pfSense Router Video, Discussion and Ideas

No worries.

I totally understand living in a place where you don't have the ability to make all the decisions :) Especially when there are parents involved that may not be as technically inclined as you are. Any changes to the existing setup (no matter what it is) can be very scary to someone when they don't fully understand what is being done.

If push comes to shove, you could always just set up your router behind the existing one and set up your own network separate from the rest of the house; you'd need to run in a separate subnet though.

1 Like

I set up pfSense on an old Core 2 Duo that I had lying around a few years ago. With the exception of power outages and the 2 times I have moved equipment around in the apartment, my pfSense box has literally been the most stable box in the whole house. I never have to restart it or service it.
The only issues I have run into since it was set up were: 1.) some DNS issues a few times, like Wendell mentioned in the video, which were easily solved by using Google's DNS as my DNS.
2.) I also experienced major issues with Snort, where I ended up just removing the plugin completely. Something about the way I had the rules set up wasn't allowing it to work properly, or I should say it was working TOO well. Snort started blocking literally all traffic in and out. I was never able to get pfSense to work properly until I removed Snort completely.
Now if anyone has very recent experience with Snort, please let me know, as I'd love to get it back up and running again. Knowing I'm being protected by Snort is great peace of mind.
You can also set up ClamAV with pfSense and do real-time virus scanning of all traffic if you want. I also have this running and I have not noticed any performance issues with internet speeds.
Basically, if you are considering building a machine for pfSense, DO IT! It's so easy to do and will make you feel like the golden god of your own little network.
I also highly recommend DD-WRT or OpenWrt for your old router/access point. This is the configuration I am running and I would not have it any other way. I had a Netgear WNDR3700 wireless router that started crashing and overheating regularly, and after flashing DD-WRT to it, all of the problems went away and the thing runs rock solid now.
If anyone has any questions, feel free to reply to me and ask. I'm glad to help anyone who wants to learn how to set up pfSense, DD-WRT, etc.

2 Likes

I feel like that idea is something that would take more time and resources, but is more doable. I'll have to think about it.

1 Like

I had issues with Snort too. I ended up disabling a bunch of rules, mostly the (http-inspect) ones. The process lasted a few days, during which my fiancé would complain about a site not working on wifi but fine over cell. I'd go check the Snort alerts and sure enough it was blocking the site for some signature. After a little googling, most people on the pfSense forums said it was safe enough to ignore those specific rules.

2 Likes
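The two Snort experiences above (everything getting blocked, and sites breaking on specific `(http_inspect)` signatures) both come down to the same triage step: find out which generator/signature IDs are firing, and decide per signature whether to suppress it or keep it. The script below is an added example for this thread, not pfSense or Snort project code. It parses Snort's "fast" alert format, counts hits per `gid:sid`, and drafts `suppress` lines in Snort 2's `threshold.conf` syntax for the low-priority HTTP preprocessor anomalies (generator 119 is the http_inspect client side, 120 the server side) while leaving everything else as a finding to look at. The alert lines are constructed, not captured traffic, and the SID in the local rule range (1000000+) is a placeholder.

```python
"""Triage Snort 'fast' alerts and draft a threshold.conf suppress list.

Added example for this thread; not pfSense or Snort code. The alert lines
are constructed, and SID 1000001 is a placeholder in the local rule range.
"""
import re
from collections import Counter

# Constructed sample in Snort's "fast" alert format (the alert_fast output).
SAMPLE_ALERTS = """\
05/20-19:02:11.481233  [**] [119:31:1] (http_inspect) UNKNOWN METHOD [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.0.15:52214 -> 203.0.113.10:80
05/20-19:02:14.102918  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 203.0.113.10:80 -> 192.168.0.15:52214
05/20-19:02:15.771004  [**] [119:31:1] (http_inspect) UNKNOWN METHOD [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.0.15:52220 -> 203.0.113.10:80
05/20-19:03:40.004512  [**] [1:1000001:1] LOCAL placeholder: inbound SMB probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:4440 -> 192.168.0.15:445
"""

# One fast-format line: timestamp, [gid:sid:rev], message, optional
# classification, priority, protocol, src -> dst.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"\s+\[Priority:\s*(?P<pri>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# Snort 2 generator IDs of the HTTP preprocessor: 119 = http_inspect client,
# 120 = http_inspect server. These are protocol-anomaly notices, not matches
# for a known exploit, which is why they are the usual suppression targets.
HTTP_INSPECT_GIDS = {119, 120}


def parse_alerts(text):
    """Parse fast-format alert lines into dicts; unparseable lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        for key in ("gid", "sid", "rev", "pri"):
            d[key] = int(d[key])
        alerts.append(d)
    return alerts


def signature_counts(alerts):
    """Hits per (gid, sid); the noisiest entries are the tuning candidates."""
    return Counter((a["gid"], a["sid"]) for a in alerts)


def triage(alerts, noisy_gids=HTTP_INSPECT_GIDS, lowest_priority=3):
    """Split alerts into suppress candidates and alerts to keep.

    Snort priority 1 is the most severe and 3 the least. Only preprocessor
    anomalies at the lowest priority are drafted for suppression; anything
    else is returned unchanged so a human looks at it.
    Returns (sorted suppress lines, kept alerts).
    """
    suppress = {}
    keep = []
    for a in alerts:
        if a["gid"] in noisy_gids and a["pri"] >= lowest_priority:
            suppress[(a["gid"], a["sid"])] = (
                f"suppress gen_id {a['gid']}, sig_id {a['sid']}"
            )
        else:
            keep.append(a)
    return sorted(suppress.values()), keep


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for (gid, sid), n in signature_counts(parsed).most_common():
        print(f"{gid}:{sid}  {n} hit(s)")
    lines, kept = triage(parsed)
    print("\n# draft suppress list (review before applying):")
    print("\n".join(lines))
    print(f"\n{len(kept)} alert(s) kept for review")
```

The suppress lines go into the Suppress List on the pfSense Snort package (same `suppress gen_id ..., sig_id ...` syntax as Snort's `threshold.conf`). Suppressing by signature is a blunt instrument; if only one site trips a rule, the `track by_src, ip <addr>` form of the same directive limits the suppression to that host.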

Yeah, it was maybe 6 months back that I had the issues. I had not changed anything in like a year and suddenly Snort just started blocking everything. If I remember correctly it was right after a pfSense software update, so maybe something happened with the rules after the update. It's very likely if I enabled it again right now it would probably work just fine. I simply forgot about it honestly until I saw Wendell's video today. LOL, the pfSense is so stable and rock solid I literally forgot it was running. That has to say something about how awesome pfSense is. =)

I don't think it would be any more difficult than setting it up directly behind your modem. You could think of it this way, the current internal network would be treated as WAN, and then your router would handle routing that traffic to your test machine, or even your daily driver if you wanted.

(Internet) -> {some external IP} (Comcast Modem) { 192.168.1.1 }-> (Internal Network) -> { 192.168.1.x } (PFSense) { 192.168.0.1 } -> (Second Internal Network) -> { 192.168.0.x } (Your Computer)

So the 192.168.1.x network would be treated as the WAN, and your new 192.168.0.x network would be your new LAN and you can set up whatever you like in there, DHCP, Domain Controllers, Game Servers, etc.

Anyway, hope this all helps.

Edit: Please excuse my probably totally incorrect method of rendering a network diagram :P

That does sound about right to me. My worry though is how port forwarding will go from there. The biggest issue I have right now, which I failed to mention before, is that ports pretty much refuse to forward unless I reboot the router after every change (known bug on the commicast router). If the commicast box ignores anything related to ports so long as pfSense is managing the forwarding (most likely butchered the logic behind this..), then I think I am golden. I feel like that's not what is going to happen though, since any port that I do forward is for my wired desktop.

(EDIT: Damnit keep hitting the wrong reply button. Apologies..)

A dual NAT setup can be a nightmare for some applications (games, torrents); UPnP won't work as intended.

You can still use a pfSense box for things like firewall, IDS/IPS, DHCP and DNS behind another NAT router. Just don't have NAT enabled on both at the same time.

Would it be possible to use the same subnet and route traffic? (btw, I'm no network admin, I just dabble)

I've seen a service called DHCP Relay; would this be a suitable situation to use it? If I'm correct in what I think the DHCP Relay does.

Routers are used to move traffic between different networks, no routing will happen within the same subnet. The ISP modem-router combo will still be responsible for routing outbound and inbound traffic (unless it has a bridging mode).

You can still use a pfSense box for internal routing if you want to segment your home network into subnets/VLANs.

A DHCP relay is essentially just a repeater for DHCP traffic, it allows DHCP traffic to traverse between different subnets.

Network setup idea.. In theory it looks like it would work. Any thoughts?

The AP is great, haven't had any major issues with it and uptime and stability are good. Also you don't need to buy into the ecosystem to use the APs, as they can be set up from any Android or iOS phone using the UniFi app. You can also set up a UniFi controller on your own hardware (I have mine on a Raspberry Pi 2) for some extra functionality, but if you don't need those features the basic setup is fine.

I don't know the Comcast modem, but I assume that it only has a Coax input for WAN.

Are you going to set it up as a wireless access point (if that's even possible, ISP modems are often locked down)?

I'd go: ISP -> 3rd party modem -> pfSense box -> Switch -> Wireless access point/wired devices.

If you must use a cable modem with built in routing, and you still want to use another router, like pfSense, you can do this:

1: Set a DMZ address. This allows you to forward all incoming ports to the IP address you assign to your pfSense WAN. It's almost like it was never double NATted.

2: Don't use the same private address range as the cable modem/router. So if the cable modem uses 192.168.1.0/24, use 192.168.100.0/24. Also, don't use the 192.168.0.0 network if possible (not mandatory, but it's bad form in the current year).

1 Like
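The layout sketched earlier in the thread (ISP router LAN as pfSense's WAN, a second private network behind pfSense) and the two rules just above (DMZ the pfSense WAN address, pick a non-overlapping range) are easy to get subtly wrong when typing addresses into two different web UIs. The script below is an added example for this thread, not pfSense code: it takes the addresses from the posts (192.168.1.0/24 upstream, 192.168.100.0/24 behind pfSense) and reports the mistakes that cause the symptoms discussed, an overlapping LAN range, a pfSense WAN address outside the upstream subnet or colliding with the ISP gateway, and a missing or wrong DMZ host, which is what makes inbound port forwards need changes on both routers. The warning about 192.168.0.0/24 and 192.168.1.0/24 is a heuristic from the post's "bad form" advice (those are the ranges home routers and VPN endpoints most often default to), not a hard rule.

```python
"""Sanity-check the addressing plan for a pfSense box behind an ISP router.

Added example for this thread, not pfSense code. The addresses in main()
are the ones from the posts plus a constructed bad plan for contrast.
"""
import ipaddress

# Ranges home routers and VPN endpoints most commonly default to; reusing
# them behind pfSense invites clashes later (heuristic, not a hard rule).
COMMON_DEFAULT_RANGES = (
    ipaddress.ip_network("192.168.0.0/24"),
    ipaddress.ip_network("192.168.1.0/24"),
)


def check_plan(upstream_lan, isp_gateway, pfsense_wan, pfsense_lan, dmz_host=None):
    """Return a list of problems with the plan; an empty list means it is sound.

    upstream_lan : CIDR of the ISP router's LAN (this becomes pfSense's "WAN")
    isp_gateway  : the ISP router's LAN address (pfSense's upstream gateway)
    pfsense_wan  : the fixed address pfSense takes on the upstream LAN
    pfsense_lan  : CIDR of the new network behind pfSense
    dmz_host     : address the ISP router's DMZ feature forwards to, if set
    """
    up = ipaddress.ip_network(upstream_lan, strict=True)
    gw = ipaddress.ip_address(isp_gateway)
    wan = ipaddress.ip_address(pfsense_wan)
    lan = ipaddress.ip_network(pfsense_lan, strict=True)
    problems = []

    # pfSense's WAN side must live on the upstream LAN and not step on anything.
    if gw not in up:
        problems.append(f"gateway {gw} is not inside upstream LAN {up}")
    if wan not in up:
        problems.append(f"pfSense WAN {wan} is not inside upstream LAN {up}")
    if wan == gw:
        problems.append(f"pfSense WAN {wan} collides with the ISP gateway")
    if wan in (up.network_address, up.broadcast_address):
        problems.append(f"pfSense WAN {wan} is the network or broadcast address")

    # The new LAN must not overlap the upstream one, or pfSense cannot tell
    # "this side" from "that side" when routing.
    if up.overlaps(lan):
        problems.append(f"pfSense LAN {lan} overlaps upstream LAN {up}")
    if not lan.is_private:
        problems.append(f"pfSense LAN {lan} is not RFC 1918 space")
    for rng in COMMON_DEFAULT_RANGES:
        if rng.overlaps(lan):
            problems.append(f"pfSense LAN {lan} reuses a common default range {rng}")

    # Without a DMZ host pointing at pfSense, every inbound forward has to be
    # configured on both routers; with it, pfSense's own rules are enough.
    if dmz_host is None:
        problems.append("no DMZ host on the ISP router: inbound forwards are needed on both routers")
    elif ipaddress.ip_address(dmz_host) != wan:
        problems.append(f"DMZ host {dmz_host} is not the pfSense WAN {wan}: inbound traffic bypasses pfSense")
    return problems


if __name__ == "__main__":
    plans = {
        "plan from the thread": dict(upstream_lan="192.168.1.0/24", isp_gateway="192.168.1.1",
                                     pfsense_wan="192.168.1.2", pfsense_lan="192.168.100.0/24",
                                     dmz_host="192.168.1.2"),
        "constructed bad plan": dict(upstream_lan="192.168.1.0/24", isp_gateway="192.168.1.1",
                                     pfsense_wan="192.168.1.1", pfsense_lan="192.168.1.0/24"),
    }
    for name, plan in plans.items():
        issues = check_plan(**plan)
        print(f"{name}: {'OK' if not issues else ''}")
        for issue in issues:
            print(f"  - {issue}")
```

Once the plan checks out, set the ISP router's DMZ host to the pfSense WAN address and give pfSense that address statically (or a DHCP reservation on the ISP box); from then on port forwards are pfSense NAT rules only, and the ISP router's forwarding bug no longer matters.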

I forgot that DMZ is a thing. o:

1 Like

I could do that, but I intentionally have the switch where it is because my desktop and where my server will be is not going to be too close to the router. I could pick up another switch if need be though.

DMZ'ing another router behind a locked down ISP box is a solution that I've used before, it can be a good compromise.

One concern for power users is NAT performance: some crappy routers lock up when they have to track too many concurrent connections (some mild torrenting can be enough to upset a cheap router, especially if multiple clients are involved).

@wendell will that caching work on Steam/Origin game downloads/updates?
I could pop a couple TB into the router and never have to hit the internet to REdownload my games?

2 Likes

It sort of works on steam but because the CDN server changes a lot the caching rarely works in practice which results in a low hit rate.

I actually made a thread about this here:

Wonder if there is a workaround.
I know in Origin you can checkbox an option that just says
"save downloaded installers",
but having this done on a separate device would be pretty nice,

without having to set up a network shared file that syncs and then deletes from the main rig.

1 Like