pfSense Deployment: Test Build Prior to SG-3100 Purchase

Hi all,

I’ve just been given the green-light to start on the process of replacing our existing DrayTek router as split tunneling is something it doesn’t seem to be able to handle, at least not easily.

With us all working remotely now, the dial-in VPN on the DrayTek is struggling to hold up because it’s tunneling everything, and no matter how hard I try to gently prompt my colleagues about using streaming services over the VPN they often forget.

My plan will be to do a split tunnel with DNS resolution (for internal resources) over the tunnel and routes set to our internal network, as well as the network on the other side of the site-to-site VPN with our hosting provider; everything outside of those IP ranges will go down the non-VPN connections.

Partly based on Tom’s videos, we’ll be going for a SG-3100 as our actual deployment, with a new VDSL modem to go with it. Before we purchase, I’ve been asked to grab one of our spare Dell workstations (it’ll be pretty decent, probably a Core i7 and 16 GB RAM) and do some testing of my own to make sure I’m comfortable with the configuration.

The workstation I’ll be grabbing, or rather my boss is grabbing and dropping off as I don’t drive, will only have a single NIC. I’ll need at least another port as I plan to use this as my own home router to really test this out.

We’re already investing a fair amount of money into the SG-3100, as well as all the other remote-working expenses, so I’m keen to not spend a fortune on another NIC. Ideally, I just need something that will work and is inexpensive. What would people think to maybe two of these TP-Link cards?

https://www.amazon.co.uk/TP-LINK-TG-3468-Gigabit-Express-Network/dp/B003CFATNI/ref=sr_1_9?dchild=1&keywords=intel+1gb+nic&qid=1587733729&sr=8-9

Hope that all makes sense, appreciate any suggestions - we’re in the UK so obviously under quite strict lockdown. Myself and my colleagues are, in case anyone is wondering, essential workers as we’re providing healthcare systems to the NHS.
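An added example (not code from the thread or from pfSense) that audits an OpenVPN server config for the split-tunnel design described above: no `redirect-gateway` pushed, the internal and site-to-site ranges pushed as routes, and any DNS server pushed to clients actually reachable through one of those routes. The sample config and all addresses are constructed.

```python
import ipaddress
import re

# Constructed sample: office LAN and the hosting provider's network (behind the
# site-to-site VPN) pushed as routes, an internal resolver pushed for DNS, and
# no redirect-gateway, so all other traffic leaves via the client's own uplink.
SAMPLE_CONFIG = """
server 10.8.0.0 255.255.255.0
push "route 192.168.10.0 255.255.255.0"
push "route 172.16.50.0 255.255.255.0"
push "dhcp-option DNS 192.168.10.5"
push "dhcp-option DOMAIN corp.example"
"""

PUSH_RE = re.compile(r'^\s*push\s+"([^"]+)"\s*$')
SERVER_RE = re.compile(r'^\s*server\s+(\S+)\s+(\S+)\s*$')

def parse_pushed(config_text):
    """Return the option strings the server pushes to connecting clients."""
    return [m.group(1) for line in config_text.splitlines()
            if (m := PUSH_RE.match(line))]

def audit_split_tunnel(config_text):
    """Report whether the config is a split tunnel, which routes it pushes, and
    any pushed DNS server that clients could not reach through the tunnel."""
    pushed = parse_pushed(config_text)
    # redirect-gateway turns this back into the full tunnel the DrayTek did.
    full_tunnel = any(p.startswith("redirect-gateway") for p in pushed)
    reachable = []  # the tunnel subnet itself is routed to clients automatically
    for line in config_text.splitlines():
        if m := SERVER_RE.match(line):
            reachable.append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
    routes = []
    for p in pushed:
        parts = p.split()
        if parts[0] == "route" and len(parts) >= 3:
            routes.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
    dns_servers = [ipaddress.ip_address(p.split()[2]) for p in pushed
                   if p.startswith("dhcp-option DNS ")]
    # A resolver outside every tunnel route is queried over the client's normal
    # uplink instead, so internal names silently fail to resolve.
    unroutable_dns = [str(d) for d in dns_servers
                      if not any(d in net for net in routes + reachable)]
    return {"full_tunnel": full_tunnel,
            "routes": [str(n) for n in routes],
            "unroutable_dns": unroutable_dns}

if __name__ == "__main__":
    print(audit_split_tunnel(SAMPLE_CONFIG))
```

On pfSense the same options come from the OpenVPN server's "Redirect IPv4 Gateway", "IPv4 Local network(s)" and "DNS Server" fields; the check is the same whichever way the config is generated.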

I wouldn’t worry too much about which make they are; those TP-Link cards are out of stock.

https://www.amazon.co.uk/Ziyituod-Network-Ethernet-1000Mbps-Software/dp/B07TD58PBQ/

This is a dual-NIC card that’s in stock that I have personally used and I’m happy with it, plus it’s got very good reviews.

Thanks! I hadn’t noticed the out-of-stock on the TP-Link (it’s been a long day already!).

That looks like a decent enough card.

Based on my research that card uses a Realtek chipset. Although they do have support in FreeBSD, I have heard they can be temperamental at times. That doesn’t necessarily mean it won’t run reliably, but it may not be as known-reliable as an Intel card. Remember that putting a NIC in a router is different from putting it in a desktop.

If this is just being used for testing, it may be fine. Just be aware performance and/or reliability cannot be guaranteed.


Right, and to an extent that’s kind of okay, this is just for a test rig with the SG-3100 being ordered once we’re happy we can get everything set up the way we want it.

I may then ask if I can keep the workstation at home and invest in my own Intel NIC - they’re not massively expensive but I’m sure our directors are already cursing me for all the stuff we’ve had to invest in.

You can get by with AX88xxx-based USB devices, good enough for testing; you can get many of the USB2 versions for under $10 USD. Yes, you will have issues because it will drop the connection once in a while, but it will be serviceable while you are testing. Good enough to get a feel for the SG3100 and decide if it is a good purchase. I’ve run these USB adapters in production, and generally they are OK if you keep the heat away from them and the traffic is low. But they are NOT as good as a fully supported card! In fact they are not as good as a half-supported card or onboard NIC. If possible I’d run the USB on the WAN side; that way when it does drop, you can still get into the firewall to see what’s going on. Until a few days ago, this is how I was running the home end of my site-to-site VPN. Finally broke down and spent a bunch of money to upgrade to something real and RELIABLE. You can see it here: Best usb-ethernet adapter for pfsense?

I’m really interested in how you are going to do this VPN solution because I’m probably going to have to do something similar at work. I’m at a college and our department has been teaching remotely for the past 5 weeks. I can see that I’m going to need to build something so that students can get into my department network for some of the resources that would normally be classroom-only. Either that or I’ll have to beg for the money to move everything out to the cloud, which is going to be expensive. So please keep this thread alive as you work through the setup.

LoL this is cheapskate Britain so your situation is nothing new.

If I was in your shoes, I wouldn’t bother with the SG-3100 (unless you buy support from Netgate) and I would bother even less with the Dell machine, though if you do, just buy an Intel quad-port NIC off eBay for 20 quid.

What I would do is buy two of something like this and keep one for testing/redundancy; just seen this on eBay that will fit your requirement.

I have been running this since last summer with no issues, and have ordered another off eBay for 200 quid. You just need to make sure the supplier has them in the country, otherwise they will be coming from China.

Personally I would tell your Boss it’s better to keep DrayTek rather than half-arse it but this is the UK :rofl:

BTW, unless you are already familiar with pfSense I wouldn’t underestimate the time it takes to suss it out and then to get OpenVPN working. I have just set it up for an elderly neighbour of mine; it took only an hour, but now she can more easily and securely communicate with her family in the North.

Not really sure how this comes under cheapskate, to be honest? My company have just spent a fairly large sum equipping our team to work remotely; the SG-3100 and VDSL modem are another £400+ of this.

They’re by no means cost-averse, but I have other fish to fry in terms of our information security improvement plan.

The DrayTek simply isn’t fit for purpose; without split tunnels and with one of the worst UIs I’ve used, it’s almost a paperweight for us.

I’m more confident with going for a Netgate box because of the probability of fewer issues with pfSense upgrades than a home-brew solution. We may also end up paying for support down the line.

Haven’t underestimated the time this will take, and that’s why I’m doing this on a test system first to make sure I’m confident. OpenVPN seems to provide us with the tools we need right now.

Thanks for the reply, though!

Hey Greg,

Thanks for this, I may have some spare USB ethernet gear here at home, so I could try them out.

With regards to the setup, I’ve watched a few of Tom’s videos on this and I think we can achieve what we want. Our internal resources are more in the form of servers, so we’d be doing RDP and SQL Server Management Studio connections, but we do have an internal dev server that’s serving the web app for our testers.

How much traffic do you see coming in for the remote learning resources?

Ah ok, then I’d buy two of these Netgate boxes, then you have your test environment and redundancy too.

One thing to keep in mind: keep a copy of the ISO, as once Netgate releases a new version, the previous version is pulled.

Thanks, a redundant unit will be on the cards I think.

Right now, the traffic is just me. But in the future it might be a lot of traffic. Depends what we are going to expect students to own which might cut our enrollment by a lot. We teach radio and television production, so moving audio and video files around might be hard.

If the students need to remote into computers to edit audio/video, then I might need a different remote tool like TeamViewer.

I agree on keeping the installed ISO on hand or burning it to disk. Makes recovery much easier. And spread your backup config into many places to keep it safe too.

I’d avoid TeamViewer like the plague… but maybe that’s just me?

Given this is media production, are the machines Mac based? Our Windows setup works well with RDP and we use Duo for two-factor when these are accessed remotely.

I agree. I also would avoid TeamViewer like the plague.

Also I agree about keeping backups of the configuration of pfSense; just make sure it is secure as well, as it will have your VPN keys included.
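An added example (not from the thread or the pfSense project) that scans a pfSense config.xml backup and lists every element carrying private key material, so you know the file needs the same protection as the keys themselves before it is copied to "many places". The element names (base64-wrapped PEM in `<prv>` under `<ca>`/`<cert>`, and `<tls>` under `<openvpn-server>`) are my understanding of the pfSense layout, so verify against your own backup; the sample XML and PEM bodies are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET

# Elements that hold base64-wrapped PEM secrets in a pfSense backup (assumed layout).
SECRET_TAGS = {"prv", "tls", "shared_key"}

# Constructed placeholder PEM bodies; not real keys.
CERT_PEM = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
KEY_PEM = "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"
TLS_PEM = "-----BEGIN OpenVPN Static key V1-----\nPLACEHOLDER\n-----END OpenVPN Static key V1-----\n"

def _b64(pem):
    return base64.b64encode(pem.encode()).decode()

# Constructed sample backup shaped like a pfSense config.xml export.
SAMPLE_CONFIG_XML = f"""<?xml version="1.0"?>
<pfsense>
  <ca><refid>ca1</refid><descr>internal-ca</descr>
    <crt>{_b64(CERT_PEM)}</crt><prv>{_b64(KEY_PEM)}</prv></ca>
  <cert><refid>srv1</refid><descr>openvpn-server</descr>
    <crt>{_b64(CERT_PEM)}</crt><prv>{_b64(KEY_PEM)}</prv></cert>
  <openvpn><openvpn-server><vpnid>1</vpnid><tls>{_b64(TLS_PEM)}</tls></openvpn-server></openvpn>
</pfsense>"""

def find_key_material(xml_text):
    """Return [(parent_tag, description, pem_header)] for every secret-bearing element."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    found = []
    for elem in root.iter():
        if elem.tag in SECRET_TAGS and (elem.text or "").strip():
            parent = parent_of[elem]
            descr = parent.findtext("descr") or parent.findtext("vpnid") or ""
            pem = base64.b64decode(elem.text.strip()).decode(errors="replace")
            found.append((parent.tag, descr, pem.splitlines()[0]))
    return found

def backup_is_sensitive(xml_text):
    """True when the backup must be treated as secret (encrypt it, restrict who can read it)."""
    return bool(find_key_material(xml_text))

if __name__ == "__main__":
    for parent_tag, descr, header in find_key_material(SAMPLE_CONFIG_XML):
        print(f"{parent_tag:<16} {descr:<16} {header}")
```

Running it against the sample reports the CA key, the server certificate key and the OpenVPN TLS key; a real export will also contain user passwords and pre-shared secrets, so treat any backup that trips this check as key material.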

I’m going to split my use case off to a new thread, maybe I’ll come up with a clearer plan to research.

(In UK) Good luck; we switched out SonicWalls for pfSenses from January with OpenVPN. Best decision I made. We use the BT VDSL modems; they don’t sell them any more but you can still pick them up from eBay. From experience I have not had any fail, so I stick to what I trust. Yes they are EOL, but I don’t feel it matters as it’s just a modem bridge.

I wouldn’t say it was difficult, but sticking with the same hardware made things easier for us. We use the same template as we set up the first client on, and it makes backups/restores simpler.
Yes, you can restore backups to another piece of hardware, but you have to re-assign the ports etc. For convenience we only give out the SG3100. Keep a spare in the office in case of an issue.

Tom’s videos as always have been helpful; honestly it’s not that difficult once you have had to deal with SonicWalls.

Hi all,

Thanks to everyone for the great comments and suggestions. I thought I’d take the time to update this thread since it’s nearly P-Day (yes, pfSense Day).

I grabbed a workstation from the office and got a dual-port Intel NIC for it, after having no joy with the original Realtek card suggested! Once the new NIC arrived, I got pfSense Community Edition rolling and this thing has been acting as my home router ever since.

Testing of the OpenVPN setup with Duo worked incredibly well, and so the next phase of the project was nearly good to go… until it got iced whilst the directors considered a few things about the office.

Fast forward to about two weeks ago, I got an email saying that they’d decided to go ahead (since moving our dev and testing stuff to the cloud would be too costly right now) and we ordered the Vigor 130 modem and Netgate SG-3100. They’re sat in my office here (home) waiting to be taken up to the site later today.

I’ll be deploying all of this tomorrow (Saturday) along with some other network upgrades. I’ve learned a lot from these forums and Tom’s videos and live streams, so I’m pretty confident.

I’ll see if I can grab a photo of our new rack setup tomorrow too.
