[guide] pfsense VM on QNAP in 2020

[Qmann]

if they are on separate vlans, they both can have internet access. difference is, they can't talk to each other.

so your pc cannot talk to your chromecast, vice versa. but both have internet access. however they can talk to other devices on the same vlan. so you can separate out private network vs iots, vs wireless guest

I have phones and PCs that all use chromecast, and homeassistant that needs to run IoT but accessible on PC and phones to signal devices,,,, so I've never been able to VLAN anything . It seems they all need to be on the same network. Seems like there has to be a way to bridge certain traffic over to the other VLAN by some type of rule, but that is far beyond my mojo.

I could do guest wifi, but seems like that's about it.

[Moogle Stiltzkin]

o.... ur using expressvpn.

that kind of vpn only tunnels your internet traffic so that your ip uses the one of your vpn provider. (i use mullvad)
https://www.youtube.com/watch?v=oja3UzuuqGQ

this is different from the vpn server you run from your own router, then provide your client elsewhere e.g. desktop, laptop, smartphone, so they can connect to your router via vpn for a secure encrypted tunnel. NO Vpn subscription required for this. Lawrence explains how to setup this kind of vpn for remote access
https://www.youtube.com/watch?v=PgielyUFGeQ

if they are on separate vlans, they both can have internet access. difference is, they can't talk to each other.

so your pc cannot talk to your chromecast, vice versa. but both have internet access. however they can talk to other devices on the same vlan. so you can separate out private network vs iots, vs wireless guest

I have phones and PCs that all use chromecast, and homeassistant that needs to run IoT but accessible on PC and phones to signal devices,,,, so I've never been able to VLAN anything . It seems they all need to be on the same network. Seems like there has to be a way to bridge certain traffic over to the other VLAN by some type of rule, but that is far beyond my mojo.

I could do guest wifi, but seems like that's about it.

i watched lawrence's video, he says it may be possible using the avahi, so that devices on your private lan can communicate with your guest vlan, but not the otherway. or maybe i misundertood what he meant was possible with that kind of setup he even cites usage for chromecast in a vlan segmented network. i highly recommend you watch this video

https://www.youtube.com/watch?v=HW9mUrF1ZgU

[MikeLagit]

You can do both.

Client: Express VPN in pfsense tunnels outgoing traffic to a public shared IP.

While

Server: Is configured in pfsense so you can connect back into the network remotely with Openvpn client on a phone and laptop. You don't expose any ports on the pfsense except 1194 for incoming OpenVPN.

[Qmann]

Thanks for the IoT tip! I figured it could be done, I just hadn't spent the time on it yet.

[patricepm]

Hi everybody,

I’d like to know your experiences with having pfsense virtualized, and configured the OpenVPN client in pfsense with a vpn provider.

I’ve got it all up and running but the download speed is soooo slow, nearly 30mbps while connecting to the same vpn server using qvpn gives me over 300mbps.

I’d like to hear your comments on this one.
Thank all!


==================================================
QNAP TVS-473
- 4x WD Red Pro 6TB (RAID 10)
- 16GB Memory
- Firmware: QTS 4.5.1

[Qmann]

I didn't have any issues with speed using Express VPN and got around 170mbps down on my 200 mbps connection. That's using 256-bit encryption on my TS-877.

Verify your cpu is aesni, and you have hardware crypto enables properly in pfsense.

[matthewoliver]

Hi,

Trying to install pfsense on my nas, except I can't as I can't find a proper keyboard mapping for my mac... Any ideas? (I've been struggling with other linux VMs but I eventually managed) or should I buy a usb keyboard to plug in the nas. If so, which one would you recommend?
Thx!

[finalwish]

anyone try to enable traffic shaper on their setup?
When I enable traffic shaping using altq, it causes slower download and upload speed.
If I used limiter, there is no issue with speed.

[FastLaneJB]

Quick question on this but do people have issues on reboot with their NAS when running a virtual firewall? I'm new to QNAP but had the 4.5.x builds on my TVS-h1288X (Running QTS and not Hero) and it seemed fine. I upgraded to QTS 5 and had a hell of a lot of issues with it that I've wiped it and set it up cleanly but without OPNsense on it at the moment so just using ISP's basic router. Looking in some of their init scripts they have stuff happening on the NAS which is all Internet focused before Virtual Station comes up and hence the virtual router so it has no access.

This seems to cause issues with some things on bootup I think, I think it might be the cause of the nvidia-udm device missing on bootup as it seems to be working fine when it doesn't have a virtual router on it. So for instance the Nvidia Kernel driver has a ton of wget's in it's script, those no doubt take ages and then fail. Not an issue itself if the drivers are all loaded before hand but it does take a lot longer though. If that's not up and the Nvidia GPU before Container Station comes up which creates the nvidia-udm device then it doesn't seem to appear. It seems hit and miss with a virtual router but seems OK without at least in a few reboots I've tested it so far. Basically I think with the virtual router the Container Station is then starting before the Nvidia side is ready because it's stuck trying to pull data from the Internet when it cannot.

Wondering if others have issues or it all works fine other than taking a lot longer to come live?

Maybe I'll give up on OPNsense and just use something like gluetun and a VM for any sites that need VPN access, it was more nicer though having OPNsense handle all that automatically in the background though.

My other thought is to use another router into NAS, then just have OPNsense with double NAT on-top of that so I can control the rest of the network via it but the NAS would end up bypassing it. It doesn't feel ideal though as that traffic won't be visable to OPNsense so things like shaping / limiting won't be possible. With containers on the NAS it'll be generating a lot of traffic itself.

[Moogle Stiltzkin]

Yeah, I need entire network protection over VPN, so the Qotom does it all on the fly for all traffic. Client to manage the traffic, while Server so i can remote in and work on the network as well.

https://www.expressvpn.com/support/vpn- ... n-openvpn/

there is an update, if u need something like a qotom but has 2.5gbe ports
https://www.youtube.com/watch?v=wUcDg_ms0is


i imagine this is for people needing a router for high speed broadband in the 1gbps or better

i only use 100 mbps so i don't need it urgently. but i could use 2.5gbe for my local lan networking speed

[Qmann]

Pretty cool little box! I wish I had the 2.5G on my Qotom as I do backups with borg across the interfaces to a different network.

-Q

[Moogle Stiltzkin]

Pretty cool little box! I wish I had the 2.5G on my Qotom as I do backups with borg across the interfaces to a different network.

-Q

looks better than the official pfsense boxes
https://www.youtube.com/watch?v=Kg1tKcohsQE


you pay more for less. basically you're just paying for the brand rather than the hardware. this is why i rather get something like a qotom -ish device that has good hardware and i know i can install pfsense onto it

pfsense still works on non official pfsense hardware still for now
https://www.youtube.com/watch?v=cDgF6UoyThQ

-M

[Moogle Stiltzkin]

Pretty cool little box! I wish I had the 2.5G on my Qotom as I do backups with borg across the interfaces to a different network.

-Q

update
https://www.youtube.com/watch?v=IJhlqb4iGn4

[Qmann]

Very cool! Those boxes are such a great solution for a hardware firewall.

The only watch out with this one would be if you have a very fast connection in which you want to run VPN. You might need more than the celeron to get your full throughput with something like 256 bit encryption.

-Q

[Moogle Stiltzkin]

Very cool! Those boxes are such a great solution for a hardware firewall.

The only watch out with this one would be if you have a very fast connection in which you want to run VPN. You might need more than the celeron to get your full throughput with something like 256 bit encryption.

-Q

my best router to date for the past 2 decades. rely liking pfsense

i'm still not a full expert, but once you set it up, you don't have to mess with it. at most u just need to know how to maintain it by backing up the config, and how to update it. for initial setups there are many guides on youtube out there that show u what to do

and you're right, for people wanting to use vpn on it for high speed, then you have to be particular about the cpu u get. if u dont use suricate, pfblocker, vpn, then the low power cpu should be fine, it will even save you on electricity bill.