I want to add pfsense to my server; how/where to get started?



I restarted 3 more times and finally got access to the GUI.

 

I made a bit more progress, but was never able to get both cards passed through to pfSense and then connect to the pfSense GUI. I mucked about a bit more and I've got pfSense configured to be on my LAN IP range, have connected to its GUI and navigated around a bit.

 

I don't know enough yet to really work on any setup stuff, especially since the WAN port is really just connected directly to my router, so any setup wouldn't be right anyway at this point.

 

Tomorrow, I'm going to try (yet again) to get the second card passed through to pfSense without killing the unRAID server. I don't know why this happens, but I'm hopeful that now that I have pfSense sort of set up and available at its GUI (instead of the VNC console), I'll have better luck.

 

If anyone has any more suggestions, I appreciate them all.

Link to comment

The NICs still show up, even after I start VM.

 

You can use the VNC monitor to make sure it is running correctly. Plus there is some minor stuff that might be useful for troubleshooting, like plugging in the NICs wrong.

 

The other thing is what NICs are you using? Are they on the preferred list for pfSense?

Link to comment


So I only have 2 NICs, and I need to pass them both through to pfSense. When I do that, by adding them to my syslinux.cfg file, they are no longer available to unRAID, so I can't connect to unRAID to launch the pfSense VM, or to launch the VNC window. This means, to me, that I have to auto start the pfSense VM and hope it's configured properly to use the 2 NICs. I can't figure any way to assign them to the VM to configure it from unRAID. Maybe I'm just missing something.

 

Link to comment


If your system only has 2 NICs total you cannot pass them both through to pfSense. unRAID will never get an IP address because it thinks it doesn't have a NIC. unRAID needs a NIC; you could only pass through 1 NIC and then one virtual NIC (br0), that might work. Honestly though, go on eBay and buy an Intel dual NIC PCIe, it will save you so much headache.

Link to comment
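The trap the two posts above describe (stubbing every NIC for passthrough, so unRAID boots with no interface and never gets an address) can be caught before a reboot. The script below is an added example, not anything posted in this thread or shipped with unRAID: it reads the `vfio-pci.ids` / `pci-stub.ids` list from the `append` line of syslinux.cfg, compares it against the Ethernet controllers (PCI class 0200) that `lspci -n` reports, and counts how many NICs would remain for unRAID. The sample `lspci -n` output and append line embedded in it are constructed for illustration; the path `/boot/syslinux/syslinux.cfg` and the assumption that the first `append` line is the default boot entry are mine.

```shell
#!/bin/sh
# Added example: sanity-check a syslinux.cfg passthrough list before rebooting.
# Constructed sample input (not from the thread): two Ethernet controllers
# (class 0200) and one SATA controller, as `lspci -n` would print them.
SAMPLE_LSPCI='00:19.0 0200: 8086:153a (rev 04)
02:00.0 0200: 8086:10d3
00:1f.2 0106: 8086:8c02 (rev 04)'
# Constructed append line that stubs BOTH NICs, the situation in the post above.
SAMPLE_APPEND='append vfio-pci.ids=8086:153a,8086:10d3 initrd=/bzroot'

# stubbed_ids APPEND_LINE: one vendor:device id per line taken from
# vfio-pci.ids= or pci-stub.ids= on the append line (empty if neither is set).
stubbed_ids() {
  for kw in vfio-pci pci-stub; do
    printf '%s\n' "$1" | sed -n "s/.*$kw\.ids=\([^ ]*\).*/\1/p"
  done | tr ',' '\n'
}

# nic_ids LSPCI_OUTPUT: vendor:device id of every Ethernet controller.
nic_ids() {
  printf '%s\n' "$1" | awk '$2 == "0200:" { print $3 }'
}

# remaining_nics LSPCI_OUTPUT APPEND_LINE: print how many NICs unRAID keeps.
# Matching is by vendor:device, exactly as vfio-pci.ids matches, so two
# identical ports are counted as both stubbed.
remaining_nics() {
  stubs=$(stubbed_ids "$2")
  left=0
  for id in $(nic_ids "$1"); do
    if ! printf '%s\n' "$stubs" | grep -qxF "$id"; then
      left=$((left + 1))
    fi
  done
  echo "$left"
}

# check_live: run against the real box. Assumes unRAID's syslinux.cfg path and
# that its first append line is the entry that boots by default.
check_live() {
  append_line=$(sed -n '/^[[:space:]]*append/{p;q;}' /boot/syslinux/syslinux.cfg)
  left=$(remaining_nics "$(lspci -n)" "$append_line")
  if [ "$left" -eq 0 ]; then
    echo "WARNING: every NIC is stubbed; unRAID will come up without a network interface" >&2
    return 1
  fi
  echo "$left NIC(s) remain available to unRAID"
}

# Only touch the live system when explicitly asked: `sh nic-check.sh live`
if [ "${1:-}" = "live" ]; then
  check_live
fi
```

With the constructed sample, `remaining_nics "$SAMPLE_LSPCI" "$SAMPLE_APPEND"` prints 0, which is exactly the state the reply above warns about. Because the kernel matches `vfio-pci.ids` on vendor:device rather than on bus address, a board with two identical onboard ports cannot keep one and stub the other this way, which is another reason the add-in Intel card suggested above is the cleaner route.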
  • 3 weeks later...

... buy an Intel dual NIC PCIe, it will save you so much headache.

 

Done.  This should give me the ability to have a 3 NIC pfSense, plus the NIC for unRAID.  I will resume this project on Thursday, when it's supposed to arrive.

 

I'm also looking to do this... If I wanted to also cover my WiFi devices.. do I need one or two WiFi cards? Are USB ones okay?

Link to comment

I strongly recommend setting up a real Wifi access point on your network instead of trying to drive it through a pfsense VM. You can get a really good radio for not a lot more than a USB Wifi card and mount it wherever you can run a Cat5 instead of being limited to USB near your server. http://amzn.com/B00HXT8R2O You don't even need power located at the access point, it sends the power through the Cat5 line with the included POE injector. You can manage it with a docker, or just set it up and let it run on its own.
Link to comment

I just use old routers set into AP mode (disable DHCP, set static IPs for something other than my pfSense IP). That said, my IBM branded Quad NIC doesn't seem to like being run in a VM and having UPnP work correctly (kills online gaming after five minutes)... so back to my low power AMD 5350 box... works fine.

Link to comment
  • 1 month later...

Justinchase, I have a very similar case as you. I had an Asus RT-AC88U up until "someone" spilled wine on it last night. I quickly replaced it with my "old" WNDR3700v2 (because god forbid we are without an Internet connection) and everything was back up and running. The issue I have seen today though is that the 88U handled a permanent VPN connection just fine for my 25Mb/s connection BUT the WNDR3700v2 drops that 25Mb/s down to a steady 7Mb/s :/

 

The 88U has a Broadcom BCM4709C0 (1.4 GHz, 2 cores) while the poor old workhorse WNDR3700 has an Atheros AR7161 (680 MHz, 1 core). The CPU on that old fella clearly can't handle AES256-CBC, SHA256 at a full 25Mb/s.

 

Anyway, did you ever get this set up? Did it solve your VPN performance issue? I am thinking for the cost of a dual Intel NIC it sounds VERY viable. I'll mitigate the running-it-in-a-VM issue (on the off chance that the unRAID server is down or I need to do maintenance) with redundant H/W so I can access the GUI in an emergency, so good on that front.

Link to comment

If you are going to go the external box route, there are Intel based mini-ITX boards that have dual Intel NICs on them that have enough power to run pfSense for most home users. I want to say it's a J1800 chipset, but I'm probably wrong. I went a different route as I already had some parts and getting an AMD combo deal from my local Microcenter was basically buy a CPU, get a free motherboard.

 

My current pfSense build is:

iStarUSA D-213-MATX Black Aluminum / Steel 2U Rackmount microATX Server Chassis (NewEgg $37, sale price)

AMD AM1 5350 Quad-core CPU + ASRock AM1H-ITX (Microcenter $53 after combo, went with this MB for mini-PCIe & 19v DC power option)

Westronix Universal Laptop Charger ($22)

Intel PRO/1000 Quad NIC (eBay $30 for card, $4 for low profile bracket)

2GB DDR3 (laying around from an old build)

60 GB SSD (laying around from an old build, overkill space wise)

Link to comment

No, I haven't gotten this done yet; real life got in the way. I have this weekend free and am planning on getting all my server projects done then. I'll let you know how it goes.

Link to comment

Hi, I am NOT going to go down the external box route in the first instance. I think I will keep the old router plugged in and "Ready to Go" if there is ever a need to take the VM down for maintenance etc. I've decided I can live with the odd unRAID server reset IF it happens.

 

We might end up doing this at around the same time then. I have just ordered 2 x DUAL Intel NIC from eBay. Not sure I REALLY need 2 BUT they were very cheap in comparison to the store prices, so I figure I might be able to have a redundant VM in the Backup Server if I don't put both NIC cards in the Main Server.

 

http://www.ebay.com.au/itm/252245863355?_trksid=p2060353.m2749.l2649&ssPageName=STRK%3AMEBIDX%3AIT

 

Should be fun!

 

Link to comment
  • 2 weeks later...

Well, I've done it. I have pfsense running as a VM on my backup server serving as my router for my network and it is GREAT! It was so much easier than I thought it was going to be. I am going to write a detailed guide for people who want to do what I have done and follow it but here are the highlights.

 

done this on an asrock c2250 board. ipmi interface in switch. 2 motherboard nics bonded in unraid into switch. modem into port 1 of new intel nic (wan). switch into port 2 of new intel nic (lan).

 

did this on my backup server as this h/w is mostly un-used and the machine sits there backing up the main server once a day. i understand that my internet connection is dependent on unraid being up and the vm being up on the backup server but it is always up anyway. it has hardly anything but bare bones unraid running on it (barring 1 windows 10 vm and a few essential plugins) and is basically rock solid up all the time.

 

- went to pick up my new 2 port gigabit intel server card;

- came home and installed it in my server, so far so good;

- overcame unraid / bonding issue with the new nic by editing network.cfg to just bond the motherboard nics;

- decided that i didn't need to passthrough the intel server nic card to the vm i could just use bridges;

- setup 2 bridges manually to each nic port on the server card and tested it (named one in and one out);

- created freebsd vm with 4gb ram and 2 cpu cores (of an avoton quad atom cpu);

- configured the two bridges to the vm only;

- assigned unraid and imac with a static ip address (not via dhcp) to allow constant access to unraid box even when pfsense vm is down;

- booted into pfsense and assigned wan and lan port to each bridge (as named);

- configured pfsense with isp username and password and changed interface password;

- boom it works;

- added bridge commands to go file;

- didn't set anything to autostart for now;

- rebooted to test static ip and to see what happens when vm is down and unraid was accessible as normal (emulating array / vm down) but of course there was no internet connection;

- set array to autostart and vm to autostart;

- rebooted;

- everything booted fine (unraid booted quick as it had a static ip). array came up. vm came up;

- within 5 mins everything was running perfectly;

- checked configuration everything fine;

- repeated boot / check config 15 times. each time was fine;

- configured old dd-wrt router into access point mode to allow for wireless clients and plugged that into network;

- tested wireless clients and they all worked first time;

- done.

 

total time taken 2.5 hours and plenty of scotch.

 

next step is to configure permanent openvpn connection for some ips and clear net for others.

 

:)8)

 

edit:

 

i have started to play with the vpn. i have decided that i am going to drop the bond and just run unraid off one gigabit nic. what am i going to do? well i think i like the idea of assigning a physical interface to clear net and one to vpn rather than just doing things via ip address. so i am going to add another bridge (and change the names of the bridges) and i'll end up with brinclearnet0 and brinvpn0 and brwan0. i'll connect a switch to each of the internal ports and then distribute as i see fit around the ports around the home. i'll run the wireless router off the vpn interface (as well as the majority of other connections) and i'll save the clear net for the xbox, voip box and steam gaming machine (via ip).

Link to comment
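The write-up above is the first working recipe in the thread: one bridge per physical port on the add-in card, the VM attached only to those bridges, the bridge commands added to the go file, and a static IP on unRAID so the box stays reachable when the pfSense VM (and with it DHCP) is down. The script below is an added example of that step, not the poster's own go file and not part of unRAID. Everything in it is an assumption for illustration: `eth0` is the interface unRAID keeps for itself, `eth2` and `eth3` are the two ports of the Intel card, the bridges are named `brwan0` and `brlan0` (the poster later renames theirs), and it is stored at a path of your choosing and called from `/boot/config/go`. It uses `ip(8)` bridge commands and refuses to enslave the management interface, which is the mistake that would cut unRAID off the network.

```shell
#!/bin/bash
# Added example of the "one bridge per Intel port" setup described above.
# Assumed interface names (not from the thread): eth0 stays with unRAID,
# eth2/eth3 are the two ports of the add-in card.
MGMT_IF="eth0"
WAN_IF="eth2"
LAN_IF="eth3"

# bridge_cmds BRIDGE IFACE: print the ip(8) commands that create BRIDGE and
# attach IFACE to it. It only prints, so the plan can be reviewed or tested
# without root; it refuses to touch the interface unRAID itself uses, because
# moving that port into a new bridge is how the management IP disappears.
bridge_cmds() {
  br="$1"
  ifc="$2"
  if [ "$ifc" = "$MGMT_IF" ]; then
    echo "refusing to bridge management interface $ifc (unRAID would lose its IP)" >&2
    return 1
  fi
  printf '%s\n' \
    "ip link add name $br type bridge" \
    "ip link set dev $ifc master $br" \
    "ip link set dev $ifc up" \
    "ip link set dev $br up"
}

# apply_bridges: create both bridges, skipping any that already exist so the
# script is safe to re-run (for example from the go file on every boot).
apply_bridges() {
  for pair in "brwan0:$WAN_IF" "brlan0:$LAN_IF"; do
    br="${pair%%:*}"
    ifc="${pair#*:}"
    if ip link show "$br" >/dev/null 2>&1; then
      echo "$br already exists, leaving it alone"
      continue
    fi
    bridge_cmds "$br" "$ifc" | while read -r cmd; do
      $cmd
    done
  done
}

# Only change the live system when explicitly asked, e.g. from /boot/config/go:
#   bash /boot/config/bridges.sh apply
if [ "${1:-}" = "apply" ]; then
  apply_bridges
fi
```

Once the bridges exist, the VM is pointed at them rather than at unRAID's own `br0`; in the libvirt XML unRAID generates, that is the `<source bridge='brwan0'/>` element of each `<interface type='bridge'>`, and pfSense then sees one virtual NIC per bridge to assign as WAN and LAN. Keeping the modem-facing bridge free of any unRAID address is what keeps unRAID off the untrusted side of the firewall, and the static IP step above is what keeps it reachable on the LAN side when the VM is not running.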

Great news, and great report.  I never got around to working on mine yet, but am more motivated after reading your report.

 

I had planned to do as you seem to have changed to, which is using one 'clear' NIC for internet access even when the server/pfSense is down. Especially since I think it will be good to have internet access to diagnose server issues on occasion.

 

I thought I'd read that using bridges was not good, but i can't say/remember why, and could be totally wrong. 

 

I'll try to start working on mine soon.  I can't remember if someone else posted this already, but this is the setup guide I'm probably going to follow...

 

https://airvpn.org/topic/11245-how-to-set-up-pfsense-21-for-airvpn/

Link to comment

I had read (and like you I cannot remember where or can find the reference) that there was nothing "wrong" with using bridging but there was perhaps a performance issue (if I remember correctly) with conflicting drivers between nix and freebsd (pfSense2.1).

 

Anyway, I could not find the reference and I certainly didn't find any performance issue last night when I tested. I ran my 25/5 Mb/s internet connection at full speed and I sent 7 20GB HD streams over the network to each TV node in the house and all ran flawlessly. IF there is a performance issue there I cannot see it.

 

As for guides, that is the one I found too and that is my VPN provider too. I am following that right now!

Link to comment
  • 4 weeks later...

Hello!

 

I'm planning on moving my pfSense box (currently a Mac mini) to a VM with unRAID (parts should arrive this week). How is it working for you guys?

 

Thanks!

 

perfect. uptime is currently 7 weeks.

 

Glad to hear that! Are you using the virtio drivers or just doing passthrough of the NICs?

 

Also, if you need to restart the unRAID server or do some maintenance, are there problems getting the pfSense VM running again?

Link to comment
