pfSense questions


danb35

For the last 15+ years, I've been running what's now Koozali SME Server (www.koozali.org, formerly Mitel e-smith Server) as my home server/router. It's a Linux-based web/mail/file server that incorporates a NAT gateway/firewall and a variety of other features that aren't especially relevant. It's worked well and met my needs so far, but there are some things I'd now like to do that it just isn't capable of, so I'm looking mostly at pfSense to handle the routing/firewall functions, while keeping the SME server for web/mail/etc duties. The particular capabilities I'm thinking of are:
  • I'd like to set up a guest WiFi network that's completely isolated from my main LAN. Clients on the guest network shouldn't be able to see each other, or wired machines on the LAN, but should have Internet access.
  • I'd like the ability to use a second Internet connection, mostly as a backup to my main connection, but also for increased bandwidth.
In addition, I'm running an OpenVPN server right now. I'd prefer to put VPN duties for both computer and mobile device clients onto the router, and I'm pretty sure pfSense can handle that. I'd be willing to consider a different VPN platform, but it'd need to work with Mac, Linux, and iOS clients, at a minimum.

On the first bullet, I have a Ubiquiti access point that supports multiple SSIDs and VLAN tagging, which I'm thinking would make it fairly straightforward. As to my existing server, I'm thinking I'd just forward the relevant ports (25, 80, 110, 143, 443, 993, 995) to that server and disable its routing functions.

Any thoughts on this? Or alternative suggestions? I'm also considering Sophos, but not a big fan of the "crippleware" aspect*. Whatever the software, I'd want to run it on a standalone, fairly low-power device like this.

* Edit: but I'm not really fond of pfSense's "hide the documentation unless you pay for a $100 membership" approach either.
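As an added illustration of the policy sketched in the post above (guest VLAN isolated from the wired LAN but with Internet access, NAT, and the listed ports forwarded to the SME server), here is the same thing written as a hand-edited pf.conf. This is not from the thread or from pfSense's own generated rules; interface names, the VLAN ID, the subnets and the server address are assumptions. Wireless client-to-client isolation is an AP setting, since the firewall never sees frames that stay inside one SSID.

```pf
# Added example: guest-VLAN isolation, NAT and port forwards as a pf.conf.
# Interface names, VLAN ID, subnets and server address are assumptions.
ext_if   = "igb0"          # WAN
lan_if   = "igb1"          # wired LAN, assumed 192.168.1.0/24
guest_if = "igb1.20"       # VLAN 20 subinterface carrying the guest SSID
sme      = "192.168.1.10"  # the existing SME server (assumed address)
srv_tcp  = "{ 25, 80, 110, 143, 443, 993, 995 }"
rfc1918  = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"

set skip on lo0
scrub in all

# Source NAT for both internal networks behind the WAN address
nat on $ext_if from { $lan_if:network, $guest_if:network } to any -> ($ext_if)

# Port forwards: published services land on the SME server only
rdr on $ext_if proto tcp from any to ($ext_if) port $srv_tcp -> $sme

# Default deny inbound and log what is dropped
block in log all
pass out quick keep state

# Wired LAN: trusted, may reach anything
pass in on $lan_if from $lan_if:network to any keep state

# Guest VLAN: router services (DHCP, DNS) first, then no private ranges,
# then anything else (the Internet). Order matters because of "quick".
pass in quick on $guest_if proto udp from any port 68 to any port 67
pass in quick on $guest_if proto { tcp, udp } from $guest_if:network to ($guest_if) port 53 keep state
block in log quick on $guest_if from $guest_if:network to $rfc1918
pass in on $guest_if from $guest_if:network to any keep state

# Let the forwarded connections in on WAN, state-tracked
pass in on $ext_if proto tcp from any to $sme port $srv_tcp flags S/SA keep state
```

In the pfSense GUI the equivalent is a per-interface rule set on the VLAN interface plus NAT port-forward entries; the block-before-pass ordering on the guest interface is what keeps guests off the LAN.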
 

Jailer

pfSense will work for what you want and runs well on that netgate appliance you linked to. How fast is your internet connection?

You've already got the access point, so stick with that; it's your best option for meeting your WiFi needs. Just set up a guest network with its own SSID and you should be all set there. Not sure how you would prevent clients on the same subnet from seeing each other, though. Clients on the LAN should be fine and isolated with a guest network set up.

Not sure what you mean by "hide the documentation"; it's readily available online. Gold membership gets you 2 support instances and access to the talk and how-to videos. The forums are a good resource and there are some very helpful people there, just don't expect a lot of hand-holding. You have to have a pretty good understanding of basic networking to understand what the guys over there are talking about if you request help.
 

danb35

> How fast is your internet connection?

50 Mbit down/10 up.

> Not sure on how you would prevent clients on the same subnet from seeing each other though.

I think, but am not sure, the Ubiquiti does that, at least for WiFi clients on SSIDs designated as "guest" networks.

> Not sure what you mean by "hide the documentation", it's readily available on line.

There's a wiki online, but the manual itself is only available with the Gold membership (isn't it?), and the wiki apparently leaves things out. For example, the OpenVPN page says "WARNING: This guide is brief, and omits important considerations. Consult the OpenVPN chapter in the pfSense book rather than relying on this entirely." That's not entirely reassuring.

> You have to have a pretty good understanding of basic networking to understand what the guys over there are talking about if you request help.

I think I do, but pfSense gives a lot more bells, whistles, and knobs than I've had to deal with in the past. It looks like a basic configuration (1 WAN connection, 1 LAN NATted to that) should be simple and safe enough though.
 

Jailer

That Netgate appliance will have more than enough headroom for your connection even with some packages running. It should do line speed with OpenVPN as well.

I'm not a gold member so I can't comment on what the book contains. The wiki is somewhat limited but the forums more than make up for what's not there.

Unless I'm mistaken, the "guest" SSID is just a VLAN that's being handled by the AP instead of the router. Your guests won't be able to see anything on your LAN.

Honestly from reading your responses here helping others I'm sure you'll have no issues whatsoever getting pfSense up and running. I've been running it for about 2 years now and had zero networking experience when I started with it. I love it and would never go back to any SOHO router. Besides, it's based on FreeBSD so that makes it even more awesome. :D
 

danb35

Well, the Netgate box is on the way and should be here Thursday. Small SSD was delivered yesterday. May take a while before I get it in service, but it appears that everything should be do-able. Thanks for the info.

I'm starting to feel like a test case for Allan Jude's "de-penguinize your infrastructure" talk...
 

depasseg

I'm sorry I missed this last week. Have you looked at the Ubiquiti router? Either the EdgeRouter Lite ($100) or the UniFi Security Gateway ($120). If you have the UniFi APs (and controller), then the latter is a breeze to configure and gives you some nice insights into network performance and utilization.
 

danb35

I did look at those, but you know the DIY motto--spend twice as much to do it half as well! (-: Seriously, though, I remember thinking they wouldn't quite handle everything I wanted to do, though I don't now remember exactly what I thought they wouldn't do. I may yet regret that decision, though.
 

depasseg

> Seriously, though, I remember thinking they wouldn't quite handle everything I wanted to do

I can understand this. I've been using the ERL, and I've found that while not everything is in the GUI, their CLI command structure is incredible and well documented. The Security Gateway is a bit more limited, but would likely suit what you listed above pretty easily (not sure if dual-WAN load balancing is enabled yet, or if it's just fail-over). But the pfSense box is pretty sweet as well. I've also been testing out the free Sophos box and it's not bad (even with all the freebie hobbling).
 

pirateghost

> I did look at those, but you know the DIY motto--spend twice as much to do it half as well! (-: Seriously, though, I remember thinking they wouldn't quite handle everything I wanted to do, though I don't now remember exactly what I thought they wouldn't do. I may yet regret that decision, though.

The ERL is an amazing device and will readily handle all the things you wish to do, if I have read your requirements correctly. It's a great router.

> I can understand this. I've been using the ERL, and I've found that while not everything is in the GUI, their CLI command structure is incredible and well documented. The Security Gateway is a bit more limited, but would likely suit what you listed above pretty easily (not sure if dual wan load balancing is enabled yet, or if it's just fail-over). But the pfsense box is pretty sweet as well. I've also been testing out the free sophos box and it's not bad (even with all the freebie hobbling).

What freebie hobbling in Sophos?
 

depasseg

4 cores, 6GB RAM and some cloud or advanced threat detection stuff (I forget the details, but they clearly aren't a big deal to me). And I should note that this is for the XG (edited to correct model).
 

pirateghost

> 4 cores, 6GB RAM and some cloud or advanced threat detection stuff (I forget the details, but they clearly aren't a big deal to me). And I should note that this is for the SG.

Those are limitations on the new XG.
;)

The SG doesn't have such limitations. The SG actually has MORE functionality.
 

depasseg

Good catch, yes, it's the XG. Freakin thing doesn't say that anywhere in the GUI. :smile:
 

pirateghost

I have found the xg to be piss. I don't want to upgrade my UTM 9. Ever. It will make me sad when it's discontinued
 

danb35

Well, figures the thread would get more traffic after I've already ordered the hardware for pfSense (though I'm sure it could be easily repurposed for Sophos if desired)...
 
YouTube has a lot of incredible guides for pfSense. There is one gentleman who does a complete breakdown of everything on all the new releases for pfSense. Be wary though: they are in extremely gory detail and are usually 4-5 parts at 1.5 hours each, but he explains everything extremely well.

I followed the guides on YouTube for setting up my OpenVPN server on pfSense. Some extra configuration is offered in those guides.

I really like my pfSense router. I've tried to set up Sophos on a VM but always end up having trouble with it. But that's me.
 

Scareh

I've been using pfSense on a XenServer VM for about a year now. No doubt about it, it's the most versatile firewall, proxy and VPN server I've found.
The only downside is indeed the documentation; that I agree on. I also agree on the fact that the forum is one of the best places to find additional help (the pfSense one, that is).

And if all else fails, just ask on here; lots of people have experience with pfSense.
 

danb35

The box arrived today. It's a little bigger than I'd envisioned, though not greatly so. It'd be nice if Netgate had some kind of documentation for the hardware--what the different pin headers on the motherboard were, which of the three apparently-identical internal ports was mSATA, etc.--but ADI Engineering has enough online to handle it. Installed the SSD, installed pfSense 2.3.2, and away we go.

Is there a menu option I'm missing to shut the system down, or is it safe to just pull the plug?
 
The web GUI has a shutdown option under Services, I believe. Otherwise SSH/console in and just run the shutdown command.


 