Thursday, December 31, 2020

Things I wish I had known about pfsense before buying my box

1.  pfSense does not generally support more than one network connection per LAN.

That is:

Most off-the-shelf routers have one WAN port (for internet) and multiple LAN ports (for your stuff).  You can plug any/all stuff into any/all LAN port(s) and it just works.

pfSense is not like this.  It expects to have one WAN port and one LAN port.  That's all.  

If you want more, you're supposed to use a network switch.  This may seem counterintuitive, but switches do everything in hardware and are actually faster. 

This means there is really little need to buy a pfSense box or NIC with more than two Ethernet ports (at extra cost).  It won't use the extra ports by default; they are NOT plug-and-play.  In fact, they won't even work until you set them up!

I wish I'd realized this, as I purchased a pfSense box with six ports, which cost more.  I didn't realize the extra ports weren't intended to be plug-and-play for one LAN.

It also means that if you need more than 1 LAN port, you really should invest in a switch as well.  This obviously costs in addition to whatever hardware you are purchasing to run pfSense itself.


However:

A.  If you have already invested in a multi-plug box and want to use the extra ports, you can use the extra ports via bridging.  

pfSense gurus hate this, but it's useful for lots of things - especially if you have good pfSense hardware that can handle the extra load without a big speed penalty.  See here and here.

 

B.  If you have a managed switch that supports Link Aggregation (LAG or LAGG), you can gang multiple ports on your pfSense box to multiple ports to your switch.  

It probably won't speed anything up, but why not?  Can't hurt!  See here.

 

C.  If you can wrangle multiple subnets, you can assign the extra Ethernet ports to their own subnets.  

(If you don't know what that means, don't try.)


Now, a lot of the Qotom boxes (and similar) come with four NIC ports by default, and that's fine.  Same for a lot of popular NIC cards.  Just don't expect the extra ports to be immediately usable like on a Linksys or Netgear.


Sunday, December 6, 2020

How to set up a better separate parental control network for your kids using the Synology RT1900ac router

Again, this is to set up a private, separate, controllable network to implement parental control for the kids, without affecting the main network.

First, don't do what I did here and use a Netgear with Circle built in.  The Synology is SO much better.

Very briefly: set the Synology in bridge mode, then set up Safe Access for parental control.

Basically:

1.  Get an RT1900AC or other Synology router.

2.  Boot it up, go to router.synology.com.

3.  Set it to Access Point mode.

4.  Give it a unique SSID.

5.  If you want, set it to a static IP address.

6.  Let it start up.  If you haven't already, plug it into your "first" router.

7.  Go to router.synology.com or the static ip:8000 to get to the web interface.

8.  Go to "Safe Access" and set up the profiles/settings you want.

9.  If you want, download the app "DS Router" for mobile management.

OK, I probably got the order wrong.  You get the idea.

Compared to using the Netgear, it's soooooo easy.  Everything works: logging, history, filtering, off times, bedtimes, the mobile app, everything.

And there's no subscription fees.  Unlike Circle.  It just works.

Surprisingly, the router started blocking illicit requests from my son's tablet.  It seems there is some hidden process that is trying to ping X-rated websites.  It wasn't him and I can't find any bad apps with Bitdefender, so it's either a bug in Synology (which I doubt) or some really sneaky nasty.  Circle never caught it.

Notes:

-  Leaving tabs open on a PC will cause the PC to drain their time quota,  even if they're not actually using the PC.  The same doesn't happen for tablets or Chromebooks as they're battery-operated and a lot more frugal with their Wi-Fi usage.

-  Pausing the Internet will also cut off all access to everything upstream of the Synology access point, including any NAS devices.  So: no access to stored music, video, or files.  This could be a pro or a con, depending on your needs.

-  The Synology app supports pause, editing of filter level and time-based access, and rewards.  Pretty much just like Circle.

Regrettably, the Synology doesn't support renaming devices, and doesn't allow you to discover the MAC access of some devices directly, which makes setup harder than it needs to be.  These are the only areas where Circle has an edge, but it's not nearly enough to make Circle better.

You could also (obviously) use the Synology as your main router, in which case kids will have LAN/NAS access without having internet access.  

I didn't do this because I have a bunch of port forwarding already set up in my main router, had limited time, and plan to swap my main box for pfsense later.  Keeping the Synology as a parental support bridge made more sense.

But the RT1900ac looks like a very capable router - easily as good as the R7000 Nighthawk I already have.  I wouldn't be scared to swap the Synology in as my primary router.  

It even supports OpenVPN to allow PIA, NordVPN, ExpressVPN or whatever other service you prefer.  Parental controls AND OpenVPN client in a single box!

Ironically, the person who sold me the Synology has also had problems with Circle Gen 1.  So I'm not the only one.

Obviously I highly recommend the Synology routers over the Circle.