pfSense Mobile Router for Public Venues

Looking to setup a Netgate SG-1100 to be able to take to public venues (convention center/etc.), and hook up the provided ethernet and have our equipment connect behind the pfSense. This way I can filter traffic, and also configure a static BOVPN via pfSense to connect to a remote office.

Is this feasible?

What considerations/setup need to be made on the Netgate?

Thank you in advance!

Yes, the VPN throughput will be enough for what these devices will be doing.

pfBlockerNG for filtering.

But mainly just need to know what needs to be setup as far as the interfaces go. Since the provided ethernet will be a private IP of course.

If the ISP/Convention Center is not in bridge mode, how would I need to have it configured? Checking with facilities to see, but just in case.

For internet access, you don’t really have to do anything special. Configure your “internal” networks the way you normally would and set the WAN to use DHCP. pfSense doesn’t care whether the IP on the interface named WAN (which is no more special than any other interfacel in this regard) is a “private” (i.e. non-routable) or “public” (i.e. routable) address. Obviously, don’t check the “Block private networks” box for that interface.

One thing to keep in mind though is that interfaces should not have overlapping networks assigned to them. So you might want to choose prefixes for your internal networks that you think are unlikely to be used by the venues you visit. For example, if you have a LAN set to use 192.168.0.0/24 and your WAN gets an address of 192.168.0.123/24, that obviously creates a problem. In such a case, if you know the network prefix beforehand or get assigned a static address, I suppose 1:1 NAT can be used to resolve the conflict, though I have not tested it.

2 Likes

Perfect, thank you. That is exactly what I was wanting to know before heading down this route.

Yeah, like @paolo says, the only thing you need pay attention to is the LAN IP range and don’t block private networks. I do this at home as a matter of course, playing with different routers “inside” my home network. I usually set my internal-internal IP range to 10.1.1.0/24 and turn on DHCP on the WAN, then plug the internal router into my internet router, voila, it’s up and running with a “WAN” address of 192.168.1.whatever. (This lets me “attack” the 10.1.1 network from the outside, without doing anything nefarious on the internet, so I can check out various security tools and settings in a controlled environment.)

You can test this at home quite easily and play around to get a feel for how it will work out in the wild. Plug in a couple machines, ping between them on the 10.1.1 network. Move one host to the 192.168 network, try the pings again, do some tracerts and so on.

I recently setup a SG-1100 for a friend with 3 (crappy) ISP’s with a Ubiquiti Toughswitch (now an Edge Switch with 8 ports, managed). He is semi-rural in Australia and depending on weather, any 2 of his 3 WAN connections could (would) be offline or crawling at a snails pace. I defined 3 Virt. WAN interfaces, plus the SG-1100 WAN interface with Gateway Groups. I also config’s 3 separate internal VLANs; WIFI Guests, Kids and Parents. I added QoS rules to the internal LAN’s; Parents above Kids, Kids above Guests. We connected up 3 x Ubi long Range WAP’s powered from the Toughswitch, all 3 doing zero-point hand-off with 3 SSID’s connected to the internal VLAN DHCP’s servers on the SG-1100. Worked perfectly and he had internet almost all the time.

My friend joined Starlink a couple of months ago. He’s connected the Starlink modem to the WAN interface on the SG-1100 and discontinued his 3 other ISP accounts.

All 4 WAN interfaces were configured to collect their IP settings via DHCP. Thankfully none of his internet modem routers were using the same DHCP scope.

Rural Australia can be pretty brutal for ISP choices

The main thing that will cause issues will be to make sure you uncheck the “Block Bogon Networks” checkbox during setup of the SG-1100. Otherwise, your WAN won’t pass traffic if it gets a private IP (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 IP spaces). From there, configure your SG-1100 like you want it as for your home firewall like usual.

I’m running an above setup at my Dad’s house as he refuses to get rid of the router from his ISP for some reason :T