2020 Getting started with pfsense 2.4 Tutorial: Network Setup, VLANs, Features

Quick Review of our Super Micro A1SRi-2758F 1u Intel Lab Server

Comprehensive Guide to pfSense 2.3 Part 9: Traffic Shaper

pfsense tutorial playlist


That's a good effort on the intro; it took me the best part of 3 months from scratch to move from my Asus router to pfSense with VLANs, so I'd say there are no shortcuts.

Wanted to offer some feedback on the rationale for moving from a consumer router to pfsense which might not be obvious to those in that predicament.

Cons

  1. If you have a router that works and security is not an issue and you don't have the appetite to invest the time then stick with what you have.

Pros

  1. Your router is likely to no longer be supported 3-5 years after release (not purchase). pfSense updates a couple of times a year and has been going for a while.

  2. At least with Asus if you want some of their pretty charts you have to "leak" your data to Trendscan, otherwise that feature won't be available to you. I can see this becoming the norm for the other vendors.

  3. Most routers do not support VLANs.

  4. You can run "many" (I don't know the limit) OpenVPN clients and servers; many routers do not support OpenVPN, and those that do will be limited in the number of clients and servers they will run.

  5. If you use a paid-for VPN service you may need to set it up on a second router to be certain traffic is routed to the VPN for the network. pfSense will easily support the VPN service on an OpenVPN client on its own VLAN.

Some new / refurbished kit will be required: a managed switch will allow VLANs to be set up (unmanaged switches are cheaper but simply not worth it), and an access point that can support VLANs / multiple SSIDs will be needed; however, the old router might be able to act as an access point for a single SSID.

Lastly, wired ethernet is worth all the hassle to set up at home. It also allows the access point to be placed in a better location for wifi.

Going from a router in the corner of a room to a secure networked home, while an incredible amount of effort, is ultimately worth it. Given that Finland has made internet access a human right, you might as well make it decent.

While Tom is running the pfSense 2020 refresher, I came across a functionality set which got me stuck in understanding the design. I need to route SIP traffic from a provider to my FreePBX host. The provider requires that I allow inbound traffic from 7 hosts on ports 5060-5061. The IP addresses of the hosts are not in a range. They are:

16x.xxx.xxx.100
16x.xxx.xxx.101
16x.xxx.xxx.107
16x.xxx.xxx.108
16x.xxx.xxx.109
66.1xx.xxx.73
66.1xx.xxx.75
1x.xxx.xxx.181

To avoid writing NAT and FW rules for each host I headed to Aliases and first created an alias for hosts where I listed all these addresses, each on a separate line. pfSense did not like this and told me (I selected 'Network' as the source) with a message from the firewall: "Alias entries must specify a single host or alias". OK, I recreated the alias and defined it as a network consisting of the same addresses in /32 subnets. Well, pfSense did not like it either and gave me the same error: "Alias entries must specify a single host or alias".

My question here is then: what is a network alias in the pfSense architecture, and if every NAT and firewall rule may refer to a single host/IP alias only, then what is the point of showing network in the drop-down of available options?

For the sake of fairness I have to say that I can select network as a source or destination and type in something like 192.168.50.0/24 and pfSense accepts this input. However, if I make an alias for the same network and assign it a name then pfSense says nada.

I have set up a new pfSense box (2.5.0-dev) and created a new administrator user other than 'admin'.
When logging into the pfSense box (physically or SSH), the regular 'admin' user is logged into the console, while the new administrator user is logged into the shell.
Is there a way for the new administrator user to get to the console?

Don't use /32 to just list one host. If you want a single IP then use host; if you want a block of IPs use network.

pfSense defaults to root for the console menu, but that can be password protected if you are concerned about it.

I figure you were in a hurry when you replied. Can't understand what you are saying.

If you are creating NAT rules you cannot specify multiple IPs in the "redirect target IP" section. You have to create a rule for each one. I don't think there is any way around that.

Thanks for this, my question is though about specifying multiple hosts grouped into an alias in the traffic source field, e.g. 5 different servers providing the same service and all hitting my firewall on the same port - can they be an alias? - I guess they can, at least pfSense allows me to create both aliases for hosts and networks. However, when I tell pfSense - traffic from this alias on this port should flow to this internal host - pfSense tells me that I should specify a single host or IP address as the source. So, do I have to create 5 NAT rules for each server? The concept of alias turns out to be of little value in this regard.
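As an added illustration (not from this thread or from the pfSense project), this is the shape the setup takes in pfSense's config.xml when the provider addresses are entered as plain IPs (no /32 suffix) in a host-type alias and that alias is the source of a single port-forward: one rule instead of one per server, with the redirect target still a single internal host. The alias name, the FreePBX address and the provider addresses (TEST-NET ranges) are placeholders I made up.

```xml
<!-- Constructed example, not taken from the thread: a host-type alias holding
     several single addresses, referenced once as the source of one NAT rule. -->
<aliases>
  <alias>
    <name>SIP_PROVIDER</name>
    <type>host</type>
    <!-- pfSense stores host alias entries space-separated; no /32 suffix -->
    <address>203.0.113.100 203.0.113.101 203.0.113.107 198.51.100.73 198.51.100.75</address>
    <descr><![CDATA[SIP trunk provider signalling hosts (placeholder addresses)]]></descr>
    <detail><![CDATA[sip-1||sip-2||sip-3||sip-4||sip-5]]></detail>
  </alias>
</aliases>
<nat>
  <rule>
    <interface>wan</interface>
    <protocol>tcp/udp</protocol>
    <source>
      <!-- the alias name stands in for every provider host -->
      <address>SIP_PROVIDER</address>
    </source>
    <destination>
      <network>wanip</network>
      <port>5060-5061</port>
    </destination>
    <!-- redirect target must be one internal host (placeholder FreePBX box) -->
    <target>192.0.2.10</target>
    <local-port>5060</local-port>
    <descr><![CDATA[SIP signalling from provider alias to FreePBX]]></descr>
    <associated-rule-id>pass</associated-rule-id>
  </rule>
</nat>
```

After the alias is saved, `pfctl -t SIP_PROVIDER -T show` from the pfSense shell lists the pf table built from it, which is the quickest check that every provider address actually loaded.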