pfSense newb, looking for tutorials

Hi, this is my first post and first topic on L1Techs forum (been watching Wendell since Tek Syndicate days).

So, I just recently made a pfSense router using an AsRock J3455M motherboard, 8 GB of RAM, 1x quad-port HP NC365T (Intel chipset) PCI-E x4 and 1x single-port Intel WGI210AT PCI-E x1. With the integrated Realtek port, I got a total of 6x 1 Gb/s ports. I’m currently running it as the host OS, but I’m thinking of virtualizing pfSense under Arch Linux and passing the quad-port card through to pfSense (I have experience with Arch, but not with KVM + QEMU, so I’m a noob on virtualization on Linux as well, except for VirtualBox).

I’m looking for things to learn about pfSense, so what should I do first? Once I’m initiated, I want to set up OpenVPN to force all traffic from other devices through my home network, but I also want to learn to set up RADIUS auth (where I work, my network admin colleagues have set up RADIUS and OpenVPN, so I want to learn how to do that myself), not just use OpenVPN’s integrated auth. That’s where the Arch host would come in handy. I know it’s overkill for only 3 or 4 people (with 1 or 2 devices each at most) that I would force through my home network, but I want to learn. Also, some documentation about VLANs would be very welcome. By the way, I get free DynDNS from my ISP, because I pay for the best home contract they offer.

Lastly, I have some problems setting a Zyxel VMG8924-B10A into AP mode. I updated its firmware to the latest version, configured its WiFi, deactivated DHCP, set WAN to the 5th LAN port (and ended up still using one of the LAN ports instead, as I had some problems with the WAN port in bridge mode). If I connect my PC to any LAN port, I get an internet connection and an IP from the pfSense box, but if I connect any WiFi device (my Android phone), it connects, waits a few seconds, says “No internet access” and disconnects automatically, so I can’t use this router just as an AP; it has to be set to routing mode, not bridge mode. Also, I can’t access its web interface when it’s in bridge mode. Any tips on these?

Thanks for your patience with me. And if you are curious, here’s my home network map (sorry for my paint skills).

1 Like

My 2c, but I’m not sure I’d bother with the NIC hardware pass-through (unless it is purely for educational purposes).

You won’t need it for performance (seriously, even 10 gig with a heap of VMs doing IO to other stuff on 10 gig ports on my cluster here is fine with virtualized network adapters under ESXi, and I’d expect the Linux network stack to be faster), and if you’re worried about a hypervisor escape from your firewall, well, its OS kernel is virtualized anyway.

It’s just another layer of complexity you don’t need. But that’s my opinion on that…

As to things to play with… check out the available pfSense packages. You can set up a certificate server for your LAN, you can do VPN as you mention, you can set up an IDS, bandwidth monitoring/reporting, Squid cache + AV scanning, etc.

Pretty sure Level1 also started a YouTube series on pfSense, so maybe also follow along with that.

1 Like

Thanks for the reply. The virtualization isn’t for performance, but for convenience (as I mentioned, I want to set up RADIUS; not sure if I can do it directly in pfSense / BSD, but that would be great). I am also thinking of learning to do load balancing (with Squid), but as my knowledge is not that advanced, I will wait to learn some more before I get into caching and load balancing. IDS and AV scanning sound interesting.

And thanks for reminding me of the pfSense tutorials, I completely forgot about them (watched some of them a while ago, but just watching is not enough to learn, so I’d better study them). Now that’s really helpful (and I get to watch some Wendell greatness).

Ah, sorry to clarify: I didn’t mean don’t virtualize. I just wouldn’t bother with the VM pass-through for the NICs (as I understand it, you were going to pass through a quad-port network adapter to the VM exclusively?).

I’d just bind the VM’s virtual network adapters to physical NICs (unsure of the KVM terminology on Linux, but on ESXi for example you’d treat each physical NIC as a vSwitch so the virtual network adapters end up on different physical networks) on your VM host and let the virtualisation take care of it.

This would also let you add other things to those virtual networks (which IOMMU passthrough won’t), such as a VM (or your host OS) running a packet sniffer like Wireshark, or whatever else you want to play with. This could be useful for learning what is going on, or observing what happens to traffic “on the wire” when it hits your firewall on various interfaces.

2 Likes

Oh, I see. Well, I heard that pfSense suffers under virtual NICs, so I thought that passthrough would be the way to go. Never tried ESXi; I only know XenServer and VirtualBox and I’m not that advanced with this stuff. I did hear of vSwitch and I think Xen also supports it, but I wanted to give KVM + QEMU a go (getting to know as many things as I can) and also learn to do passthrough. As for the Wireshark thing, I think pfSense’s pfTop has a similar packet-sniffer function. Also, somebody recommended Snort to me for IDS. Thanks. :grinning:

Performance might suffer a little bit under virtual NICs, but seriously… unless you’re running 10 gig networking or faster, I really wouldn’t worry about it. Edit: Also, does that board even support IOMMU? Not all Intel hardware does… my H87 chipset Haswell box does not, for example.

I could be wrong, as I haven’t dealt with pfSense specifically in production on virtual hardware, but I have plenty of other high-throughput VMs or firewall VMs on virtual NICs and haven’t seen any issues to speak of…

If you’re a typical home network on 1 gig networking I doubt you’d see much if any difference between pass-through and virtualised network adapters for pfSense, as your hardware is fairly over-built for 1 gig firewalling (yup, even low-end hardware like that is far superior to Cisco firewalls rated for several hundred megabit :D), and even if the VM overhead is “horrible” it’s so far above what pfSense requires…

2 Likes

I saw in UEFI that the Celeron J3455 supports VT-x and VT-d (and enabled both). Not sure about the IOMMU groups, but I wouldn’t really mind if I just passed all the PCI-E slots to pfSense; I only really need 1 NIC (the integrated one is fine) for the host, if I ever install a hypervisor (Xen or Arch KVM).

1 Like
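Whether the quad-port card can be handed to a VM on its own is decided by the IOMMU groups, and that can be checked from a shell before installing any hypervisor. The script below is an added example (mine, not from the thread, and not pfSense or Arch tooling): it reads the real sysfs layout `/sys/kernel/iommu_groups/<n>/devices/<pci-address>` that the kernel exposes once `intel_iommu=on` is in effect, and ships with a constructed sample tree using placeholder PCI ids so it can be tried without the board.

```shell
# Enumerate IOMMU groups the way you would before handing a NIC to vfio-pci.
# The kernel exposes one directory per group: /sys/kernel/iommu_groups/<n>/devices/<pci-addr>.
# vfio can only bind a whole group, so everything listed beside the quad-port
# card's four functions has to leave the host with it. A PCIe root port
# (driver=pcieport) in the group is normal; an unrelated endpoint such as the
# SATA or USB controller is what blocks a clean passthrough.

list_iommu_groups() {
    root="${1:-/sys/kernel/iommu_groups}"
    if [ ! -d "$root" ] || [ -z "$(ls -A "$root" 2>/dev/null)" ]; then
        echo "no IOMMU groups under $root: VT-d is off in firmware or intel_iommu=on is missing from the kernel command line" >&2
        return 1
    fi
    for g in "$root"/*; do
        gid=$(basename "$g")
        for dev in "$g"/devices/*; do
            [ -e "$dev" ] || continue
            addr=$(basename "$dev")
            vendor=$(cat "$dev/vendor" 2>/dev/null || echo '?')
            device=$(cat "$dev/device" 2>/dev/null || echo '?')
            drv=$(basename "$(readlink "$dev/driver" 2>/dev/null || echo none)")
            echo "group $gid: $addr $vendor:$device driver=$drv"
        done
    done
}

# Which group does one PCI function sit in?   group_of 0000:02:00.0
group_of() {
    addr="$1"; root="${2:-/sys/kernel/iommu_groups}"
    for d in "$root"/*/devices/"$addr"; do
        if [ -e "$d" ]; then
            basename "$(dirname "$(dirname "$d")")"
            return 0
        fi
    done
    return 1
}

# Everything that must be passed through as one unit with the group's NIC.
group_members() {
    gid="$1"; root="${2:-/sys/kernel/iommu_groups}"
    for dev in "$root/$gid"/devices/*; do
        if [ -e "$dev" ]; then basename "$dev"; fi
    done
}

# Constructed sample tree (placeholder ids, not captured from the J3455 board) so
# the functions can be exercised without root or VT-d. Real use: list_iommu_groups
make_sample_tree() {
    root="$1"
    add_dev() { # group pci-address vendor device driver|none
        d="$root/$1/devices/$2"
        mkdir -p "$d"
        echo "$3" > "$d/vendor"
        echo "$4" > "$d/device"
        if [ "$5" != none ]; then ln -s "../../../../bus/pci/drivers/$5" "$d/driver"; fi
    }
    add_dev 1 0000:00:1c.0 0x8086 0x5ad8 pcieport
    add_dev 1 0000:01:00.0 0x8086 0x1533 igb        # single-port I210 behind its root port
    add_dev 2 0000:00:1c.2 0x8086 0x5ada pcieport
    add_dev 2 0000:02:00.0 0x8086 0x150e igb        # quad-port card: four PCI functions,
    add_dev 2 0000:02:00.1 0x8086 0x150e igb        # all in one group with their root port,
    add_dev 2 0000:02:00.2 0x8086 0x150e igb        # which is fine for vfio
    add_dev 2 0000:02:00.3 0x8086 0x150e igb
    add_dev 3 0000:00:12.0 0x8086 0x5ae3 ahci       # SATA controller...
    add_dev 3 0000:00:15.0 0x8086 0x5aa8 xhci_hcd   # ...sharing a group with USB: not separable
    add_dev 4 0000:03:00.0 0x10ec 0x8168 r8169      # on-board Realtek, stays with the host
}

# Try it offline:  d=$(mktemp -d); make_sample_tree "$d"; list_iommu_groups "$d"; group_members 2 "$d"
# On the real box: list_iommu_groups
```

On the real machine, run `list_iommu_groups` with no argument after booting with `intel_iommu=on`. If the card’s group holds anything besides its own four functions and a pcieport bridge, that device must be given to the VM as well, which is the point at which the bridged virtual NIC setup suggested earlier in the thread starts to look like the simpler option.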

If you want to get into pfSense and you have the time, this video series by Mark Furneaux is a really good start. It goes through installation, some general networking background on the OSI model, tips for configuring pfSense once you’ve first set it up, and later more advanced features of pfSense such as traffic shaping.

2 Likes

I would also recommend Mark Furneaux’s video series as it helped me a lot. I am no IT professional and had almost no networking knowledge, but managed to successfully set up 4 pfSense routers with site-to-site OpenVPN networking, Squid disk caching and full network AV at the router level, as well as 2 separate LANs (wired and wireless) at our 4 office locations using this series.

3 Likes

pfSense has a FreeRADIUS plugin, but I’d use it for your WiFi and not OpenVPN. You want to use certificate-based authentication for OpenVPN, which is built in. You could use RADIUS if you really wanted to, but I don’t see what the advantage is unless you were trying to integrate everything into Active Directory or something.

1 Like
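To make the “certificate-based authentication is built in” point concrete, here is what the OpenVPN server’s certificate check amounts to, replayed by hand with the openssl CLI. This is an added example, not code from the thread, from pfSense or from OpenVPN; it assumes `openssl` is on the path, and the CA and user names (home-vpn-ca, alice, mallory, vpn.example.home) are made up. The server directives named in the comments (`ca`, `remote-cert-tls client`, `verify-x509-name`) are real OpenVPN options; the shell functions only mirror what they enforce.

```shell
# What OpenVPN does with a client certificate, replayed with the openssl CLI.
# A client is accepted only if its certificate
#   1. chains to the VPN's own CA          (server.conf: ca ca.crt)
#   2. carries the clientAuth EKU          (server.conf: remote-cert-tls client)
#   3. optionally has the expected CN      (server.conf: verify-x509-name ...)
# check_client_cert ca.crt client.crt [expected-CN]  -> returns 0 if all hold

check_client_cert() {
    ca="$1"; cert="$2"; want_cn="${3:-}"
    # 1. Chain: a cert from any other CA is rejected however valid it is, which is
    #    why RADIUS adds little here; the CA already decides who is a member.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "reject: not issued by our CA" >&2; return 1
    fi
    # 2. EKU: a server cert (or any cert minted for another purpose) presented as
    #    a client must fail, otherwise one leaked server cert impersonates a user.
    if ! openssl x509 -noout -text -in "$cert" | grep -A1 'X509v3 Extended Key Usage' \
            | grep -q 'TLS Web Client Authentication'; then
        echo "reject: no clientAuth EKU" >&2; return 1
    fi
    # 3. Identity: pin the CN when a specific user is expected.
    if [ -n "$want_cn" ]; then
        cn=$(cert_cn "$cert")
        if [ "$cn" != "$want_cn" ]; then
            echo "reject: CN '$cn' is not '$want_cn'" >&2; return 1
        fi
    fi
    return 0
}

# Subject CN of a PEM certificate.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Throwaway PKI (constructed; on pfSense you would use the built-in Cert Manager).
# Writes ca.crt, alice.crt (client), server.crt (server EKU) and mallory.crt
# (CN=alice but signed by an unrelated CA) into the directory given as $1.
make_demo_pki() {
    dir="$1"
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    mkca() { # name
        openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
            -subj "/CN=$1" -keyout "$dir/$1.key" -out "$dir/$1.crt" 2>/dev/null
    }
    issue() { # ca-name cert-name cn eku
        printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\n' "$4" > "$dir/$2.ext"
        openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
            -subj "/CN=$3" -keyout "$dir/$2.key" -out "$dir/$2.csr" 2>/dev/null
        openssl x509 -req -in "$dir/$2.csr" -CA "$dir/$1.crt" -CAkey "$dir/$1.key" \
            -CAcreateserial -days 30 -extfile "$dir/$2.ext" -out "$dir/$2.crt" 2>/dev/null
    }
    mkca home-vpn-ca
    mkca other-ca
    issue home-vpn-ca alice   alice            clientAuth
    issue home-vpn-ca server  vpn.example.home serverAuth
    issue other-ca    mallory alice            clientAuth
    cp "$dir/home-vpn-ca.crt" "$dir/ca.crt"
}

# Try it:  d=$(mktemp -d); make_demo_pki "$d"
#          check_client_cert "$d/ca.crt" "$d/alice.crt" alice    # accepted
#          check_client_cert "$d/ca.crt" "$d/mallory.crt" alice  # rejected: wrong CA
#          check_client_cert "$d/ca.crt" "$d/server.crt"         # rejected: no clientAuth EKU
```

`openssl verify -purpose sslclient -CAfile ca.crt alice.crt` folds checks 1 and 2 into a single call; the script keeps them apart so each rejection reason is visible. On pfSense the equivalent is one certificate per user issued from the Cert Manager CA the OpenVPN server is bound to, with a user removed by adding the certificate to the server’s CRL rather than by changing a password.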