Starting pfsense for New Users

xiaofan

Issues related to pfSense 2.5 -- not affecting me though as I am only using the basic features. But for consumer VPN (PIA, Nord, etc) users you may need to take note.
 

TanKianW

Issues related to pfSense 2.5 -- not affecting me though as I am only using the basic features. But for consumer VPN (PIA, Nord, etc) users you may need to take note.

I have not upgraded all my remote machines yet. But the ones upgraded are still running fine, including my test (home) system running for 30+ days. As usual, before any major upgrade, you should back it up just in case you need to restore back to the previous version.

Except for one of my remote machines which experienced unbound not restarting after the upgrade, that was easily solved by restarting and reloading pfBlockerNG.
 

newfrog

pfsense is a firewall so if I put my openwrt router behind it (not in AP mode), will this setup work? Is this more secure or overkill or lead to more problems?

Thinking of playing with pfsense if it is more secure than openwrt
 

hwzlite

pfsense is a firewall so if I put my openwrt router behind it (not in AP mode), will this setup work? Is this more secure or overkill or lead to more problems?

Thinking of playing with pfsense if it is more secure than openwrt


Kinda overkill as both platforms serve well firewall-wise.
You can only differentiate them via the features offered.
You can try building it as a virtualized router and g33k your heart out too.
 

TanKianW

pfsense is a firewall so if I put my openwrt router behind it (not in AP mode), will this setup work? Is this more secure or overkill or lead to more problems?

Thinking of playing with pfsense if it is more secure than openwrt

1) I think it will still work, though I do not have such use case.

2) I think there are more advanced features/functions on pfsense. It will not lead to more problems if you set it right. Whether it will be more secure will be up to how you set it up. You can run an enterprise behind it, so I am not sure if that is considered as sufficiently "secure" to you.

3) I think it will be a good start for some fun and learning on a firewall appliance. It is not as intimidating as what most will think. To me, the set up makes more sense. Feel free to give it a shot.

Hope it helps.
 

xiaofan

pfsense is a firewall so if I put my openwrt router behind it (not in AP mode), will this setup work? Is this more secure or overkill or lead to more problems?

Thinking of playing with pfsense if it is more secure than openwrt

This may lead to more problems because of Double NAT if you run both as routers. pfSense is a firewall cum router in a typical home setup.

https://kb.netgear.com/30186/What-is-Double-NAT
https://kb.netgear.com/30187/How-to-fix-issues-with-Double-NAT
 

newfrog

Thanks all for yr comments. Best that I just learn pfsense on standalone basis for now since I have a spare old pc. Just have to dig out another NIC for now
 

TanKianW

Thanks all for yr comments. Best that I just learn pfsense on standalone basis for now since I have a spare old pc. Just have to dig out another NIC for now

You need a minimum of 2 ethernet ports, 1 for WAN and 1 for LAN.

If you are looking for NICs, go with Intel's. You can also get second hand NICs from ebay/taobao to try it out.

Do check out the info compiled on Page 1 of this thread.

Unleash the power of your home network. Have fun! :D
 

GlassDoor

From taobao? Is this available from qoo10/shopee/lazada?

Took the plunge.....



Installed ESXi, Synology 918+ img and going to explore with OpenWrt next....
 

GlassDoor

Yes, from taobao.

I believe you should be able to get variations from shopee/lazada but at a much higher price.
Thanks. Saw this on TB too.
Didn't find any fanless J4105 and better (J4125 or J5005) using Intel NICs on shopee/lazada. Most use Realtek NICs. Don't need 4 NICs, two will be all I need.
Need to get in a hurry as VPN endpoint device just uplorry.
How long did yours take to arrive after ordering on TB?
 

jasonho

Thanks. Saw this on TB too.
Didn't find any fanless J4105 and better (J4125 or J5005) using Intel NICs on shopee/lazada. Most use Realtek NICs. Don't need 4 NICs, two will be all I need.
Need to get in a hurry as VPN endpoint device just uplorry.
How long did yours take to arrive after ordering on TB?

Mine took a week: ordered on March 11 (Thurs) before 5pm, received on March 17, Wednesday evening.

Yes, mine is 4 x Intel i211 NICs. In fact I don't need 4 ports, but since I installed ESXi and OpenWrt, my port 1 is dedicated as the ESXi management LAN port.

My other 3 LAN ports are passthru to my OpenWrt. The 2nd and 3rd ports are meant for Dual WAN (I intend to get another fiber connection soon) and allow me to do load balancing or dedicated SSR connections. Port 4 is reserved in case I need to use it for something like a NAS device.

I feel it's good (not a must) to have 4 ports. I was even considering the 6-port version (from another seller) for full LAN port management in 1 device.
 

hwzlite

Yes, mine is 4 x Intel i211 NICs. In fact I don't need 4 ports, but since I installed ESXi and OpenWrt, my port 1 is dedicated as the ESXi management LAN port.

My other 3 LAN ports are passthru to my OpenWrt. The 2nd and 3rd ports are meant for Dual WAN (I intend to get another fiber connection soon) and allow me to do load balancing or dedicated SSR connections. Port 4 is reserved in case I need to use it for something like a NAS device.

I heard ESXi + Dual Wan, & if you have a cloud VPS to spare, do check out this kool OpenMPTCPRouter which is based on OpenWrt 😎

 

TanKianW

*pfsense CE 2.5.1 update



UPDATE NOTES:
1) If you have been using WireGuard on pfsense 2.5, do remove WG and all WG settings before the update since it will be removed in this patch.
2) Back up the system before the update.
3) Reboot after the update.
4) If you are using it for production, you may want to adopt a "wait and see" approach.

Update release notes:
https://docs.netgate.com/pfsense/en/latest/releases/21-02-2_2-5-1.html
 

xiaofan

Updated to 2.5.1 without any issues. The update process is pretty fast.

I needed to do two things after the update and reboot.
1) restart unbound
2) wait for pfBlockerNG to finish the update. I manually updated one more time just to make sure.
 

lampPC

Dear all,

What is the recommended spec if I want to do dual WAN or triple WAN out to a single LAN port?
 

TanKianW

*Add-on to Post #2*

*Using Custom DNS Over TLS on pfSense*

Received some queries on the use of custom DNS on pfSense, so I decided to cover a little bit more on this, to set up the custom DNS over TLS, which was well explained by Tom of Lawrence Systems some time back.



Setting up the Custom DNS (You will need to specify DNS for respective WANs for multi-WANs setup):


Set up page for DNS over TLS on DNS Resolver (pfsense CE 2.5.1):


Points to note:
  • The main reason for using custom DNS over TLS is to increase privacy so that the transport in between (pass over port 53) will not be snooped on by your ISP. This is not a foolproof method since the ISP can still see your IP address, but it prevents them from looking at the DNS queries.
  • As for some of the use cases, I shall not explain too much. But it will allow you to use your internet more "freely".
If you are hosting your own servers, the "DNS Host Overrides" on pfsense might be useful to you:
 
Last edited: