Pfsense Interface setup

defsoul

Hi All,

I'm trying to set up pfSense for my small home office, but I think I didn't set up the interfaces correctly, because the internet connection is "on and off".

My setup is like this:

adsl router - no dhcp (192.168.1.1) ---->pfsense WAN port (192.168.1.10 255.255.255.0)--->pfsense LAN port (192.168.1.20)--->LAN switch-----> PC's.

WAN Interface: IPv4 Configuration type: Static IPv4
IPv4 Address: 192.168.1.10/24
IPv4 Upstream gateway: 192.168.1.1/24

LAN Interface: IPv4 Configuration type: Static IPv4
IPv4 Address: 192.168.1.20/24
IPv4 Upstream gateway: None

I get the DHCP from the router and that seems to work fine; it's just that every few minutes the internet connection will drop, but when connected to the ADSL the internet still works, so I know it's not the ADSL router dropping.
 
Put your LAN interface onto a different subnet...
 
Yeah I would concur with that.

adsl router - no dhcp (192.168.1.1) ---->pfsense WAN port (192.168.1.10 255.255.255.0)--->pfsense LAN port (192.168.2.1)--->LAN switch-----> PC's.
Or even use 172.16.x.x range for the LAN (or vice versa)

If you need DHCP, run it as a service on pfsense and switch it off on your Modem/router.
 
I've changed the LAN ip range and it looks stable now, I'll monitor and see how it goes.
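
The addressing problem discussed above, as an added example that is not part of any poster's message: a small Python check that flags routed interfaces sharing a subnet. The dictionary layout and function name are assumptions made for illustration, and the /24 on the suggested LAN address is assumed.

```python
import ipaddress

# Constructed from the addresses in the thread; gateway written without the "/24".
ORIGINAL = {
    "WAN": {"address": "192.168.1.10/24", "gateway": "192.168.1.1"},
    "LAN": {"address": "192.168.1.20/24", "gateway": None},
}
# The layout suggested in the replies: LAN moved to 192.168.2.1 (a /24 is assumed).
FIXED = {
    "WAN": {"address": "192.168.1.10/24", "gateway": "192.168.1.1"},
    "LAN": {"address": "192.168.2.1/24", "gateway": None},
}

def check_interfaces(interfaces):
    """Return a list of addressing problems for a routed (non-bridged) firewall."""
    nets = {name: ipaddress.ip_interface(cfg["address"]).network
            for name, cfg in interfaces.items()}
    names = sorted(nets)
    problems = []
    # Each routed interface needs its own subnet; overlapping prefixes leave the
    # firewall with two connected routes for the same addresses.
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    for name in names:
        gw = interfaces[name].get("gateway")
        if gw is None:
            continue
        gw_ip = ipaddress.ip_address(gw)
        # The upstream gateway must be on-link for its own interface ...
        if gw_ip not in nets[name]:
            problems.append(f"{name} gateway {gw} is outside {nets[name]}")
        # ... and must not also look on-link from another interface.
        for other in names:
            if other != name and gw_ip in nets[other]:
                problems.append(
                    f"{name} gateway {gw} also falls inside {other} {nets[other]}")
    return problems

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        found = check_interfaces(cfg)
        print(label, "->", found or "no addressing conflicts")
```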
 
ICMP redirects were pwning your ass
 
Just set up a free OpenDNS account and configure it in pfSense under Services > Dynamic DNS for the interface you're using. Then in the OpenDNS account set up your white- and blacklists. I find that easiest because I can easily get to the configs from any browser.
 
Yup, concur with OpenDNS. It's the best way I have seen it being blocked.

The other option I went through at the office is running through a Squid proxy, with WPAD.dat being provided via the DHCP.

Works more or less, but I am sure there are some proxy gripes I am soon to encounter.
 
Install squid + squidguard and install Shalla's Blacklists.

Should sort you out.

Just don't use the transparent proxy as https traffic bypasses the proxy.
 
So glad I stopped using pfSense. It's powerful but very frustrating when you are trying to do something as simple as blocking domains.
 
I get the DHCP from the router and that seems to work fine; it's just that every few minutes the internet connection will drop, but when connected to the ADSL the internet still works, so I know it's not the ADSL router dropping.
Just FYI, you should actually be creating the PPPoE session with pfSense. Not your ADSL router.

It really is a bad idea to have your router establish the PPPoE session.
Your router ends up doing NAT, managing your DNS servers (as provided by the ISP), and the router is another hop to get to your gateway (provided by the ISP).
Your security is worse because your ADSL router is exposed to the open internet (even if it blocks all ports, you really should have pfSense be the device exposed to the internet). For that same reason it makes managing open ports much harder.
Any attacks made on your public IP hit the ADSL router first, which is just sad.

I can list more points but I think I've mentioned most of the reasons.

#JustSaying
 
I've done it but now I refuse to work on pfSense and usually upsell to a full Cyberoam solution at our medium to large clients.

At this point in time FreeBSD has probably the strongest network stack of all OSs out there (underlying OS for pfSense).
pfSense definitely has some problems, the software suite I mean.
Principally, to me, the biggest is that they built their platform on a PHP GUI instead of a CLI with a GUI on top of that. (PHP in itself is a mistake IMO)

But the fact that it is FreeBSD under all of that is a massive win.
That is probably the reason they won out the x86 router software router war thus far.

I concede that there may be some ASIC based hardware out there that could outperform it but you would need to pour a massive amount of money and R&D into it to get to that level.
I can think of one company that does offer such a device but they sell for more than $100k per device.
 
How much is their Community Edition?

Cyberoam has two flavours; physical appliance or virtual appliance. The cost depends on your need and if you are interested in using Cyberoam you are welcome to PM me and I can advise you on which appliance will suit your needs and the cost for the appliance and licenses.
 