Some questions about pfsense. Newb edition

Hi.

I recently set up this i3-7100 machine with pfsense, with the sole purpose of “bypassing” the ISP router. Bought a 4-port Intel NIC, put it in.
Basically just to hide the LAN-mapping of the house that the ISP router just rubbed in my face, showing all the device names, smartphones, and connections and IP addresses of the entire house.
It was all shown on the router page itself and made me cringe a bit (and hold the towel a bit closer to my body, after a shower). And btw, I also have to get online and login to it through the internet, to get on my own router settings page.
wtf?

So I set the ISP router to bridge mode on port 4, linked that port to a WAN port on the pfsense machine. And went to town thinking I could use it as a switch, and connect all my devices on all 4 Intel ports.

Got over that misconception quite abruptly, with all the “pfsense is not a switch” thing I read in forums…
And all the networking snobs basically bashing anyone who considers bridging different interfaces. And all the
Oh, not written down all the rules to every interface you have assigned, have you? mmm…haha! Are you bridging connections, sir? muahah so foolish! Why don’t you stick to your ISP-provided router if you cannot handle such complications for your feeble little mind, sir? Show us your screenshots, so we can laugh about it! :face_with_monocle: muahahahaha!

So… Anyway (sorry about the rant).

I have some really basic questions:

1. Does my ISP still have access to my home LAN, and the devices’ hardware IDs or IP addresses in it?

2. Without a VPN on pfsense, is any of the inbound traffic hidden, somewhat hidden, encrypted in any way? All they see is one device (router), asking for all the internet traffic, right?

3. If I’m not using interface bridges, is there any easy way to connect all the LANs in the house? Wifi devices on LAN1, to my PC on LAN2, to the proxmox+truenas on LAN3?

4. Difference between Interface Bridges, VLANs, Groups? <— In a very basic way, please. I understand a lot of basic stuff already (I think)

thanks, sorry for the long read

  1. Depending on the size of your tinfoil hat, possibly (that can pretty much be said of any kind of computer that’s on and has Internet access), but in practice most likely not, and unless you’re doing something interesting you’re likely not a very interesting target to begin with

  2. Yes, you have layer 7 protocols such as HTTPS that use encryption, so it’s just as good or bad as before, but that doesn’t mean that clients can’t leak information about “their” network, e.g. via WebRTC.

  3. Yes, route(s)

  4. Have you tried looking at the official documentation?


Hello zCaptain and welcome to the forum! Both pfSense/OPNsense are great drop-in replacements for your ISP’s router and a good starting point in reducing your ISP’s visibility into your network. And while preventing them from knowing what devices are on your local LAN is good, I’d also recommend switching to an external DNS provider such as Cloudflare or Quad9 and configuring pfSense to use DNS-over-TLS. If your ISP is monetizing your network traffic it’s far more likely they’re analyzing your DNS queries than selling a list of hostnames and MAC addresses to advertisers.

If pfSense is configured to NAT traffic (default option) then your ISP’s modem will only see a single MAC address of the Intel NIC port. They will not be able to see broadcast traffic or hostnames on your LAN. But they could still be doing additional analytics on unencrypted traffic upstream, logging browser user-agents and DNS queries (check your ISP’s privacy policy).

No. pfSense does not add any security enhancements to inbound traffic. It functions as a router and just passes the packets along to their destination.

Correct.

What are you trying to accomplish here? Are you looking to segment your network so that WiFi clients are isolated from your PC/server LAN? Or should a WiFi client on LAN1 be able to access TrueNAS on LAN3?

Bridges act similar to network switches but lack the acceleration/performance you get from hardware switching. VLANs in pfSense are going to require a managed switch or a device such as Proxmox that does VLAN tagging to work properly. You’ll really want a VLAN-capable switch if going that route… And lastly, interface groups are just used to apply blanket rules to multiple interfaces. They are not used to enable network communication between interfaces but rather for device administration. Take a look at Netgate’s documentation as it explains all three in great detail.

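For the DNS-over-TLS recommendation above, here is what the setting comes down to in Unbound, the resolver that runs behind pfSense’s Services > DNS Resolver page. On pfSense you do not edit this file by hand: you tick “Enable Forwarding Mode” and “Use SSL/TLS for outgoing DNS Queries to Forwarding Servers” in the DNS Resolver settings and list the upstream servers together with their hostnames under System > General Setup. The fragment below is an added illustration, not configuration from this thread or from Netgate; the certificate bundle path is an assumption matching FreeBSD’s default bundle, and the two forward-zone clauses are alternatives (weak and corrected), not meant to be used together.

```conf
# Weak: plain DNS forwarding. Every lookup crosses the ISP link in cleartext on
# UDP/53, so the ISP gets the full list of names your household resolves.
forward-zone:
    name: "."
    forward-addr: 1.1.1.1
    forward-addr: 9.9.9.9

# Corrected: the same upstreams over TLS on port 853. The name after '#' is the
# hostname Unbound checks the upstream certificate against; without it Unbound
# would encrypt the session but not authenticate who it is talking to.
server:
    tls-cert-bundle: "/etc/ssl/cert.pem"   # assumed path (FreeBSD ca_root_nss bundle)
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    forward-addr: 9.9.9.9@853#dns.quad9.net
```

Two checks worth doing afterwards. First, run `tcpdump -ni <WAN interface> port 53` on the pfSense shell while browsing from a client: with forwarding over TLS working you should see nothing on port 53 and the queries on port 853 instead. Second, the setting only covers queries that actually go through pfSense, so add a LAN rule that blocks (or NATs back to the firewall) outbound port 53 to anything other than the firewall itself; a TV or phone with a hardcoded public resolver, or a browser doing its own DNS-over-HTTPS, otherwise bypasses the whole setup.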

@diizzy I tried the documentation, yeah. But it gets really confusing after a couple of pages…
Thanks

@Four0Four Well, what I need is different than what I currently have. :money_mouth_face:
And I’ve had this piece of crap D-Link gigabit 5-port laying around for a while.
I know a proper switch would be nicer, but I don’t want to spend a fortune on one, and it’s not worth it for me in the home.

So anyway, the thing here currently, is:

isp router > pfsense LAN1 > Dlink switch > all the Wifi* + the proxmox pc
            pfsense LAN2 > my main pc

I have it like this currently ^

*the wifi is really a bit convoluted because the house is kinda big, and I need a lot of coverage. So there’s 2 APs and 1 of them is connected through a powerline from that same switch. So the wifi alone takes up 2, of those 4 ports in the switch.

To my PC, I just want a good solid internet connection, but occasionally I would like to access truenas, and maybe get to the config pages of all the APs and stuff if I need to do any more troubleshooting.
The TrueNas stuff, I would also like to be able to access it from the wifi through the smartphone and TV.

Problem is: I could connect everything through that small switch and it works… But I don’t think the little guy can handle it because I get hiccups and packet loss and occasional disconnects. It can handle the wifi, and I guess that’s it.

Also, if I connect everything to different interfaces and use bridges, the thing slows to a crawl and I can’t do anything properly.

That’s why I was asking the difference between bridges and VLANs and groups and stuff. I wanted to connect everything. But the bridged connections between the interfaces seem to slow everything, even if I’m not using them.

Thanks for the help, anyway. I might just YOLO it and try to find a good switch 2nd hand

If you are asking if the ISP can somehow detect what you are doing, the short answer is no. Long answer is that they still could do deep packet inspection.

They won’t have any idea what the exact content of the messages is if you are connected to HTTPS or any encrypted services only, but they see who you talk to and the timing of your conversation (the metadata of your communication). If they observe it long enough, they are able to guess some things about you and they can have a very, very vague idea about the content of your discussion (along with your cellular phone movements, satellite image data, etc).

But this is a state-level kind of resource-intensive venture and if you are a nobody, they won’t spend this much in resources on you because governments are cheap asses, thankfully.

Traffic is traffic. Even if you use a VPN, if you visit a non-encrypted site, the ISP can still see into your movements through said websites and see the forms you submit (your comments, name fields, address fields, phone number fields, etc). Make sure you are on an encrypted connection like HTTPS or SFTP. If you do something on a non-encrypted HTTP site, anything you do there is pretty much guaranteed to be logged at each hop on the internet.

You need a managed switch for this. The problem is, pretty much all of them are closed source, if you want to put your tin foil hat on. The other solution is to physically segment your network - which can get very expensive fast.

@Four0Four while your statement is somewhat correct, the primary function of pfSense is to act as a firewall, but it also does route layer 3 packets.

My advice to @zCaptain is, instead of plugging all his ethernet devices into the device that’s bridged, he should purchase a layer 2 switch to connect his ethernet items; make sure it allows you to set up VLANs in case you want to play around with them. But, of course, if money is tight, you must do what you must. But the best practice is never to connect your clients directly to your gateway, even if that gateway is in bridge mode. So if you need a recommendation on an excellent L2 switch, I highly recommend any wave 2 UniFi switch. But it doesn’t have to be UniFi; I don’t have any other experience with any other brand.

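To make the VLAN advice in this post and the earlier “bridges vs. VLANs vs. groups” explanation concrete, here is what the resulting per-interface rule sets look like in pf syntax, the packet filter pfSense runs underneath its GUI (pfSense writes the generated rules to /tmp/rules.debug; you normally create them on the Firewall > Rules tab of each interface rather than by hand). This is an added example, not from the thread or from Netgate, and the interface names, VLAN IDs and addresses are assumptions for a layout like the poster’s: VLAN 10 for the Wi‑Fi APs, VLAN 20 for the main PC, VLAN 30 for Proxmox/TrueNAS, all trunked over one Intel port (igb1) to a managed switch.

```conf
# Hypothetical pf rules for a three-VLAN home layout (names/addresses assumed).
# pfSense creates the VLAN interfaces for you (Interfaces > Assignments > VLANs);
# on the shell they would be:
#   igb1.10  WIFI     192.168.10.1/24
#   igb1.20  PC       192.168.20.1/24
#   igb1.30  SERVERS  192.168.30.1/24   (TrueNAS assumed at 192.168.30.10)
# Every GUI rule is written with "quick", i.e. first match wins, so the order
# inside each interface block is what enforces the policy.

table <rfc1918> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# WIFI (igb1.10): phones and TV may reach TrueNAS shares and the firewall's DNS,
# nothing else inside the house.
pass in quick on igb1.10 proto { tcp udp } from 192.168.10.0/24 to 192.168.10.1 port 53 keep state
pass in quick on igb1.10 proto tcp from 192.168.10.0/24 to 192.168.30.10 port { 445, 2049 } keep state
block in quick on igb1.10 from 192.168.10.0/24 to <rfc1918>
pass in quick on igb1.10 from 192.168.10.0/24 to any keep state

# PC (igb1.20): trusted; may reach the server VLAN, the AP admin pages and the Internet.
pass in quick on igb1.20 from 192.168.20.0/24 to any keep state

# SERVERS (igb1.30): NAS and Proxmox can reach the Internet and answer connections
# from the other VLANs (stateful replies need no rule), but cannot initiate into them.
pass in quick on igb1.30 proto { tcp udp } from 192.168.30.0/24 to 192.168.30.1 port 53 keep state
block in quick on igb1.30 from 192.168.30.0/24 to <rfc1918>
pass in quick on igb1.30 from 192.168.30.0/24 to any keep state
```

The pattern on each tab is the same three steps: pass the specific things you want across VLANs, block everything else to private address space, then pass the remainder to the Internet. Because the pass rules are stateful, a phone opening an SMB share on TrueNAS gets its replies back without any rule on the SERVERS interface. pfSense puts its own automatic rules (anti-lockout, DHCP for each interface) ahead of yours; check the effective, merged rule set with `pfctl -sr` on the pfSense shell. This is also where interface groups fit: a group containing all three VLANs would carry rules such as the port-53 pass once, evaluated before each interface’s own tab.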

Maybe not as great as the UniFi, but layer 2 and cheap: TP-Link SG108E for ~$30 US.
