Converting a single-NIC mini-PC into a pfSense router/firewall by using virtual LAN configuration on a managed switch

In this post, I discuss the process of converting an older single network interface Intel NUC mini-PC into a state-of-the-art pfSense firewall behind which I’ve placed my entire network. The whole process takes about 10 minutes and is accomplished by configuring two VLANs.

REQUIREMENTS

A managed switch that supports 802.1Q VLAN configuration.

Thankfully, such devices are very cheap nowadays, so if you don’t have one at home, you can easily buy one for under 30 dollars from Amazon.com or your local shop.

The switch I’ve selected for my deployment is TP-Link TL-SG108E 8-Port Gigabit Ethernet Easy Smart Switch, currently on Amazon for $27.89 USD: https://www.amazon.com/Ethernet-Unmanaged-Shielded-Replacement-TL-SG108E/dp/B00K4DS5KU

 

CURRENT CONFIGURATION

This is the starting network configuration, which I’ll be putting behind a pfSense firewall by using an existing mini-PC. I see this type of configuration in most homes: the ISP modem feeds the wireless router with an Internet connection, which the wireless access point’s DHCP service then distributes to all connected wireless and wired devices:

 

 

NEW ARCHITECTURE

The new architecture using the managed switch will look like this (image below).

  • The ISP modem in Port #2, configured as WAN VLAN, provides an Internet connection to the pfSense firewall/router in Port #1, configured as LAN VLAN.
  • PfSense is controlling the entire flow of traffic (all network packets flow through it).
  • PfSense also runs DHCP on LAN, which gives access to the Internet to all other wired devices plugged into Port #3-8.
  • One such device (in my case) is a Wireless Router configured in bridge mode.

If it at first seems clear as mud, don’t worry, it’s not that complicated.

Here is a photo of the completed configuration at home to illustrate the cabling in place:

Another view:

SWITCH VLAN CONFIG

The first thing we need to do is configure our Gigabit Ethernet Easy Smart Switch. In my case, it’s a TP-Link TL-SG108E v4 8-Port, for which the manual on how to connect to the device can be downloaded from here.

We’ll need to configure the switch by accessing its web management tool. I followed these steps:

  • The switch uses the static IP address of 192.168.0.1, with a subnet mask of 255.255.255.0.
  • So I first configured my laptop for the same subnet, by changing its IPv4 settings to 192.168.0.2 with a subnet mask of 255.255.255.0.
  • Then I connected my laptop to port #1 on the switch using a network cable.

Once done, I launched a web browser on my laptop, went to http://192.168.0.1 and logged in by entering admin for both username and password (in lower case) into the login window.

Once in the switch, I went to VLAN / 802.1Q VLAN Configuration and configured the ports on the switch by using the following settings.

Then I went into VLAN / 802.1Q VLAN PVID Setting and configured the Port VLAN IDs as follows:

PFSENSE VLAN CONFIG

We have the VLANs for WAN and LAN configured and tagged on our managed switch, and thus we’re ready to configure VLANs in pfSense.
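Before moving on, the switch layout can be sanity-checked with a small model of 802.1Q flooding. This Python sketch is an added example, not part of the original post: VLAN IDs 99 and 10 and the port roles come from the post, while the tagged/untagged layout, the trunk PVID of 1 and the "leaky" scenario are assumptions constructed for illustration.

```python
from dataclasses import dataclass

TRUNK, MODEM, LAN_PORTS = 1, 2, range(3, 9)   # port roles from the post
WAN_VID, LAN_VID = 99, 10                     # VLAN IDs from em0.99 / em0.10

@dataclass
class Switch:
    members: dict  # vid -> {port: "T" tagged | "U" untagged egress}
    pvid: dict     # port -> VLAN ID given to untagged ingress frames

    def flood(self, in_port, tag=None):
        """Egress ports (and tagging) for a broadcast entering in_port."""
        vid = tag if tag is not None else self.pvid[in_port]
        ports = self.members.get(vid, {})
        if in_port not in ports:       # ingress filtering: not a member
            return {}
        return {p: m for p, m in ports.items() if p != in_port}

def intended():
    # Assumed layout: trunk tagged in both VLANs, everything else untagged.
    return Switch(
        members={WAN_VID: {TRUNK: "T", MODEM: "U"},
                 LAN_VID: {TRUNK: "T", **{p: "U" for p in LAN_PORTS}}},
        pvid={TRUNK: 1, MODEM: WAN_VID, **{p: LAN_VID for p in LAN_PORTS}})

def leaky():
    # Constructed mistake: a default VLAN 1 still holds every port and the
    # modem port's PVID was never changed.
    sw = intended()
    sw.members[1] = {p: "U" for p in range(1, 9)}
    sw.pvid[MODEM] = 1
    return sw

def audit(sw):
    """Paths by which WAN and LAN traffic meet without crossing pfSense."""
    issues = []
    out = sw.flood(MODEM)
    if out != {TRUNK: "T"}:
        issues.append(f"modem broadcast reaches ports {sorted(out)}")
    issues += [f"LAN port {p} reaches the modem port"
               for p in LAN_PORTS if MODEM in sw.flood(p)]
    issues += [f"modem port is also a member of VLAN {v}"
               for v, ports in sw.members.items()
               if v not in (WAN_VID, LAN_VID) and MODEM in ports]
    return issues

if __name__ == "__main__":
    for name, sw in (("intended", intended()), ("leaky", leaky())):
        print(name, audit(sw) or "isolated")
```

An empty audit result means every frame from the modem port can only leave the switch tagged on the pfSense port, which is the property the whole single-NIC design depends on.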

For this part, I assume you have pfSense installed on the PC. If not, simply download the latest stable Community Edition version from https://www.pfsense.org/download and install it on your PC by using either a CD (ISO) or a USB stick. The process takes 5 minutes and it’s very simple to follow, but if you’re unsure, check my instructions for installing it, here.

Now that you’ve installed pfSense onto your PC, let’s plug it into port #1 on the managed switch and log into its web interface and plug your ISP modem into port #2.

Then, access the pfSense menu, because we need to configure the pfSense single NIC (em0) with two VLAN connections (one for WAN and another for LAN).

Select option #1 from the menu (Assign Interfaces)

When asked if you want to set up VLANs now, say yes:

Then set it as follows:

  • VLAN for WAN to em0.99 interface
  • VLAN for LAN to em0.10 interface

Then back in the main menu, select option #2 (Set interface(s) IP address) and set LAN IP address to 192.168.10.1/24.

Now you can access the pfSense web-based menu by going to https://192.168.10.1

Confirm that you see WAN and LAN interfaces in Interfaces > Interface Assignments:

And in Interfaces > VLANs you have two VLANs configured as follows:

Let’s configure LAN DHCP now, so all devices plugged into ports #3-8 will automatically get an address in the 192.168.10.x space:

Go to Services > DHCP Server > LAN and Enable DHCP server on the LAN interface. Settings are simple.

Set range from 192.168.10.100 to 192.168.10.200 and gateway to 192.168.10.1 and press Save.

It should look like this:

Once done, pfSense is configured.

 

WIRELESS ROUTER CONFIG (optional)

If you have a wireless router, simply plug it into port #3 and then put it into bridged mode, so all wireless devices get their IPs from the DHCP server running in pfSense.

Here is how I configured the Wireless Bridge Mode on my Linksys Smart Wi-Fi Router:

Note: If your wireless router is one of the devices that lose their web interface when in bridge mode (like my Linksys box), set its static IP to 192.168.10.200, subnet to 255.255.255.0, and gateway to 192.168.10.1 before placing it into bridge mode. That should allow you to still control it once it’s acting as a bridge.

 

SPEED TEST ON THE ROUTER & CONNECTED DEVICE

Let’s see how the internet connection performs directly on the router.

Here is a little chat on how you can configure it: Measure the speed of your pfSense router’s WAN connection by executing the SpeedTest.net from a pfSense GUI

Directly on the pfSense router I am getting 245.25 Mbit/s download and 19.83 Mbit/s upload, which is consistent with my ISP bandwidth.

Going through a wireless device connected through the bridged wireless router, I am getting 249.41 Mbit/s download and 19.96 Mbit/s upload, which is consistent with the pfSense result and shows that the traffic flows through the device as expected and without any issues.

 

Conclusion

Turning unused old PCs into highly effective security devices is a good way to give a new lease on life to an old computer you might otherwise never use again. These instructions are applicable to any x86 computer with at least one wired network interface on which the open source pfSense software can be installed.

Note: If your old PC has two network cards, if you want to add a second network interface, or if you are intimidated by configuring VLANs, please follow these instructions instead. However, if you do not want or cannot add a second NIC and still want to use pfSense with a single network card, this article should give you some pointers on how to go about it.

Leave me a comment here or join the discussion on Reddit: https://www.reddit.com/r/PFSENSE/comments/dx7hgv/converting_single_nic_minipc_into_pfsense/

 
