Forum Topic

Unified PFSense Users

  • Hello,

    Can I ask a question here? I see the posts are mostly about enterprise setups :)

    Is pfSense OK for a home network? I'm a super novice at networking... hehehe

    I'm planning to buy an HP T620 Plus with an Intel NIC.

    Or should I just go with Omada?

    It's just a simple setup:
    router -> switch -> AP
    or
    router -> AP

    I also plan to add a NAS and IP cameras in the very far future :D

    Thank you to everyone who answers. God bless.

    -- edited by vhick on Dec 11 2022, 04:16 PM
  • well unless you fully trust Omada when it comes to your network security, by all means go ahead.

    t620+ is fine, if you can get one.

    for the switch, an ordinary/dumb switch is fine, but if you can get a VLAN-capable switch, much better.

    as for experience with Omada products: their AP is meh, the range is not that great given their AP is only operating at 80 mW or lower of transmit power. roaming is kinda dumb; the roaming on their mesh Wi-Fi outside the Omada lineup is better. in short I'll avoid this lineup of products as much as possible and just invest in a good AP from Unifi; you can also go with Ruckus if you have an extra large budget on hand. in short, an Omada AP is fine if you only use 1 AP, but once you get to multiple APs and want to get that roaming feature to work, you're going to get an extra headache.
  • @polka

    Thank you so much sir, I'm leaning toward pfSense now. Hopefully YouTube university can help me (I know nothing about networking :D)

    I also remember, sir, you were the one who suggested a TV box for Android home to me. I'm still using it to this day :)

    Can you recommend a cheap VLAN-capable switch?
  • ^ if you have a spare router lying around that isn't being used and it's compatible with OpenWrt, you can use that as a VLAN switch. otherwise, there are cheap VLAN switches out there offered by TP-Link and Netgear; both are functional when it comes to VLANs but both also suck when it comes to securing the management interface of the switch, so all you can do with these cheap VLAN switches is put an extra-hard-to-guess password on them.
  • Perfect! I have one here, sir, running OpenWrt.

    I'll also look for a switch on Shopee, since it's 12.12 today. hehehe...

    I'm looking at Ruijie. It looks OK. I'll just invest in the AP.

    Thank you so much Sir for the help :)
  • @polka

    I'm curious about the crypto accelerator. Can it be used on Windows 11 Pro? What I've read is that it's only for servers. I use a lot of WireGuard at home. Maybe I could lower the latency even further.

    What brand are you using?
  • do i need to enable dial on demand in the WAN settings? I'm finally using a PPPoE account
  • ^nope, set it as always connected. you don't want connect on demand, since once pfSense detects that no internet traffic is flowing, it disconnects your PPPoE connection until someone needs internet access again.

    to be honest, connect on demand only made sense in the 56k dial-up days, but by today's standards, always connected is a must.
  • Sirs, may I ask for help? I currently have pfSense installed with default settings. My setup is:

    pfsense <- tp-link TL-SG2008 switch <- dumb access point (openwrt)

    Currently all connections are allowed in the VLAN firewall rules of pfSense so there won't be any problems while I'm setting up. But I'm having a problem with DNS. The error is always dns_probe_started or DNS_PROBE_FINISHED_NXDOMAIN, unless I change the DNS on every connected device. I tried every kind of DNS within the DNS settings in pfSense, but it's the same error when browsing. I hope you can help me. I'm just a beginner with pfSense.

    Thank you so much.

    EDIT: I resolved it by enabling DNS query forwarding.

    -- edited by vhick on Jan 15 2023, 11:40 PM
  • ^if that's what's happening and DNS forwarding did fix it, something fishy is going on with your ISP: either they blocked access to the root DNS servers or they're intercepting port 53 traffic.

    I suggest enabling DNS over TLS just to be sure.
  • Thank you so much for the tip, Sir @polka

    I've configured it now :)
  • Sir @polka,

    Let me just ask, what do you recommend? Should I go with pfBlockerNG or should I stick with AdGuard Home for pfSense? For home use of course.

    My ISP is Converge :)

    Many thanks!

    -- edited by vhick on Jan 18 2023, 08:08 PM
  • @vhick

    That's what I use. pfBlockerNG for IP blocking, then AdGuard Home as the DNS resolver using NextDNS for upstream queries. NextDNS has better features when it comes to queries. You can even log per device using different DNS technologies.
  • @vhick

    I'll stick with pfBlocker instead for DNS-related firewall stuff. less complication in the setup. I only recommend a DNS server like AdGuard Home if you're still using a normal router from the ISP or a 3rd party. No need to complicate stuff.
  • Sir @polka/@MagikMark

    Thank you so much for the tips. I found a tutorial running AdGuard Home natively on the pfSense box. The AdGuard Home dashboard is a bit less overwhelming compared to pfBlockerNG for a noob who's still learning like me. hehehe..

    Thank you very much again to you both :)
  • @vhick

    Whatever makes you happy. Polka is right. 3rd-party DNS resolvers are not supported by pfSense. Anything can happen. It adds some level of complication. There is no official support.
  • ^ not to mention that it can potentially break when a new update pops up: either you end up with a broken installation of pfSense or the stuff you installed stops working after the update.

    just a headache. stick with pfBlocker instead. the only benefit you get with AdGuard is the fancy UI anyway; functionality-wise, it's basically the same.
  • @MagikMark @polka

    Thank you so much, Sirs. So far I'm still using pfblockerng-devel. It's easy to whitelist and make regexes for blocking ads. I enabled unbound-python and it's like AdGuard Home now. I think I'm satisfying my ego because I can see the average processing time.

    Good morning to you :)
  • ^don't bother with processing time; once it's cached, the response time is <1 ms anyway.
  • warpme11

    Found a website selling OEM replacement NICs. In case you're still interested:

    https://www.axiomupgrades.com/page/network-server-adapters/
  • sirs, please help. I'm trying to get the Squid package on pfSense working, the man-in-the-middle part, so I can read the users' accesses using Lightsquid... but it has problems accessing HTTPS sites. is there a way to avoid this? and if possible, without installing a cert on each PC? all the blocking will be done via SquidGuard.

    Basically my current setup is dual WAN, with pfBlocker, Snort and just the rules on the firewall... but I don't think that should affect Squid....

    thanks
  • In reply to deathgod29 (10 Feb 23 @ 10:11 PM):

    Unfortunately, that's the only way. You need to provision the CA cert from pfSense in each workstation in order for the MITM to properly work.

    Popular NGFWs will be able to do what you require. However, it costs a few hundred thousand pesos per year (licensing).
  • Hi sir pepspeps, I already tried to install the CA on all my test computers, but I still get an error when accessing popular HTTPS sites like Facebook, Gmail, etc.

    Can you guide me with the setup? thank you.
  • Hi, posting here, hoping someone can help with my issue. Been banging my head for several days now about this random freezing issue on the WAN

    SETUP:
    2 x Realtek 1 Gbit NIC
    pfsense 2.5.2
    ISP = Converge
    WAN = static

    in previous weeks when the clients lost internet, I just had pfSense restarted, but now no matter how many restarts, the internet really doesn't come back.

    Troubleshooting:

    - console -> ping google.com got results, sometimes 21 results, sometimes only 2 results, then it FREEZES.
    - take out the WAN cable on the modem side, put it BACK, then perform the ping google step again, results then FREEZE again.

    What I've changed:

    1. Realtek NIC changed to a dual-port Intel Gbit NIC
    2. Changed the card assignments then did the "troubleshooting" (same issue, random freezes)

    ## Upgrade Version
    1. Upgraded to pfsense version 2.6
    2. Default config (factory default settings)

    Still the same Freezing Issue

    Note: Yes, Converge has internet and its ping is stable when I'm doing a standalone test

    Hope someone can help or point me in the right direction.

    Thanks
  • @deathgod29
    CA certificates should be installed on each web browser the end user will use. Assuming you properly configured the proxy settings and SSL MITM of squid, it should work.

    @ensiferum
    If the NIC was the only thing recently changed, it might be faulty. What's the model of the Intel NIC? Can you check Status > Interfaces to see if there are any errors?
  • I still received error when accessing popular sites HTTPS sites like facebook, gmail, etc.

    TLS 1.3 really hates self-signed certs when doing MITM through intercepting traffic (aka rerouting port 80 and 443 traffic to the proxy server). Don't bother, it will not work at all; that's how TLS 1.3 is designed to be.

    the workaround for this is to manually set the proxy setting of the web browser/application you want to MITM and import the certs; after that, TLS 1.3 websites should work.

    Some enterprise solutions install some sort of daemon application on each client to manage certificates (basically they do that proxy setting stuff in the background).

    -- edited by polka on Feb 20 2023, 02:42 PM
  • In reply to polka (21 Feb 23 @ 06:39 AM):

    Thanks for this Polka, I'm going to try your suggestion
  • hi good day, quick question: how do I restrict access so my pfSense can't be accessed from outside the LAN? I just discovered that I can access it even when I'm at home, omg I'm still a total noob at pfSense
  • ^ if the web admin is accessible from the WAN side (e.g. outside your network, like a phone connected via LTE), you probably did something that you should not be doing. check the WAN interface firewall rules and look for any rules that allow port 80/443. if you have a port 80/443 allow rule, make sure that the IP address is not pointing to your pfSense.
  • I'm planning to buy a dual LAN port card for my pfSense. Is Uplift okay? Are they okay with warranty?
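    The check polka describes, turned into a small audit script as an added example (not code from any poster or from the pfSense project): it reads a config.xml backup and flags WAN pass rules that let any source reach port 80 or 443 on the firewall's own address. The sample config is constructed, and the element names (`wanip`, `<any/>`, `port` with optional `lo-hi` ranges) follow pfSense's usual layout as an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like the <filter> section of pfSense's config.xml
# (assumption: element names follow pfSense's usual layout; not exported from any poster's box).
SAMPLE_CONFIG = """<pfsense><filter>
  <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
    <source><any/></source><destination><network>wanip</network><port>443</port></destination>
    <descr>GUI from anywhere - the mistake</descr></rule>
  <rule><type>pass</type><interface>wan</interface><protocol>udp</protocol>
    <source><any/></source><destination><network>wanip</network><port>51820</port></destination>
    <descr>WireGuard - fine</descr></rule>
  <rule><type>pass</type><interface>lan</interface><protocol>tcp</protocol>
    <source><network>lan</network></source><destination><network>lanip</network><port>80-443</port></destination>
    <descr>LAN admin - fine</descr></rule>
</filter></pfsense>"""

ADMIN_PORTS = {80, 443}  # the web GUI ports the reply above says to look for

def port_hits_admin(port_text):
    """True if a pfSense port field ("443", "80-443", or missing = any) covers 80 or 443."""
    if not port_text:
        return True
    lo, _, hi = port_text.partition("-")
    lo, hi = int(lo), int(hi or lo)
    return any(lo <= p <= hi for p in ADMIN_PORTS)

def exposed_admin_rules(config_xml):
    """Descriptions of WAN pass rules that let any source reach the GUI ports on the firewall itself."""
    findings = []
    for rule in ET.fromstring(config_xml).iterfind("./filter/rule"):
        if rule.findtext("type") != "pass" or rule.findtext("interface") != "wan":
            continue
        # a rule with no <protocol> element means 'any' in pfSense
        if rule.findtext("protocol", "any") not in ("tcp", "tcp/udp", "any"):
            continue
        dst = rule.find("destination")
        # 'wanip' is pfSense's "WAN address"; a destination of <any/> reaches it as well
        if not (dst.findtext("network") == "wanip" or dst.find("any") is not None):
            continue
        if port_hits_admin(dst.findtext("port")):
            findings.append(rule.findtext("descr", "(no description)"))
    return findings

if __name__ == "__main__":
    for descr in exposed_admin_rules(SAMPLE_CONFIG):
        print("EXPOSED:", descr)
```

    Run it against a Diagnostics > Backup & Restore export; any line it prints is a rule to delete or restrict to the LAN, since the WAN has no pass rules by default.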