pfSense Box: Adding a Switch?

Hey,

I finally got my pfSense box built. Everything works like a charm out of the box. The only issue I had was the onboard Intel I218-V NIC not being recognized in BSD for whatever reason. I solved that by adding a second Intel Gigabit CT PCI-e card.


Anyways, I want to add my Asus RT-N16 Router as a switch and access point. I had Tomato on it, but it was behaving very oddly. I tried to switch back to the latest factory firmware for testing purposes, and it's acting bricked now since I manually set a different IP (I have no idea why). I will figure that out before attempting again.


I would assume that instead of coming out of my pfSense box's second NIC (the LAN) and going directly into a computer like the one I am on now, I should be able to just go into the router's WAN port, thus completing my intended setup of:

Modem -> pfSense Firewall -> RT-N16 LAN <-> Computers and Devices


What I have found researching this online is that in order to use the router as a switch, it must be set to use:

  • non-conflicting IP (different IP for accessing the browser GUI than anything before it in the network)
  • DHCP Disabled
  • DNS Disabled
  • Firewall Disabled
  • Port Forwarding Disabled
  • Wi-Fi set to Access Point Mode if Option Given


I understand why eliminating all of those conflicts is required, so I want to make sure I am still doing everything correctly. I mean, this should be the most common and basic LAN setup for average use, so I can't figure out what the problem is.


By the way, I had to call Comcast's Technical Support in order for them to let my pfSense box access the modem's WAN ... they just kind of had to make it sound ambiguous like they "could not give support for personal hardware" because of whatever. I was still able to get an IP during the phone call when I reset the modem and rebooted pfSense.


I am going to try hard resetting the Asus router and starting over now. I will check back later.

TL;DR

If at first you don't succeed... You are doing it wrong.


The main mistake you have made here is plugging the LAN side of the pfSense into the WAN side of the Asus running Tomato.

You have a couple of options here.

First Option:

You set the WAN port on the ASUS to DHCP or "Disabled" if the option is there.

Then you plug the LAN side of the PfSense into a LAN port on the ASUS.

So you get a setup like:

Modem <--> (WAN:DHCP) PfSense (LAN:192.168.1.1/24) <--> (LAN:192.168.1.2/24) ASUS (LAN/Wifi) <--> Computers and other internal devices.

(using 192.168.1.x for example)

OR

Second Option:

You turn the WAN port on the ASUS router into a LAN port, and repeat the above setup.

The reason you turn off all those other services is that you only want one (1) device handing out IPs (a DHCP server); everything else will just conflict with your setup.
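The checklist in the original post and the two options above boil down to a handful of rules that are easy to get wrong by hand (one DHCP server, the old router's management address in the same subnet but unique and outside the lease pool). The following Python script, added here as an illustration and not code from any poster or from the pfSense project, encodes those rules and reports what is inconsistent about a proposed layout. The device names, addresses and DHCP pool are constructed sample values, not anyone's real configuration.

```python
"""Consistency check for a 'router used as a switch/AP behind pfSense' layout.

Rules checked (all drawn from the thread):
  1. every device sits in the same subnet, so the AP's GUI stays reachable;
  2. no two devices share an address;
  3. exactly one device hands out DHCP leases;
  4. every static address lies outside every DHCP pool.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Device:
    name: str
    address: str                               # CIDR, e.g. "192.168.1.2/24"
    dhcp_server: bool = False                  # does this box hand out leases?
    dhcp_pool: Optional[Tuple[str, str]] = None  # ("first", "last") when dhcp_server


def check_lan(devices: List[Device]) -> List[str]:
    """Return human-readable problems; an empty list means the layout is consistent."""
    problems: List[str] = []
    ifaces = {d.name: ipaddress.ip_interface(d.address) for d in devices}

    # Rule 1: one subnet for everything on the LAN side.
    networks = {i.network for i in ifaces.values()}
    if len(networks) > 1:
        listed = ", ".join(str(n) for n in sorted(networks, key=str))
        problems.append("devices are on different subnets: " + listed)

    # Rule 2: no duplicate addresses (the classic "two boxes both on .1" mistake).
    owner = {}
    for name, iface in ifaces.items():
        first_owner = owner.setdefault(iface.ip, name)
        if first_owner != name:
            problems.append(f"{name} and {first_owner} both use {iface.ip}")

    # Rule 3: exactly one DHCP server on the segment.
    servers = [d for d in devices if d.dhcp_server]
    if len(servers) != 1:
        names = ", ".join(d.name for d in servers) or "none"
        problems.append(f"expected exactly one DHCP server, found {len(servers)}: {names}")

    # Rule 4: static addresses must not fall inside any lease pool.
    for srv in servers:
        if not srv.dhcp_pool:
            problems.append(f"{srv.name} is a DHCP server but has no pool defined")
            continue
        first, last = (ipaddress.ip_address(a) for a in srv.dhcp_pool)
        for name, iface in ifaces.items():
            if first <= iface.ip <= last:
                problems.append(
                    f"{name}'s static address {iface.ip} lies inside "
                    f"{srv.name}'s DHCP pool {first}-{last}"
                )
    return problems


# Constructed sample layouts (hypothetical values, not from the thread's posters).
GOOD_LAN = [
    Device("pfSense LAN", "192.168.1.1/24", dhcp_server=True,
           dhcp_pool=("192.168.1.100", "192.168.1.199")),
    Device("ASUS RT-N16 as switch/AP", "192.168.1.2/24"),
]
# Old router still serving DHCP and parked inside pfSense's lease range.
BAD_LAN = [
    Device("pfSense LAN", "192.168.1.1/24", dhcp_server=True,
           dhcp_pool=("192.168.1.100", "192.168.1.199")),
    Device("ASUS RT-N16 as switch/AP", "192.168.1.150/24", dhcp_server=True,
           dhcp_pool=("192.168.1.2", "192.168.1.254")),
]
# Management address moved to a different subnet: GUI unreachable from the LAN.
WRONG_SUBNET = [
    Device("pfSense LAN", "192.168.1.1/24", dhcp_server=True,
           dhcp_pool=("192.168.1.100", "192.168.1.199")),
    Device("ASUS RT-N16 as switch/AP", "192.168.2.1/24"),
]

if __name__ == "__main__":
    for label, lan in (("good", GOOD_LAN), ("bad", BAD_LAN), ("wrong subnet", WRONG_SUBNET)):
        print(f"[{label}]")
        for p in check_lan(lan) or ["no problems found"]:
            print("  -", p)
```

Run it as-is to see the three sample layouts evaluated; to check your own plan, replace the `Device` entries with the addresses and pool you intend to configure. The check is deliberately about the plan rather than live devices, since the whole point of the thread is to get the configuration right before plugging things together.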


The part I am having trouble with is "turning the WAN port on the Asus router into a LAN port" because that is what I have been trying to do in order to retain full use of all 4 Ethernet ports.

The first option just seems lazy to me personally. I am going to try to get DD-WRT back on it again and will respond later with any changes. Thanks again, Qain! ^__^

DD-WRT has that option, I'm not sure about Tomato.

I've used it many, many times, mostly when I set a second router up as a wireless bridge.

Option 3: Sell the ASUS, get a Gb switch and a Ubiquiti AP. Will save you from a lot of frustration.

Agreed, I tried for several months to get reliable WiFi out of a cheap N router from Target, and eventually I gave up and bought a Ubiquiti, and let me just say if angels needed a wireless AP I'm pretty sure that's what they'd use.

I have this same setup and just ran the LAN side of the PF box into my old router's LAN ports.
I disabled DHCP and changed the router's IP so I can still manage the wireless.

For more Ethernet ports I just purchased one of these:
http://www.amazon.com/NETGEAR-8-Port-Gigabit-Desktop-Switch/dp/B00KFD0SEA/ref=sr_1_10?ie=UTF8&qid=1417809413&sr=8-10&keywords=netgear+gigabit+switch

Just get a simple switch like http://www.newegg.com/Product/Product.aspx?Item=N82E16833704173&cm_re=tp_link_switch-_-33-704-173-_-Product or, if fewer ports suffice, the http://www.newegg.com/Product/Product.aspx?Item=N82E16833704179&cm_re=tp_link_switch-_-33-704-179-_-Product.

You only need one intelligent device in your network; keep the rest stupid. This way you only need to look in one place :)

And yes, if you need wireless, get a Ubiquiti UniFi AP (the cheapest one is actually the best), and quite frankly the 5 GHz Pro are too damn expensive anyway :) You wouldn't know how much of a piece of crap most routers' Wi-Fi signals are until you use a UniFi. An example:

I have my UniFi upstairs on the ceiling and a router downstairs. When I sit in my living room (clear view of my router at 20 ft; 30 cm of armoured concrete and 25 ft for my UniFi), my UniFi gives a more stable and faster connection than my router. It really is that good.

DD-WRT has this option (turning the WAN port into a LAN port), at least on the old revisions of the WRT series routers. I use an old WRT router as a 10/100 switch with full use of all five ports.

Bought one of these a while ago: http://www.amazon.com/TP-LINK-TL-SG108-1000Mbps-Desktop-Gigabit/dp/B00A121WN6/ref=dp_ob_title_ce Works great. Just ordered one of these on Black Friday: http://www.amazon.com/Linksys-8-Port-Metallic-Gigabit-SE3008/dp/B00F3NUUF4/ref=pd_sim_pc_4?ie=UTF8&refRID=1PZXXJ4SKRN2KM1FZGMD Can't wait for it to show up. Bought the 24 port version.

If you really need to be frugal then those switches work fine. However, if you're doing like I did, and you built your pfSense machine so you could learn more about networking, I would consider a smart switch. This will allow you to do VLANs and other things. The one I have is a Linksys LGS308; it's great, but you can grab some bigger fully managed switches off eBay for not too much money.

I have mine set at my pfSense mainly because I don't need VLAN splitting somewhere else. I do it with accounts in the programs, which gives me more flexibility, but if you need them managed then just get the E versions of them.

The TL-SG108 becomes the TL-SG108E and the same for the 5 port version.