Starting pfsense for New Users

TanKianW

Supremacy Member
Joined
Apr 21, 2005
Messages
5,884
Reaction score
2,187
Thanks, I managed to get it working already. Actually I thought that I would be getting a block request from pfSense but it turns out it just resolves the blacklisted domain to the 172.x IP that I specified LOL.

Can I check what I should be expecting to see at the reports section for DNSBL blockstats?
I am looking at mine and it seems like it is not blocking much???

Maybe it means you are doing good? ;)

Let it run a few days......you can go explore around less "decent" sites....if you know what I mean. :ROFLMAO:

You can try adding more blocklist if you like. Just don't overdo it.

Maybe you can play around with the basic old-school "ShieldsUP!" test after securing your network.
https://www.grc.com/x/ne.dll?bh0bkyd2
 
Last edited:

TanKianW

Supremacy Member
Joined
Apr 21, 2005
Messages
5,884
Reaction score
2,187
*SHARING* Recent Rack Setup for pfSense
Received some queries on 1U rack pfSense setups. Below is a more "recent" system for a WFH financial project, for your reference:

Specs I have shared earlier here:
https://forums.hardwarezone.com.sg/...-for-new-users.6390714/page-19#post-135211019
*Take note that I am using a Supermicro 1U PCIe x8 riser card. The unit also comes with dual mirrored (ZFS) SSD boot drives.

How it looks if you are considering housing it in a 1U chassis:
Rear I/Os and cooler height (just clears)


Top view:


Front view:


Single Stream Performance Test on the pfSense unit:


Multiple Streams Performance Test on the pfSense unit (Close to 10G routing):
 
Last edited:

Elijahonli

High Supremacy Member
Joined
Oct 27, 2008
Messages
25,759
Reaction score
120
Thanks @TanKianW and the rest of the bros for the guidance on the components and settings

Got my custom pfsense router up and running :D



Intel(R) Core(TM) i5-4570 CPU @ 3.20GHz
16GB RAM
400W Flex-ATX 80Plus Gold PSU
120GB SSD
Intel Gigabit ET Quad Port Server Adapter (E1G44ET) NIC
 
Last edited:

TanKianW

Supremacy Member
Joined
Apr 21, 2005
Messages
5,884
Reaction score
2,187
*Choosing a Motherboard that supports IPMI for pfSense
Some asked about the reasons why I prefer a server motherboard with IPMI when building an enterprise-class firewall like pfSense. The reason is simple. For example, if due to some screw-up you lose access to the webconfig, or when you want to access your pfSense boot console (to restore a previous stable config), in "normal circumstances" you are required to connect a keyboard and monitor directly to the firewall appliance. With IPMI you can do all that remotely from another PC. The older motherboards' IPMI requires Java while the newer ones come with support for HTML5.

Wendell from Level1Techs (previously Tek Syndicate) explains the use of IPMI and why it is so useful and convenient.



How the IPMI management interface looks, with direct access to the motherboard BIOS from IPMI. Take note that for the older Java-based IPMI, you will need to use the Firefox browser with JRE 7u80 (Chrome will not work).


*Check on your boot mirror setup under Diagnostics -> GEOM Mirrors
The main advantage of a mirrored boot drive is that when one drive fails, you can still retrieve all your firewall settings and keep it running until you replace the failed drive.
 
Last edited:

TanKianW

Supremacy Member
Joined
Apr 21, 2005
Messages
5,884
Reaction score
2,187
*(For Advanced pfSense Users ONLY) Hardware Tuning and Troubleshooting

For those who are building their own pfSense appliance (rack or desktop) using OTS (off-the-shelf) DIY hardware, you might sometimes run into quirky performance issues which require system tuning and troubleshooting, especially due to some hardware features that are not supported in the first place and require "disabling". On the other hand, hardware tuning could also help to optimise your overall pfSense appliance performance (e.g. HAProxy, memory allocation, MBUF, etc.).

Warning: I advise backing up your pfSense before trying out any of these settings, just in case there is any screw-up. I also advise that such tuning is more suited for advanced pfSense users (who know what they are doing) or some who might be feeling adventurous and want to gain a deeper understanding of the firewall appliance. You should also possess some basic foundation in Linux/Unix commands to make sure that you don't screw this up.

Feel free to read up here for more information and some of the NIC specific issues:
https://docs.netgate.com/pfsense/en/latest/hardware/tune.html

Adding System Tunables under System -> Advanced:


Check/verify using the "sysctl -a" command under Diagnostics -> Command Prompt


Access Shell through boot command:
 
Last edited:

Java_Guru

Senior Member
Joined
Aug 4, 2001
Messages
2,229
Reaction score
0
I am looking for a 1U case that allows my ports to face the front. This is so I can access all the ports easily and swap with my switch. Anyone seen one that can do this?
 

TanKianW

Supremacy Member
Joined
Apr 21, 2005
Messages
5,884
Reaction score
2,187
I am looking for a 1U case that allows my ports to face the front. This is so I can access all the ports easily and swap with my switch. Anyone seen one that can do this?

You can check out the offerings from Supermicro. They may come at a premium though. You can check out Taobao or Amazon.

You can also find some OEM rack chassis suppliers on Taobao or AliExpress.

*For those interested in a front-facing 1U chassis and with sufficient budget, I recommend chassis from Supermicro:
https://www.supermicro.com/en/products/chassis/1u/505/sc505-203B

Techinn: https://www.techinn.com/en/super-micro-cse-505-203b-1u-barebone-server/138166455/p
 
Last edited:

TanKianW

Supremacy Member
Joined
Apr 21, 2005
Messages
5,884
Reaction score
2,187
*A Good Watch: A Simple Explanation of SD-WAN
Once in a while I receive queries on SD-WAN. I think Tom (from Lawrence Systems) gives a simple and clear explanation of the often "over-marketed" SD-WAN function. Take note that if the SD-WAN service/data centres go down, you might still be on your own, even though they usually provide sufficient redundancy (but hey, in the IT line, you should be prepared for everything to fail). You don't simply get SD-WAN by grabbing/setting up a router/firewall; it requires services to "orchestrate" it.

 
Last edited:

TanKianW

Supremacy Member
Joined
Apr 21, 2005
Messages
5,884
Reaction score
2,187
*Troubleshooting: For pfSense Users Experiencing High Memory Usage when using ZFS
Some users who selected/chose "ZFS" as the file format during the initial pfSense installation could be experiencing high memory usage (close to 70%-90%). This might be due to your ZFS installation "memory caching" more than you expected. For concerned users, I will provide some "system tunables" to solve this using the boot menu interface, which requires a reboot.

You can access the pfSense boot menu by directly connecting it to your appliance or through an IPMI interface:

Typical pfSense Boot menu:


Step by Step:
Code:
Step 1: Select 8 to enter into Shell


Step 2: Access the boot folder
TYPE:

cd /boot


Step 3: Access the boot loader config file to edit
TYPE:

ee loader.conf


Step 4: Append the following parameter to specify the max arc size
TYPE:

vfs.zfs.arc_max="2048M"


Step 5: Press Esc and choose a) to SAVE.


Step 6: Exit the shell and select 5 to reboot.

TAKE NOTE: To verify that the boot parameter has been applied, log into your pfSense web GUI, go to Diagnostics -> Command Prompt, type sysctl -a and then click Execute. You should see that the value of "vfs.zfs.arc_max" has changed.
 
Last edited:
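A helper for the ZFS ARC procedure above, written as an added example (it is not code from the post or from pfSense): it rewrites the `vfs.zfs.arc_max` line in a loader.conf without leaving duplicates when the steps are run more than once, and checks the value `sysctl -a` reports after the reboot against the size you configured. The loader.conf contents and sysctl lines are constructed samples; on a real box you would read `/boot/loader.conf` and the output of `sysctl -a` instead.

```python
import re
from typing import Optional

# Constructed sample of /boot/loader.conf with a stale arc_max from an earlier edit.
SAMPLE_LOADER_CONF = (
    'kern.cam.boot_delay="10000"\n'
    '# vfs.zfs.arc_max="8192M"   <- commented out, must be left alone\n'
    'vfs.zfs.arc_max="4096M"\n'
)
# Constructed sample of the relevant lines from `sysctl -a` after the reboot.
SAMPLE_SYSCTL = (
    "vfs.zfs.arc_min: 268435456\n"
    "vfs.zfs.arc_max: 2147483648\n"
)

_UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3, "T": 1024 ** 4}


def size_to_bytes(value: str) -> int:
    """Convert a loader.conf size such as 2048M, "2G" or 2147483648 to bytes."""
    m = re.fullmatch(r'\s*"?(\d+)\s*([KMGT]?)"?\s*', value.upper())
    if not m:
        raise ValueError(f"unparseable size: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]


def set_tunable(conf: str, key: str, value: str) -> str:
    """Return conf with exactly one key="value" assignment.

    The forum steps just append the line; done twice that leaves duplicates,
    and the last one silently wins at boot. This rewrites an existing
    assignment in place (comment lines are left alone), drops any further
    duplicates, and appends only when the key is absent.
    """
    pattern = re.compile(rf"^\s*{re.escape(key)}\s*=")
    new_line = f'{key}="{value}"'
    out, replaced = [], False
    for line in conf.splitlines():
        if pattern.match(line):
            if not replaced:
                out.append(new_line)
                replaced = True
            continue
        out.append(line)
    if not replaced:
        out.append(new_line)
    return "\n".join(out) + "\n"


def arc_max_from_sysctl(sysctl_output: str) -> Optional[int]:
    """Pick vfs.zfs.arc_max out of `sysctl -a` text, or None if it is absent."""
    for line in sysctl_output.splitlines():
        name, sep, val = line.partition(":")
        if sep and name.strip() == "vfs.zfs.arc_max":
            return int(val.strip())
    return None


def verify_arc_max(sysctl_output: str, expected: str) -> bool:
    """True when the running kernel reports the limit you configured."""
    actual = arc_max_from_sysctl(sysctl_output)
    return actual is not None and actual == size_to_bytes(expected)


if __name__ == "__main__":
    updated = set_tunable(SAMPLE_LOADER_CONF, "vfs.zfs.arc_max", "2048M")
    print(updated, end="")
    print("arc_max applied:", verify_arc_max(SAMPLE_SYSCTL, "2048M"))
```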

TanKianW

Supremacy Member
Joined
Apr 21, 2005
Messages
5,884
Reaction score
2,187
*Availability of the Netgate SG6100 and initial review
For those who are willing to pay a local carrier to import the appliance, the SG6100 is a good start for those with a homelab or prosumers wanting to upgrade their router/firewall. I will say that if you are familiar with pfSense, this is definitely more powerful than most consumer/prosumer routers out there, including the UDM/Pro/USG, if you are still unsure. This unit comes with 2x SFP+ 10G ports, is capable of routing at 10G for multiple streams, and does load balancing & failover for multiple WANs.




For jump ship personnel:



*WAN Load Balancing (2x 1G fibre) on pfSense:
 
Last edited:

TanKianW

Supremacy Member
Joined
Apr 21, 2005
Messages
5,884
Reaction score
2,187
Those who are using pfBlockerNG, I have a question:

1) Are we able to schedule the rules to be off for a certain device? e.g. Monday - Friday 10am-7pm?


Sent from A universe Where pink PWNED everything

I don't use that. But I think you mean "time-based rules".

Read: https://docs.netgate.com/pfsense/en/latest/firewall/time-based-rules.html

You can find the video tutorial on scheduling of firewall rules on the first page of this thread. It should not be a problem since any rules created by pfBlockerNG can be found under the "floating" rules section. There is a setting under "schedule" where you can make changes and set routine schedules.

 
Last edited:

Trans-Am

Supremacy Member
Joined
Apr 2, 2014
Messages
7,035
Reaction score
245
I don't use that. But I think you mean "time-based rules".
Read:
https://docs.netgate.com/pfsense/en/latest/firewall/time-based-rules.html
You can find the video tutorial on scheduling of firewall rules on the first page of this thread. It should not be a problem since any rules created by pfBlockerNG can be found under the "floating" rules section. There is a setting under "schedule" where you can make changes and set routine schedules.

Thanks, will read on it


Sent from A universe Where pink PWNED everything
 

TanKianW

Supremacy Member
Joined
Apr 21, 2005
Messages
5,884
Reaction score
2,187
*Update on Post #7

*Setting up Telegram Notification on pfSense*
Some pfSense users asked me: instead of using email notification, what could be another good way for the pfSense appliance to send you notifications or alerts? Well, you could use pfSense to send you alerts through Telegram notifications too. The setup is pretty straightforward, so you just need to follow the step-by-step guide below:

Step 1:
Install the Telegram client on a computer, mobile (Android or iOS) or even use the web app through your browser. You will need to register a Telegram account. Do create a username for your Telegram account.

Step 2:
Create API keys using the bot created with the help of the Telegram BotFather. (Yes, there is a bot to create a bot!)
  • Under the search, search for "BotFather". Send a message to BotFather and type "/start", followed by "/newbot".
  • Create a name for your bot followed by creating a username for your bot (username ends with Bot or _bot).
  • You will see a reply like below. Copy the API keys (yellow box) and save them somewhere. It will look like: 1234567890:AETEGcnsf8735hhwhdfo2rhj9SFkjdnWDfg489604


Step 3:
Start your bot by sending a message to the name of your bot. Take note that this is not your bot username. Send the message "/start" to start your bot.


Step 4:
  • Next we will need to get your Chat ID to input into the pfSense configuration. Go to your browser and, in the URL bar, type: https://api.telegram.org/bot<<INPUTYOUR-API-KEYS-HERE>>/getUpdates
  • You will see your Chat ID below in the yellow box:


Step 5:
Navigate to the pfSense setting System -> Advanced -> Notification. Check Enable, cut & paste the API keys and your Chat ID accordingly, then test the notification before saving. You will see the reply from your "pfSense.localdomain" shown in Step 3 above.
 
Last edited:
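Steps 4 and 5 above in code form, as an added example that is not part of the post or of pfSense: the first function pulls every chat ID out of a getUpdates response (so you can tell a private chat from a group the bot was added to), and the second builds the Bot API sendMessage request that a test notification relies on. The getUpdates JSON is a constructed sample and the token is a placeholder; only `send_message` touches the network.

```python
import json
import urllib.parse
import urllib.request
from typing import Dict

API = "https://api.telegram.org"
# Placeholder only. The real token from BotFather is a secret: it gives full control of the bot.
TOKEN = "1234567890:PLACEHOLDER-BOT-TOKEN"

# Constructed sample of a getUpdates reply after /start was sent from a private chat
# and someone also messaged the bot from a group it had been added to.
SAMPLE_UPDATES = json.dumps({
    "ok": True,
    "result": [
        {"update_id": 100000001,
         "message": {"message_id": 1, "date": 1700000000, "text": "/start",
                     "chat": {"id": 55555555, "type": "private", "first_name": "Alice"}}},
        {"update_id": 100000002,
         "message": {"message_id": 2, "date": 1700000100, "text": "hi bot",
                     "chat": {"id": -1001111111111, "type": "supergroup", "title": "ops"}}},
    ],
})


def chat_ids(updates_json: str) -> Dict[int, str]:
    """Map every chat ID in a getUpdates payload to a "type:label" string.

    Private chats and groups both show up, so pick the one pfSense should
    post into. An empty dict means the bot has not received a message yet
    (send /start first) or the updates have already been consumed.
    """
    data = json.loads(updates_json)
    if not data.get("ok"):
        raise RuntimeError(f"Telegram API error: {data.get('description')}")
    found: Dict[int, str] = {}
    for upd in data.get("result", []):
        chat = (upd.get("message") or upd.get("channel_post") or {}).get("chat")
        if not chat:
            continue
        label = chat.get("title") or chat.get("username") or chat.get("first_name") or "?"
        found[chat["id"]] = f"{chat['type']}:{label}"
    return found


def build_send_request(token: str, chat_id: int, text: str) -> urllib.request.Request:
    """Build the Bot API sendMessage POST without sending it.

    The token sits in the URL path, so anything that records URLs (proxies,
    the browser history from the getUpdates step) sees it; regenerate it
    via BotFather if it leaks.
    """
    body = urllib.parse.urlencode({"chat_id": chat_id, "text": text}).encode()
    return urllib.request.Request(f"{API}/bot{token}/sendMessage", data=body, method="POST")


def send_message(token: str, chat_id: int, text: str) -> dict:
    """Perform the request (needs network) and return Telegram's JSON reply."""
    with urllib.request.urlopen(build_send_request(token, chat_id, text), timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print(chat_ids(SAMPLE_UPDATES))
```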

Eraserpencil

Suspended
Joined
Feb 16, 2017
Messages
11
Reaction score
0
Hey! I need help planning out my network, not sure if what I have in mind makes sense.

I have an ONT with a Singtel 1Gbps plan, upgrading to Singtel 2Gbps with a pair of Singtel Mesh Extender AC2600. That upgrade will (I THINK) change the ONT to an ONR. Currently I intend to have an OPNsense box from the ONT/ONR to 2 different routers. The idea is to have 2 different networks in the house. 1 should be untouched for other household members to use. The other is for me to start playing around with OPNsense and learn about networking. Because my room is the furthest from the router, the second network will be through the 2 mesh extenders (via wireless backhaul). The first network will just be via a generic router like an ASUS RT-AX86U.

I have a few questions, if you could shed some light.
1) Is there a difference between an ONT/ONR? Should I want one over the other?
2) Can I set up VLANs based on what I said on the OPNSense box?
3) Any gotchas I should look out for when using Singtel Mesh Extender AC2600?
 

firesong

Supremacy Member
Deluxe Member
Joined
Jan 17, 2001
Messages
7,906
Reaction score
3,947
Hey! I need help planning out my network, not sure if what I have in mind makes sense.

I have an ONT with a Singtel 1Gbps plan, upgrading to Singtel 2Gbps with a pair of Singtel Mesh Extender AC2600. That upgrade will (I THINK) change the ONT to an ONR. Currently I intend to have an OPNsense box from the ONT/ONR to 2 different routers. The idea is to have 2 different networks in the house. 1 should be untouched for other household members to use. The other is for me to start playing around with OPNsense and learn about networking. Because my room is the furthest from the router, the second network will be through the 2 mesh extenders (via wireless backhaul). The first network will just be via a generic router like an ASUS RT-AX86U.

I have a few questions, if you could shed some light.
1) Is there a difference between an ONT/ONR? Should I want one over the other?
2) Can I set up VLANs based on what I said on the OPNSense box?
3) Any gotchas I should look out for when using Singtel Mesh Extender AC2600?
1. Don't change to the ONR. Getting permission for bridging is hit-and-miss, but it's also the exception rather than the norm. If you have the ONT, fight to stick to the ONT. The 2Gbps plan generally does not benefit most people in terms of bandwidth - but perhaps you have 20 or more people staying at home with you and all using the bandwidth at the same time. If it's the normal 5 or fewer pax household, a 500Mbps/1Gbps plan is more than sufficient imo. ;) (Just fwiw, Netflix streaming at 4K only requires 25Mbps). In any case, with the 2Gbps plan, it's split into 1+1: 1 Gbps bridged, and the other you're forced to keep unbridged. It's "combined" by Singtel's proprietary router, so effectively you either remove your OPNsense box from the network, or you run it at 1Gbps anyway.

2. VLANs are the way to go, so you will only need one set of infrastructure and to VLAN-tag appropriately. You don't need separate wireless equipment for that - just configure tags and switch as needed.
 

UnusedCalculator

Junior Member
Joined
Jul 11, 2021
Messages
38
Reaction score
3
1. Don't change to the ONR. Getting permission for bridging is hit-and-miss, but it's also the exception rather than the norm. If you have the ONT, fight to stick to the ONT. The 2Gbps plan generally does not benefit most people in terms of bandwidth - but perhaps you have 20 or more people staying at home with you and all using the bandwidth at the same time. If it's the normal 5 or fewer pax household, a 500Mbps/1Gbps plan is more than sufficient imo. ;) (Just fwiw, Netflix streaming at 4K only requires 25Mbps). In any case, with the 2Gbps plan, it's split into 1+1: 1 Gbps bridged, and the other you're forced to keep unbridged. It's "combined" by Singtel's proprietary router, so effectively you either remove your OPNsense box from the network, or you run it at 1Gbps anyway.

2. VLANs are the way to go, so you will only need one set of infrastructure and to VLAN-tag appropriately. You don't need separate wireless equipment for that - just configure tags and switch as needed.
Hey, Eraserpencil here. Had the mods deactivate that account in favor of this one.

I just realised the Singtel devices for the 2Gbps and the 1Gbps plans only support up to Wi-Fi 5. I would probably get a 1Gbps plan then and use the free router as the common one for the house. Would you suggest getting a pair of XT8s or 2 standalone APs (like an RT-AX86U) to do the wireless-backhauled mesh network for me to test out OPNsense?

Not really sure what the concern about bridging is...
 

TanKianW

Supremacy Member
Joined
Apr 21, 2005
Messages
5,884
Reaction score
2,187
Hey! I need help planning out my network, not sure if what I have in mind makes sense.

I have an ONT with a Singtel 1Gbps plan, upgrading to Singtel 2Gbps with a pair of Singtel Mesh Extender AC2600. That upgrade will (I THINK) change the ONT to an ONR. Currently I intend to have an OPNsense box from the ONT/ONR to 2 different routers. The idea is to have 2 different networks in the house. 1 should be untouched for other household members to use. The other is for me to start playing around with OPNsense and learn about networking. Because my room is the furthest from the router, the second network will be through the 2 mesh extenders (via wireless backhaul). The first network will just be via a generic router like an ASUS RT-AX86U.

I have a few questions, if you could shed some light.
1) Is there a difference between an ONT/ONR? Should I want one over the other?
2) Can I set up VLANs based on what I said on the OPNSense box?
3) Any gotchas I should look out for when using Singtel Mesh Extender AC2600?

1) You should stick to an ONT if possible. But if yours is replaced with an ONR (for 2G plans), you need Singtel to bridge it for you.

2) Yes, you can create VLANs on your OPNsense.

3) Not a Singtel Mesh user; some forumers here should be able to give you some advice.

My views on your setup: If you connect the ONT/ONR to the OPNsense, then to routers, you are creating double NAT. If you want to play around with the OPNsense firewall, you could connect it to the ONR port with a public IP address (which requires you to bridge the ONR), with another ONR port connecting to your mesh in AP mode.
 

xiaofan

Arch-Supremacy Member
Joined
Sep 16, 2018
Messages
17,845
Reaction score
2,800
Hey! I need help planning out my network, not sure if what I have in mind makes sense.

I have an ONT with a Singtel 1Gbps plan, upgrading to Singtel 2Gbps with a pair of Singtel Mesh Extender AC2600. That upgrade will (I THINK) change the ONT to an ONR. Currently I intend to have an OPNsense box from the ONT/ONR to 2 different routers. The idea is to have 2 different networks in the house. 1 should be untouched for other household members to use. The other is for me to start playing around with OPNsense and learn about networking. Because my room is the furthest from the router, the second network will be through the 2 mesh extenders (via wireless backhaul). The first network will just be via a generic router like an ASUS RT-AX86U.

I have a few questions, if you could shed some light.
1) Is there a difference between an ONT/ONR? Should I want one over the other?
2) Can I set up VLANs based on what I said on the OPNSense box?
3) Any gotchas I should look out for when using Singtel Mesh Extender AC2600?

Just wondering if you can talk to Singtel and not upgrade to the 2Gbps plan; that is the worst plan for you to play with pfSense/OPNsense/etc. I can even say it is the worst plan from Singtel. You simply cannot bridge the ONR for the 2Gbps plan. (BTW, it is the same for the ViewQwest 2Gbps plan.) And the free mesh that comes with it is not good.

You should stick to the original 1Gbps plan with the ONT if you want to play with two networks. You just need to buy a VLAN-capable switch to create two separate networks. I am doing that myself with the cheap TP-Link TL-SG105E. You can actually create three separate networks but usually you do not need it. I use one network with the RT-AX82U for family use and Singtel TV, then I use the other network to play with pfSense/OpenWRT/etc.

Ref: https://forums.hardwarezone.com.sg/...an-settings-with-tplink-sg108e.5746952/page-3

If you have already signed up for Singtel 2Gbps, try to negotiate with Singtel to change to the 1+1 Gbps plan where you do get two separate networks, one port bridged (you can play with OPNsense or pfSense here, no VLAN required) and the other three ports unbridged (you can use the free RT-AX86U which comes with the 1+1 plan). In this case, you do not need to set up VLANs.
 