This document started out as my notes for building my home network. I was keeping notes because I knew I would have to start over many times and because writing them down helps me remember them.
I thought I would put this online to help others learn.
This document is heavily inspired by https://nguvu.org/pfsense/pfsense-baseline-setup/#Install%20pfSense with a lot of help from nguvu and various folks on reddit.com and https://forum.netgate.com/.
# nacho network

Table of contents:

- overview
- configuration data
- set it up
- VLANs to segregate zones/devices/traffic and minimize exposure between zones (see table below)
- centralized NTP server -- all LAN/VLAN NTP requests should be handled by the pfSense router
- centralized DNS server backed by CloudFlare DNS -- all LAN/VLAN DNS requests should be handled by the pfSense router
zone | purpose | to do |
---|---|---|
trust | | |
iot | | |
guest | | |
serve | | |
dmz | | yes |
alias | device | zone | notes | status |
---|---|---|---|---|
fios | FIOS ONT | | ethernet port enabled | |
pfs | pfSense box | | | |
switch 8 lite | Unifi Switch Lite 8 Poe | LAN | | |
wifi 6 lite | Unifi 6 Lite Access Point | LAN | | |
personal desktop | personal desktop | trust | wired | |
unifi | Unifi controller | LAN | running in VM on personal desktop | |
personal laptop | laptop | trust | wireless | |
phones | family cell phones | trust | wireless | |
roku | Roku | trust | wired | |
st | SmartThings HUB | iot | wired | to do |
iot | various IoT devices | iot | wireless | to do |
work desktop | work laptop | guest | wired | |
work laptop | work laptop | guest | wireless | |
nuc | Intel NUC | serve | Debian server | |
www | web site | dmz | Docker container | to do |
samba | Samba | serve | Docker container | to do |
Physical connections (device: port -> what it connects to):

- fios: ethernet -> pfs WAN (em0)
- pfs: LAN (em1) -> switch 8 lite
- switch 8 lite: wifi 6 lite, work desktop, personal desktop, nuc, roku
- new pfSense server with one 10G port for LAN (to avoid a switch-to-router bottleneck) and AES-NI
- new switch with one 10G port for uplink
- https://nguvu.org/pfsense/pfsense-baseline-setup/#Install%20pfSense
- https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html
- https://blog.flippedbits.io/2020/07/wrangling-dns-on-your-network-part-2-forcing-pfsense-dns/
- https://blog.linuxserver.io/2019/11/13/pfsense-unifi-wifi-vlan/
- reddit and pfsense forum posts
- configuration data (VLANs, DHCP ranges, port forwards and firewall rules referenced in the steps below): https://docs.google.com/spreadsheets/d/1L-rZIr-zx0nmQWmY8F8IweCcH0Wr6OeO1OPCs1ltiVI/edit#gid=0
- make sure WAN on `pfs` is not connected to the internet until the FW rules are added
- do a factory reset on `pfs`, `switch 8 lite`, and `wifi 6 lite` just to make sure we're starting from scratch
- default pfSense username and password for `pfs`:
  - username: `admin`
  - password: `pfsense`
See https://docs.netgate.com/pfsense/en/latest/install/download-installer-image.html for how to install pfSense.
group | setting | sub setting | value |
---|---|---|---|
General Information | Hostname | | pfs |
General Information | Domain | | local.lan |
General Information | Primary DNS Server | | 1.1.1.1 |
General Information | Secondary DNS Server | | 1.0.0.1 |
General Information | Override DNS | Allow DNS servers to be overridden by DHCP/PPP on WAN | unchecked |
group | setting | sub setting | value |
---|---|---|---|
Time Server Information | Time server hostname | | 0.pfsense.pool.ntp.org |
Time Server Information | Timezone | | America/New_York |
group | setting | sub setting | value |
---|---|---|---|
RFC1918 Networks | Block RFC1918 Private Networks | Block private networks from entering via WAN | checked |
RFC1918 Networks | Block bogon networks | Block non-Internet routed networks from entering via WAN | checked |
group | setting | sub setting | value |
---|---|---|---|
Configure LAN Interface | LAN IP Address | | 192.168.1.1 |
Configure LAN Interface | Subnet Mask | | 24 |
group | setting | sub setting | value |
---|---|---|---|
DNS Server Settings | DNS Server Override | Allow DNS server list to be overridden by DHCP/PPP on WAN | unchecked |
DNS Server Settings | Disable DNS Forwarder | Do not use the DNS Forwarder/DNS Resolver as a DNS server for the firewall | unchecked |
group | setting | sub setting | value |
---|---|---|---|
webConfigurator | WebGUI redirect | Disable webConfigurator redirect rule | checked |
webConfigurator | WebGUI Login Autocomplete | Enable webConfigurator login autocomplete | unchecked |
webConfigurator | Anti-lockout | Disable webConfigurator anti-lockout rule | unchecked |
group | setting | sub setting | value |
---|---|---|---|
Firewall Advanced | Firewall Optimization Options | | Conservative |
Firewall Advanced | Firewall Maximum States | | 1632000 |
Firewall Advanced | Firewall Maximum Table Entries | | 2000000 |
Bogon Networks | Update Frequency | | Monthly |
group | setting | sub setting | value |
---|---|---|---|
IPv6 Options | Allow IPv6 | All IPv6 traffic will be blocked by the firewall unless this box is checked | unchecked |
group | setting | sub setting | value |
---|---|---|---|
Power Savings | PowerD | Enable PowerD | checked |
Power Savings | AC Power | | Hiadaptive |
Power Savings | Battery Power | | Hiadaptive |
Power Savings | Unknown Power | | Hiadaptive |
Gateway Monitoring | Skip rules when gateway is down | Do not create rules when gateway is down | checked |
- Interfaces > Assignments > VLANs: add VLANs with priority 0 using the VLAN data in configuration data
- Interfaces > Assignments > Interface Assignments: add all the available network ports
- Interfaces: go through the `OPT#` interfaces and configure them:

heading | setting | sub setting | value |
---|---|---|---|
General Configuration | Enable | Enable interface | checked |
General Configuration | Description | | set to associated VLAN description |
General Configuration | IPv4 Configuration Type | | Static IPv4 |
Static IPv4 Configuration | IPv4 Address | | from configuration data |
Reserved Networks | Block private networks and loopback addresses | | unchecked |
Reserved Networks | Block bogon networks | | unchecked |

- Services > DHCP Server: go through the `VL##_*` interfaces and configure them:

heading | setting | sub setting | value |
---|---|---|---|
General Options | Enable | Enable DHCP server on ... interface | checked |
General Options | Range | | from configuration data |
group | setting | sub setting | value |
---|---|---|---|
NTP Server Configuration | Interface | | |
NTP Server Configuration | Time Servers | | 0.pfsense.pool.ntp.org |
NTP Server Configuration | Time Servers | Is a Pool | checked |
NTP Server Configuration | NTP Graphs | Enable RRD graphs of NTP statistics (default: disabled). | checked |
group | setting | sub setting | value |
---|---|---|---|
General DNS Resolver Options | Network Interfaces | | |
General DNS Resolver Options | Outgoing Network Interfaces | | |
General DNS Resolver Options | System Domain Local Zone Type | | Static |
General DNS Resolver Options | DHCP Registration | Register DHCP leases in the DNS Resolver | unchecked |
General DNS Resolver Options | Static DHCP | Register DHCP static mappings in the DNS Resolver | checked |
General DNS Resolver Options | Custom options | | `local-data: "local.lan. 10800 IN SOA pfs.local.lan. root.local.lan. 1 3600 1200 604800 10800"` |
group | setting | sub setting | value |
---|---|---|---|
Advanced Privacy Options | Query Name Minimization | Send minimum amount of QNAME/QTYPE information to upstream servers to enhance privacy | checked |
Advanced Resolver Options | Prefetch Support | Message cache elements are prefetched before they expire to help keep the cache up to date | checked |
Advanced Resolver Options | Prefetch DNS Key Support | DNSKEYs are fetched earlier in the validation process when a Delegation signer is encountered | checked |
Advanced Resolver Options | Harden DNSSEC Data | DNSSEC data is required for trust-anchored zones. | checked |
Advanced Resolver Options | EDNS Buffer Size | 4096 |
- Firewall > NAT > Port Forward: use the port forwarding data in configuration data to add the required port forward rules
- Firewall > Rules: use the firewall rule data in configuration data to add the required firewall rules for each interface
  - some FW rules will already be there; these are linked to previous settings and port forward rules
- now would be a good time to make sure everything except the WAN on `pfs` is hooked up
- mind what devices you plug into what port on `switch 8 lite`; you'll need to know what is plugged in where when configuring the VLANs in `unifi`
- we want all of the unifi stuff, including the controller, on the default `LAN` interface (untagged VLAN)
  - the `switch 8 lite` and `wifi 6 lite` will automatically be on the `LAN` interface (by default)
  - for the unifi controller running in a VM on `personal desktop` to work, we have to set the NIC of `personal desktop` to `VL10_trust` and the NIC of the VM to untagged
- the
- some of the settings in the unifi controller are not available in the new UI and you may need to switch to the classic UI
- make sure everything is hooked up, especially: `pfs`, `switch 8 lite`, `wifi 6 lite`, and `personal desktop`
- create a Debian VM for `unifi` on `personal desktop`
- in the hypervisor, set `personal desktop` to `VL10_trust` and make sure the unifi VM is untagged
- once Debian is installed in the VM, install the unifi controller: https://community.ui.com/questions/UniFi-Installation-Scripts-or-UniFi-Easy-Update-Script-or-UniFi-Lets-Encrypt-or-UniFi-Easy-Encrypt-/ccbc7530-dd61-40a7-82ec-22b17f027776
- once the unifi controller is installed, navigate to `https://[IP of the VM]:8443` where `[IP of the VM]` is the IP of your `unifi` VM
- follow the on screen instructions to create an account and set things up
- adopt the `switch 8 lite` and `wifi 6 lite`
- configure your mail server in Settings > Controller
- in `https://[IP of the VM]:8443` go to Settings > Networks
- Create New Network for each of the VLANs:

group | property name | property value |
---|---|---|
Create New Network | Name | name/description from VLANs |
Create New Network | Purpose | Corporate |
Create New Network | Interface | LAN |
Create New Network | VLAN | VLAN Tag/ID from VLANs |
Create New Network | Gateway Type | Default |
Create New Network | Gateway IP/Subnet | IPv4 Address from VLANs |
Create New Network | DHCP Mode | DHCP Server |
Create New Network | DHCP Range | DHCP range from VLANs |

- go to Settings > Wireless Networks and create the wireless networks per need
  - to associate a wireless network with a VLAN, select the appropriate network for the Network option
- go to Settings > Profiles > Switch Ports
- create a new port profile:

group | property name | property value |
---|---|---|
Create new switch port profile | Profile Name | [whatever you want] |
Create new switch port profile | PoE | Off |
Networks/VLANs | Native Network | LAN |
Networks/VLANs | Tagged Networks | VL10_trust = checked |
- go to Devices > click on the switch > click on Ports
- edit the port `personal desktop` is connected to and set the Switch Port Profile to the trunk you created in "trunk port for `personal desktop` and `unifi` VM" above
- after you apply, reboot `personal desktop` so it gets an IP in `VL10_trust`
- after you reboot, (re)start the `unifi` VM and navigate to `https://[IP of the VM]:8443` where `[IP of the VM]` is the IP of your `unifi` VM
- navigate back to `https://[IP of the VM]:8443` and associate the other ports on `switch 8 lite` with their associated network/VLAN as needed
  - make sure the `wifi 6 lite` stays on the default `All` Switch Port Profile because we control which VLAN each wifi is on at the wireless network level (from wifi above)
- make sure the
- add email capability to pfSense: System > Advanced > Notifications

group | setting | sub setting | value |
---|---|---|---|
E-Mail | E-Mail server | | smtp.gmail.com |
E-Mail | SMTP Port of E-Mail server | | 465 |
E-Mail | Secure SMTP Connection | Enable SMTP over SSL/TLS | checked |
E-Mail | Validate SSL/TLS | Validate the SSL/TLS certificate presented by the server | checked |
E-Mail | From e-mail address | | gmail email address |
E-Mail | Notification E-Mail address | | gmail email address |
E-Mail | Notification E-Mail auth username (optional) | | gmail email address |
E-Mail | Notification E-Mail auth password | | gmail email password |
E-Mail | Notification E-Mail auth mechanism | | PLAIN |
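The notification table above amounts to SMTP with implicit TLS on port 465, PLAIN authentication, and the server certificate validated. The snippet below is an added example, not part of these notes or of pfSense; it expresses the same settings with Python's `smtplib` so the effect of the "Validate SSL/TLS" checkbox is visible in code. The addresses are placeholders, and the `smtp_class` parameter exists only so the logic can be exercised with a fake transport instead of a live connection.

```python
import smtplib
import ssl
from email.message import EmailMessage


def tls_context(validate_cert=True):
    """Build the TLS context that the 'Validate SSL/TLS' checkbox controls.
    Checked: verify the server's certificate chain and hostname (Python's default
    context). Unchecked: accept any certificate, which lets any host that can sit
    between the router and smtp.gmail.com present its own certificate and read
    the PLAIN username and password off the connection."""
    ctx = ssl.create_default_context()
    if not validate_cert:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def send_notification(subject, body, *, sender, recipient, username, password,
                      server="smtp.gmail.com", port=465, validate_cert=True,
                      smtp_class=smtplib.SMTP_SSL):
    """Send one notification the way the notes configure pfSense: SMTP over
    SSL/TLS on 465 with the PLAIN mechanism. smtp_class is injectable only so a
    test can substitute a fake transport; returns the message handed over."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = sender
    msg["To"] = recipient
    msg.set_content(body)

    # SMTP_SSL wraps the socket in TLS before any SMTP command is sent
    # (implicit TLS on 465), as opposed to STARTTLS upgrade on 587.
    with smtp_class(server, port, context=tls_context(validate_cert)) as smtp:
        smtp.user, smtp.password = username, password
        smtp.auth("PLAIN", smtp.auth_plain)   # the PLAIN auth mechanism from the table
        smtp.send_message(msg)
    return msg
```

To send a real test, call `send_notification(...)` with the Gmail address and password from the table; with `validate_cert=False` the same call still "works", which is exactly why an unchecked box is easy to miss and why the notes keep it checked.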