Need Advice: PFSense with Two Wifi Routers (1 VPN)

Discussion in 'privacy technology' started by Starlights, Aug 30, 2016.

  1. Starlights

    Starlights Registered Member

    Joined:
    May 2, 2016
    Posts:
    10
    I am a CS student and enjoy tinkering; however, compared to most here I would probably be classified as a novice, especially in networking. As part of self-learning, I am in the process of creating a pfSense firewall for my home network. I would like some advice on layout from the networking and pfSense gurus out there, if possible.

    At this time I have two ASUS AC1900 routers. Router1 is connected directly to my Fios via Ethernet (no Fios modem, since I have an Ethernet-enabled connection). This router creates an ISP-based connection for devices and appliances in my house. Router2 is connected to Router1 (LAN to WAN) with DHCP enabled, so it acts as a second network. This second network (Router2) is VPNed through AirVPN.

    Depending on which network I connect the client devices to, I get the benefit of both the US and the VPNed network. I haven't had any issues with double NATting so far.

    I am creating a small pfSense box as a firewall and will probably install Snort on it once I am comfortable with pfSense. I am not sure how to deploy this firewall so I can maintain the VPN/non-VPN functions with the benefit of having a firewall, and would appreciate advice.

    I plan to use my two routers for WiFi, via LAN/OPT1 on the pfSense box. If I let one of the routers handle the VPN as it does now, will the pfSense box be able to conduct deep packet inspection on the VPN packets? If not, how best to set it up? What are the advantages (or disadvantages) of letting pfSense handle the VPN vs. the router?
     
    Last edited: Aug 30, 2016
  2. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    Just to kick off, since you have no feedback so far:

    What are your existing routers running? DD-WRT, or something proprietary?

    There is no "best" answer, presuming you have open source, well-regarded, updated and configured firewall/VPN devices doing this.

    Regarding pfSense, you will need to ensure your hardware specs are up to doing VPN, any LAN-LAN, and Snort (which requires extra memory).

    Snort is a whole different level of complexity and commitment; I'm not sure what your objective is with that, unless it's learning (as opposed to a production system that you carefully monitor as a way of life). I'd put that to one side, and do any Snort for VPN-specific traffic on the "other" side of that VPN.

    One thing I would strongly recommend is that you consider (as well) running pfSense in a virtual machine environment. This is frequently a more amenable environment for learning about different configurations (rather than a physical box), and it is also apt for running dedicated VPN environments, with other snapshotted hosts communicating via virtual networking through the VPN. You can also run multiple VPN/host suites for various purposes and personas.

    Finally, and fairly obviously, the pfSense forums are an excellent resource, and would be the go-to place for specific VPN configuration guides (you may be able to get the videos and documentation from the Gold subscription from your institution).

    PS - saw your hardware spec, seems OK, not sure of the NIC type; you can find the HCL on the pfSense site. Usually Intel NICs are well supported, although some of the more recent ones may or may not have all the bells and whistles (e.g. native VLAN), or you might have to tweak some parameters.
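    The opening post asks whether pfSense can do deep packet inspection on the VPN packets if Router2 keeps terminating the VPN, and deBoetie's reply is to run Snort on the other side of the tunnel. The following is an added example illustrating why, not code from the thread, from Snort or from pfSense. It models the poster's layout with constructed addresses (Router2's WAN on Router1's LAN, a stand-in VPN server, a stand-in web server) and an OpenVPN-shaped UDP/1194 tunnel whose payload is scrambled with a toy HMAC-SHA256 keystream that only stands in for the real data-channel cipher. A Snort-style content match is run once on the tunnel packet as pfSense would see it upstream of Router2, and once on the decapsulated packet as seen on the plaintext side.

```python
"""Added example (not from the thread, not Snort or pfSense code): what an
inspection point sees at two places relative to a VPN tunnel.  The tunnel
cipher here is a toy HMAC-SHA256 keystream standing in for OpenVPN's data
channel; it exists only to make the payload opaque and is not secure."""
import hashlib
import hmac
import struct

# Constructed topology, mirroring the thread: client on Router2's LAN, Router2's
# WAN address on Router1's LAN, and a VPN endpoint out on the Internet.
CLIENT      = "192.168.2.20"      # behind Router2 (the VPN router)
ROUTER2_WAN = "192.168.1.50"      # Router2's address on Router1's network
VPN_GW      = "198.51.100.7"      # stands in for the AirVPN server (TEST-NET-2)
WEB         = "203.0.113.80"      # stands in for a web server (TEST-NET-3)
OPENVPN_UDP = 1194

# A Snort-style content match; any byte pattern would do for the demonstration.
SIGNATURE = b"GET /../../etc/passwd"

# A packet is (src, dst, dport, payload).  The IDS only ever reads payload.


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from HMAC-SHA256 (NOT a real VPN cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def tunnel_encap(key: bytes, nonce: bytes, inner):
    """What Router2 emits on its WAN: one UDP datagram to the VPN server with
    the whole inner packet encrypted.  The inner addresses vanish as well."""
    src, dst, dport, payload = inner
    plain = f"{src}|{dst}|{dport}|".encode() + payload
    body = nonce + xor(plain, keystream(key, nonce, len(plain)))
    return (ROUTER2_WAN, VPN_GW, OPENVPN_UDP, body)


def tunnel_decap(key: bytes, outer):
    """What the VPN server (or anything holding the session key) recovers."""
    body = outer[3]
    nonce, ct = body[:8], body[8:]
    plain = xor(ct, keystream(key, nonce, len(ct)))
    src, dst, dport, payload = plain.split(b"|", 3)
    return (src.decode(), dst.decode(), int(dport.decode()), payload)


def ids_inspect(packets, signature=SIGNATURE):
    """Return (src, dst) of every packet whose payload contains the signature."""
    return [(p[0], p[1]) for p in packets if signature in p[3]]


def simulate(key=b"constructed-session-key", nonce=bytes(8)):
    """Run one malicious-looking request past both inspection points."""
    request = (CLIENT, WEB, 80,
               b"GET /../../etc/passwd HTTP/1.1\r\nHost: target.example\r\n\r\n")
    outer = tunnel_encap(key, nonce, request)
    return {
        # Placement (a): pfSense/Snort upstream of Router2, i.e. between the
        # VPN router and the Internet.  All it sees is a UDP flow to the VPN
        # server; the signature never matches on the ciphertext.
        "upstream_flow": outer[:3],
        "upstream_hits": ids_inspect([outer]),
        # Placement (b): on the plaintext side of the tunnel, either Router2's
        # LAN before encapsulation or the VPN server after decapsulation.
        "inside_hits": ids_inspect([tunnel_decap(key, outer)]),
        "roundtrip_ok": tunnel_decap(key, outer) == request,
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

    With pfSense on Router2's WAN side, every VPN-bound flow collapses to one UDP conversation with the VPN server, so Snort there can only rate-limit or block the tunnel as a whole; to inspect what the VPN clients actually send, the sensor has to sit on Router2's LAN segment or pfSense has to terminate the OpenVPN session itself.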
     
  3. Starlights

    Starlights Registered Member

    Joined:
    May 2, 2016
    Posts:
    10
    deBoetie, thank you for responding!

    You have put forward some good points. I think the hardware (as in my original post) should be fine to handle pfSense plus some other packages. I intend to start simple, with pfSense as just a firewall that I will place on the outside of my routers. At this time, I have two ASUS AC1900 (68U?) routers (T-Mobile Cellspot routers, actually). The first router (1) connects directly to my incoming Fios Ethernet (directly from the ONT, as I am not using any modem/router from Verizon). Router 2 (same make and model) is configured for OpenVPN and goes through Router 1. So far this setup has been working flawlessly for me. So at this time I think I will configure pfSense as a firewall and, using an unmanaged switch, connect the two routers to its LAN. I am hoping that this will provide me with a similar setup to what I currently have (1 VPN and 1 non-VPN WiFi network) with the addition of a firewall.

    My primary objective is to learn, however, in the process if I can have a solid firewall for home, then that doesn't hurt.

    From some Google searches, it appears that this box (along with the NICs that they use) works very well with pfSense. I have my fingers crossed.

    Thank you once again for your response - I really appreciate it. Feel free to dispense any other tips (anyone) as you see fit.
     
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    I don't use WiFi, so ... But if you're going the pfSense route, I don't think that you need WiFi routers. You just need WiFi radios. But anyway, there's lots about this on the pfSense forum. Also, their paid support is very good.
     
  5. Starlights

    Starlights Registered Member

    Joined:
    May 2, 2016
    Posts:
    10
    Thanks for replying mirimir. After posting here, I did post on pfSense forum as well. Great people and lots to learn :)

    I would prefer to use my existing routers for WiFi / AP because our residence is wired with Ethernet to all floors, and this gives me the ability to have a central pfSense firewall and create low-powered WiFi for each floor thereafter instead of one central WiFi. Additionally, it makes the placement easier, and if there is a problem with any one AP then it can easily be swapped with another router as AP. Lastly, I can always use the AP as a switch for a wired connection to any device that does not need to be on WiFi.
     
  6. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    It's an interesting idea, for sure :) You could also have secure WiFi for family, and another for guests.
     
  7. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    To chip in on the WiFi support, I am using a separate TP-Link TL-WA901ND dedicated wireless AP (no routing functionality) and a VLAN switch on one port, rather than attempting to run wireless directly on the pfSense box. pfSense is fully VLAN aware, so it can treat each one as a distinct network.

    The reason for using this is that it supports 4 VLAN wireless SSIDs, and these can be recognised on a single physical pfSense port as distinct networks (which can of course be routed, but also given very different permissions and profiles). The reason for doing this is that guest devices, smartphones, IoT devices and webcams, printers, VoIP, and trusted laptops all need to be able to connect through WiFi (or LAN with VLAN), but I do not trust any of them (especially the spyphones), and they could be attack mechanisms if you don't segregate them (which can be done on VLANs). Many of the webcams and VoIP boxes aren't good at updating their firmware, so they have vulnerabilities that may always be there.
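    The multi-SSID VLAN setup deBoetie describes above, as an added example that is not part of the thread and is not pfSense or TP-Link code: a trunk port carries one 802.1Q tag per SSID, the firewall parses the tag to learn which network a frame belongs to, and a default-deny policy decides which VLAN may talk to which. VLAN IDs (10 trusted, 20 guest, 30 IoT, 40 VoIP), the 10.0.<vid>.0/24 subnet plan, the MAC addresses and the sample frames are all constructed for the example; the only thing taken from the real world is the 802.1Q tag layout (TPID 0x8100, then a 16-bit TCI holding PCP, DEI and the 12-bit VID).

```python
"""Added example (not from the thread, not pfSense code): one trunk port, four
SSID VLANs, default-deny between them.  Parses 802.1Q tags the way the
firewall's NIC driver would, then applies a per-VLAN policy.  VLAN IDs,
subnets and MAC addresses are constructed."""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Constructed plan: one SSID per VLAN, subnet 10.0.<vid>.0/24 for each.
VLANS = {10: "trusted", 20: "guest", 30: "iot", 40: "voip"}

# Which networks each VLAN may initiate to.  Anything not listed is dropped,
# so a compromised webcam on "iot" cannot reach "trusted" at all.
POLICY = {
    "trusted": {"internet", "iot", "voip"},
    "guest":   {"internet"},
    "iot":     {"internet"},
    "voip":    {"internet"},
}

AP_MAC = bytes.fromhex("020000000001")   # constructed, locally administered
FW_MAC = bytes.fromhex("020000000002")


def parse_frame(frame: bytes):
    """Split an Ethernet frame into (vid, pcp, ethertype, payload).
    vid is None when the frame carries no 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    etype = struct.unpack(">H", frame[12:14])[0]
    if etype != TPID_8021Q:
        return None, None, etype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack(">HH", frame[14:18])
    return tci & 0x0FFF, tci >> 13, inner, frame[18:]


def build_frame(vid, etype, payload, pcp=0, dst=FW_MAC, src=AP_MAC):
    """Build a tagged frame (vid given) or an untagged one (vid None)."""
    if vid is None:
        return dst + src + struct.pack(">H", etype) + payload
    tci = (pcp << 13) | (vid & 0x0FFF)
    return dst + src + struct.pack(">HHH", TPID_8021Q, tci, etype) + payload


def ipv4_header(src_ip, dst_ip):
    """Minimal 20-byte IPv4 header; only the address fields are read here."""
    s = bytes(int(x) for x in src_ip.split("."))
    d = bytes(int(x) for x in dst_ip.split("."))
    return struct.pack(">BBHHHBBH", 0x45, 0, 20, 0, 0, 64, 17, 0) + s + d


def network_of(ip: str):
    """Map an IPv4 address to its VLAN name, or "internet" if in no VLAN."""
    for vid, name in VLANS.items():
        if ip.startswith(f"10.0.{vid}."):
            return name
    return "internet"


def decide(frame: bytes):
    """Return ("pass"|"drop", reason) for a frame arriving on the trunk."""
    vid, _pcp, etype, payload = parse_frame(frame)
    if vid is None or vid not in VLANS:
        return "drop", "untagged or unknown VLAN on trunk port"
    if etype != ETHERTYPE_IPV4 or len(payload) < 20:
        return "drop", "not IPv4 (this example only routes IPv4)"
    src_ip = ".".join(str(b) for b in payload[12:16])
    dst_ip = ".".join(str(b) for b in payload[16:20])
    net = VLANS[vid]
    # Anti-spoofing: the source must belong to the VLAN the frame arrived on.
    if network_of(src_ip) != net:
        return "drop", f"{src_ip} is not in the {net} subnet (spoofed source)"
    target = network_of(dst_ip)
    if target == net:
        return "pass", "same VLAN, switched locally"
    if target in POLICY[net]:
        return "pass", f"{net} -> {target} permitted"
    return "drop", f"{net} -> {target} denied by default"


if __name__ == "__main__":
    cam_to_laptop = build_frame(30, ETHERTYPE_IPV4, ipv4_header("10.0.30.5", "10.0.10.2"))
    cam_to_cloud = build_frame(30, ETHERTYPE_IPV4, ipv4_header("10.0.30.5", "203.0.113.9"))
    print(decide(cam_to_laptop))
    print(decide(cam_to_cloud))
```

    Two details carry over directly to a pfSense build: untagged frames on the trunk are dropped rather than silently landing in a native VLAN, and a frame is rejected if its source address does not belong to the VLAN it arrived on, which is what keeps a guest or IoT device from claiming a trusted-subnet address to slip past the inter-VLAN rules.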
     