Switching to pfSense

Tags: dd-wrt, pfsense, networking

So after several years of successfully using DD-WRT, I finally decided to move to pfSense. There are a multitude of reasons for this move, but I'll try to enumerate some of them.

Why pfSense?

1. My new house is too big.

I know. First world problems, right?

In 2012, anticipating the arrival of our first child (and while the mortgage rates were low and prices were good), my wife and I bought a new house that was roughly double the size of our old one. While it's not huge, at 3,400 square feet it's a pretty large house even by American standards. And large enough that wireless access becomes an issue.

While the size in and of itself wasn't the main issue, the location of the Internet wiring in a closet upstairs meant that the wireless access point was on the far side of the house, not centrally located. As a result, the master bedroom at the far side of the house from the access point has noticeably weaker signal.

But to place a router/access point combo in the middle of the house would be tricky because of the layout. The only real solution is to split the wireless access point from the router: keep the router in the closet and put a separate access point on the ceiling on the second floor, where it can cover the entire house.

But couldn't you add a repeater?

Yes, theoretically, I could add a repeater to extend coverage to the rest of the house. But that is undesirable for several reasons.

First, it's yet another thing that needs to be maintained. My experience with repeaters has been that, if all parts of the network are not working perfectly, the repeater won't work. Everything has to be kept in perfect sync. If, say, a power outage happens, and the repeater comes up before the master, too bad. Reboot the repeater.

Second, it adds an additional hop, and additional latency. Not a big deal for mindless web surfing. A very big deal when trying to stream 1080p video. My wife and I have a fully digital media library that streams to all the TVs. Any latency that can be avoided on the network is a must. And, in fact, almost all the TVs are now connected via Ethernet.

So, a repeater is not really what we're looking for. It's wired access points. After all, a little cable isn't a big deal if it fixes the problems.

2. DD-WRT is a hack.

DD-WRT is cool. I've been using it for four years now. I've turned friends on to using it. It's really neat that an open-source project is able to do all this cool stuff with off the shelf routers. I really don't want to take away from what all these guys have accomplished, because they push cheap consumer routers to their absolute max.

But. At the end of the day, it's a hack. It's a cool hack, but it's a hack nonetheless. And it never works quite right - on any of the 8+ routers I've tried it on. So hacks pile up on hacks. Scheduled reboots every night to keep things working. External drives attached by USB to store custom configs, and scripts that copy them into place after DD-WRT reboots.

The problem is, DD-WRT is always a step behind the hardware makers. They're always reverse-engineering the hardware to get DD-WRT to work on it when they can, but they're still at the whims of the device makers. Even the ones that come with "DD-WRT pre-installed" don't really work that well. And after a while, you stop being able to update to newer builds (the last build for one of my routers was from 2012, for instance).

While it's a cool toy and a nifty way to squeeze more life out of a cheap consumer router, you pretty quickly realize that it's not a perfect world.

So, if I'm going to separate out the wifi and the router, why not build a custom router? That's where pfSense comes in.

Enter pfSense

A pfSense box is really nothing more than a standard PC with dual network cards, running pfSense, which is itself just a customized version of FreeBSD plus additional software, along with a nice web-based GUI.

Here's the machine I built for my router:

Parts List

Ubiquiti UniFi UAP-AC installed on the ceiling of the main room in my house, near the center. It's just a little bit larger than a smoke detector.

Notes

  • I used the "Quick Install" method of the pfSense installer. It worked as expected. The one thing it didn't do is set up TRIM on the SSD. So if you have an SSD, you may need to do some research on how to enable it.
  • I use 172.16.104.0/32 for a network range, because I've observed that most other people don't. This makes VPN easier.
  • My OpenVPN setup is identical to the one I used on DD-WRT. The one thing to note is to use UDP and not TCP. I know, it's weird, but OpenVPN has its own built-in error checking. I wasn't able to get it to work at all on TCP.
  • You generate keys using the Cert Manager in pfSense under System > Cert Manager. Use the OpenVPN Client Export Package, which will generate downloadable packages that you can use with a wide variety of OpenVPN clients.
  • Here's some info on running the UniFi access point software on the VPN machine itself. It's written in Java. Note, when you perform a major upgrade, you'll probably lose Java. So just go reinstall it and launch the controller software again, and you should be right back where you were.
  • The UniFi software, for some reason, takes a while to come up. Like 4-5 minutes. But once it does it stays up until you shut it down or reboot the machine.
  • When you install the UniFi software, install the "shellcmd" package, and add the command to launch the UniFi software when you reboot:

        /usr/local/openjdk7/bin/java -jar /usr/local/UniFi/lib/ace.jar start &
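The bare shellcmd line above does the job, but it fails silently in exactly the situation this post describes later: a major pfSense upgrade removes Java, so the controller never comes up and nothing says why. The wrapper below is an added example, not code from the original post or from pfSense or Ubiquiti. It uses the same Java and ace.jar paths as the post, checks that both exist before launching, writes the controller's output to a log, and refuses to start a second copy if one is already running. The log and pid file locations are assumptions and can be overridden with environment variables; point shellcmd at this script instead of the raw java line.

```shell
#!/bin/sh
# Added example (not from the original post): a safer launcher for the UniFi
# controller, meant to be run from the pfSense "shellcmd" package at boot.
# JAVA_BIN and UNIFI_JAR default to the paths the post uses; the log and pid
# file paths are assumptions, not something the post or UniFi defines.

JAVA_BIN="${JAVA_BIN:-/usr/local/openjdk7/bin/java}"
UNIFI_JAR="${UNIFI_JAR:-/usr/local/UniFi/lib/ace.jar}"
UNIFI_LOG="${UNIFI_LOG:-/var/log/unifi-start.log}"
UNIFI_PIDFILE="${UNIFI_PIDFILE:-/var/run/unifi-controller.pid}"

# Return 0 if Java and the controller jar are both present, 1 with a
# diagnostic otherwise (the post notes that upgrades tend to remove Java).
unifi_check() {
    if [ ! -x "$JAVA_BIN" ]; then
        echo "unifi: java not found at $JAVA_BIN (reinstall Java after a pfSense upgrade)" >&2
        return 1
    fi
    if [ ! -f "$UNIFI_JAR" ]; then
        echo "unifi: controller jar not found at $UNIFI_JAR" >&2
        return 1
    fi
    return 0
}

# Return 0 if a controller started by this script is still alive.
unifi_running() {
    [ -f "$UNIFI_PIDFILE" ] || return 1
    pid=$(cat "$UNIFI_PIDFILE" 2>/dev/null) || return 1
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null
}

# Start the controller in the background, detached from the shell that
# shellcmd uses, and record its pid. Returns 1 if prerequisites are missing.
unifi_start() {
    unifi_check || return 1
    if unifi_running; then
        echo "unifi: already running (pid $(cat "$UNIFI_PIDFILE"))"
        return 0
    fi
    nohup "$JAVA_BIN" -jar "$UNIFI_JAR" start >>"$UNIFI_LOG" 2>&1 &
    echo $! > "$UNIFI_PIDFILE"
    echo "unifi: started pid $!, output in $UNIFI_LOG"
}

# Only launch when invoked as the script itself; sourcing the file just
# defines the functions so they can be checked from another shell.
case "$0" in
    *unifi-start.sh) unifi_start ;;
esac
```

Because the controller takes several minutes to come up, the log is the place to look when the web UI is not answering yet; a "java not found" line in it means the post's post-upgrade fix (reinstall Java, run the script again) applies.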

Conclusions

The pfSense box I built, before installing it in my wiring closet.

I've now been running pfSense in my house for about a year. I started on 2.1-release. I later upgraded to 2.1.5-release, and just recently to 2.2-release. All the upgrades were, for the most part, very painless. It literally says "upgrade available," you click upgrade, and it's done in 20 minutes. Considering you're upgrading an entire OS without losing any settings, that's pretty impressive.

Although when I upgraded to 2.2, I DID lose part of my Ubiquiti installation. But all I ended up needing to do was reinstall Java.

In building a machine, the thing I was worried about was that this would be another thing I would have to maintain. Fortunately, it "just works." I only need to do anything on it every few months. It just sits on the wall upstairs quietly routing traffic. I have far, far fewer problems than with DD-WRT based routers or, really, just about any consumer router I've ever used. Every few months I might have to reboot the access point, but that's it. pfSense usually has months of uptime.

So, overall, I'm very pleased with this new setup. It solved many of the problems I was having with my previous setup.
