PFSense help - DHCP issues

[qbhatti]

Hi.

I have gigabit fiber up/down with a provider on the Cityfiber network.
I currently have a Draytek 3900 router - which is nice, but doesnt have 10gig in it.
So i managed to get hold of something called a FORCEPOINT 1100 10gig router. It has PFSense on it.

I have never used PFSense before and am trying to learn how to make it work, before I fully deploy this (else lots of angriness from mrs).

1. I managed to get the VLAN-tagging working on the WAN, as well as MAC clone so now it does see the internet.
2. I am struggling with DHCP rules - in my current router I can assign reserved DHCP bits to various parts of my network - like my homeassistant, my plex, and my CCTV bits and bobs. These are all on the 192.168.0.x address range.

PFSense DOES NOT let me reserve these bits of the DHCP if the range is 192.168.0.1-254 - how do I get around this?

Option 1.
1. Move CCTVs to 192.168.2.x
2. Move server/home bits to 192.168.3.x
3. Leave the DHCP pool as it currently is - 192.168.0.x
I dont know how I am supposed to set this so I can use WiFi to login to the CCTV bits, or the server bits - something about subnets but im really not sure I understand how I am supposed to set it.

Option 2.
1. Set the DHCP reserved bits to a narrow bit that is not currently 'reserved' - the problem is my CCTVs are on the 200s, APs and routers are on the 10s, and a home bits are between 20-50s.



Any help of what I should do?

 

[Glanza]

Switch to OPNSense if your just getting started, it's a fork that is pretty much the EU version and gets updated faster.

 

[Simon42]

PFSense DOES NOT let me reserve these bits of the DHCP if the range is 192.168.0.1-254 - how do I get around this?

It does allow this type of use by creating multiple pools for each subnet see https://docs.netgate.com/pfsense/en/latest/services/dhcp/ipv4.html#general-options

I usually split CCTV and other traffic (IoT, guest etc) into appropriate VLANs so I can lock things down but if you're not very familiar with pfSense then mirroring what you had before may be a good start for now.

 

[qbhatti]

OK thanks simon - thats useful to know.
I got hold of a forcepoint 1100 which has the 2x SFP+ ports on it - so im hoping it will keep everything runny smoothly on it. Im going to take a look at it and see what happens.

Ive tried to get my head around VLANS but i struggled - will look at some more youtubes.

 

[Simon42]

Ive tried to get my head around VLANS but i struggled - will look at some more youtubes.

VLANs are quite simple although tagging can appear confusing at first especially with multiple VLANs over trunk routes etc, but this also depends on what other kit (switches, access points) you have and how its connected.

Basically you can set up VLANs each with their own DHCP settings (Services -> DHCP server) and for each you can set DHCP range and pools to divide the subnet as you like, and also assign static IPs etc. By default these VLANs won't be talk to each other unless you add firewall rules which are per configured per VLAN/network other than floating rules. This makes it easy to restrict access one or both ways between them.

Definitely read up and be sure you've got a good idea of what's possible and a good plan for your network. Some of us here have really complex home setups but for most users its overkill.

 

[qbhatti]

Im not sure my setup is that complex but I dont know.

garage:
forcepoint 10g router
tplink 10g switch (managed)
tplink POE 1g switch (dumb)
NVR
server
--> AX access point in attic conversion.



Lounge:
10 port multigig switch (managed - connected at 10g to garage)
16 port poe 1g switch (dumb - most of the cameras end up here)
--> AC access point in downstairs far end of house.

I have had issues of not being able to 'see' new cameras when I first buy them and connect them as they are 192.168.1.x without having to set my TCPIP settings in windows to 192.168.1.xx first - i dont want this to happen, and not sure how to avoid this if I call the cctv bit 192.168.2.x and the server 192.168.3.x etc