Help setting up pfSense

Hey folks,

Having a tinker with pfSense as I'm moving to Sky Fibre so fancied getting a little more control now that I'll be using the connection for more.

I've got a Windows 10 "server" that I'm using for Plex that's on 24/7, so I fancied that would make a good pfSense box if I ran it in Virtual Box.

The old setup was:

Sky Modem (WiFi disabled, DHCP enabled)
|
switch
/ | \
Server PCs Unifi APs

The new setup I figured would just be:

Sky Modem (WiFi disabled, DHCP disabled)
|
Server
- new 2nd NIC connected to modem
- pfSense running in Virtual Box (DHCP enabled on LAN side)
- onboard NIC connected to switch
|
switch
/ \
PCs Unifi APs


So keeping in mind that I still want my host server to function correctly (i.e. connect to the internet and the LAN, through the pfSense VM), I'm just a little confused about which network addresses need to be static and which ones can be dynamic.

Also, how do you configure your network on your host server to connect through pfSense? Or how do I check... because with DHCP disabled on my Sky modem I've currently got a static IP assignment and gateway setup to point to that, so that's to stop my network traffic just utilising that rather than being forced to use pfSense?

Anyway, a bit of help to point me in the right direction for docs that might cover the specific problems I'll face would likely be a good start, or any other advice much appreciated :)

EDIT: I should say when setting this up I almost feel like I need a 3rd virtual NIC or something to configure for the HOST machine... I'm just not sure if that's actually what I'd need.
 
It's a slightly different setup to mine so I'm not entirely sure how to solve most of your issues, but I'll give my thoughts ;)

Is there a way to switch the Sky Router into a purely "modem" mode as opposed to just disabling DHCP? If not it would maybe be worth you trying to get a BT Openworld Fibre Modem.

I also run pfSense as a VM. I have it set up with a passed through PCIe Dual Nic Card. So the Dual Nic is purely dedicated to pfSense. I then have the onboard NIC on my server plugged into my switch as I would if using a physical router.

VM Superhub In Modem Mode
|
Dual NIC (located in server but passed through to pfSense VM)
|
Switch
/|\
Server/PCs/AP
 
No, as far as I'm aware there isn't a way to just have it in modem mode.

The fact it's still got its firewall isn't a major issue if I just remember it's there.

Yeah, see, a 3rd NIC would make a lot of sense in my head, and although there's no doubt some way round it I'm not that clued up on how to achieve it.

Is your host machine running Windows? I've had a bit of reading around and it appears that to get around the problem I have (in my head) where I asked the question of "how do I stop the host using the direct connection to the modem?" I should remove the IP4/6 protocols from the network adapter. Is this what you've done?
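
The check asked about in this thread, written as an added example for a Windows host (it is not from any poster): it reports whether the modem-facing NIC still has IPv4/IPv6 bound on the host and whether any default route avoids pfSense. The adapter names and the pfSense LAN address are assumptions; substitute your own.

```powershell
# Added example. These three values are assumptions, not taken from the thread.
$WanAdapter = 'WAN-to-modem'   # hypothetical name of the 2nd NIC cabled to the modem
$LanAdapter = 'LAN-to-switch'  # hypothetical name of the onboard NIC cabled to the switch
$PfSenseLan = '192.168.1.1'    # assumed pfSense LAN address (the host's gateway)

function Test-HostBehindPfSense {
    param([string]$Wan, [string]$Lan, [string]$Gateway)
    $problems = @()

    # 1. The host should have no IP stack bound on the modem-facing NIC.
    #    The hypervisor's bridge driver stays bound so the VM can use the NIC.
    $bound = Get-NetAdapterBinding -Name $Wan -ComponentID ms_tcpip, ms_tcpip6 |
        Where-Object Enabled
    foreach ($b in $bound) {
        $problems += "$Wan still has $($b.ComponentID) bound; host can reach the modem directly"
    }

    # 2. Every default route (IPv4 and IPv6) must leave via the LAN NIC.
    $defaults = Get-NetRoute -DestinationPrefix '0.0.0.0/0', '::/0' -ErrorAction SilentlyContinue
    if (-not $defaults) { $problems += 'no default route found' }
    foreach ($r in $defaults) {
        if ($r.InterfaceAlias -ne $Lan) {
            $problems += "default route $($r.DestinationPrefix) uses $($r.InterfaceAlias), not $Lan"
        }
        # 3. The IPv4 default route's next hop must be pfSense itself.
        elseif ($r.DestinationPrefix -eq '0.0.0.0/0' -and $r.NextHop -ne $Gateway) {
            $problems += "IPv4 default gateway is $($r.NextHop), expected $Gateway"
        }
    }
    return $problems
}

$result = Test-HostBehindPfSense -Wan $WanAdapter -Lan $LanAdapter -Gateway $PfSenseLan
if ($result) {
    $result | ForEach-Object { Write-Warning $_ }
    # To unbind the IP stack from the modem-facing NIC (run elevated):
    #   Disable-NetAdapterBinding -Name $WanAdapter -ComponentID ms_tcpip, ms_tcpip6
} else {
    Write-Output "Host traffic is routed via pfSense at $PfSenseLan"
}
```

Run it again after a reboot or a driver update to confirm the bindings on the modem-facing NIC have not been re-enabled.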
 
My Host OS is UnRaid. I've not done anything special with networking settings; once the pfSense VM was set up with the NIC passed through it just acts exactly the same way as a physical router would. My server is set up with a Static IP and pointed to the pfSense IP for gateway and DNS. Most of the other devices on the network are set up to get their addresses via DHCP.

[Image: pfsense1.jpg]
Server network settings on left.
 
So I gave up on pfSense when I found my Asus N66U router and installed ASUSWRT-Merlin.

I think it's going to give me everything I need, with the one exception being it's not immediately obvious how I can set up an OpenVPN client to only be used for some hosts... Not sure if it's possible but I think it will need a different thread!
 
Once I figured out what I was looking for (split-tunneling) I found the "policy based routing" configuration that I was after in the Merlin GUI.

https://github.com/RMerl/asuswrt-merlin/wiki/Policy-based-routing

Super handy for me because while I want to encrypt my entire network I'm having troubles with Sonos working with it, so want to exclude that. Also likely I'll have issues with streaming full 4K stuff over the VPN so likely will exclude the Amazon Fire TVs in the future. In fact... I'd imagine it would probably complain if my VPN is set for somewhere exotic! :)
 