PF-Sense

Global layout

Current configuration overview

Interfaces

| Interface | Link | Description |
|---|---|---|
| WAN | LAGG0 | Internet connection |
| L1601 | VLAN 1601 / LAGG1 | LAN / Unrestricted |
| K1602 | VLAN 1602 / LAGG1 | Children / Protected |
| G1603 | VLAN 1603 / LAGG1 | Guests / Restricted |
| I1604 | VLAN 1604 / LAGG1 | IoT / Restricted |
| INFRA | LAGG2 | Infra backend |
| T1605 | VLAN 1605 / LAGG1 | IP-TV |

VLANs

| VLAN | Description | Interfaces |
|---|---|---|
| 1601 | LAN / Unrestricted | LAGG1 |
| 1602 | Children / Protected | LAGG1 |
| 1603 | Guests / Restricted | LAGG1 |
| 1604 | IoT / Restricted | LAGG1 |
| 1605 | IP-TV | LAGG1 |

Physical

| LAGG | Description | Interfaces |
|---|---|---|
| LAGG0 | WAN | igb0, igb1 |
| LAGG1 | LAN | igb2, igb3 |
| LAGG2 | INFRA | igb4, igb5 |

Rules

Plugins

Hardware

T-Mobile configuration

To replace your provider's modem with your own hardware (pfSense), a number of specific settings are required. Below is the configuration for the 2 possible variants at T-Mobile:

  • ODF (Optical Distribution Frame) = Active operator T-Mobile (own equipment)
  • WBA (Wholesale Broadband Access) = Active operator KPN (shared equipment)

I originally started with a WBA configuration but have since switched to ODF. The WBA configuration is kept below as a reference, since plenty of connections still run over WBA, and with some adjustments it can also be used on KPN fiber.

The hardware has changed as well; the most recent design and hardware are listed under ODF.

ODF

Telephony is not (yet) possible.

The VLAN data from T-Mobile:

Internet / Connected VLAN ID = 300

With an ODF connection the setup is somewhat simpler: the IP-TV equipment no longer has its own VLAN, so only VLAN 300 needs to be configured on the WAN interface.

A media converter is no longer needed either; these do not work with T-Mobile's GPON equipment. Instead T-Mobile installs an ONT in your meter cupboard and the firewall connects directly to it. Since switching to ODF I also use some other hardware for my connection:

  • Netgear GS324T(P) managed switches
  • [HUNSN firewall](https://www.amazon.nl/gp/product/B095PCRMCT/ref=ppx_yo_dt_b_asin_title_o03_s00?ie=UTF8)

WBA

Telephony is not (yet) possible.

The VLAN data from T-Mobile:

Internet / Connected VLAN ID = 300

IP-TV VLAN ID = 640

I used the following components:

  • TP-Link MC220L media converter
  • pfSense firewall
  • Netgear managed switches (GS108E / GS105E)

My network looks like this; the switches in the meter cupboard and living room are managed and support VLANs.

Network overview

The WAN connection is split into internet and IP television using VLAN tagging. Configure these VLANs in pfSense:

Interfaces > Assignments > VLANs

VLAN overview

In my setup the em2 interface is the WAN interface, with the MC220L connected to it. It is important to set the VLAN tag and the parent interface correctly.

Once the VLANs have been created in pfSense, they must be assigned to interfaces. The WAN and LAN interfaces already exist by default.

Link VLAN 300 to the WAN interface:

Interfaces > Assignments

Interface assignments

Then create a WAN-side interface for VLAN 640: select VLAN 640 on em2 under Available network ports. A new interface appears named OPTx (x is a number from 1 upwards, depending on your own configuration).

Click the OPTx interface, rename it if desired and enable the interface:

Enable interface

On the LAN side a VLAN for IP television must also be created; any VLAN number can be used. The steps are the same as for the WAN VLANs, except that the parent interface must be the LAN interface. In my setup I also used VLAN 640 internally.

After all interfaces have been created and enabled, create a bridge:

Interfaces > Assignments > Bridges

bridges

Add both the WAN-side and the LAN-side VLAN 640 interface and give the bridge a descriptive name:

bridgename

To filter traffic on the bridge interface only, instead of creating firewall rules per member interface, 2 system tunables must be adjusted in pfSense:

System > Advanced > System Tunables

Tunables

Add the created bridge to the interfaces:

Interfaces > Assignments

via Available network ports.

Enable the interface, give it a name and set the MTU to 1594.

MTU settings

Then go to the firewall rules:

Firewall > Rules

Bridge rules

Select the bridge interface here and create the rules. In my case I block all traffic from the IP television network to my LAN and allow all traffic on the IPTV network.

To allow multicast traffic over the bridge, the option [Allow IP options] must be enabled in the firewall rule. This setting is found under the rule's advanced options:

Bridge rules adv

After these settings pfSense should deliver internet on your WAN interface and IP television on your bridge, forwarding it internally to the VLAN of your choice. It is advisable to reboot pfSense once so that all settings take effect. Finally, make sure the LAN interface is connected to a trunk port on your switch with the IP television VLAN tagged on it. If you then place a switch port in that VLAN, a T-Mobile media receiver can be connected to it.
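As an added example (not part of the original page or of pfSense itself), the following script audits a pfSense config.xml export against the design described above: WAN on VLAN 300, both VLAN 640 interfaces bridged, the bridge assigned with MTU 1594, the two bridge-filtering tunables, a block rule from IPTV to LAN that is not shadowed by the pass rule, and "Allow IP options" on the pass rule. The sample XML is constructed; its element names, the em1/em2 ports and the tunable names (net.link.bridge.pfil_member=0, pfil_bridge=1, which is what "filter on the bridge" means on pfSense) are assumptions to check against your own export.

```python
# Added example (not part of the original page): audit a pfSense config.xml export
# against the WBA design above. SAMPLE_CONFIG is a constructed excerpt in the general
# layout of pfSense's config.xml; element names, em1/em2 ports and the two tunables are assumptions.
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<pfsense>
<vlans><vlan><if>em2</if><tag>300</tag><vlanif>em2.300</vlanif></vlan>
 <vlan><if>em2</if><tag>640</tag><vlanif>em2.640</vlanif></vlan>
 <vlan><if>em1</if><tag>640</tag><vlanif>em1.640</vlanif></vlan></vlans>
<interfaces><wan><if>em2.300</if><enable/></wan><lan><if>em1</if><enable/></lan>
 <opt1><if>em2.640</if><enable/></opt1><opt2><if>em1.640</if><enable/></opt2>
 <opt3><if>bridge0</if><enable/><mtu>1594</mtu></opt3></interfaces>
<bridges><bridged><members>opt1,opt2</members><bridgeif>bridge0</bridgeif></bridged></bridges>
<sysctl><item><tunable>net.link.bridge.pfil_member</tunable><value>0</value></item>
 <item><tunable>net.link.bridge.pfil_bridge</tunable><value>1</value></item></sysctl>
<filter><rule><type>block</type><interface>opt3</interface><source><network>opt1</network>
  </source><destination><network>lan</network></destination></rule>
 <rule><type>pass</type><interface>opt3</interface><allowopts/><source><any/></source>
  <destination><any/></destination></rule></filter>
</pfsense>"""

def audit(xml_text, wan_tag="300", iptv_tag="640", mtu="1594"):
    """Return a list of findings; an empty list means the export matches the design."""
    root, found = ET.fromstring(xml_text), []
    tags = {v.findtext("vlanif"): v.findtext("tag") for v in root.iter("vlan")}  # em2.300 -> 300
    ports = {i.tag: i.findtext("if") for i in root.find("interfaces")}  # wan -> em2.300
    if tags.get(ports.get("wan")) != wan_tag:
        found.append(f"WAN is not on VLAN {wan_tag}")
    bridge = root.find("bridges/bridged")
    members = bridge.findtext("members").split(",") if bridge is not None else []
    if len(members) != 2 or any(tags.get(ports.get(m)) != iptv_tag for m in members):
        found.append(f"bridge must join exactly two VLAN {iptv_tag} interfaces")
    elif len({ports[m].split(".")[0] for m in members}) != 2:
        found.append("bridge members must sit on different parent ports (WAN side and LAN side)")
    # The bridge itself must be assigned as an interface (opt3 here) and carry the larger MTU.
    bopt = [i for i in root.find("interfaces") if bridge is not None and i.findtext("if") == bridge.findtext("bridgeif")]
    if not bopt or bopt[0].findtext("mtu") != mtu:
        found.append(f"bridge interface must be assigned with MTU {mtu}")
    sysctl = {i.findtext("tunable"): i.findtext("value") for i in root.iterfind("sysctl/item")}
    for name, want in (("net.link.bridge.pfil_member", "0"), ("net.link.bridge.pfil_bridge", "1")):
        if sysctl.get(name) != want:
            found.append(f"tunable {name} should be {want}")
    rules = [r for r in root.iterfind("filter/rule") if bopt and r.findtext("interface") == bopt[0].tag]
    # pfSense evaluates rules top-down, so the IPTV-to-LAN block must precede any pass rule.
    blk = [i for i, r in enumerate(rules) if r.findtext("type") == "block" and r.findtext("destination/network") == "lan"]
    if not blk or any(r.findtext("type") == "pass" for r in rules[:blk[0]]):
        found.append("IPTV-to-LAN block rule is missing or shadowed by an earlier pass rule")
    if not any(r.findtext("type") == "pass" and r.find("allowopts") is not None for r in rules):
        found.append("pass rule on the bridge lacks 'Allow IP options' (needed for multicast)")
    return found
```

Run it against the XML you export under Diagnostics > Backup & Restore; an empty list means every step above is reflected in the configuration, and each finding names the step to revisit.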