HOW-TO: pfSense with Single NIC, VLANS and a Wifi-AP (Router on a Stick)

LyricX · August 23, 2021

I had to revisit this the other day to help a friend and I have it written up on my blogspot (not going to advertise as I don't really post there anymore). I figured I'd share this for anyone looking to dink around with a Router on a Stick configuration. I had to use this awhile back when I only had one physical PC and still wanted pfSense to have a lot of oversight of my home network / security. Obviously RTR on a Stick is not the best setup, but it'll do in a pinch if you know what you're doing. Enjoy

Introduction

The current hardware configuration is setup to run on my PC in a virtualized environment using VirtualBox (64bit) for the Win10 Pro (x64) HOST PC.

System Specifications:

Processor: Intel G3258 Pentium 4 @ 4.2GHz
CPU Heatsink: Stock Intel Cooler
RAM: EVGA 8GB (2x4) Superclocked @ 2133MHz
Graphics: Sapphire R9 380 Nitro 4GB GDDR5
HDD: PNY 240GB SSD
Motherboard: Gigabyte H81M-H mATX
PowerSupply: EVGA 500W
Case: Fractal Design Core 1100 MATX Mini
Monitor (Living room TV): Magnavox 55" HDTV
Operating System: Win10 Pro (x64)

Configuration

pfSense
switch: TL-SG108E v2
wifi-ap: NG-N300 (wnr2000v5)

VLAN Config(s):

VLAN99 (WAN) - DHCP @ ISP
VLAN10 (LAN) 192.168.10.1/24 (.5-.254 Range & .2-4 for Static IP Management)
VLAN20 (WIFI AP) 192.168.20.1/24 (.5-.254 Range & .2-4 for Static IP Management)

TL-SG108E Config:

***NOTE*** The current firmware on the TP-LINK SG108E will only support one physical "Save Config", anything after that will not be held in the data until they release a firmware fix (**Source link**) - They also indicate here that you can actually flash the v3 firmware to the v2 version (the one I have) although I have elected to not do this. Whichever way, the bug is still persistent in all firmware versions as of 03/05/2018.

1.) Connect a laptop and set your IPv4 Address to the following:

2.) Navigate to: 192.168.0.1 ---> login with usr: admin / pw: admin (I recommend to change these immediately)

3.) Change the IP Settings to what will be your new internal LAN sub-net for easier access. (192.168.10.2 - MGMT Interface - will be setup for easier management access via Ports 4-8 on your Switch).

4.) **DON'T FORGET TO SET IPv4 BACK TO DHCP**

5.) Navigate to VLAN --> 802.1Q VLAN --> Enable VLAN Config --> Apply

Default VLAN --> Leave as is
VLAN ID: 10, VLAN Name: LAN, Port 1 Tagged, Not Member Port 2&3, Untagged Ports 4-8 --> Add/Modify.
VLAN ID: 99, VLAN Name: WAN, Port 1 Tagged, Untagged Port 2, Not member 3-8 -> Add/Modify
VLAN ID: 20, VLAN Name: OPT1 (Wifi-AP), Port 1 Tagged, Port 3 Untagged, Not Member 2, 4-8

6.) Navigate to 802.1Q PVID Setting (and set the following by typing the PVID (10,99,20) and selecting the corresponding ports.)

Port 1: 10, Port 2: 99, Port 3: 20, Port 4-8: 10

**Now it's safe to use Save config** If you used it prior to getting all of this setup, then you'll unfortunately need to reset the switch and start over unless they've fixed this bug.

7.) Now you can continue to configuring the pfSense Installation. I'd recommend using Rufus if you need to create a bootable USB to proceed. I didn't need to as I virtualized my pfSense router and just downloaded the ISO on my host machine.

8.) Once you get to this step you need to proceed with a "y" and then configure all of the pfSense VLAN Interfaces or any other extra Interfaces needed. This could be skipped and done later manually in the GUI but I'd go ahead and do it here.

Your interface(s) may be different than mine.

em1.99 (WAN) -> vlan99
em1.10 (LAN) -> vlan10
em1.20 (Wifi-AP / OPT1)
em0 (OPT2) -> (set on 192.168.30.1/24) Extra virtual interface which will be configured within VirtualBox to be "Virtual NIC Adapter 2" so my HOST PC (pfSense router) can access the internet as it also serves as a HTPC. This may be an unnecessary step depending on your desired configuration.

9.) Once you set this to your specifications, then you can go into your Network settings and adjust the Virtual Adapter to pull DHCP from the em0 Interface you setup @ 192.168.30.1/24 if you need to pull internet on your VM HOST Machine.

Physical Configuration:

Switch:P1 -> Phys NIC
Switch:P2 -> Cable Modem (ISP)
Switch:P3 -> Wifi-AP (Configured to be 192.168.20.2 for MGMT and Set in AP Mode)
Switch:P4-8 -> LAN Ports for any wired devices you may have.

***Issue(s) with: Realtek PCIe GBE Family Controller NIC***

I had to spend hours upon hours trying to figure out why I could not get a WAN IP (DHCP from my ISP). It turns out that the Realtek PCIe GBE Family Controller is known for stripping vlan tags unless you perform the latest driver update, and also add the following registry edits:

Update drivers: Realtek PCIe GBE Family Controller
Find reg sub-key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}
Add/update the following DWORDs:

MonitorModeEnabled = 1
MonitorMode = 1
PriorityVLANTag = 0
SkDisableVlanStrip = 1

Tools:
https://www.wireshark.org/
https://wiki.wireshark.org/CaptureSetup/VLAN

***Issues with websites not resolving and ping requests timing out***

I spent a significant amount of time figuring out why some websites would resolve fine, and others would not. It ended up being that I needed to find the optimal MTU & MSS settings to input in pfSense. (My personal settings are notated below, and in my diagram as well.)

Great tutorial on how to find your own optimal MTU & MSS Settings - https://forum.peplink.com/t/how-to-determine-the-optimal-mtu-and-mss-size/7895

This was my first technical write-up ever, and for a portion of my network setup. Here is an overview of the diagram I made as well: