pfSense setup to pre-existing network

Hi All,

Just wanted to get some advice on whether it is possible to split a WAN port into two separate networks? And if so, how I should go about it.

Basically, what I want to achieve is I want to complete the router and OpenVPN portion in the guide Louis Rossmann showed in his recent tutorial video on FUTO, but I already have a network in place that I do not want to touch as there are multiple “smart” devices on WIFI which are not mine and will be a major PITA to reconfigure. I do not use these devices, so I do not need, nor want, communication from them to this new pfSense based network.

If I remember correctly (I set this up several years ago, over 6+ months as it constantly kept breaking and driving me insane!) the network setup looks like this:

Telstra Modem/router/AP all in one setup as normal doing its own DHCP and DNS just with WIFI disabled. Yes, I know that is the wrong way to do things, I did want to use bridged mode but we have a landline so that is not possible. Disabling the router & AP portion and only using it as a modem stopped the landline from working. I spent a good 6 months trying to disable as much on the Telstra as I could but every time I changed 1 setting from default the landline stopped working so I eventually gave up and just disabled WIFI.

ASUS AX router setup as normal doing its own DHCP and DNS on a separate IP range. Some devices are connected to the Telstra via ethernet, but most are connected to the ASUS as it has far more ethernet ports. All WIFI devices connect to the ASUS.

My main concern is the family has set up some Eufy Cameras (ugh yes I know, do you think they listened to me?) which are connecting to WIFI on the ASUS. We also have some smart power outlets and also smart fans connecting again to the ASUS WIFI. I would happily use the ASUS as the WIFI AP in the guide Louis set up, but I’m worried that will mean I have to go in and reconfigure all the “smart” devices which I did not set up in the first place, and I recall much cursing from others when trying to set them up in the first place, so I really do not want to touch them.

So ideally, I’d love to use an old PC we have as the pfSense router and get a cheap AP and set the guide up as an entirely separate network not touching anything pre-existing. How would I do that though when the WAN port from the modem is already taken up by the ASUS router?

Additionally, if I can I’d love to link the network at work so I can access stuff on my work PC or our Synology NAS from home.

Thanks for the assistance.

pfsense has more than the capacity to segment networks, but it’s not a simple ‘split’ of a wan port and especially if you don’t want to ‘touch’ any existing equipment.

In principle

Internet
 |
Dumb ISP router if you have to use one
 |
 +pfsense (a) -- some switches, wifi access point (or asus in AP mode) == IoT garbage
 (b)
  \
  new network

This means the telstra whatever only sees one device on your net. The pfsense (a) lan should be set up to be on and offer the same DHCP/IP range as the current setup.

The asus can certainly be reconfigured into an AP mode, but to not change the asus, you could configure another AP to broadcast the same SSID/password. This should be fine if it’s offering the same 2.4ghz/5ghz modes being used as on the asus and wpa (almost certainly 2.0). Turn off the asus.

You may have to troubleshoot this or some of the devices further (I don’t know what they are), and if that’ll make your family mad and you can’t tell them to deal with it for a little while, it’s probably not suitable, especially if you’re not familiar enough yet to work through any problems.

On the (b) net you can set up as needed.

You can then just port forward from the external router to the pfsense for services (vpn) from outside, and all the logic is in the pfsense (i.e. it is critical equipment now, keep that in mind). And also don’t rush to set up anything more than the basics first.

don’t use any realtek nics in the pfsense.

if the above isn’t something you want to pick apart and deal with until it works, then zerotier/tailscale may be useful instead to “vpn” to your home pc or nas and circumvent all of this, though I don’t think I’d connect someone else’s computer directly to my own at all.

Thank you for the advice.

FYI devices we’re using are:
Telstra “smart” modem, pretty sure it’s a gen 1 as the gen 2 has a fiber port which ours doesn’t. We’re still waiting on FTTP. With bated breath!
Asus GT-AX11000 - Yes very overkill for what we use it for, but we somehow got it for 68% off hence why I bought it.
Gaming PC - ethernet
iPhones x3, oldest is a 13 all on WIFI obviously.
Shield TV X2 - Wifi
Laptops X3 - WIFI oldest being 802.11N.
Then we have the Eufy cameras, doorbell and 2 big ass (yes that is the company name) fans.
Pretty simple / basic network.
There are a few other things such as TVs and BR players but they’re rarely connected to the net, mainly just to update FW.

Theoretically if I record the SSID, security type, passcode, DHCP & DNS settings set up on the ASUS, then disconnect it and plug those into the Telstra smart modem and enable WIFI, everything currently using the ASUS should connect and work on the Telstra, no? Only problem is the Telstra only supports DNS servers through an “approved” drop down menu so I would have to use either theirs or Google’s, sigh.

That way I can install Pi-hole and a few other things without having to worry about it blocking communication with the IoT devices because they’re connected directly to the modem and before the pfSense router. Only my stuff will be going through pfSense, so a Shield TV Pro, iPhone 16 Pro Max and an ASUS Zenbook Pro Duo (Wi-Fi 6 if I remember correctly).

As for the work stuff I’m not worried about it, we run a small repair business so everything there is mine and under my control, so famous last words but it shouldn’t be an issue. It would be nice to be able to check on stuff from home so if I’m in the middle of downloading something, or leave a task completing overnight, I can check in and see what’s happening. Like freaking Windows Update. Left a download going overnight as it was going to take till 5am to finish, to come in this morning and find the laptop rebooted and on the Windows “do you want to configure all this crap” menu page after it does a Windows update, and that of course stopped and corrupted my download so yay now I have to start all over again. As Mr Torvalds once said: Microsoft. Duck you! So tempted to switch to the dark side…

Test and deploy one thing at a time. But I don’t know you’ll get a lot of advantage without expecting to get at least some equipment*.

first set up pfsense, with at least 3 network interfaces
1 wan (connect to the telstra), 2 lan

then play/test with a laptop wired behind it. ebay some switch/router that you can configure into acting like an access point, connect that to the lan side of your pfsense, then your laptop to that, and make it work for your things, because everything you do on the ‘lan side’ of the pfsense is only affecting those.

then when more comfortable with what is going on, you can look at the extra lan port on your pfsense (if you even want to by then) and move the iot + extras behind the other pfsense lan port as well.

*vlans seem well out of scope here
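The segmentation policy behind the diagram in the first reply (pfsense with lan (a) for the existing/IoT range and lan (b) for the new network) and the 3-interface build in the last reply, written out as a plain pf ruleset. This is an added example, not the thread's own config and not what pfSense generates from its GUI (pfSense builds its ruleset for you; this only shows the intended policy in pf syntax). Interface names, both subnets and the OpenVPN port are assumptions.

```pf
# Added example (not from the thread): pf policy for WAN + two LANs.
# Assumed interface names and subnets; change to match the actual box.
ext_if   = "em0"              # WAN, plugged into the Telstra
iot_if   = "em1"              # LAN (a): existing range, IoT gear + family devices
new_if   = "em2"              # LAN (b): the new network
iot_net  = "192.168.1.0/24"   # assumed: same range the ASUS was handing out
new_net  = "192.168.50.0/24"  # assumed: a range the Telstra does not already use
vpn_port = "1194"             # assumed: OpenVPN default, UDP

set skip on lo0
scrub in all

# Both LANs reach the internet through the single WAN address (NAT).
nat on $ext_if from { $iot_net, $new_net } to any -> ($ext_if)

# Default deny: anything not explicitly passed below is dropped and logged.
block log all

# Inbound VPN, arriving via the port forward configured on the Telstra.
pass in quick on $ext_if inet proto udp from any to ($ext_if) port $vpn_port keep state

# DHCP requests on both LANs (source is 0.0.0.0, so they need their own rule).
pass in quick on { $iot_if $new_if } inet proto udp from any port 68 to any port 67

# LAN (a): IoT/family devices get the internet (and the firewall's own DNS/DHCP),
# but can never reach the new network.
block in quick on $iot_if from $iot_net to $new_net
pass  in quick on $iot_if from $iot_net to any keep state

# LAN (b): the new network gets everything except the IoT segment.
# Drop the block line if you later want to manage IoT gear from here.
block in quick on $new_if from $new_net to $iot_net
pass  in quick on $new_if from $new_net to any keep state

# Traffic originated by the firewall itself (updates, DNS forwarding, VPN).
pass out quick keep state
```

Once loaded, a host on (b) should get a timeout when it tries to reach a camera on (a), and the blocked attempt shows up in the pf log on the firewall, which is the quickest way to confirm the isolation is actually in force.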