[lug] network question - pfsense, dd-wrt, etc

Bear Giles bgiles at coyotesong.com
Wed Jul 15 11:03:42 MDT 2020


This might be too much of a niche question but I thought I would start
here. If nothing else it might give people some ideas.

My current network setup uses DD-WRT. Well, it will soon... my old router
had Sudden Death Syndrome and, based on recent painful experiences, I
bought *two* replacements. I'm using one and plan to put DD-WRT on the
second then swap it for the first. If something breaks I can always swap
the first router back in and regain network connectivity. They're identical
models so I don't have to worry about hardware limitations forcing me to
make changes.

I've also been planning to set up a physical firewall - I have a dual NIC
system for this purpose. It's not very powerful but should be able to do
the job. It looks like pfSense is the best choice for this. That's actually
a FreeBSD derivative, and it's common for Linux systems to run it within a
virtual machine, but I'll probably install it directly on the hardware.

I think pfSense can also support external wifi antennas - it's used in
offices and such where you might have a dozen antennas scattered throughout
the room. It could replace my DD-WRT router if I sprang for those
antennas... maybe next time.

The ultimate goal is to have four network segments:

 - mobile
 - IoT 1 - devices accessed from mobile devices
 - IoT 2 - devices not accessed from mobile devices, e.g., Rokus
 - "wired" - which ironically has a few wireless components (work laptop,
Linux desktop downstairs, Raspberry Pis)

The "wired" and "IoT 2" should be completely isolated.

The mobile and IoT-1 should have some interactions.

I want to be able to keep a close eye on what the IoT devices send and
receive.

Many people also want a "kids" or "guest" segment. There would be similar
issues on deciding who gets what access to the other resources.

My question is whether anyone has set up this combination and, if so, how
did they configure it. There are two obvious places to put it - either
between my cable modem and router or between my router and switch. In the
first case I'll have to reconfigure the router as just an access point (I
think) and handle all of the actual routing in pfSense. Otherwise I won't
be able to access it to configure and monitor it. In the second case I can
leave the router as-is and only use the firewall on the wired part of my
network.

There's a lot more flexibility here, e.g., DD-WRT lets you specify routing
between the SSIDs and physical network ports, or I could set up a second
access point, but I'm not looking at that level of detail yet. Just a
general question of whether anyone else has set up both DD-WRT and pfSense
and which one was upstream.

BTW my standard Netgear software doesn't seem IPv6-ready but I'm pretty
sure DD-WRT is and I know that pfSense definitely is. In fact I saw someone
talking about getting 16 IPv6 segments, not just 1, from Comcast by using a
simple configuration change. IPv6 can't be segmented so you can't partition
devices like above. However with that change you can have separate IPv6
segments for each of the network segments I mentioned.

Ideas?

Thx, Bear
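As an added example (not part of the post above, and not pfSense's own code or configuration), here is the four-segment policy described in the message expressed as native pf rules, together with a small evaluator that applies pf's matching semantics (last match wins, except that a matching "quick" rule ends evaluation) so the policy can be sanity-checked against sample flows before it goes on a box. pfSense normally manages rules through its web GUI rather than a hand-written pf.conf, but the rules it installs are pf rules, so the syntax is the same. The VLAN interface names, the 10.0.x.0/24 subnets and the delegated IPv6 prefix are constructed placeholders; the IPv6 side assumes the ISP delegates a /60 via DHCPv6-PD, which is what yields 16 /64 networks, one per segment. Traffic from the two IoT segments is logged (pflog) so it can be watched; the "wired" and "IoT 2" segments can only reach the Internet; only mobile and IoT 1 may talk to each other.

```python
"""Four-segment firewall policy as pf rules, with a pf-style evaluator.

Added example; not code from the original post or from pfSense.
Interface names, IPv4 subnets and the delegated IPv6 prefix are constructed.
"""
import ipaddress

# Assumed: one pfSense VLAN interface per segment; DD-WRT, as a plain access
# point, only maps SSIDs onto these VLANs.
SEGMENT_IFACES = {"mobile": "vlan10", "iot1": "vlan20", "iot2": "vlan30", "wired": "vlan40"}
SEGMENT_V4 = {"mobile": "10.0.10.0/24", "iot1": "10.0.20.0/24",
              "iot2": "10.0.30.0/24", "wired": "10.0.40.0/24"}
# Assumed: a /60 delegated by the ISP via DHCPv6-PD (documentation prefix,
# constructed), carved into one /64 per segment in SEGMENT_IFACES order.
DELEGATED_V6 = "2001:db8:4d0:ff00::/60"
LOGGED = {"iot1", "iot2"}                          # segments whose traffic is logged
ALLOWED_PAIRS = {("mobile", "iot1"), ("iot1", "mobile")}  # only cross-segment traffic allowed


def segment_nets():
    """Return {segment: [IPv4Network, IPv6Network]}."""
    v6 = list(ipaddress.ip_network(DELEGATED_V6).subnets(new_prefix=64))
    return {name: [ipaddress.ip_network(SEGMENT_V4[name]), v6[i]]
            for i, name in enumerate(SEGMENT_IFACES)}


def build_rules():
    """Ordered rule list. Rule 0 is a non-quick default deny; all others are
    quick, so for a given packet the first matching quick rule decides."""
    nets = segment_nets()
    lans = [n for ns in nets.values() for n in ns]
    rules = [dict(action="block", quick=False, log=True, iface=None, src=None, dst=None)]
    for seg, iface in SEGMENT_IFACES.items():
        log = seg in LOGGED
        for net in nets[seg]:
            # 1. explicitly allowed peer segments, same address family only
            for s, d in sorted(ALLOWED_PAIRS):
                if s == seg:
                    peers = [p for p in nets[d] if p.version == net.version]
                    rules.append(dict(action="pass", quick=True, log=log,
                                      iface=iface, src=net, dst=peers))
            # 2. deny every other LAN, 3. then allow Internet egress
            rules.append(dict(action="block", quick=True, log=log, iface=iface, src=net, dst=lans))
            rules.append(dict(action="pass", quick=True, log=log, iface=iface, src=net, dst=None))
    return rules


def render_pf(rules):
    """Render the rule list in pf.conf syntax (action, direction, log, quick, on, from, to)."""
    lines = []
    for r in rules:
        parts = [r["action"], "in"]
        if r["log"]:
            parts.append("log")
        if r["quick"]:
            parts.append("quick")
        if r["iface"]:
            parts += ["on", r["iface"]]
        if r["src"] is None and r["dst"] is None:
            parts.append("all")
        else:
            parts += ["from", str(r["src"]) if r["src"] else "any", "to",
                      "{ " + ", ".join(map(str, r["dst"])) + " }" if r["dst"] else "any"]
        lines.append(" ".join(parts))
    return "\n".join(lines)


def decide(rules, src_ip, dst_ip):
    """Verdict for a packet entering pfSense from src_ip, using pf semantics:
    last matching rule wins unless a matching rule is quick, which wins at once."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    in_iface = next((SEGMENT_IFACES[s] for s, ns in segment_nets().items()
                     if any(src in n for n in ns)), None)  # None: not a LAN source
    verdict = "block"
    for r in rules:
        if r["iface"] not in (None, in_iface):
            continue
        if r["src"] is not None and src not in r["src"]:
            continue
        if r["dst"] is not None and not any(dst in n for n in r["dst"]):
            continue
        if r["quick"]:
            return r["action"]
        verdict = r["action"]
    return verdict


if __name__ == "__main__":
    rs = build_rules()
    print(render_pf(rs))
    for flow in [("10.0.10.5", "10.0.20.7"), ("10.0.40.9", "10.0.30.3"), ("10.0.30.3", "93.184.216.34")]:
        print(flow, "->", decide(rs, *flow))
```

Running the block prints the generated ruleset followed by verdicts for three constructed flows (mobile to IoT 1 passes, wired to IoT 2 is blocked, IoT 2 to the Internet passes). The evaluator only models traffic entering on the LAN VLANs; inbound WAN traffic falls through to the default deny because no interface rule matches it, which is also why a source that belongs to no segment is blocked. The same ordering (default deny, explicit passes, block other LANs, pass to any) is what you would reproduce rule-by-rule per interface in the pfSense GUI.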