PF Sense test box build

shaggy77

Gawd
Joined
Jul 2, 2005
Messages
763
Hey everyone,

Since we are pretty much dead at work but I can still go in, my boss wanted me to focus on getting a test box built for pfSense. The budget is -$0.00. Effectively, I am looking around at 10-year-old computers at this point to perform a proof-of-concept sandbox. Now I understand computers and hardware somewhat, but I am mainly a technician, or what is called a field engineer at the company. Here is what I cobbled together so far.

Asus P5QPL-AM mATX board
Intel E8200 Core2Duo. It was that or an E5600 or something like that.
2 gigs of DDR2-8500
Toshiba 128GB SSD
Realtek add-on 1Gb Ethernet card
pfSense 2.4.4

We have static IP addresses from our ISP. Connected directly to the cable modem in the test configuration.

I figured the hardware would be good enough for a test run. So far I have been running into a wall getting the software, and possibly the hardware, to work. An Atheros 1Gb NIC is on board, plus the 1Gb Realtek expansion card. My boss and I can get the software running, but we cannot make it work to the outside (internet). It doesn't ping out. From my readings we might be going the wrong direction with the test build. This also supported my theory that maybe the NICs are the problem. I kind of felt like the test hardware might not be the best. However, if the proof of concept works, we have an X99 box that would run the software on a full-time basis. From what I read, it's better to run the network through a dual or quad Intel-based NIC. I have no budget, even without Covid-19. I want to make sure that if we invest in something like a 4-port card, it would work. The boss generally handles most of this stuff, but it got put into my lap as a challenge.

Let me know what you think.
 

ComputerBox34

[H]F Junkie
Joined
Nov 12, 2003
Messages
12,002
Does PFSense see both NICs?

You have to specify which is LAN and which is WAN during setup. You then have to assign the static IP address, default route, and a static DNS server on the WAN interface.
 

shaggy77

Gawd
Joined
Jul 2, 2005
Messages
763
Yes, pfSense sees both NICs, and during one of our builds we were in the web portal. IPs were assigned on both sides: WAN with the ISP address and the LAN with an internal test scheme. We still were not able to get out of the box.
 

EniGmA1987

Limp Gawd
Joined
May 2, 2017
Messages
429
During install you should use the automatic method of finding which NIC port is used for what. This way you can verify during the install that the port is seen and gets a connection fine.

If you did that and are having WAN problems, make sure your configuration is set right. With a static IP you need the WAN address, subnet mask, and gateway address. If you don't really have a static IP, then DHCP on the WAN is probably the correct way to go.

You can verify WAN connectivity from the web portal using the ping feature.
 

GotNoRice

[H]F Junkie
Joined
Jul 11, 2001
Messages
9,784
pfSense has known issues with Realtek NICs, in addition to the fact that Realtek NICs are terrible anyway. They straight-up recommend Intel NICs.

You can get dual-port PCIe Intel NICs for $15 or less on eBay, something like a dual port Pro/1000 PT adapter or even something slightly newer like a dual port I340-T2 adapter. Surely you can afford $15?

Examples:
https://www.ebay.com/itm/184191623363
https://www.ebay.com/itm/274077899887

I see that the motherboard has regular PCI slots also, so you could get a dual port Pro/1000 MT adapter for even cheaper. Though PCIe would be better as long as you don't need to use the 16x slot for anything else.

Example:
https://www.ebay.com/itm/333542492594
 

bman212121

[H]ard|Gawd
Joined
Aug 18, 2011
Messages
1,682
If you're using a static IP and a cable modem from, say, Comcast, sometimes that connection can be sticky in their system. Restarting the cable modem can sometimes fix that issue. If it's an SMC gateway, those things love to be a hassle to actually get to assign the IP to the system.

I assume you've had this static IP? There's no other router, or the gateway itself, that's trying to hoard it? On the pfSense side it's literally go through the wizard, assign one interface to WAN, one to LAN. If you plug into one side and can get into the 192.x address space, then you have the right one. If not, the other interface is the LAN and you should reverse the connections.

I don't necessarily buy that the NIC doesn't work at all. It might not work well, but I can't say I've ever come across a hard-wired NIC that shows up in the system but just doesn't work. But either way you could easily just reset the system from the command line and swap which NIC is the WAN.

My guess is that your issue is less pfSense and more modem related, if it's not just a Surfboard and the modem has its own ability to hand out leases. If you normally get a private IP like 10.x from the modem you're using, then pfSense blocks those networks by default, so it's not going to pick up a lease from that on the WAN port. You may need to fiddle around with getting the modem to bridge to actually get your static IP working correctly. I've seen where you can use a static and have the modem also get a real-world IP and do NAT, but it requires some modem configuration to make it happy.

What I'd probably do first, if you're unsure about the static IP, is set that on a Windows box and get that figured out and working with the modem. Once that's sorted, unplug the modem, unplug the Windows box, plug in the pfSense WAN, wait 30 seconds, then power the modem back on. That way you should clear any sticky settings and hopefully it might work.

Another point: everyone thinks they need a monster machine to do general firewall / routing. If you're not turning on IDS / IPS (Snort) or doing a ton of VPN traffic, then even the E8200 will basically blow away most appliances you'd normally be buying. That thing is more than enough to handle medium-sized businesses with like 1,000+ PCs and gig interface traffic. It might seem small on the desktop computing end, but on the networking side it's a lot more powerful than an ARM- or Atom-based appliance.
 
Last edited:
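The three replies above (ComputerBox34 on static IP, default route and DNS on WAN; EniGmA1987 on address, mask and gateway; bman212121 on pfSense dropping RFC 1918 space on WAN by default) describe the same handful of consistency checks the WAN setup needs to pass before "it doesn't ping out" is worth blaming on a NIC. This is an added example, not code from the thread or from the pfSense project: a small Python function that applies those checks to the values you are about to type into the wizard. The function name, the sample addresses (drawn from the 203.0.113.0/24 documentation range) and the 10.x modem case are constructed for illustration.

```python
import ipaddress

# RFC 1918 space. pfSense enables "Block private networks" on the WAN
# interface by default, so a WAN address or gateway in these ranges (a 10.x
# lease from a modem that does its own NAT, for example) is dropped until that
# option is unchecked or the modem is put in bridge mode.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True if addr (an ipaddress object) falls inside any RFC 1918 block."""
    return any(addr in net for net in RFC1918)


def check_wan_static(address, mask, gateway, dns_servers=(), block_private=True):
    """Consistency-check a static WAN configuration (hypothetical helper).

    address      WAN IPv4 address the ISP assigned
    mask         prefix length ("29") or dotted mask ("255.255.255.248")
    gateway      ISP gateway address
    dns_servers  static DNS servers to enter under General Setup
    block_private  state of pfSense's "Block private networks" WAN option

    Returns a list of problem strings. An empty list means the values agree
    with each other; it cannot prove the ISP actually routes that address.
    """
    problems = []
    try:
        iface = ipaddress.ip_interface(f"{address}/{mask}")
    except ValueError as exc:
        return [f"bad WAN address or mask: {exc}"]
    net = iface.network

    # A /29 static block has usable hosts only between network and broadcast.
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{iface.ip} is the network or broadcast address of {net}, "
                        "not a usable host address")

    gw = None
    try:
        gw = ipaddress.ip_address(gateway)
    except ValueError as exc:
        problems.append(f"bad gateway: {exc}")
    if gw is not None:
        if gw == iface.ip:
            problems.append("gateway is the same as the WAN address")
        elif gw not in net:
            # Without an on-link gateway the default route cannot be installed,
            # which shows up as exactly "it doesn't ping out".
            problems.append(f"gateway {gw} is outside the WAN subnet {net}; "
                            "no default route can be installed")

    if block_private and (is_rfc1918(iface.ip) or (gw is not None and is_rfc1918(gw))):
        problems.append("WAN address or gateway is RFC 1918 and 'Block private networks' "
                        "is on; uncheck it on the WAN interface or bridge the modem")

    if not dns_servers:
        problems.append("no static DNS server set; ping to an IP may work while names fail")
    for server in dns_servers:
        try:
            ipaddress.ip_address(server)
        except ValueError:
            problems.append(f"bad DNS server: {server}")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, not the poster's real ISP assignment.
    cases = [
        ("ISP /29 block, gateway on-link", ("203.0.113.10", "255.255.255.248", "203.0.113.9", ["9.9.9.9"])),
        ("gateway typed from the wrong subnet", ("203.0.113.10", "29", "203.0.113.1", ["9.9.9.9"])),
        ("modem handing out 10.x with private block on", ("10.1.10.5", "24", "10.1.10.1", ["9.9.9.9"])),
    ]
    for label, args in cases:
        result = check_wan_static(*args)
        print(f"{label}: {'OK' if not result else result}")
```

Run it as-is to see the three constructed cases; the first returns no problems, the second flags the off-link gateway, and the third flags the private-network block that bman212121 describes. Pass `block_private=False` for the third case to model unchecking the option on the WAN interface.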

shaggy77

Gawd
Joined
Jul 2, 2005
Messages
763
Hi Everyone,

Just to clarify, I am a field tech for large printing equipment, not a computer tech per se. I can perform basic diagnostics on systems to determine if they are causing a problem with the equipment. In some cases, I build systems to run the printing equipment when needed. Most of the time we are sourcing a system that will meet our requirements and also alleviates us having to give support. As customers see it, you sold them the system, so you maintain it as well. However, we tell them we source from Microcenter so they can have them troubleshoot the system instead of us. I digress.

EniGmA1987 said:
During install you should use the automatic method of finding which NIC port is used for what. This way you can verify during the install that the port is seen and gets a connection fine.

If you did that and are having WAN problems, make sure your configuration is set right. With a static IP you need the WAN address, subnet mask, and gateway address. If you don't really have a static IP, then DHCP on the WAN is probably the correct way to go.

You can verify WAN connectivity from the web portal using the ping feature.

Yes, I installed the software with standard options. It does seem to show the Atheros on-board NIC and the Realtek expansion NIC. Both my boss and I reviewed the WAN settings. They seem to be OK with the static IP addresses we have with our ISP. As for rebooting the modem, I will let the boss handle it. I don't like messing with that stuff, plus I'd rather he do it so I don't take the blame for it :)



GotNoRice said:
pfSense has known issues with Realtek NICs, in addition to the fact that Realtek NICs are terrible anyway. They straight-up recommend Intel NICs.

You can get dual-port PCIe Intel NICs for $15 or less on eBay, something like a dual port Pro/1000 PT adapter or even something slightly newer like a dual port I340-T2 adapter. Surely you can afford $15?

Examples:
https://www.ebay.com/itm/184191623363
https://www.ebay.com/itm/274077899887

I see that the motherboard has regular PCI slots also, so you could get a dual port Pro/1000 MT adapter for even cheaper. Though PCIe would be better as long as you don't need to use the 16x slot for anything else.

Example:
https://www.ebay.com/itm/333542492594

Afford $15? Me? Yes. If this was my personal pfSense box, a card would be ordered. Since this is for work, see the next statement. Management? IDK. The boss said do not spend any money on this project. Source everything from inside the building. I was trying to see if a few friends in the IT business have any dual or quad Intel-based NICs around, but I drew blanks. One of my friends deals with enterprise-level hardware-based stuff. I told that to my boss, and he nearly ran me out of the office. LoL. Honestly, with Covid-19 our business has been down like many other people's. So I don't think management wants to spend money, to make sure they can keep us on the payroll and hopefully through it all.

As for the NIC brand/based types, I have come across this in several web page searches. I watched a few videos on it, it was like the first thing they went to in the review/ build. I showed it to the boss and it was like you can pay for it if you think it's going to work.

bman212121 said:
If you're using a static IP and a cable modem from, say, Comcast, sometimes that connection can be sticky in their system. Restarting the cable modem can sometimes fix that issue. If it's an SMC gateway, those things love to be a hassle to actually get to assign the IP to the system.

I assume you've had this static IP? There's no other router, or the gateway itself, that's trying to hoard it? On the pfSense side it's literally go through the wizard, assign one interface to WAN, one to LAN. If you plug into one side and can get into the 192.x address space, then you have the right one. If not, the other interface is the LAN and you should reverse the connections.

I don't necessarily buy that the NIC doesn't work at all. It might not work well, but I can't say I've ever come across a hard-wired NIC that shows up in the system but just doesn't work. But either way you could easily just reset the system from the command line and swap which NIC is the WAN.

My guess is that your issue is less pfSense and more modem related, if it's not just a Surfboard and the modem has its own ability to hand out leases. If you normally get a private IP like 10.x from the modem you're using, then pfSense blocks those networks by default, so it's not going to pick up a lease from that on the WAN port. You may need to fiddle around with getting the modem to bridge to actually get your static IP working correctly. I've seen where you can use a static and have the modem also get a real-world IP and do NAT, but it requires some modem configuration to make it happy.


I know my boss wants to run a different LAN IP scheme; it was like 172.18.10.xxx with a /24 subnet. After reading what you have to say, it might be an issue with the modem being pissy with the pfSense box. I know we set up the IPs on the WAN side correctly, consistent with everything else we have in the office. (I know we have a server, but I really know nothing about it. All I know is it's a box behind my boss's desk.) I will have to see if I can work on Monday.
 

shaggy77

Gawd
Joined
Jul 2, 2005
Messages
763
Update!!!

We got it working this afternoon. The boss gave it another shot this morning. It seemed like we were doing everything right to get it working. He gave in and said if I could source the part, buy it to verify the proof of concept. At work, one of our vendors is an electronics supply house. I called them only to find out he had a couple of NICs in stock. When I got there, it was a dual-NIC Intel Pro-based card. He said it was a good thing he asked what we were building. When he went in the back he said he saw the dual NIC and was like, perfect. So I got 2 of them for 30 bucks. Got back to the office. The boss downloaded pfSense build 2.4.5. The NICs worked instantly. The system loaded up. Within about an hour of reloading the software, using our original tower and turning off the on-board NIC, we were in business. A quick bit of additional setup and we were operational for sandbox testing. Right now the phone app is being a pain, but they have a setup guide we were working with for pfSense. Most likely it's a simple setting that needs to be configured, but once done, the boss wants to move the company over to it once things are finalized and tested, and he can see it happening sooner rather than later. The boss seemed to be happy being able to move around in the web client and locating and understanding the menu structure. He was pretty much of the opinion that we should have been doing this a long time ago.

Once the phone app is verified, there will be a push to get the desktop phones removed from the network. We will not be at the mercy of Cisco and its messed-up protocol with PoE phones if the switch dies. The only thing we would have to update is the computers, with Bluetooth adapters and headsets for all the phones. However, there are 2 locations in the office that will require a phone. I think we can press a couple of older brick-powered IP phones into service in their places. We had 2 of them there before, prior to the Cisco phones being in service.

So I am happy that I pushed for the dual NIC this morning when we tried again.
 

EniGmA1987

Limp Gawd
Joined
May 2, 2017
Messages
429
If you are doing testing and such you should try out some other firewall OSes like Untangle or OPNsense. IPFire is cool too but a bit more cumbersome and less hardware support.
Untangle costs money, but is the best one IMO. pfSense's antivirus is just ClamAV, which is kinda sucky. The Untangle paid version gives you a multi-threaded virus scanner powered by BitDefender. You also get things like SSL inspection, spam blocking, and a threat protector that scans encrypted traffic too.
 

shaggy77

Gawd
Joined
Jul 2, 2005
Messages
763
I guess it will be up to whatever my boss decides. 3 coworkers and I were laid off this morning due to low call volume and no incoming sales, no business in general. Management is hoping they are going to be able to call us back in in a few weeks or less once things settle. Simply put, I removed my employer's tooling from my one rolling tool box. Secured my items. Said a few goodbyes. Left at around 1 PM. There was no reason to hang around more than I needed. Currently my boss and his dad are finalizing the remaining inbound shipments, verifying some stuff and seeing what happens in the next week or two.
 

MrGuvernment

Fully [H]
Joined
Aug 3, 2004
Messages
19,456
Untangle is great, ease of use in terms of web filtering and doing all of that. This is the reason they charge you money for it. While you can do all of this in pfSense, it is more complex and tedious. All depends on how much time you want to spend babysitting your firewall to get it configured how you want. I love pfSense, use it at home, but if you wanted complex web filter rules and groups and such, Untangle is worth it. As for OPNsense, I trust them as far as I can throw them since they blatantly stole pfSense code and didn't even bother to remove the commenting...
 

EniGmA1987

Limp Gawd
Joined
May 2, 2017
Messages
429
MrGuvernment said:
As for OPNsense, I trust them as far as I can throw them since they blatantly stole pfSense code and didn't even bother to remove the commenting...

That's because it is a fork of pfSense from some of the old developers back when pfSense went corporate and then started removing drivers and kernel modules for things the new owner company didn't like.
pfSense is the one lying about supporting all the same things as FreeBSD, when they have a good bit of hardware support removed.
 
Last edited:

tangoseal

[H]F Junkie
Joined
Dec 18, 2010
Messages
8,973
Just install two NICs in your contemporary office workstation and use a VM to test out pfSense. A damn calculator CPU can run pfSense, basically. The cool thing about a VM is that you can do all the changes you want and see how it performs. Take a snapshot, fuck it up badly, load the snapshot back, and you're up and running in 1 min.

If you have a layer 3 switch you can use just one NIC.

You can use an old laptop with a single NIC, but you need an L3 switch as well, or use the built-in NIC and toss a USB NIC on there for testing.
 
Last edited:

tangoseal

[H]F Junkie
Joined
Dec 18, 2010
Messages
8,973
EniGmA1987 said:
That's because it is a fork of pfSense from some of the old developers when pfSense went corporate and started removing drivers and kernel modules for things the owner company didn't like.
pfSense is the one lying about supporting all the same things as FreeBSD, when they have a good bit of hardware support removed.

I'm just glad AES-NI is not required like they originally planned. No reason you need hardware encryption unless you're VPNing. Not everyone needs VPN usage.
 

shaggy77

Gawd
Joined
Jul 2, 2005
Messages
763
Well, I got a small update. The system is pretty much online. A few settings are still being figured out, but overall it's online. My boss is no longer at the mercy of the PoE or even the old firewall. I gave him a few minutes of help every week or so testing outbound and inbound communications while furloughed. Today was the first test with a live customer. It was a new experience for the company and the customer. We would not have had the capacity if it were not for the slowdown to catch our breath on this project. So my boss is finalizing his tweaks and he likes it. It works, and well.
 