, with Snort IPS/IDS enabled on WAN and LAN, IPS's policy selection set to "Security", default blocking enabled, and a few ET Open rules manually turned on, should not be much problem achieving 1G up/down.

For home use, J4105 should suffice. You can check out the options (A, B & C) in Post #1.​

 

[TanKianW]

I see thanks! Would u recommend I hoot one now or wait till 11.11?

I think you can go for 10.10 or 11.11.

Which ever fit your budget.

 

[TanKianW]

Any reason not to bridge the remaining ports to use like switch?


Sent from A universe Where pink PWNED everything

Like what Bro Mach3.2 shared earlier.

On top of that, I prefer to manage VLANs at switch level. I also prefer to utilise the spare ports for LAGG or Multi-WAN.

 

[terminater]

For J4105, with Snort IPS/IDS enabled, IPS's policy set to "Security" selection, default blocking enabled, and a few ET Open rules manually turned on, should not be much problem to problem achieving 1G up/down.

For home use, J4105 should suffice. You can check out the options (A, B & C) in Post #1.​

worth it to go for j4125 with intel i210 nics instead?

 

[TanKianW]

worth it to go for j4125 with intel i210 nics instead?

J4125 is a more recent chip with higher clocks (comparing J4105) based on the Intel Ark spec sheet. If not much difference in price, I will get it.

• J4105: https://ark.intel.com/content/www/u...-j4105-processor-4m-cache-up-to-2-50-ghz.html
• J4125: https://ark.intel.com/content/www/u...-processor-j4125-4m-cache-up-to-2-70-ghz.html

However for the intended purpose, both should perform pretty close.

https://www.cpu-monkey.com/en/compare_cpu-intel_celeron_j4125-1076-vs-intel_celeron_j4105-841

 

[xiaofan]

worth it to go for j4125 with intel i210 nics instead?

For J4125, Beelink GK55 and Minisforum GK41 seem to be popular. Taobao price for the GK55 seems to be pretty decent. They both come with Windows 10 so you can revert back to Windows/Linux if you are tired of pfsense after a while.

Ref: Beelink GK55, J4125 CPU, 8GB/256GB, dual gigabit Ethernet card, RMB1169 from Taobao and it has Windows 10 license and seems to be of better build quality than no brand ones.
https://item.taobao.com/item.htm?id=590652691219
Minisforum GK41 is more expensive.
https://detail.tmall.com/item.htm?id=644877829711&skuId=4641786876957

 

[xiaofan]

The one I bought last time at RMB1169, J4105, 8GB/256GB, no OS, 4 gigabit Ethernet cards. Now the price goes up quite a bit at RMB1379.

https://m.tb.cn/h.fecgvKb?sm=2cde1c J4105迷你电脑小主机工控机四网口intel i211网卡虚拟机NAS软路由

Same shop has J4125 and price is higher than J4105, 8GB/256GB is at RMB1570.

https://m.tb.cn/h.feciGOp?sm=002362 J4125四网口i210千兆intel网卡工控主机迷你电脑企业防火墙软路由

 

[firesong]

Curious, since I'm waiting for my box - can you run Docker containers in the background? It is a BSD box from what I know.

Am planning to consolidate the functions my Linux SBC current does if so - I run services like Smokeping, Vaultwarden, Healthchecks. Used to run my controller off that, but have no need for controllers now with Ruckus. Would prefer not to run these on the NAS if I can help it, only because my VW database is backed up to the NAS for redundancy - trying to minimise that single point of failure.

I note there is no need to run PiHole and Wireguard separately any longer, so that's good. The issue is more that I want to avoid having to set up relaying the Letsencrypt certificates from pfsense box to servers behind - a bit troublesome. Doable with rsync, but I don't want to rsync /etc files if I can help it.

Edit: A quick internet search suggested I run Docker in a VM on the pfsense box. I'd rather have it bare-metal, only because I don't really want to virtualise a Docker install that runs containers - the performance penalty there makes it a bit silly to do so on a J4105.