Sturdy Questions About pfSense!

Hi Tek Syndicate.

 

I have more questions about pfsense since the last time I wrote to inbox.exe

 

So here's what's on my mind. Firstly, in the "turn your old pc into an epic router" video I saw that there was a 'VPN' tab on the pfSense interface, what is that all about? Does it mean that I can have my own VPN that will (in my case living in New Zealand) give me a MUCH lower ping and much higher speeds as the server will be local? As opposed to the closest one being in Australia? If so, would this mean that my internet would only go as fast as my upload speed due to my packets double hopping by going to my isp and then back to me before then going to the website or other ip address?

Secondly, I also noticed that in your video you used the old pc as just an access point if I am correct, but I was wondering about modems..

Can you use pfSense as a modem? I managed to find an old RJ11 pci board which i'm assuming has something to do with modems. Another way to ask this question would be; can I use my epic pfSense router and that's it, no other modems or routers or anything like that if I can use the pfSense router as a modem?

 

And thirdly as a sum up question; is there anything pfSense can't do? haha. As in do I HAVE to buy anything, like a branded modem or anything like that?

 

 

Cheers!

Yes you can use pfsense to run your own VPN server, you can also use any computer to run a VPN server you just need to install whichever VPN software you want to use on it, such as openvpn. But if you plan on connecting to your own VPN server using your own internet connection then what exactly do you hope to accomplish? I mean you'll still have your same IP address and your ISP will still be able to see your traffic.

 

You can rent a server online and install a VPN server on it and connect to that, which will protect you while you're on a public network or stop your ISP from seeing what you're doing, but if you're worried about someone using your IP address to find out who you are then they will just be able to contact the company supplying the server rather than your ISP.

 

The advantage of running your own VPN server is to allow you to access your network remotely or to encrypt your traffic while using a public network. But you will be limited to your upload speed.

 

I'm not sure if pfsense works with PCI adsl cards, I'm sure you can google it and see if the card you have will work, but a modem costs like $20 or something which is all you need. You don't need to buy some $100 modem/router just to disable the router and plug it in to pfsense, any old modem will do as long as it's the right type for your connection. If you already have a modem you can just use that. All you need on pfsense is a network interface to connect to the modem which will be your WAN port and a network interface to connect to your network which will be your LAN port. Just connect the LAN port of your pfsense box to a switch to connect the rest of your devices. If you want wi-fi then you're better off getting a wireless access point or router with wifi and using that rather than using a wireless card in the pfsense box itself. Reason being that the support for wireless cards is pretty limited on pfsense and it has no support for modern standards like the n or ac wireless cards.

Thanks for the quick reply! Hmm, ok so it's pretty much worth it just to rent one? Because I live in New Zealand there isn't much on offer. If I had one at another location would that work? Like a friends house? Or would that use up his data plan too?

 

So does a VPN do two things? Encrypt your packets and virtually change your ip address to whichever one it is connecting to, wherever the VPN server is?

 

And for the pfSense side of things. So i should just use or buy just a regular adsl router and use a regular access point? If that's the case then what does pfSense and a use of a pfSense box actually do? Does it just let me monitor things?

A VPN is a virtual private network, it lets you connect to a network using another network as if you had a direct cable connecting you. It was originally used to connect (for example) two locations of the same business without them having to buy or rent a dedicated line.

When you connect to a VPN you are creating an encrypted tunnel between you and the server, all traffic on this tunnel cannot be seen by anyone between you and the server, once it leaves the server though it is just like normal internet traffic - a vpn does not encrypt your traffic between you and whatever you are connecting to, only between you and the vpn server. This is useful if you are on an untrusted network like a public wifi hotspot where someone else on the network could be looking at what you're doing, using a VPN would encrypt your traffic on this network so they wouldn't be able to see it. It also stops your ISP from being able to see it.

All of your traffic will appear to be coming from the VPN server so you will appear to have the IP address of the server, this protects you from anyone who will try to find out who you are by finding out which ISP owns the IP address and getting them to hand over your personal details, they can still ask the VPN provider to do this but most of the time they are set up in a way where they either won't or can't give out your details. It won't really protect you if you're doing something criminal but it does offer some protection from other things.

You can also use it to access stuff which you normally can't access in your country due to censorship or copyright protections.

Yes, you could connect to a friend's network using a VPN, but why would you want to, it means that all of your traffic will appear to be coming from him, why would he agree to doing that? And yes it would use his data and bandwidth and you would be limited to his upload speed.

Renting a server online and setting it up as a VPN will work, and should be fast, but you need to know exactly what you need the VPN for. If you just want to stop your ISP from snooping on your traffic or are worried about using public networks then that is a good option, but if you want to anonymise your traffic then it won't really help because your IP address will lead back to the server which you are renting, rather than an internet connection which you are renting, so your details will still be available to someone who wants them. Plus depending on which country the server company is in they may be required to keep logs and stuff like that.

A VPN will always be slower than your normal connection and if you're on DSL then it will never be that great, I'm in Australia and i've never been able to get any more than 10mbps on any of the VPNs that I've tried (I can normally get about 20mbps). I'm not sure why this is but I think it's because the DSL connection is already tunneled using PPPoE so when you try to stick a VPN tunnel inside a PPPoE tunnel you end up with a lot of fragmentation which slows the connection down and creates overhead.

I was using vyprvpn but I wouldn't recommend them. They kicked me off for apparently violating their terms of service but wouldn't tell me exactly why I did. But it turns out from this that they are able to link activity to a user so they're not really very anonymous. If you want anonymity then look for a VPN which shares an IP address with multiple users so they can't tell (even if they wanted to) which user is generating which activity. I'm currently using torguard and they seem pretty good. But my speed so far has not gone above 8mbps, but that is with a server in Europe, a closer server might be faster.

 

As for pfsense. It's basically software to turn a regular PC in to an enterprise level router firewall. So what it is good for is routing and firewalling. You can use it for a bunch of other things too, like a proxy server, caching server, VPN server or client, IDS/IPS system, etc. But at its core it is a firewall router. So if you don't need anything enterpriseish then there isn't much advantage over a normal consumer router.

I use it, and I will never go back. It's not going to improve your speed (unless whatever router you're using is really crappy) but it can handle much more connections than any other router I've used. It never crashes under load or needs to be rebooted, and gives me a lot of control over everything. I have three networks which I use the pfsense box to route data between and control access as well as being my internet gateway. I wouldn't be able to do that without something at least semi enterprise, but even just for a normal home network it's pretty good too. But like I said if you don't need anything too fancy there's not much advantage to using it unless you just want to play around with it, you definitely shouldn't spend a lot of money on it if you don't need the features.

Ahhh ok thanks! That answers a lot of my questions on the VPN side. My friend gave me some VPN software named SoftEther https://www.softether.org/ can you tell me if it's good and also why is it free? Generally you always want the paid version as it'll most likely be of higher quality but my friend seems to swear by this one. Or should I just be using the one with the closest server as I can't afford to lose many more mbps?

 

As for pfSense, hmm, well the protection sounds nice, and I think I should still make one. Also, how does the VPN in it work? And what do you mean by it can handle many more connections? How is your network set out?

That is VPN software for connecting to a VPN server, I don't know if it's any good. Most VPN services will have their own software or you can just use openvpn. You'll still need to get a VPN service to connect to, and if you don't need an IP address in another country then just go with something with close servers as that will give you the best performance. But like I said, you will never get the same kind of speed you would on your normal connection, especially if you're on some kind of DSL connection. The reason that Logan and others in America were able to get a gain in speed is because of the way their ISPs were throttling certain connections and protocols, but if your ISP isn't doing that to you then you won't see a gain in speed.

 

By more connections I mean firewall connections, so when you do stuff on the internet every time you need to connect to a server to get something it needs to establish a connection through your firewall. This uses memory and CPU cycles, so the more connections you have, the more hardware utilization you have. Cheap consumer routers are limited by the small amount of RAM they have as well as not having the best cooling, so they can crash if you start opening up a lot of connections, this used to happen to me all the time with torrenting if I had too many going at once. A normal router can handle maybe 10,000 open connections, whereas pfsense with 4GB of ram will be able to handle 400,000. Plus the hardware is more stable so it doesn't just crash randomly or overheat like normal routers do.

As for my network, it's reasonably complex and totally overkill, but the gist of it is - I have 4 networks; LAN, DMZ, Public and VPN, as well as the internet. The LAN network is for my laptop, desktop, phones, server, etc. Stuff that I trust. The DMZ is for web facing services, like my mail server and web server, the idea of this network is that if someone is able to hack in and gain control of my web server for example, then they won't be able to get in to my trusted network because of the firewall. So it's kind of like LAN - firewall - DMZ - firewall - Internet, it lets me open ports to the internet without opening those ports in to my trusted network. The public network is for my open wi-fi which only gives users access to the internet but not to the LAN. And the VPN network is for VPN clients connecting to my VPN server, mainly it's so I can connect to my network using my phone if I need to mess around with config files or whatever. The pfsense box sits in the middle of all this and routes traffic between the networks, as well as controlling access between networks with the firewall.

 

The VPN in pfsense can be set up as both a VPN server, allowing you to connect to your network remotely, or as a VPN client allowing you to connect pfsense to a VPN server and share that connection with your network. If you want to set up a VPN server you can use pfsense and it works well, but you can install a VPN server on any OS so you don't have to use pfsense for it. Using it to connect to a VPN server and share that connection with your network is pretty handy if you want everything to go through a VPN connection though.

That SoftEther does look pretty good, it might be worth using if you do get a VPN service. Test out your performance using whatever software they give you and compare it to softether. It might give you a performance boost or it might make no difference, but it's worth giving it a shot.
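The four-network layout and the per-connection firewall state described in the reply above can be modelled in a few lines. This is an added example, not part of the original posts and not pfSense's own code; the subnets, the rule list and the `Firewall` class are constructed for illustration, since the post names the networks but not their addressing or exact rules.

```python
import ipaddress

# Constructed addressing: the post names LAN, DMZ, Public and VPN but gives no subnets.
ZONES = {
    "LAN":    ipaddress.ip_network("10.1.1.0/24"),
    "VPN":    ipaddress.ip_network("10.1.2.0/24"),
    "DMZ":    ipaddress.ip_network("10.1.3.0/24"),
    "PUBLIC": ipaddress.ip_network("10.1.4.0/24"),
}

# Assumed policy: (source zone, destination zone or "*", destination port or None).
# Anything that matches no rule is dropped (default deny).
RULES = [
    ("INTERNET", "DMZ", 25),        # mail server published to the internet
    ("INTERNET", "DMZ", 443),       # web server published to the internet
    ("LAN", "*", None),             # trusted hosts may start connections anywhere
    ("VPN", "LAN", None),           # remote clients reach the trusted network
    ("DMZ", "INTERNET", None),      # DMZ may go out, but never into the LAN
    ("PUBLIC", "INTERNET", None),   # open wi-fi gets internet only
]


def zone_of(addr):
    """Map an address to its zone; anything unknown is the internet."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "INTERNET"


class Firewall:
    """Stateful filter: rules are checked only for the first packet of a flow."""

    def __init__(self, max_states):
        self.max_states = max_states   # bounded by RAM on a real device
        self.states = set()

    def handle(self, src, sport, dst, dport):
        flow = (src, sport, dst, dport)
        reply = (dst, dport, src, sport)
        if flow in self.states or reply in self.states:
            return "pass (existing state)"
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        allowed = any(
            rule_src == src_zone and rule_dst in (dst_zone, "*") and port in (None, dport)
            for rule_src, rule_dst, port in RULES
        )
        if not allowed:
            return "block (default deny)"
        if len(self.states) >= self.max_states:
            return "block (state table full)"
        self.states.add(flow)          # every new connection costs one table entry
        return "pass (new state)"


if __name__ == "__main__":
    fw = Firewall(max_states=3)        # tiny limit so exhaustion is visible
    print(fw.handle("10.1.1.10", 50000, "10.1.3.5", 22))   # LAN -> DMZ
    print(fw.handle("10.1.3.5", 22, "10.1.1.10", 50000))   # reply rides the state
    print(fw.handle("10.1.3.5", 40000, "10.1.1.10", 445))  # DMZ -> LAN is dropped
```

The reply from the DMZ passes only because the LAN host opened the flow first; a DMZ host starting its own connection to the LAN hits the default deny, which is the containment property the post describes.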

Hmm, so what would you recommend for best performance? The only time i'd use a server in a different country would be if i needed to get past copyright things n stuff, but that's fine because you can just flick between servers. 

Ok, so for connections you're saying that every time a web site needs to get through my firewall it makes a connection, and then is that permanent unless changed? Because I most likely won't be going on 400,000 web sites at once hahaha.

And for the pfSense/ VPNs I should just use a regular program on all my computers like (insert your recommended one for best performance NZ use here) for when i'm just doing general use?

Also, how does using pfSense as a VPN work for when wanting to access your files from outside of your LAN?

If you've never had a router crash because of it getting overloaded then you don't have to worry about it. Mine used to crash all the time if I had too many torrents going at once and stuff like that. Now that I'm using pfsense it's always stable.

I have no idea what a good VPN is for New Zealand, I haven't found one that works well in Australia either.

Don't get hung up on pfsense, you can run a VPN server or client on anything. If you run a VPN server then you can access your LAN remotely as if you were connected directly to it. That's what VPNs do. Running a VPN client on pfsense is useful if you want to share your VPN connection with your whole network, but it's a little tricky to set up. You can also do the same thing with a custom firmware like dd-wrt or openwrt for a normal router, as long as it supports the firmware. But if you just want to connect one computer or connect your computers individually then it's probably easier just to use whatever software the VPN service gives you, you won't have to mess around with manually configuring it that way.

Ok, well do you think I should just get a router that supports dd-wrt then? As it seems that with my usage I won't see much advantage, especially at this stage of using pfSense.

 

I was thinking about the accessing my LAN part actually because I might use that and you also said that you have used your phone to access it which also sounds very useful. So how would I go about remote LAN access using A VPN?

 

Also, can you, using dd-wrt, change the frequency like in pfSense to an uncommon one in your area like Qain showed in the video?

If you're talking about the wifi channel frequency then you can do that on pretty much every wireless router. So yes, dd-wrt will let you do that. But you should stick to channels 1, 6 or 11. Because you're better off sharing a channel with someone than using a channel which overlaps. 

Connecting to your LAN via a VPN is as simple as connecting to your VPN server, that's all you have to do because that is what a VPN is, a way of extending a network over another network (such as the internet) and having it function the same as if there was a direct connection. If your VPN server uses a different subnet to your LAN (for example let's say your LAN is 10.1.1.0 and the VPN is 10.1.2.0) then when you're setting up the VPN server just add your LAN's subnet to the VPN's routes. Then once you're connected to it you can access your LAN exactly like you do when you're at home. Find a guide on google to help you set it up with step by step instructions.

What I'd do if I were you is start by finding a VPN service which gives you the performance you want, just use their software to connect to it. Once you've found one then you can set it up on a router to share it with the rest of your network. Most VPN providers have guides for setting it up on dd-wrt, pfsense can be a little tricky and most of them don't have guides for it, but they all use the same VPN (openvpn) so it's easy to adapt a different guide to the service you're using. 
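The LAN-route step from the reply above (LAN 10.1.1.0, VPN 10.1.2.0) can be checked before the server is configured. This is an added example, not part of the original post: it assumes /24 masks, which the post does not state, and the function names are hypothetical. It emits the OpenVPN `server` and `push "route ..."` directives and also flags the case where the network the client is sitting on uses the same range as the home LAN.

```python
import ipaddress


def netmask_form(net):
    """OpenVPN writes networks as 'address netmask' rather than CIDR."""
    return f"{net.network_address} {net.netmask}"


def plan_vpn(lan, tunnel, client_local=None):
    """Check a remote-access address plan and build the server directives.

    lan          -- home LAN behind the VPN server
    tunnel       -- subnet handed out to VPN clients
    client_local -- network the client is connected to when away, if known
    """
    lan_net = ipaddress.ip_network(lan)
    tun_net = ipaddress.ip_network(tunnel)
    problems = []

    # The tunnel subnet has to be distinct from the LAN so the server can
    # route between the two.
    if lan_net.overlaps(tun_net):
        problems.append(f"tunnel {tun_net} overlaps LAN {lan_net}")

    # Failure mode: the remote network reuses the home range, so the client
    # treats home addresses as local and the pushed route is ambiguous.
    if client_local is not None:
        local = ipaddress.ip_network(client_local)
        for name, net in (("LAN", lan_net), ("tunnel", tun_net)):
            if local.overlaps(net):
                problems.append(f"client network {local} overlaps {name} {net}")

    directives = []
    if not lan_net.overlaps(tun_net):
        directives = [
            f"server {netmask_form(tun_net)}",        # pool for VPN clients
            f'push "route {netmask_form(lan_net)}"',  # tell clients how to reach the LAN
        ]
    return {"problems": problems, "directives": directives}


if __name__ == "__main__":
    # Subnets from the post, /24 assumed; the client networks are constructed samples.
    for client in ("192.168.1.0/24", "10.1.1.0/24"):
        plan = plan_vpn("10.1.1.0/24", "10.1.2.0/24", client_local=client)
        print(client, plan["problems"] or "ok")
        for line in plan["directives"]:
            print("   ", line)
```

Picking an uncommon range for the home LAN, as the post's 10.1.1.0 example does, makes the second case less likely than with the default ranges most consumer routers ship with.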

Ok cool, so how would I go about putting VPN on my network for accessing my stuff remotely?

And is openvpn not a service but a server? And is Private tunnel their personal service software? And for example, would PrivateInternetAccess's VPN software connect to their own server?

Openvpn is the software, it's a type of VPN, there are others like PPTP, L2TP, IPSec, and some proprietary ones. But Openvpn is the best to use because it's free, secure and pretty fast. Private internet access's vpn software is basically a modified version of the standard openvpn software which is preconfigured to connect to their stuff, so all you have to do is log in and choose your server, you don't have to mess around with manually configuring it and setting up the certificates and stuff. It just makes it easier to use the service's software, but you can just use the standard openvpn software and connect to any vpn with it. It's up to you.

 

Setting up a VPN server on your network is pretty easy, just install openvpn on a computer, set it up as a server and forward the port in your router. But look up a guide because there's a little bit to configuring it and a good guide will make it a lot easier for you.

You can also run a VPN server on dd-wrt, not sure what the performance would be like but for a single user and under 100mbps bandwidth then it should be fine.

Ok cool! So can I just use openVPN software to connect to my VPN at home remotely? And then at home I set up openVPN's (i'm guessing) server software and then after a few guides and that port forwarding thing I should be good to go? Also, do I need a dedicated computer as a VPN? Or can I just run it on my main PC as long as it's always on?

 

Also I have decided to go with pfSense, I wanted either a router with dd-wrt or custom firmware options or pfSense, and the cheapest ones I can find are $100, about $80-90 AUD which is unnecessary if I can make one for free :) I do have another question about pfSense though and that is; what kind of hardware do I need? Will I benefit from a dual core? Or is the 3.0ghz Pentium 4 with 4GB of RAM just fine?

 

Thanks for all your help with these two threads! It's been bloody amazing!

Hardware for pfsense depends on your usage, for home use with only a few users then a single core Pentium 4 and 4GB of RAM is heaps. All you really need is at least 2 network cards.

 

And yeah, you can run openvpn on any computer (the openvpn software includes both the client and server parts), you just need to forward the port in your router to that computer, you'll probably also want to set up DDNS so that you don't have to remember your ip address. If you go with pfsense then you can set that up as your VPN server, but look for a guide. I can help you out if you get stuck.

Ok cool! In what circumstances would you need more computer power than what I have? I was thinking of getting http://www.trademe.co.nz/computers/servers/server-components/auction-741332914.htm and i'm getting this wireless card from my friend ftp://ftp.dlinkla.com/pub/drivers/DWA-510/DATASHEET_DWA-510_v2.00.pdf but i'll be upgrading it later.

 

Once i've set it up do I have to plug it in and turn off other routers in the house? This will be for my house when I move out but i want to try it at home first if that's possible?

 

I think I will use the pfSense router as a VPN server too, It will take me a while before I get up to that stage but i'll let you know if I need help after consulting google :)

The faster your internet connection, the faster the machine needs to be. It needs to process each packet that it receives and run it through the firewall, so the more packets per second the more processing power it needs. But you don't have to worry about that. Having a lot of VPN connections will also slow it down because of the encryption, but again you need a lot before it starts becoming a problem. There are other packages you can install on pfsense which can be resource hungry, like snort, but if you're just using the standard setup and it's just for regular home use then there's no advantage to getting a faster computer, other than a newer computer will use less power than an old P4.

Pfsense only has limited support for wi-fi, that card might work because it is the older 802.11g standard but it also might not. Most people use a separate wireless access point rather than incorporating it in to pfsense.

You have two options for setting up your pfsense box on your network. You can replace your current router with it, in which case you would either turn that router off and connect everything to the pfsense box instead (Modem to the WAN interface and everything else on the LAN interface) or use your current router as a switch/access point by disabling the DHCP server on it and connecting it to the LAN side of the pfsense box. Just make sure your pfsense LAN interface is on the same subnet as the rest of your network.

The other option is to connect the WAN interface of the pfsense box to your network just to test it out. To do this you set the WAN interface to DHCP and make sure your LAN interface is on a DIFFERENT subnet to the rest of your network. In this configuration you will be behind two NATs though (one in your current router and one in pfsense) so if you set up a port forward in pfsense or use upnp then it won't actually open the port to the internet until you manually configure your current router as well. But this will work fine for testing, and then when you move it to your house you can set it up as the default router. 

OK well, let's say I just unplug the router and put the pfSense box in its place, will I have to figure out how to make it the same as the original router? Or can I just follow the guide in the tek syndicate video by Qain to set up just fine?

When it comes to access points I have been having very annoying problems. I have two Dlink ones, the dwl-700ap which works and a DAP-1150 that also works but they are absolutely shit when it comes to the interface. I just simply CANNOT log on to ANY of them, I've typed in the right IP addresses too and it just will not god damn work! The main reason why I want to is because they aren't protected by any passwords. I've been into both of them before, the 1150 quite frequently in the past actually but I can't get onto them at all now. Do you know what the hell could be making that happen? It's this stuff that is making me want to totally switch over to pfSense.

 

I will also most likely be using firewall stuff and anti virus stuff on pfSense and a couple other of those add on things shown in the video.

Also, I will be wanting to do that caching thing. Will a 7200rpm 320GB sata drive be ok?