Introduction to a Self Managed Life: a 13 hour & 28 minute presentation by FUTO software
= Building Our Own Router =

Let’s dive into the first step: setting up '''pfSense''' on an '''Intel NUC''' (a small-form-factor barebone PC, [https://en.wikipedia.org/wiki/Next_Unit_of_Computing Next Unit of Computing]) to serve as your router. We’ll be setting this up with OpenVPN, which is very important for connecting securely to your home network.

As for the hardware, I’m using an Intel NUC because it’s compact, reliable, and it has two Ethernet ports, which are necessary for setting up a router. One port is used for your '''WAN''' (internet), and the other for your '''LAN''' (internal network). For a '''pfSense''' router, we must choose a machine with '''TWO''' ethernet ports, not one!

<span id="why-pfsense"></span>
== Why pfSense? ==

I chose '''pfSense''' ten years ago because:

# It’s open-source.
# It’s fast.
# It gets regular updates for security issues.
# The parent company has paid corporate & business clients relying on their software, which is based on an open source core. The developments with regards to making certain network cards work well with FreeBSD get included upstream to the free versions.
# This means that I, as a scrub who didn’t pay for it, get something that is very similar to what corporate clients who are paying $10,000 or more are getting.
# If I mess something up with my very unusual custom setup, I can pay the developers of the software to fix it for me. This level of support is not common in many open source projects. If I want to cry uncle & pay them an annual fee, they will respond to my questions & provide me with '''''REAL''''' answers rather than tell me to go ''“rtfm”''.
# It comes with features like '''pfBlockerNG''' to block ads, scams, and malware at IP & DNS level with regular updates.

I use '''pfSense''' now because:

# I’m used to it.
# The idea of redoing my complicated setup from scratch gives me hives.
# See #2, in regard to becoming acquainted with the unique quirks of other open source software.
I had very good reasons for choosing '''pfSense''' ten years ago – and I have good reasons to use it today. That doesn’t mean it’s the best. Feel free to use whatever you want to use. For the purposes of this guide, I will be using '''pfSense'''.

There’s a bit of a debate between '''pfSense''' and <code>OPNsense</code>. TL;DR, the developers of '''pfSense''' are [https://opnsense.org/opnsense-com/ not the nicest people sometimes]. If this bothers you, consider checking out <code>OPNsense</code>. Since I’ve been using '''pfSense''' for a decade, I’ve built much of my infrastructure around it. I am well aware of its quirks and don’t feel like setting up my network from scratch, so I am using '''pfSense''' for this tutorial.

Regardless of the [https://news.ycombinator.com/item?id=17431809 developers], you are infinitely better off using '''pfSense''' on your own hardware than standard routers.

<span id="choosing-the-right-hardware"></span>
== Choosing the Right Hardware ==

<span id="why-an-intel-nuc"></span>
=== Why an Intel NUC? ===

When searching for hardware to build a '''pfSense''' router, you’ll often come across a variety of mini PCs on platforms like Amazon. However, there are several issues with these options:

# '''Inconsistent Quality:''' You’ll find reputable brands like Mikrotik listed alongside unknown generic random stuff. I trust Mikrotik - I don’t trust random junk. Amazon allows random junk from unverified, untrusted vendors to show up routinely at the top of the search results.
# '''Unreliable Reviews:''' Amazon’s review system has known issues:
#* Reviews from [https://www.youtube.com/watch?v=qZCMislL6_I&list=PLkVbIsAWN2ls4fzQbP9fdW66tjcIs4JNQ&index=5&pp=gAQBiAQB unrelated products (e.g., digital picture frames) applied to air conditioners].
#* Vendors [https://www.youtube.com/watch?v=eS698R-bxuc&list=PLkVbIsAWN2ls4fzQbP9fdW66tjcIs4JNQ&index=4&pp=gAQBiAQB bribing customers for positive reviews] without consequences.
#* Potentially fake or misleading reviews.
# '''Safety Concerns:''' Amazon has a history of selling mislabeled or dangerous products, including:
#* [https://www.youtube.com/watch?v=B90_SNNbcoU&list=PLkVbIsAWN2ls4fzQbP9fdW66tjcIs4JNQ&index=2&pp=gAQBiAQB Incorrectly rated electrical fuses].
#* [https://www.youtube.com/watch?v=y83BS_mK9GE&list=PLkVbIsAWN2ls4fzQbP9fdW66tjcIs4JNQ&index=1&pp=gAQBiAQB Faulty electrical crimps].
#* Litter boxes that [https://www.dailydot.com/news/cat-stuck-in-automatic-litter-box/ kill cats].

…and the list goes on. This guide is going to be 600+ pages when done; do you want to do all of this work only to have the primary component be a piece of junk from a website that sells cat guillotines? No.

<span id="the-better-alternative-repurpose-an-old-desktop-pc"></span>
=== The Better Alternative: Repurpose an Old Desktop PC ===

Instead of risking your project with unknown mini PCs, consider using an old desktop computer:

# '''Reliability:''' A 10-12 year old desktop is likely more reliable than no-name mini PCs.
# '''Choice of Network Card:''' Desktop PCs offer PCI Express slots for additional network cards, so YOU can choose the network interface card for your setup. You often do not know what chipsets are used in the no-name-mini-PCs. '''pfSense''' & other FreeBSD-based routers are sensitive to poor-quality chipsets.
# '''Cost-Effective:''' You can re-purpose an old desktop you already have & save money on purchasing new hardware.

<span id="choosing-the-right-network-interface-cards-nics"></span>
=== Choosing the Right Network Interface Cards (NICs) ===

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxaty_tmp_12bd653b.png
File:lu55028jxaty_tmp_a186c0a7.png
File:lu55028jxaty_tmp_a7b91798.png
</gallery>

To transform your old desktop into a capable router:

# '''Add Quality NICs:''' Install high-quality network cards, preferably Intel-based.
# '''pfSense Compatibility:''' Check the '''pfSense''' forums for compatible chipsets and cards.
# '''Examples of Good NICs:'''
#* Intel X540.
#* Intel 350.

<span id="caution-when-purchasing-nics"></span>
=== Caution When Purchasing NICs ===

# '''Avoid Realtek at all costs:''' Read '''pfSense''' and FreeBSD forums to learn about the issues from people who use Realtek network interface cards. Sometimes you’ll get something working, but often you will get headaches and nightmares that are not worth the cost savings. Realtek network cards are best avoided in pfSense & similar setups due to known issues with poor performance & compatibility. Intel network interface cards are preferable for reliability & better support in open-source projects like pfSense.

<blockquote>'''Note of Appreciation''': pfSense developers have created drivers for network interface chipsets like the 225 ([https://github.com/freebsd/freebsd-src/commit/517904de5ccac643589c71ac0d2751797f89e4f9 citation 1], [https://github.com/pfsense/FreeBSD-src/commit/9ffb4c0adab4853ab752ecda6a5ff59ea943af4e citation 2]) that didn’t exist before. Intel network interface cards are known to have better performance & reliability in FreeBSD systems than Realtek chipsets. The ecosystem of open source firewalls is invested in providing support for these chipsets, providing solutions when the manufacturer doesn’t. This is an excellent argument in favor of [https://www.reddit.com/r/PFSENSE/comments/uuigfy/is_the_intel_i225v_nic_ok/ paying money for open source software]. The igc driver for the i225 Intel network chip was made available to everyone! Commercial users, non-paying users of pfSense, and other FreeBSD based routers/firewalls all benefit from people paying for open source software. Top notch programmers wrote these drivers because they were able to pay their rent & bills doing so.
When you pay for open source software, you are sending a message that it makes sense for top notch programmers to spend money developing open source code that doesn’t abuse you rather than going to work for Facebook. </blockquote>

<ol start="2" style="list-style-type: decimal;">
<li>'''Buy from Reputable Vendors:''' Avoid counterfeit products by purchasing from trusted sellers. There are many counterfeit cards out there.</li></ol>

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxaty_tmp_42645421.png
File:lu55028jxaty_tmp_3d7f0c6c.png
</gallery>

<ol start="3" style="list-style-type: decimal;">
<li>'''Vendors don’t know the difference:''' Many vendors selling knockoff cards do not even know they are doing it. Wholesale liquidators operate with low profit margins while selling a wide variety of equipment and lack the time and expertise to vet all of what they sell. As a result, many vendors sell counterfeit and fake Intel network cards.</li></ol>

* '''Recommended:''' ''The Art of Server'' on eBay ([https://www.ebay.com/str/theartofserver link])
* '''Example product:''' Intel X540 ([https://www.ebay.com/itm/166585171595 link])

'''Verify Compatibility:''' Make sure the card fits your PC’s available slots.

* Be wary of non-standard form factors or connectors.

'''HINT:''' Buying cards that are branded from server re-sellers is a good way to avoid fakes. For instance

<span id="dont-buy-digiorno"></span>
=== Don’t buy Digiorno ===

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxaty_tmp_19879e61.png
File:lu55028jxaty_tmp_be9591e5.png
File:lu55028jxaty_tmp_cb6dfb59.png
</gallery>

Buying used network cards, and used hardware, is ok. Actually, it’s encouraged; it’s a great way to buy better hardware than you’d otherwise be able to afford, and it avoids senseless waste. However, be careful to not buy Digiorno.
There are amazing deals to be found in the used server world, but it is also a jungle ready to eat you alive if you’re naive enough to believe those crazy folks have any respect for the civilized world of standardized connectors.

'''Good vendors will be able to tell you the difference between normal hardware and Digiorno. If they do not know the difference, YOU DO NOT WANT TO BUY FROM THEM!'''

Building a DIY '''pfSense''' router with an old desktop PC and quality Intel NICs is likely to provide a more reliable and expandable solution than generic mini PCs. With a random mini PC, if you get a bad network interface card, you’re out of luck. With your old desktop PC, you can choose the network interface card. Want 2.5GbE? Get another card. Want 10 Gbps? Get another card. Want fiber? Get another card. Have a card with the wrong chipset? Swap in another card.

We are going down a 10+ hour rabbit hole of hell setting up all sorts of confusing, crazy GNU/Linux software. Even a 1% increase in the likelihood of this being more difficult as a result of random garbage Amazon hardware isn’t worth it to me for $100-$200 in savings.

I chose an Intel NUC because it has two quality NICs, and I was able to find one affordably. You do not have to buy the computer I bought to use as a router: this is your journey!

'''Note:''' There is no one “right” way to do this. As long as you use a stable, quality computer with GOOD network interface cards that the '''pfSense''' & <code>FreeBSD</code> community approve of, you are set!
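One way to find out which Ethernet chipsets a candidate machine really has before committing to it, as an added example that is not part of the original guide. It parses <code>lspci -nn</code> output from a Linux live USB and applies the guide's Intel-versus-Realtek rule; the device-ID-to-driver table (with the guide's "Intel 350" taken to mean the I350) and the sample output are assumptions assembled for this example.

```python
#!/usr/bin/env python3
"""Vet a machine's wired NICs against the guide's advice before installing pfSense.

Added example, not from the guide. Input is `lspci -nn` output (Linux, pciutils).
"""
import re
import shutil
import subprocess

# PCI vendor IDs from the public PCI ID database.
INTEL, REALTEK = "8086", "10ec"
ETHERNET_CLASS = "0200"  # PCI class 02 (network), subclass 00 (Ethernet)

# Assumption: common device IDs for the Intel chips the guide mentions, with the
# FreeBSD driver that attaches to them. Other variants of each chip exist.
KNOWN_INTEL = {
    "1521": ("I350", "igb"),
    "1528": ("X540", "ix"),
    "15f2": ("I225-LM", "igc"),
    "15f3": ("I225-V", "igc"),
}

# Shape of a line: SLOT CLASSNAME [CLASS]: DEVICE NAME [VENDOR:DEVICE] (rev NN)
LINE_RE = re.compile(
    r"^(?P<slot>\S+)\s+[^\[]+\[(?P<cls>[0-9a-f]{4})\]:\s+"
    r"(?P<name>.+?)\s+\[(?P<vendor>[0-9a-f]{4}):(?P<device>[0-9a-f]{4})\]",
    re.IGNORECASE,
)

# Constructed sample of `lspci -nn` output (not captured from a real machine).
SAMPLE = """\
01:00.0 Ethernet controller [0200]: Intel Corporation I350 Gigabit Network Connection [8086:1521] (rev 01)
01:00.1 Ethernet controller [0200]: Intel Corporation I350 Gigabit Network Connection [8086:1521] (rev 01)
03:00.0 Ethernet controller [0200]: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller [10ec:8168] (rev 15)
04:00.0 Network controller [0280]: Intel Corporation Wireless 8265 / 8275 [8086:24fd] (rev 78)
"""


def parse_lspci(text):
    """Return one dict per Ethernet controller found in `lspci -nn` output."""
    nics = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["cls"].lower() != ETHERNET_CLASS:
            continue  # skips Wi-Fi (0280), GPUs, bridges and unparsable lines
        vendor, device = m["vendor"].lower(), m["device"].lower()
        model = driver = None
        if vendor == REALTEK:
            verdict = "avoid"          # the guide: avoid Realtek
        elif vendor == INTEL and device in KNOWN_INTEL:
            model, driver = KNOWN_INTEL[device]
            verdict = "ok"             # an Intel chip the guide names
        else:
            verdict = "check"          # unknown here: look it up first
        nics.append({"slot": m["slot"], "name": m["name"], "id": f"{vendor}:{device}",
                     "model": model, "driver": driver, "verdict": verdict})
    return nics


def has_two_good_ports(nics):
    """The router needs one WAN and one LAN port; count only ports rated 'ok'."""
    return sum(n["verdict"] == "ok" for n in nics) >= 2


def report(nics):
    """Human-readable summary, one line per wired NIC plus the port check."""
    lines = []
    for n in nics:
        detail = {
            "ok": f"{n['model']}, FreeBSD driver {n['driver']}",
            "avoid": "Realtek: the guide says to avoid these",
            "check": "look this chipset up on the pfSense/FreeBSD forums",
        }[n["verdict"]]
        lines.append(f"{n['slot']}  {n['id']}  {n['verdict'].upper():5}  {detail}")
    answer = "yes" if has_two_good_ports(nics) else "no"
    lines.append(f"two vetted ports for WAN + LAN: {answer}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Use the real machine's inventory when lspci is installed, else the sample.
    if shutil.which("lspci"):
        out = subprocess.run(["lspci", "-nn"], capture_output=True, text=True).stdout
    else:
        out = SAMPLE
    print(report(parse_lspci(out)))
```

A matching vendor and device ID only tells you what the card reports about itself; it does not prove the card is genuine, so the guide's advice about buying from reputable vendors still applies.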
<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxaty_tmp_62a48d1.png
File:lu55028jxaty_tmp_3759a8d9.png
File:lu55028jxaty_tmp_ac097d76.png
File:lu55028jxaty_tmp_1ae997fd.png
</gallery>

<span id="step-1-downloading-pfsense-and-preparing-a-bootable-usb-drive"></span>
== Step 1: Downloading pfSense and Preparing a Bootable USB Drive ==

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxaty_tmp_f0537346.png
File:lu55028jxaty_tmp_8ddd142e.png
File:lu55028jxaty_tmp_487b2ff3.png
</gallery>

<span id="download-pfsense"></span>
==== 1.1 Download pfSense ====

'''pfSense'''’s website has unfortunately become [https://www.pfsense.org/download/ cancer] in recent years. While I am all for paying for software, the concept of having to add to cart, checkout, and insert billing information to download a free image… no. Avoid using this version of the website. Instead, [https://atxfiles.netgate.com/mirror/downloads/ go here]. Feel free to buy it and pay for their support, but don’t jump through stupid hoops.

# Open your web browser and visit the [https://atxfiles.netgate.com/mirror/downloads/ pfSense mirror site].
# Choose the correct architecture for your system (usually <code>amd64</code> for most modern computers, including Intel NUCs). If you don’t know what the difference is between these, pick <code>amd64</code>.
# Select the USB installer image (.img.gz) from the available options.

<span id="unzip-the-downloaded-pfsense-file"></span>
==== 1.2 Unzip the Downloaded pfSense File ====

# After the download completes, you’ll need to uncompress (unzip) the file.
# The file typically ends with <code>.gz</code>. Use the right tool for your operating system:

<ul>
<li><p><code>Linux or macOS:</code> Open a terminal and run the following command:</p>
<pre>gzip -d pfSense-CE-memstick-*.img.gz</pre></li>
<li><p><code>Windows:</code> Use a tool like 7-Zip.
Right-click the file, choose “Extract Here,” and let the tool unzip it.</p></li></ul>

<span id="create-a-bootable-usb-drive-with-the-pfsense-image"></span>
==== 1.3 Create a Bootable USB Drive with the pfSense Image ====

'''Warning:''' This process will erase everything on the USB drive.

# Insert a USB flash drive (at least 4GB in size) into your computer.
# Use one of the following methods to write the pfSense image to the USB drive:

<span id="windows"></span>
===== Windows: =====

# Download and install [https://en.wikipedia.org/wiki/Rufus_(software) Rufus].
# Open Rufus and select your USB drive.
# Click the ''“SELECT”'' button and choose the unzipped <code>.img</code> file you downloaded.
# Click ''“Start”'' and let Rufus create the bootable USB.

<span id="GNU/linuxmacos"></span>
===== GNU/Linux or macOS: =====

<ol style="list-style-type: decimal;">
<li><p>Open the terminal and type one of the following commands depending on the system used:</p>
<pre>sudo fdisk -l # GNU/Linux</pre>
<pre>diskutil list # macOS</pre></li>
<li><p>Make note of drives in the system. Do not erase these.</p></li>
<li><p>Plug in the flash drive.</p></li>
<li><p>Open the terminal and type one of the following commands again:</p>
<pre>sudo fdisk -l # GNU/Linux</pre>
<pre>diskutil list # macOS</pre></li>
<li><p>Make note of the drive that was not present before. Write it down.</p></li>
<li><p>Double-check size/brand/model to make sure this new device is the device you plugged in.</p></li>
<li><p>Now, unplug the drive you just plugged in.</p></li>
<li><p>Run:</p>
<pre>sudo fdisk -l # GNU/Linux</pre>
<pre>diskutil list # macOS</pre></li>
<li><p>Does the drive you wrote down in step 5 still appear? If so, you made a mistake, and you’re on your way to deleting all of your data. Don’t do that. Do not pass go, do not collect $200 – back to the beginning.
If not, you can now plug your drive back in.</p></li>
<li><p>Run:</p>
<pre>sudo fdisk -l # GNU/Linux</pre>
<pre>diskutil list # macOS</pre></li>
<li><p>If the drive that did not appear last time, appears this time, and is the same device as in step 5, you are likely on your way to not erasing your entire system. Good job, that makes you less of an idiot than me; a low bar, but it’s something.</p></li>
<li><p>Run the following, replacing <code>/dev/sdX</code> with your drive, and replace the pfSense img file with the filename of your image file:</p>
<pre>sudo dd if=pfSense-CE-memstick-serial-*.img of=/dev/sdX bs=1M status=progress</pre></li></ol>

Your bootable USB drive with pfSense is now ready for use! If you managed to erase your entire computer by writing pfSense’s image to your operating system drive EVEN AFTER all of this, congratulations, you’re almost as stupid as me.

<span id="step-2-disable-secure-boot-and-install-pfsense-on-the-intel-nuc"></span>
== Step 2: Disable Secure Boot and Install pfSense on the Intel NUC ==

Before you can install pfSense, you’ll need to disable Secure Boot if you are using a modern computer. Many modern computers, especially those pre-installed with Windows 10 or 11, come with Secure Boot enabled, preventing you from booting into an operating system that isn’t signed by Microsoft initially. Since pfSense is open-source and unsigned, we need to disable Secure Boot to start our installation.

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxaty_tmp_827ab6bb.png
File:lu55028jxaty_tmp_582a2319.png
</gallery>

<span id="disabling-secure-boot-in-bios"></span>
=== 1. Disabling Secure Boot in BIOS ===

# '''Insert the USB Drive'''
#* Plug in the USB drive containing the pfSense installation image into one of the USB ports on your Intel NUC.
#* Make sure this is done before you power on the device.
# '''Enter the BIOS'''
#* Power on the Intel NUC and immediately start pressing F2 (or the designated key for your system) to access the BIOS settings.
#* Keep pressing this key until you enter the BIOS. On some systems, the BIOS key may be different (e.g., Delete or Esc), but F2 is common for most systems.
# '''Disable Secure Boot'''
#* Inside the BIOS, navigate to the Boot section.
#* Locate Secure Boot and toggle it to Off. Depending on your BIOS, Secure Boot may be located under the Security or Boot sections.
#* Once Secure Boot is disabled, you’re ready to install pfSense.
# '''Set Boot Priority'''
#* In the BIOS, go to Boot Priority settings.
#* Set your USB drive as the first boot device. This will allow the system to automatically boot from the USB drive containing the pfSense installer.
#* Alternatively, you can press <code>F12</code> (or the appropriate key) during boot to manually enter the boot menu & select the USB drive each time.
# '''Save and Exit BIOS'''
#* Press <code>F10</code> to save your changes and exit the BIOS, or whatever key does it on your machine.
#* The system will now reboot, and if the USB drive is set as the first boot option, it should boot directly from the USB flash drive and load the pfSense installer.

<span id="step-3-installing-pfsense-on-the-intel-nuc"></span>
== Step 3: Installing pfSense on the Intel NUC ==

<span id="boot-from-the-usb-flash-drive"></span>
=== Boot from the USB Flash Drive ===

<span id="power-on-the-intel-nuc"></span>
==== 1.1 Power on the Intel NUC ====

* Make sure the USB drive containing the pfSense installer is still plugged into the Intel NUC.
* Power on the NUC and press <code>F10</code> (or the relevant boot menu key) to select the USB drive as the boot device.

<span id="select-the-usb-drive-in-boot-menu"></span>
==== 1.2 Select the USB Drive in Boot Menu ====

* In the boot menu, you’ll see a list of available boot devices. Select the USB flash drive that contains the pfSense installer.
* Press <code>Enter</code> to boot from the USB drive.

<span id="begin-the-pfsense-installation"></span>
=== Begin the pfSense Installation ===

<span id="pfsense-installer-menu"></span>
==== 2.1 pfSense Installer Menu ====

* After a few moments, the pfSense installer menu will appear.
* Use the arrow keys on your keyboard to select '''Install''' and press <code>Enter</code> to begin the installation.

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxaty_tmp_8890b270.png
</gallery>

<span id="choose-installation-method"></span>
==== 2.2 Choose Installation Method ====

* The installer will guide you through the process. When prompted to choose an install method, select '''Auto (ZFS)''' for the file system.
* ZFS is a great file system that offers data integrity, snapshots, and other advanced features. You probably won’t use most of them, but it’s still an excellent choice.

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxaty_tmp_41fc31d.png
File:lu55028jxaty_tmp_e354a54e.png
</gallery>

<span id="select-the-correct-installation-drive"></span>
=== Select the Correct Installation Drive ===

Raidz1 is a good option in that it allows one of the drives in your machine to die, and the router to keep going. This requires you have not one, but two drives inside your router machine. This is not a bad idea. You should be making a backup file of your router anyway so that you can restore regardless of what happens to any and all of the hardware on this one: but, this will allow the router to keep working even if a single drive dies. I am using stripe, no redundancy, which is the option you will be picking if you have only one drive in the router.

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxaty_tmp_bcad25ab.png
</gallery>

<span id="select-internal-ssd-or-hard-drive"></span>
==== 3.1 Select Internal SSD or Hard Drive ====

* The next step is to select the disk where '''pfSense''' will be installed. This is a very important step, so pay close attention.
* You will see a list of drives. The USB drive will usually appear as a small capacity device (e.g., 4GB or 8GB).
* Choose the larger drive that represents your Intel NUC’s internal SSD or hard drive (e.g., 256GB, 512GB).
* '''Important:''' “generic-mass-storage-class” is usually your external USB flash drive. '''If you’re using a PC with an internal drive, there’s a 99% chance that “generic-mass-storage-class” is NOT what you want to select unless you’re intentionally installing to a USB mass storage device (which is not recommended for a permanent installation).'''
* In my case, the Micron SSD was my internal SSD. Your drive name may be different, but look for a larger capacity drive that matches what you know is inside your NUC or PC.
* Use the arrow keys to highlight the correct drive, then press Enter to confirm your selection.

<span id="confirm-erase-and-installation"></span>
==== 3.2 Confirm Erase and Installation ====

* Once the correct internal drive is selected, the installer will ask if you want to erase the drive and proceed with the installation.
* This will erase all data on the selected drive. Make sure you’ve backed up any important data before proceeding.
* Confirm by selecting '''Yes'''. The installer will now copy files and set up '''pfSense''' on the internal drive. This may take a few minutes.

<span id="complete-the-installation-and-reboot"></span>
=== Complete the Installation and Reboot ===

<span id="remove-the-usb-flash-drive"></span>
==== 4.1 Remove the USB Flash Drive ====

* After the installation is complete, you’ll be prompted to reboot the system.
* Before rebooting, remove the USB flash drive from the Intel NUC. This makes sure it boots from the newly installed '''pfSense''' system on your internal drive.

<span id="reboot-and-load-pfsense"></span>
==== 4.2 Reboot and Load pfSense ====

* After removing the USB drive, press <code>Enter</code> to reboot the system.
* The Intel NUC will now boot into '''pfSense''' from the internal drive, and you’ll be greeted with the '''pfSense''' console screen.

Now that '''pfSense''' is installed, you’re ready to proceed with the initial configuration. This includes setting up your WAN (external network) and LAN (internal network) interfaces to make the NUC function as your network router.

<span id="step-4-first-time-configuration-of-pfsense"></span>
== Step 4: First-Time Configuration of pfSense ==

Now that you have pfSense installed on your device, it’s time to set it up and configure the basic settings. This step will cover configuring the '''WAN''' (internet) and '''LAN''' (local network) interfaces, setting IP addresses, and making sure everything is ready for further setup.

<span id="connecting-and-booting-up-pfsense"></span>
=== 1. Connecting and Booting Up pfSense ===

<span id="connect-your-devices"></span>
==== 1.1 Connect Your Devices: ====

* Plug your cable modem into one of the Ethernet ports on your pfSense device.
* Plug your desktop computer (the one you’re using to set everything up) into the other Ethernet port.
* At this point, you don’t need more than these two connections.

<span id="power-on-and-watch-the-boot-process"></span>
==== 1.2 Power On and Watch the Boot Process: ====

* Turn on your pfSense device.
* You’ll see a lot of text scrolling on the screen as the system boots up. Don’t worry if it seems overwhelming—this is normal.
* Pay close attention to the information displayed, especially towards the end of the boot process. Look for any text related to an '''IP address''' or '''interface name''', like what is pictured below:

<blockquote>'''NOTE''': Interface names can be ascertained by looking at what is going on as the machine boots. This is helpful for later! Refer to images below. </blockquote>

<span id="initial-configuration-steps"></span>
=== 2. Initial Configuration Steps ===

<span id="vlan-setup-prompt"></span>
==== 2.1: VLAN Setup Prompt ====

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxaty_tmp_4cd80f0d.png
</gallery>

* One of the first prompts you’ll see is: '''“Should VLANs be set up now?”'''
* What is a VLAN? VLAN stands for '''Virtual Local Area Network'''. It’s a way to create separate networks within your network. For example, if you have a switch with 52 ports and want to have five different networks all connected to your router with just one cable, you’d use VLANs. However, this is way too advanced for what we’re doing here.
* You may see a bunch of random text appear before you have a chance to respond. Don’t worry, you haven’t missed your opportunity to input. You can still type ‘n’ and hit enter when you’re ready.
* This is just normal open-source nerd UI/UX that is not designed for normal people. You will see a lot of this. That is why we’re here!
* For now, press '''‘N’''' to skip VLAN setup. We’re setting up just one local network, so VLANs aren’t necessary at this stage. You may do this later with the wifi section to have segmented wifi networks for trusted & untrusted devices & to limit their access, '''but that does not have to be done right now and can be done later!'''

<span id="wan-and-lan-interface-assignment"></span>
==== 2.2: WAN and LAN Interface Assignment ====

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxaty_tmp_78cbbbb8.png
</gallery>

* Next, pfSense will show you which interfaces are available on your device. This is where you assign the Ethernet ports for '''WAN''' (internet) and '''LAN''' (internal network).
* Pay close attention to the bottom third of the screen. You’ll see information about which interface (e.g., <code>em0</code> or <code>igb0</code>) has received an IP address. The interface that received an IP address is most likely your '''WAN interface'''. In my case, <code>em0</code> is the interface attached to Spectrum cable internet; makes sense that it’s sad…
* Your desktop PC is not going to “provide” an IP address to the router; it is going to try to '''retrieve''' an IP address from the router. This is how we determine that the interface that has received an IP address is the WAN interface connected to our modem.
* The names of these interfaces may vary depending on your hardware and pfSense version. Don’t worry if they don’t match exactly what you see in this guide.

When prompted:

# '''Enter WAN Interface Name:'''
#* Input the name of the interface that received an IP address (e.g., <code>em0</code>).
# '''Enter LAN Interface Name:'''
#* Input the name of the other interface (e.g., <code>igb0</code>).

Confirm the interface assignments when prompted. This tells '''pfSense''' which port to use for '''WAN''' (internet) and which for '''LAN''' (local network).

<blockquote>'''NOTE''': This is the IP address that you would be accessing the '''pfSense''' web interface on. This is also your “gateway” address, i.e., what your computer connects to in order to get an IP address, and before it connects to any IP outside of this subnet (subnet = other devices on your LAN, e.g., cellphone, TV, file server, etc.). </blockquote>

<span id="configuring-lan-ip-address"></span>
=== 3. Configuring LAN IP Address ===

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxaty_tmp_ebc6f9c0.png
</gallery>

<span id="default-lan-ip"></span>
==== 3.1: Default LAN IP ====

After assigning interfaces, '''pfSense''' will show you the default LAN IP address, usually '''192.168.1.1'''. This is the IP address of your router ('''pfSense''') within your local network. Any device that connects to the router will be assigned an IP address in the '''192.168.1.x''' range by default.
For instance, your PC may grab an IP of 192.168.1.46, 192.168.1.16, etc., if set to connect automatically via <code>DHCP</code> (Dynamic Host Configuration Protocol). <code>DHCP</code> means that when you connect to a router, it gives an IP address/DNS server/etc. to you by default, “Plug N Play” style. This is the default configuration of most devices you will ever connect to the internet unless you went out of your way to re-configure them. This includes your computer, cellphone, game console, IoT devices, security cameras, etc. They’re all connecting via <code>DHCP</code>.

<span id="changing-the-lan-ip-optional"></span>
==== 3.2: Changing the LAN IP (Optional) ====

Requirements: You don’t need to change this unless you have a specific reason to do so, such as conflicts with other networks you’re using. I have chosen to change it, and will be working with the following configuration throughout this guide.

'''You do not have to follow what I am doing, but if you want to be able to copy & paste addresses along with me, feel free to do it this way; it won’t hurt.'''

# '''Set Interface IP address'''
#* The number for the LAN interface was <code>2</code> in my case.
# '''Configure the new LAN IPv4 address via DHCP'''
#* Choose <code>n</code>.
#* This isn’t referring to having DHCP so that clients who connect can get an IP address. It is asking whether this interface should have a dynamic IP itself, meaning the router/gateway would have a different IP each time we connect to it. There is no need for this.
# '''Enter the new LAN IPv4 address'''
#* <code>192.168.5.1</code> is my LAN IPv4 address that I will choose for my router.
#* This is where your '''pfSense''' router will be accessible via web browser. This will be your gateway address, and this will be your DNS server.
# '''Enter LAN IPv4 subnet bit count'''
#* <code>24</code> is the subnet bit count.
#* (This is shorthand for a subnet mask of <code>255.255.255.0</code>).
# '''IPv4 upstream gateway address'''
#* Press enter for none.
# '''Configure IPv6 address for LAN interface via DHCP6'''
#* Press <code>y</code>, we’re not using IPv6 in this guide anyway.
#* I hit <code>y</code>, you can hit <code>n</code> and specify an address manually, but I will not be using IPv6 so it makes no difference to me, no need to specify an address I have to remember for something I will never use.
#* You’re welcome to set up an IPv6 home network if you want; I am not covering that here.

<span id="dhcp-setup"></span>
==== 3.3: DHCP Setup ====

# '''DHCP (Dynamic Host Configuration Protocol)''' automatically assigns IP addresses to devices on your network. This makes it easier to connect new devices without manually configuring IP settings on each one. This is what allows clients to be able to get an IP address automatically as soon as they connect via Wi-Fi or with an ethernet cord into your switch. You want this so that by default people can go online without having to specify their IP manually.
# When asked if you want to configure DHCP, choose '''Yes'''.
# Set the DHCP range. This is the range of IP addresses that will be assigned to devices on your network. For example:
#* '''Start Address:''' <code>192.168.5.2</code>
#* '''End Address:''' <code>192.168.5.254</code>
# Since we have our router on <code>192.168.5.1</code>, the next address that’s available is <code>192.168.5.2</code> which is the start, and <code>192.168.5.254</code> as the end.
# For ''Do you want to revert to HTTP as the webconfigurator protocol'', choose <code>n</code>. No need to use HTTP instead of HTTPS. We’re never going to connect to this without a VPN anyway, so HTTP vs HTTPS isn’t the biggest security deal in the world, but it’s a good practice to use HTTPS whenever possible.

This allows up to 254 devices on your local network, which is more than enough for most home setups.
If you have more than 254 devices at home, you’re likely not reading a beginner’s guide from a board repair person cosplaying as a sysadmin.

If you want to go crazy, you can do a different setup entirely: change the LAN IP to something even less common if you want to avoid conflicts, such as <code>172.16.10.1</code> as a LAN IP, subnet 24. This would allow 254 devices that would be given IPs such as <code>172.16.10.2</code>, <code>172.16.10.30</code>, etc.—and your '''pfSense''' router web interface would be accessible on <code>172.16.10.1</code>.

When you connect to other people’s networks, if you don’t disable LAN access in the OpenVPN Android client, and their network has a <code>192.168.1.1</code>, and yours has a <code>192.168.1.1</code>… You see where this is going. Chances are they don’t have a <code>192.168.5.1</code> though.

<blockquote>'''NOTE:''' If both your home network and a remote network you’re connecting from via VPN use the same IP range, you can end up with routing & connectivity issues. Let’s say you’re at a coffee shop. You connect via wifi. On their network, you are 192.168.1.3. You connect to your home network via your VPN, and you want to connect to your local mailserver… but you both have the same pos linksys wrt54g router, which defaults everyone to 192.168.1.*. So you try to connect to 192.168.1.3. Do you see where this is going? Changing your home network to a less common IP range can mitigate this risk. Always check the IP range of networks you frequently connect to and adjust your home network accordingly. Or, just make yours some weird-ass number that nobody else will be using. The latter works for me.
</blockquote>

<span id="finishing-up"></span>
=== 4. Finishing Up ===

At this point, the basic configuration is complete. You can now:

# Unplug the monitor, keyboard, and mouse from your '''pfSense''' device.
# Put away your keyboard and mouse.
# Turn your cable modem off for a minute or two, and then plug it back in.
Some modems get mad when you plug in a new router.

<blockquote>'''NOTE:''' Configuring the LAN IPv4 address and subnet mask sounds confusing if you’re used to plugging in your 50 year old Linksys WRT54G & getting going. It’ll get easier with time, but for now, let’s go over what some of these pieces do. You can always come back to this later.

'''What is the LAN IPv4 Address?'''

The LAN IPv4 address is the IP address assigned to your router on your local network. All your devices from your computer, phone, or smart TV ''(if you are reading this and still using a smart tv…)'' use that address as the “gateway” to get to the internet & also to communicate with each other. The default configuration is that pfSense assigns <code>192.168.1.1</code> as the LAN IP address. This is the norm for most routers.

* This address is special because it tells devices where to send data when they want to leave your network. For example, if your PC needs to visit <code>apple.com</code>, it sends the request to the router’s LAN IP (<code>192.168.1.1</code>, otherwise known as the gateway), which then forwards it to the internet.
* If you’re not changing anything, you can stick with the default (<code>192.168.1.1</code>). I change it because everyone uses <code>192.168.1.1</code>. If you use a VPN or other networks frequently, changing it to something like <code>192.168.5.1</code> can avoid headaches down the line. If I am trying to connect to <code>192.168.1.1</code> on my home network, but <code>192.168.1.1</code> is the gateway IP of the wifi router my phone is connected to at my friend’s house… you see where this gets confusing.

'''What is a Subnet Mask?'''

A subnet mask is what defines the “size” of your local network. Your LAN is like a neighborhood; the subnet mask is like a property line that goes over how many houses can fit in the neighborhood.

* The default subnet mask for most home networks is <code>255.255.255.0</code>.
This tells your router that there can be up to 254 devices (playstations, phones, computers, etc) connected to your network. That’s a lot. If you have more than 254 devices in your house, you’re probably not reading this guide.
* This subnet mask is abbreviated as <code>/24</code> because the first 24 bits (the <code>255.255.255</code> part) of the address are fixed, while only the last 8 bits are available for device addresses.

'''Why Configure a Static LAN IP?'''

When you assign a static LAN IP to your router, you’re making sure that its address never changes. It would make no sense to have a router IP that changes constantly. Your servers & devices all need to connect to the router, so keep the router where it is. Moving it around senselessly makes no sense. It would be akin to Walmart changing its address every day.

* Imagine your router’s address was constantly changing. One moment it’s at <code>192.168.1.1</code>, and the next, it’s at <code>192.168.1.87</code>. Your devices would be as confused as I am when I call a [https://www.youtube.com/watch?v=qFVwQCFhKSE New York state tax office].
* By giving a static IP like <code>192.168.5.1</code> to the router, I’m making sure that everything in your network knows where to go.

'''Step-by-Step explanation if you’re still confused:'''

'''Set Interface IP Address:'''
* When it asks you to “Set interface IP address,” this is where you’re assigning the LAN IPv4 address. Think of it as giving your router its permanent address in your local network. Enter <code>2</code> to configure the LAN interface.

'''Configure the New LAN IPv4 Address:'''
* Here, you’re telling '''pfSense''' what address you want to use for the router. For example, <code>192.168.5.1</code> makes your router accessible at that address.
* Remember: This is the gateway address that all your devices will use to connect to the internet. Write it down somewhere because you’ll need it later to log in to the '''pfSense''' web interface.
'''Enter LAN IPv4 Subnet Bit Count:'''
* This is where you specify the subnet mask in abbreviated form. For most home setups, the bit count is <code>24</code>, aka <code>255.255.255.0</code>. This allows up to 254 devices to connect to your network. If you’re just starting out, stick with <code>/24</code>.
* '''To keep it simple: when you see <code>192.168.5.0/24</code>, what they mean is everything from <code>192.168.5.1</code> to <code>192.168.5.254</code>.'''
* ''Why not use a bigger subnet?'' Because you’re reading a beginner’s guide. How about you get one device to work in your broom closet before going for over 254?

'''IPv4 Upstream Gateway Address:'''
* This is asking if your LAN interface needs a separate gateway to reach the internet. Since your router '''is''' the gateway for your LAN, just press Enter to leave this blank.
* '''Your LAN doesn’t need to forward traffic anywhere else because the router handles it.'''

'''Configure IPv6 Address for LAN Interface via DHCP6:'''
* You’re not using IPv6. Forget about IPv6 for now. We’ll get to how this makes using your VPN a nightmare later on. If you are not a datacenter or a sysadmin for Amazon Web Services, you have no need for IPv6 in your life at this stage.
</blockquote>

<span id="accessing-the-pfsense-web-interface"></span>
=== 5. Accessing the pfSense Web Interface ===

Now that the basic network setup is complete, you can access the '''pfSense''' web interface to configure more advanced settings.

# On your desktop computer (connected to the LAN port), open a web browser.
# Go to <code>https://192.168.5.1</code> or <code>https://pfSense.home.arpa</code>.
# You may see a security warning in your browser. This is because '''pfSense''' is using a self-signed SSL certificate, which is fine for local networks. Click '''“Advanced”''' and proceed to the site.
# Log in with the default credentials:
#* '''Username:''' <code>admin</code>
#* '''Password:''' <code>pfsense</code>
# Once logged in, you’ll be prompted to change the default password. Set a strong password to secure your router.

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxaty_tmp_d07f1499.png
File:lu55028jxaty_tmp_d9cfd77d.png
File:lu55028jxaty_tmp_e583100f.png
File:lu55028jxaty_tmp_6d87d663.png
File:lu55028jxaty_tmp_c9bf064a.png
</gallery>

<span id="initial-web-setup-wizard"></span>
==== 5.1: Initial Web Setup Wizard ====

# '''Set the Hostname:'''

* Choose a hostname for your '''pfSense''' router. This can be something simple like “pfsense” or “home-router.” You will be able to access the router at <code>pfsense.home.arpa</code> once we set everything up with DNS later, instead of having to visit the router’s web interface based on its IP address. If you typed <code>roflcopter</code> into this box, you would be able to access your router at <code>https://roflcopter.home.arpa</code> rather than typing in [https://192.168.5.1/ https://192.168.5.1] – you get the idea.

<ol start="2" style="list-style-type: decimal;">
<li>'''Set DNS Servers:'''</li></ol>

* For now, you can use a public DNS provider like '''Google DNS (8.8.8.8)''', but we’ll replace this with AdGuard DNS or similar later for ad-blocking.
* Uncheck the option to '''“Allow DNS server list to be overridden by DHCP/PPP on WAN,”''' so your ISP cannot override the DNS settings you choose.

<ol start="3" style="list-style-type: decimal;">
<li>'''Time Zone:'''</li></ol>

* Set the correct time zone for your location (e.g., '''US Central''' if you’re in Texas).

<ol start="4" style="list-style-type: decimal;">
<li>'''Final Steps:'''</li></ol>

* Once these settings are configured, hit '''“Next.”''' It’ll ask you to configure the WAN interface. Unless you have a funky setup, you need not change anything here. This is not for you to mess with.
* It’ll ask you to configure the LAN interface again, but you need not touch anything. Remember, we already did this, and the settings you put in earlier should be what shows up.
* It’ll ask you to make a secure password; it is a good idea to set a secure password and save it in a password manager. No post-it note on the monitor nonsense!
* You’ll be taken to the final page where you can apply the settings and restart the web interface.

<span id="final-check-and-preparing-for-the-next-steps"></span>
=== 6. Final Check and Preparing for the Next Steps ===

At this point, '''pfSense''' is fully installed, and the basic configuration is complete. Here are some final steps and checks:

# It’s a good idea to restart your cable modem when you make these changes, especially if it was previously connected to another router.
# You might want to reset the internet connection on the device you’re using to access the '''pfSense''' web interface, especially if it was connected to a different network before.
# Before we move forward to setting up additional features (like ad-blocking), make sure your internet connection is stable and working as expected.
# Test your internet connection by browsing the web from a device connected to the LAN.
# Remember, you can now manage everything through the web interface. You shouldn’t need to directly connect to the '''pfSense''' device with a monitor and keyboard again unless something breaks. Put the keyboard, mouse, and monitor plugged into that '''pfSense''' device away; we’re (hopefully) never touching that again. '''If you are, that means something bad has occurred.'''
# If you encounter any issues, re-check everything you did.

'''Congratulations!''' Your '''pfSense''' router is now set up and ready for use. Now the real fun begins. :)

<span id="setting-up-freedns-for-dynamic-dns"></span>
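The following is an added example, not part of the original guide: a Python check of the LAN plan from steps 3.2 and 3.3 (router IP, subnet bit count, DHCP range) that also flags the VPN address clash described in the NOTE above. The helper name <code>audit_lan</code> and the <code>REMOTE_LANS</code> list are assumptions made for this example; swap in the networks you actually connect from.

```python
import ipaddress

# Constructed sample: LANs you might join a VPN from (common router defaults).
REMOTE_LANS = ["192.168.0.0/24", "192.168.1.0/24", "10.0.0.0/24"]


def audit_lan(router_ip, bit_count, dhcp_start, dhcp_end, remote_lans=REMOTE_LANS):
    """Validate a LAN plan as entered at the pfSense console (hypothetical helper)."""
    iface = ipaddress.ip_interface(f"{router_ip}/{bit_count}")
    net = iface.network
    start = ipaddress.ip_address(dhcp_start)
    end = ipaddress.ip_address(dhcp_end)
    reserved = (net.network_address, net.broadcast_address)
    problems = []

    if not net.is_private:
        problems.append(f"{net} is not private address space")
    if iface.ip in reserved:
        problems.append(f"router IP {iface.ip} is the network or broadcast address")
    for bound in (start, end):
        if bound not in net or bound in reserved:
            problems.append(f"DHCP bound {bound} is not a usable host in {net}")
    if start > end:
        problems.append("DHCP start address is above the end address")
    elif start <= iface.ip <= end:
        problems.append(f"DHCP pool would hand out the router's own IP {iface.ip}")

    # Overlap with a network you connect from makes addresses ambiguous over VPN.
    clashes = [r for r in remote_lans if net.overlaps(ipaddress.ip_network(r))]
    problems += [f"{net} overlaps remote LAN {r}" for r in clashes]

    return {
        "network": str(net),
        "netmask": str(net.netmask),
        "usable_hosts": net.num_addresses - 2,  # host addresses, router included
        "dhcp_pool_size": max(0, int(end) - int(start) + 1),
        "vpn_clashes": clashes,
        "problems": problems,
    }


if __name__ == "__main__":
    for plan in [("192.168.5.1", 24, "192.168.5.2", "192.168.5.254"),
                 ("192.168.1.1", 24, "192.168.1.2", "192.168.1.254")]:
        print(plan[0], audit_lan(*plan))
```

An empty <code>problems</code> list means the plan is internally consistent and does not collide with any listed remote network.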