Advice on pfSense for my Home network

I recently started doing a bit more defense-in-depth for my home network. I got a Raspberry Pi 4 and installed pi-hole. It got me to thinking about a firewall. I’m using a RATTrap but that limits me to 250Mbps of my 1G connection.

After a bit of research I found out about pfSense and realized if I had started there I would have a firewall and ad blocker.

That gets me to my question. Why more ports on an appliance? I’m looking at this Protectli 4-port device:

I currently have a Netgear wireless router and an additional 4-port TP-Link switch for the LAN peripherals that are on my desk (Synology NAS, Desktop computer, VOIP, Smarthome switch, Printer).

I use a single WIFI name throughout the home for all devices. I use 2 extenders that rebroadcast the same SSID (Netgear extenders).

I assume I would set up my network like this:

Cable Modem -> pfSense -> Wireless Router

Would I put the wireless router in hotspot mode since the pfSense would be the router?

How would I enable other vLANs? I can’t afford to run CAT6 throughout my home.

I’m no expert, still learning. Have you looked at Netgate’s offerings in regards to appliances? I have similar requirements for my home network. I’ve used a purpose-built box with an Intel 2-port NIC, so I have three NICs in total: WAN, LAN, IOT. I put all the important stuff on the LAN and separate all my IOT devices on the wireless. I’ve also set up 3 TP-Link Deco 20 as access points for wireless MESH. I have two network switches (non-smart…lol), one for the wireless access points, the other for my LAN. Tom from Lawrence Tech has a whole bunch of videos that dive into all this stuff. I’ve been watching them and learned a ton; worth spending the time going through them. Cheers!

pfSense doesn’t have an ad blocker built in by default but you can definitely activate plugins that will help you achieve this (I don’t have one to recommend).

Why more ports on an appliance? It all depends on how many WAN/LAN ports you need and the type you need for each. Vendors put lots of connections and different connection types to allow people flexibility, and it is easier to manufacture a few different models with lots of ports to accommodate lots of scenarios versus having to manufacture lots of different devices. As long as the processing power of the particular unit is sufficient for your needs then you only need a device that has as many ports as you will use. I generally recommend your WAN(s) cables and a LAN out to your network switch. Therefore you may need as few as 2 connections.

In my specific case, I have a couple year old Gigabyte BRIX small form factor PC with dual NICs (i7 CPU & 8GB RAM) that I purchased new specifically to run my pfSense instance. It then plugs into my switch which houses all my LAN connections.

For your specific setup I’d recommend the order be your Cable Modem -> pfSense -> Wireless Router -> extenders. You’ll definitely need to switch the router to access point mode. I am a bit concerned though if all of this will actually work with VLANs. Lots of the consumer grade systems don’t work or support VLANs. You can try putting the router into hotspot mode and see if it lets you specify a VLAN tag anywhere. Same for the extenders to see if they support VLANs.

If you end up having to buy new equipment, the Ubiquiti UniFi stuff is great and does work with VLANs even if you use a pfSense router at the head end. I run this same setup.

Good luck 🙂

I like those Protectli boxes. If your budget stretches I would buy it barebones and add the HDD/RAM.

As for ports, personally I would get as many as I could within budget. Though the min would be 4: WAN, LAN and 2 on a LAGG for VLANs, optionally one more for an AP.

Moving from a home router to pfSense will cost 3x the price as a minimum, and the kit you already have will give you more hassle to force fit into your new network. I’ve a cupboard with routers, hubs, access points, extenders which are now dead weights.

I would add: simply buy a managed switch with LACP aggregation. Save up or buy off eBay, but it will give you more options as you build out your network. Then you can easily add an access point, but it will need to be a new one if you want to use VLANs.

If you set up VLANs then your current wireless kit can carry one VLAN, which might be useful for testing but not much more.

If you add pfBlocker you can use the same blocklist as Pi-hole on your network.

