From my vague understanding of them I don't see the usefulness of VLAN's in a home network. I don't have any significant data flows from one device to another except for the camera sub-net. Everything else just wants access to the outside world. The annoyance to me is that a typical home router provides no logging and very little information regarding what is happening.
Pfsense on Blue Iris PC or Separate PC?
- Thread starter bugsysiegals
- Start date
Then I believe I'd do the first thing I mentioned. Turn of all the stuff that makes the WRT a router and use it for switch ports and an AP. Use the pfSense box to do all the firewall and routing work, along with the logs and/or whatever else.
bugsysiegals
Getting the hang of it
As I looked at my connection, I’m actually on UDP so it must set it that way stock.
bugsysiegals
Getting the hang of it
Agreed, pfSense becomes the router, the router gets put into bridge mode and is an AP only. I’ve now picked up a Ubiquiti AC Lite for $62 which broadcasts up to 4 SSID’s and supports VLAN’s. I’ll be adding another and selling the routers.
As a side note, I ordered parts to put together a pfSense box to play with.
I had a small mini-ITX case, power supply, small SSD, and a DVD reader from a now outdated mini system. Pulled out the Intel Atom 230 board to put in an ASRock J4105B-ITX board and an Intel 4-port NIC.
Might just depend on the router and what you are willing to do to configure it. For example, on my old RT-N66U, you can setup a remote log server in Administration > System tab (but you would need a Log Server running somewhere). You also have to SSH into the router to tweak some other settings to set the Logging Level (SSH is not exactly the typical consumer interface).
pfSense can log to a local drive, but has the same problems as a router if you just connect a low durability USB stick (or in the case of router use the NVRAM) you have to deal with limited rewrite cycles.
I log my stuff to the Blue Iris box, in part because it is "always on" and the syslog service has minuscule hardware requirements. But also just in case of a pfSense failure I would have some data about what led up to the problem. Your router might be able to send data to a remote log server in much the same way. Bear in mind these logs are hard to read, and 99% of the content of the log will be "connection refused due to rule # X", while interesting to see how many port scans are happening on the "wild west" of your WAN, the real important bit is spotting the connect attempts that make it into your network (real needle-in-a-haystack stuff).
For perspective of exactly how needle-in-a-haystack, I have AVERAGED 2400 log entries per hour for over the past 2 years time.
Even the Atom board might have had enough horsepower to run pfSense if you don't use Deep Packet Inspection and you don't have at least a 100Mb connection. There are some forum posts referring to Atom 550 processors running 300Mb connections and oVPN (I assume with limited "advanced" features turned on but still respectable all the same). That ASRock J4105B-ITX should really rock!
Keep us updated what you like and dislike with your tinkering. I will caveat like I always do, its serious overkill for solid 99% of people, but still fun if you find networking interesting.
bugsysiegals
Getting the hang of it
I’ve been trying to setup Plex lately and figure out how I want to use (RAID or not) the 3 x 8TB WD EasyStore drives I just scored at BB for $150 each so I’ve not had much time to play with pfSense but I can tell you the firewall is amazing. I can create Alias groups for kids iPads, iPhones, etc. and use those groups in firewall rules along with many different schedules which is awesome but the best for me so far is the VPN speed and VLAN support for interfacing to a managed switch.
I have no regrets and will probably only return to a consumer router if pfSense crashes and I need something in between setting it back up on another machine.
I have no regrets and will probably only return to a consumer router if pfSense crashes and I need something in between setting it back up on another machine.
Just keep a backup of your pfSense config (Diagnostics > Backup/Restore), I do this before I make any changes where I might fack something up as well.
Then if something happens, repair the faulty device/drive, reinstall pfSense, reload config. I already had to do this once because I started with 3 Sandisk Ultrafit USB flash as "mirrored disk array" and they failed within the first year. It might have been the 22 million firewall events I logged on them, might have been something else I did wrong. Now I have an old 120GB SSD in there that isn't good for much else and had a lot of flash "life" leftover.
bugsysiegals
Getting the hang of it
I'm no networking expert but I've created VLAN's for the following reasons and I'm sure there are benefits I've not even considered.
- Easily isolate traffic on my LAN.
- Guests cannot access anything but WAN.
- Kids cannot access anything but WAN.
- Adults can access IoT, servers, AP's, and WAN.
- Blue Iris can access WAN and cameras but cameras cannot access anything.
- Prevent IoT or other computers which might be infected from reaching other devices
- Reduce broadcast traffic so I'm not flooded with all kinds of packets I don't need and perhaps reduce lag
bugsysiegals
Getting the hang of it
What software were you using to virtualize? I'm told Proxmox eats consumer SSD's but I've no experience as I'm to chicken to find out and am using HDD instead.
Isn't a VLAN just a logical mapping of network traffic? It doesn't actually "isolate" anything? So a malicious software or devious user would not be bound by the VLAN partitions.
No virtualization here, dedicated i3 pfSense box and dedicated i7-2600k Blue Iris box.
bugsysiegals
Getting the hang of it
I measured the CPU temps for both and the 4770 CPU averaged 74 C while the 3770 averaged 36 C. The 4770 is running more than twice as hot!!!
I moved everything back to the 8300 desktop but unfortunately found it can only hold 2 HDD's versus the 800 which holds 2 HDD's and 1 SSD. In addition I believe it has more USB 3.0 ports which would be nice. I'm going to check whether the CPU fan is simply not functioning but assuming it is do I simply need to delid the CPU and apply fresh thermal paste to bring the heat down and power usage back to similar level as the 8300?
Not done this myself, but I would recommend you do some research before "simply delid the CPU..."
I believe it takes a tool if you want to reduce the chance of killing the CPU, and even then the chance won't be reduced to 0% -- meaning you might literally turn your 4770 CPU into a paperweight. You also have to remove the black adhesive with a razor and its apparently very easy to knock a cap off the die.
You could try a better air cooler on the 4770 if you had room for it in the case, but supposedly running at up to 90c is feasible on that chip without degrading it's performance. And unless you are slamming that CPU it won't generate much heat just running Blue Iris and pfSense.
To get it closer to the 3770 you will probably have to do something exotic, unfortunately, or live with it the way it is currently running, and just plan to replace it in a few years if it breaks down (by then 8700/9700's will be cheap).
*correction* see here: The Intel 9th Gen Review: Core i9-9900K, Core i7-9700K and Core i5-9600K Tested seems they all are paste, none with pads. But Coffee Lake Refresh (9700/9900) is supposed to be soldered again.
Last edited:
bugsysiegals
Getting the hang of it
On a MANAGED switch, each access port is on VLAN 1 by default and everything on the same VLAN, assuming no restrictions are implemented, can communicate with each other. Now let's assume we have 2 devices plugged in ports 1 and 2 which are respectively assigned to VLAN 1 with IP range 192.168.1.0/24 and VLAN 2 with IP range 192.168.2.0/24. Even if malicious software or a user changes the IP of the device on VLAN 1 to be on the same subnet as VLAN 2, 192.168.2.x, the device will not be able to communicate with the device on VLAN 2 because it's port it not tagged with VLAN 2. Rules and routes can be created to allow inter-vlan communication to happen but without them being explicitly applied, VLAN's are isolated from each other at the hardware level which prevents infected devices or users from simply changing IP's, etc., and accessing devices on other VLAN's.
If any networking experts find this information incorrect, please advise so I can correct, but to the best of my knowledge and experience this is how it works.
bugsysiegals
Getting the hang of it
Thanks for the detailed explanation! I just find it hard to believe a newer CPU is running twice as hot doing the same job and at about the same CPU usage. I assume this is why it's drawing more Watts but will have to test. FWIW - the thermal fan setting in the BIOS of both PC's is set at the lowest setting.
I suggest starting with the basics.
Be sure the existing cooler and fan blades are clean.
Be sure the cooler is properly secured to the mobo
Be sure any case vents, filters, and or case fans are clean and working
All that failing, pull the cooler, clean off the old compound and apply new. A common mistake is using too much compound. It just needs to fill the microscopic air voids between the cooler and processor. Not trying to float the cooler on a layer of paste. And, generally, don't smear it around with your finger. There are instructions on the Internet for various processors.
Sorry in advance if you know all that 101 stuff.
bugsysiegals
Getting the hang of it
As soon as I received the computer I blew it down, pulled the cooler, wiped off the old paste, used rubbing alcohol to clean, pea size ball of Noctua thermal paste, and put the cooler back on.
Unfortunately I didn’t think to check the fan actually works but will check that next.
Unfortunately I didn’t think to check the fan actually works but will check that next.
Last edited:
Pea sized? That seems like a huge amount, but maybe I am wrong.