PFsense 2.1 lan

After watching the pfsense video Logan and Quain a while back I set out on a much needed task. I revived a pretty capable hp computer I had laying around, stripped it down, and put in an intel 4 port gigabit server adapter I got on ebay and a wifi card and installed pfsense.

All this was done with the ultimate goal to replace my aging p.o.s. linksys router that is being held together with super glue and duct tape cheaply and to outperform its modern counterparts. The basic functionality that is needed is what my router now performs (4 gig lan and wifi) but of course I want to be able to take advantage of the scalability and advanced features as I become more familiar with the software.

Excited, I installed pfsense and got it up and running, using the integrated gigabit port for wan and one of the four intel ports for lan. For my main rig, it was running smoothly. But when I went to configure the other three ports and the wifi I hit a road block. I enabled the interfaces no problem but they all were incapable of connecting to the internet. After much googling and forum searches I still had no idea how to set them up so they can all access the internet.

With the recent update to 2.1 my will to get this up and running has returned, but I need your help. I am clueless when it comes to networking.

I understand that pfsense has limited wifi card support, but according to the pfsense website the processor used by my card [TP-Link Wireless N Dual Band PCI Express Adapter with 3 x 2dBi Antenna (TL-WDN4800)] should work, but this is not the end of the world because it was cheap and I would like to upgrade to ac in the future if possible.

What I need working first and foremost is enabling 4 lan ports so they would work in the most basic function, just like my old router. All able to connect to the internet and be a part of the same network.

Any input or suggestions would be greatly appreciated!

Thanks in advance,

Greg

Go to Diagnostics > Backup/Restore and download the configuration, post the output about interfaces (hide your public ip if it happens to be visible). Should look something like this:

 

<interfaces>
  <wan>
    <enable/>
    <if>vr0</if>
    <descr><![CDATA[WAN]]></descr>
    <ipaddr>dhcp</ipaddr>
    <dhcphostname/>
    <alias-address/>
    <alias-subnet>32</alias-subnet>
    <spoofmac/>
  </wan>
  <lan>
    <enable/>
    <if>vr1</if>
    <descr><![CDATA[LAN]]></descr>
    <spoofmac/>
    <ipaddr>10.53.112.1</ipaddr>
    <subnet>22</subnet>
  </lan>
  <opt2>
    <descr><![CDATA[PRIVATE]]></descr>
    <if>vr1_vlan1</if>
    <enable/>
    <spoofmac/>
    <ipaddr>10.53.116.1</ipaddr>
    <subnet>22</subnet>
  </opt2>
  <opt3>
    <descr><![CDATA[PUBLIC]]></descr>
    <if>vr1_vlan2</if>
    <enable/>
    <spoofmac/>
    <ipaddr>10.53.120.1</ipaddr>
    <subnet>22</subnet>
  </opt3>
</interfaces>

I had that problem with the wifi myself, had a hell of a time trying to get it working. I ended up using my old DSL modem for the wireless access point. As for the lan port, I just use a couple of switches linked together for a total of 15 ports.

<wan>
  <enable/>
  <if>nfe0</if>
  <ipaddr>dhcp</ipaddr>
  <ipaddrv6>dhcp6</ipaddrv6>
  <gateway/>
  <blockpriv>on</blockpriv>
  <blockbogons>on</blockbogons>
  <media/>
  <mediaopt/>
  <dhcp6-duid/>
  <dhcp6-ia-pd-len>0</dhcp6-ia-pd-len>
  <descr><![CDATA[WAN]]></descr>
</wan>
<lan>
  <enable/>
  <if>em3</if>
  <ipaddr>192.168.1.1</ipaddr>
  <subnet>24</subnet>
  <ipaddrv6>track6</ipaddrv6>
  <subnetv6>64</subnetv6>
  <media/>
  <mediaopt/>
  <track6-interface>wan</track6-interface>
  <track6-prefix-id>0</track6-prefix-id>
  <descr><![CDATA[LAN]]></descr>
</lan>
<opt1>
  <descr><![CDATA[OPT1]]></descr>
  <if>em0</if>
  <enable/>
  <spoofmac/>
</opt1>
<opt2>
  <descr><![CDATA[OPT2]]></descr>
  <if>em1</if>
</opt2>
<opt3>
  <descr><![CDATA[OPT3]]></descr>
  <if>em2</if>
</opt3>

 

I reset most of everything to default so that's why a lot of the interfaces are disabled

Yeah it looks like you only had one lan interface enabled when this was printed.

Make sure that when you create new interfaces, you go into the settings of the newly created ones to first enable the interface, and then assign a new ip and a range for it which doesn't overlap other settings.

Example:

int lan1: ip: 192.168.1.1 with a range from 192.168.1.2-192.168.1.50

int lan2: ip: 192.168.1.51 with a range from 192.168.1.52-192.168.1.100

and so on.

What about the ip configuration?

My bad, my earlier post was a bit confusing.

Here's a short step-by-step example on how to configure two LAN interfaces.

 

Assuming we're starting from scratch, so: 

First we need to assign all the interfaces to the physical ports, go to

Interfaces > (assign) 

and set it up like this

-WAN on VR0

-OPT1 on VR1

-OPT2 on VR2

(just a matter of preference really, if you change the settings you might have to move your connector to another port and login again).

 

Now go to Interfaces > OPT1 

-Tick the box to enable the interface

-In the description bar, rename the interface “LAN1” or whatever you wish

-Make sure the “IPv4 configuration type” is set to “Static IPv4”

-Scroll down a bit until you see “Static IPv4 configuration”

-Set “IPv4 address” to 192.168.1.1 /24

-Head to the bottom and click Save, however when you're prompted to apply the changes do NOT apply them yet. Let her wait.

 

Next move to Interfaces > OPT2

-Same as last time, just name it LAN2 and set the IP address to 192.168.1.100 /24 instead.

-Save, but DON'T apply the settings. 

 

Now go to Services > DHCP Server 

There should be 2 tabs, LAN1 and LAN2 

-Tick the box to enable DHCP server on LAN1 interfaces

-In the “Range” box insert a value from 192.168.1.2-192.168.1.99

-Click save

-Hop to the LAN2 tab

-Tick the box

-Set the range to 192.168.1.101-192.168.1.199

-Save

 

Now let's go back to Interfaces > LAN1

-Now you can apply the settings. :)

That's it.

 

Your box is now set up like this:

-In port 1 we have our WAN, (pshht who cares, we didn't even touch her).

-In port 2 we have LAN1, with an address of 192.168.1.1, sharing anything in between 192.168.1.2-192.168.1.99 to its clients.

-In port 3 we have LAN2, with an address of 192.168.1.100, sharing anything in between 192.168.1.101-192.168.1.199 to its clients.

Cool, thank you, I'll give it a try. And I am trying to configure 4 lans + wifi, so for the other 3 interfaces I just keep going up with the ranges?

If I understand correctly lan 3 would have 192.168.1.200 for the IPv4 address and its range in the DHCP server would be 192.168.1.200-.299?

 

Also, for the IPv6 configuration type should I use the track interface option?

 

Thanks a bundle!

Yeah just remember that you can't go over 192.168.1.255, it will let you know when you hit the roof.

You could set lan3 to use 192.168.2.1 instead but then you should change the subnet mask (the /24 part in interfaces > LAN settings) to a lower value (increasing the total range). Another alternative is to set lan3 & 4 to use 10.x.x.x. Or... yeah... well there's a ton of options.

I'd just shrink the ranges instead, I doubt you need over 200 addresses anyway. Also disable ipv6, I don't think anything uses it yet.
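An added example, not part of any post in this thread: a Python check over the <interfaces> section of a pfSense configuration export (the format posted above) that reports which interfaces are enabled and flags enabled interfaces whose static IPv4 networks overlap. Both sample documents are constructed from addresses quoted in the thread, and the function names are this example's own.

```python
import ipaddress
import xml.etree.ElementTree as ET
from itertools import combinations

# Constructed sample: the VLAN layout from the first reply's example config.
SAMPLE_SEPARATE = """<interfaces>
  <wan><enable/><if>vr0</if><ipaddr>dhcp</ipaddr></wan>
  <lan><enable/><if>vr1</if><ipaddr>10.53.112.1</ipaddr><subnet>22</subnet></lan>
  <opt2><if>vr1_vlan1</if><enable/><ipaddr>10.53.116.1</ipaddr><subnet>22</subnet></opt2>
  <opt3><if>vr1_vlan2</if><enable/><ipaddr>10.53.120.1</ipaddr><subnet>22</subnet></opt3>
</interfaces>"""

# Constructed sample: two ports addressed inside the same /24, plus one
# port that is assigned but has no <enable/> and no address.
SAMPLE_SAME_24 = """<interfaces>
  <wan><enable/><if>vr0</if><ipaddr>dhcp</ipaddr></wan>
  <opt1><enable/><if>vr1</if><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></opt1>
  <opt2><enable/><if>vr2</if><ipaddr>192.168.1.100</ipaddr><subnet>24</subnet></opt2>
  <opt3><if>vr3</if></opt3>
</interfaces>"""

def parse_interfaces(xml_text):
    """Return {name: {"port", "enabled", "network"}} from an <interfaces> element."""
    result = {}
    for node in ET.fromstring(xml_text):
        addr, bits = node.findtext("ipaddr"), node.findtext("subnet")
        network = None
        if addr and bits:
            try:  # values such as "dhcp" are not static addresses
                network = ipaddress.IPv4Interface(f"{addr}/{bits}").network
            except ValueError:
                network = None
        result[node.tag] = {
            "port": node.findtext("if"),
            "enabled": node.find("enable") is not None,
            "network": network,
        }
    return result

def overlapping(interfaces):
    """Pairs of enabled interfaces whose static IPv4 networks overlap."""
    static = [(n, i["network"]) for n, i in interfaces.items()
              if i["enabled"] and i["network"] is not None]
    return [(a, b) for (a, na), (b, nb) in combinations(static, 2)
            if na.overlaps(nb)]

if __name__ == "__main__":
    for label, doc in (("separate", SAMPLE_SEPARATE), ("same /24", SAMPLE_SAME_24)):
        ifs = parse_interfaces(doc)
        print(label, "disabled:", [n for n, i in ifs.items() if not i["enabled"]])
        print(label, "overlaps:", overlapping(ifs))
```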

errrr it froze applying changes, now I can't get on the internet or into the gui. I'll try again tomorrow and see if I have better luck.

I'm going to install pfSense to see how it is done in the GUI, but what it seems you need to do is bridge the Intel LAN ports and Wifi, and NAT those to the WAN. The bridge interface is a virtual device that acts like a switch between all the attached physical interfaces. You would assign an IP to the bridge interface so that from any interface on the LAN you can connect to the pfSense box using the same address. Also the DHCP server shouldn't have to worry about having ranges configured for each interface, it should just assign the next free address from the range for your whole network in response to a request on any of the LAN interfaces.

At least, that's what it seems like you want. If you actually want five separate address ranges and all that weird stuff disregard everything I said, but from what I gather you really just want to turn it into an awesome wireless router running pfSense.

I'll be back after checking out the pointy click way of doing this.

Ok here's how I did it, and maybe there is a better way, but this worked more or less:

Make sure all your wireless and OPTn interfaces are assigned. I don't know how the wireless ones work (I was testing on a VM), but for example:

  • WAN->em0
  • LAN->em1
  • OPT1->em2
  • OPT2->em3
  • OPT3->em4
  • WIFI1->ath0 (or something like that?)

Next make sure they are all enabled, by clicking on each in the interface list and checking "Enable."

The next step is to create a bridge interface. Do that in Interfaces->(assign), open the Bridges tab, and click the + button on the right. Shift- or Control- select the OPTn and WIFIn interfaces (i.e. everything but WAN and LAN) then give it some descriptor like "LAN Bridge" and save. Get back to the Interface assignments tab, where you'll notice a + button has appeared at the bottom of the list, on the right. Click it to add OPT4, which will show BRIDGE0 as the port.

Now, things get a bit tricky. We want LAN to be assigned BRIDGE0. Ok this is doable, shuffle things around until you get the following:

  • WAN->em0
  • LAN->BRIDGE0
  • OPT1->em1
  • OPT2->em2
  • OPT3->em3
  • OPT4->em4
  • WIFI1->ath0

Save it, and congratulations you can't get the web interface to respond anymore. You broke it. Can we fix it? Yes we can! Hopefully it is not a very big deal to plug a keyboard and monitor into the pfSense box... Set it up and you should see the menu "Welcome to pfSense [bla bla] Enter an option:" at which point you will notice that all of the ports are assigned correctly, but there is no address on LAN! Weird, right?

Enter option 2 to "Set interface(s) IP address" and enter 2 again to configure the LAN interface (it even knows we want a static IP). Fill in the address you want (the same one you used to access the web interface, for me it was 192.168.1.1) at the next prompt, and likewise for the subnet mask (24 in my case).

Leave the gateway blank, and unless you know what you are doing leave the IPv6 address blank as well.

Select y to enable the DHCP server on the LAN, and enter reasonable values for start and end of the address range (where x.y.z.1 < reasonable < x.y.z.255, I picked 192.168.1.100 and 192.168.1.200 for start and end, respectively).

I choose not to revert to HTTP for the web interface but do whatever you like here (just say no). Hit enter after the interface comes up to return to the main menu.

Now you should be able to get back to the web interface. Go back to the Bridges tab on the Interfaces->(assign) page, click the e button to edit BRIDGE0, and Control-click OPT4 to complete the shuffling of ports so that all 4 LAN ports are attached to the bridge, along with the wireless interface. Don't forget to save the change.

And that's it! You should now get assigned an IP by the DHCP server on any LAN port (including Wifi) and the pfSense web interface should be accessible at the static IP you assigned it. Traffic will pass between ports/Wifi, NAT and firewalling should already be configured to NAT between WAN and LAN so internet should work, things will be fabulous, and great times will be had by all.

If that doesn't work... it should. I think. I tried most of it. Let me know how it turns out with the Wifi card, especially. I couldn't try that one out without hooking up real hardware, but if you run into trouble I'll see if I have a wireless card compatible with FreeBSD and try running through the steps.

Did you try to get into the box from other ports? After all, it's those settings you are playing with.

You can check the IP of the port in which you are connected: In Windows, open the command prompt and type in "ipconfig".

Or if you're running Linux, try "ifconfig" (I think the same command applies for OSX as well).

If your PC doesn't get an address, you might be connected to the WAN port.