This comment section is definitely full of alternatives, but if you want a few more, a useful alternative to Pi-hole is AdGuard Home. It does basically the same thing but it supports service-based and regex-based blocking. Additionally you can use Unbound, either built into pfSense or installed in a VM or container. It allows for recursive DNS lookups so you don't need a middle man like Cloudflare, and it offers great caching and speed.
I've personally tried OPNsense first, then pfSense. I had some issues with OPNsense (specifically the FreeRADIUS package was broken) but pfSense tends to work better. However, pfSense is a bit less open source than it claims to be.
I have several Seeed Odysseys. Surprised both onboard NICs work with the M.2 NIC card plugged in; the Odyssey X86s have a hardware bug that kills one on-board NIC when some PCIe devices are plugged into the M.2 port. That said, I also have a lot of Odroid H2/H3 boards as well. The Odroids are similar to the Seeed Odyssey but have 2 2.5Gb NICs onboard, and Odroid makes a "net-card" that adds 4 more 2.5Gb NICs for a total of 6. I've been using one as my router for about 2 years now without a hitch. They also have cases that don't require mods for the net-card.
I was running a similar setup, but it was too much hassle to tinker with it, and even my current Mikrotik AX3 is way easier to maintain while running Pi-hole and Unbound in a container directly on it. I haven't noticed any performance difference. Another advantage is the decent Wi-Fi coverage which the AX3 has. Power consumption is also way lower.
Love this. I have been running same Seeed Odyssey for my router, but only for PFSense. This would be a fun modification... You got me thinking, but I already have an ESXi cluster in the house.
This feels like a BUNCH of work that just isn't needed. Pick up a Lenovo Tiny M720q, which has an optional PCIe slot where you can drop in a 2nd NIC (I have a 4x1Gb in mine). Run the onboard NIC for the hypervisor and pass through the entire PCIe NIC into the pfSense VM. You ARE limited to 1 x NVMe M.2 drive for storage with this design, however. You can do an M720x instead, which has dual NVMe M.2, if you really want a dedicated pfSense drive. If you do this, look into the 32GB Intel Optane M.2 drive. pfSense doesn't need much storage and these are wicked fast. Anyway, no soldering, no weird adapters from AliExpress, and you can get up to 6 cores if you get the 8600/9600 or higher CPUs.
This is all so much for me, but I can't wait to learn all this. I have a bunch of old laptops that I know still have life in them, just not as a traditional laptop! Maybe more so as a storage server, security camera service, and router!
Cool project box, but you better have a backup one for when the main goes down. For quite a bit less than that price, you can get a fully enclosed device with the same CPU and 4 Ethernet ports, ready to go.
For just local DNS resolution you don't need Pi-hole. pfSense has that built in. And it may actually be counterproductive not to use the pfSense one, since you lose the automatic registration of DHCP client names in the DNS namespace.
Pretty neat router you got there! I recently just added a 2nd WireGuard VPN on my Pi5 as a backup for those public Wi-Fi areas that don't allow you to connect using the default 51820 port. I have it running in a Docker container and everything is running great after a few tweaks. My main router is a Firewalla Gold Plus that is also a hardware firewall and has tons of features. It also has built-in WireGuard/OpenVPN and ads & telemetry blocking features. I'm still curious to run Pi-Hole with WireGuard on my Pi5 though, and I'm having a little trouble with that on my network. I was able to successfully run Pi-Hole in another Docker container and even have it running on HTTPS complete with SSL certs using NGINX Proxy Manager, but when I use it as my DNS on my WireGuard on my Pi5, there is no Internet. I see the traffic being blocked though by Pi-Hole and all the stats in the Dashboard are running. I think I need to forward the traffic correctly but time is limited and I'll try to troubleshoot that at another time. 😮💨
I just built my firewall out of an old recycled Lenovo system with an i7 4770, threw in 16GB of RAM, a 128GB boot SSD and a 10Gb SFP+ card. I shoved it all in a 2U chassis and it's pretty solid for the age of it.
What's the power usage? I suspect buying a more modern power efficient device would actually save money in the long run. It's definitely something you need to consider when determining what devices to use.
It would help to say the expected price point to build such a system. What about using OPNsense instead, as I heard that pfSense does not receive updates often? I still have an old Apple AirPort Extreme router, which I haven't used for years. Any chance I can hack into it by installing third party software replacing Apple's software? Or better to build new hardware?
As far as price, I’m not really sure. I probably wouldn’t recommend the exact route I went as there are pretty affordable dual/quad NIC mini PCs on the market that would probably be a wiser choice. As far as hacking the AirPort Extreme, you’re on the wrong channel😂 Seems like a super cool idea, I’m just not smart enough to give any advice
Always nice to have more control over the router and VLANs etc. But setting up IPTV from the ISP can be a pain to set up properly. I noticed myself doing so. IGMP needs to be enabled, or other protocols, depending on how your ISP handles IPTV. And you don't want to piss off others in the household. 😋 Going fiber is also a different challenge depending on compatible hardware.
4:55 Interesting use for Pi-hole. pfSense (or at least OPNsense) actually comes with Unbound DNS, which I use personally, and it supports what you mean; it is under the DNS Overrides tab and you can do exactly what you described.
Good that I can learn from you and the people in the comments that tell about more efficient/alternative ways to do these things. Also have to wait for family to go out to tinker with the network lol
I recently switched back to pfSense on bare metal because it is quite complicated to configure VLANs on a Linux network bridge if you can't pass through two dedicated NICs.
Thank you. I would like to follow in your footsteps to create a similar setup. I have been using Cloudflare Tunnels instead of setting up WireGuard... but I totally used to run Pi-hole and PiVPN on bare metal Raspberry Pis and it worked great. I would like to set up those services again as part of my Proxmox.
I prefer OPNsense; it is updated MUCH more often, natively supports Zenarmor, and works with MANY more NIC types than pfSense. I have both, but prefer OPNsense. Either way, love that you have it set up on Proxmox, and I too have mine set up the same way, Pi-hole and PiVPN on a separate Debian install in my Proxmox box. Great how-to, great build! Keep em coming!!!!
I've never run a server. I think getting one could be a step up for my computing projects. Do you have any principles/recommendations for when to use separate hardware? What 'deserves' its own OS in a Proxmox setup, when should I just run stuff bare metal, and what can be run in the same virtual environment? I'm thinking of getting a Pi-hole, creating my own file server for access and storage (linked to some form of backup), running some other self-hosted services, and tinkering, without knowing exactly what I mean by that yet.
For some reason I can never seem to wrap my head around running a router in a VM, whether it is in Proxmox, VMware, or any other kind of hypervisor. Something about the routing seems to break my brain.
I have seen those dual 2.5g nics on Aliexpress before, as you know a 2.5g nic can operate at 5gb in full duplex mode if transferring files from machine to machine over the lan. With 2, that's 10gbs worth of bandwidth. Can the PCIE interface support that much speed?
Hey haven. Could you tell me how you assigned the NICs and what you connected to each NIC during testing? Use the frame in 8:04 for reference. Oh, and what you connected to each NIC at the final setup please.
Same camp with the swap lol. Still running the old Unifi USG-3P even after I've started getting a pfSense box ready and have been doing some testing. It's currently been good and I have other Unifi gear, dynamic DNS and OpenVPN Access Server, but I've considered switching to WireGuard.
Awesome video! I quite liked the idea of being able to boot from the passthrough drive in case something happens to Proxmox. In fact, I was trying to replicate it, moving my currently virtualized OPNSense to a spare drive, and realised something... If the EFI Disk lives in the LVM/ZFS Proxmox pool, would one still be able to boot from the OPNSense drive, bypassing Proxmox?
I only understand the surface-level of the features that you discussed here, but I would love to build a router like this with a built-in VPN and PiHole. Would you recommend a beginner just stick to PFSense for those features if they don't feel the need to separate it onto a VM?
It's possible to do it all on one nic using a managed switch (I have the unifi 5 port), you just have to use vlans. It's how I have my network setup right now, proxmox with OPNsense.
What connectors are you using on your bottom NIC? That thing lights up the whole LAN connector like it is a Christmas tree, or is that just the angle of the camera?
That's basically what I did but that's because my router only has one port on it, it works great but a lot of people either just don't have the space for a managed switch (since the easiest way to get these things is business surplus, I know small managed switches exist) or they simply don't want to deal with managed switches.
Maybe I missed it, but it seems that you set it all up only on VMBR0. Didn't you set up another virtual switch, say, VMBR1, to put all the virtual devices running on it behind pfSense's LAN subnet? Then you could even attach the second physical NIC to it and have them all on subnet 192.168.10/24. Thanks
Can I request that you can provide links to get the adapter, the computer case component, and the NIC? It helps to buy the exact thing since you've done a proven proof-of-concept. Also, I want to thank you for showing us this awesome build.
This is cool. I used XCP-ng when I virtualized my router because you don't need to pass through the NICs; you just assign the LAN and WAN ports to the VM and Xen routes the traffic from the physical to the virtual.
You actually don't need more than 2 NICs for Proxmox and pfSense. Just allow pfSense to reach out to WAN through one, and LAN through the other, which also allows Proxmox to use the LAN port as well :)
@@HardwareHaven That makes sense. I've been running pfSense on Proxmox for over a year now and it's been super solid (as long as I'm not making dumb changes to see what happens)
I might argue 3 is the perfect minimum number of [passed thru] NICs for PVE+pfS, as you get 1 in, 1 out, and 1 for managing locally without getting in the way of the network
I was wondering how you access your Proxmox web interface. Did you connect the Proxmox LAN bridge to the pfSense LAN physically or virtually? Or are you accessing your Proxmox web UI from your other router and on a different network?
Can we do it like this? 1. In Windows, install Proxmox as a VM (on a separate disk) 2. Inside Proxmox, install all other fancy OSes 3. When you don't want to use Windows, boot from the Proxmox drive?
Why would you need anything but pfSense? Just use pfBlockerNG and you make Pihole obsolete, and pfSense can do things like Wireguard or other VPNs innately. But I guess it's a fun project. Personally, I still prefer a small separate appliance for my router. It can just do one thing and that is handle the Internet connection and the security from the outside in. Then I can do whatever with the stuff I want on the inside.
Believe it or not, I rarely get time to mess around with new things outside of doing it for a video at this point haha It seems to definitely be worth checking out though
I didn't watch the previous video about the hardware, but for people that don't want to build such a device themselves, there is a (not so cheap) alternative. You can buy a (China-made) passively cooled mini PC with an N5105 Intel CPU and 4x 2.5 Gbit Intel LAN ports barebone for around $200 (without SO-DIMM DDR4 RAM and an SSD).
The fact that it’s a router (with 2 LANs one of which is 2.5Gb), VPN server, and Pi-hole server all in one nifty little box. Obviously there are more impressive routers, hence ultimate being in “”s
To be clear, the 2.5Gb is essentially useless at the moment, which is why I didn't really talk about it. I mostly just wanted a dual NIC to M.2. But if I ever upgrade to >1Gb Ethernet, I can switch ports around and take advantage of it without needing to upgrade.
I've been running a virtualized router using an old system called Smoothwall for seven years problem-free. I recently upgraded the whole thing to ProxMox, pfSense, and piHole and it has been fabulous. I've got in-house 2.5Gb over WiFi6 and a 12TB NAS. Even did a video on the server rebuild and install, just have to edit it all down - you and a few other channels were a great inspiration!!
Nice! I’ll try to check it out
Edit: just realized you said you were editing haha. Let me know when it’s up
Also, what’s up my fellow Oklahoman haha!
@@HardwareHaven Really!? That's awesome! In OKC! I swear you were doing your build just as I was doing mine - saw the dates on one of your files was Dec 31. And I went through the same issue on installing the RealTek driver into ProxMox but only after I did the build but before I'd done any real perf testing. The parallels are kinda spooky LOL!!! Hope to get the video edited this week, but it won't be as polished as yours ! And I didn't even think about running piHole as a container. I may redeploy it. 😁
@@HardwareHaven good video 👍
@DIY Dave I have not heard of Smoothwall and years back in the early 2000's on a dial-up modem for my network and they have not updated that piece of software and God only knows what software security issues it poses
When I was setting up my home lab/servers, I initially virtualized my router (also on Proxmox, on a "normal" x86 platform). Since I was still tinkering a fair amount with the whole (new) system, that meant that every time I did something physical, the internet went down as well. Having VLANs and local routing as well means that even things that were still all on weren't reachable either. So I ended up swapping to a dedicated virtualized physical router similar to the one used in this build (Intel N5095 based, running network services only on a Proxmox host dedicated to network), but quickly realized it was far more capable than what I needed. So I eventually swapped to a bare-metal, non-virtualized Zima Board (still x86, but more RasPi-sized) for my router, doing anything network related just via plugins. I'm now very happy with this very low power solution, and I can tinker with the main "lab" all I want without any service interruptions to stuff that isn't rebooted or shut down.
Note that pfSense and OPNsense can do WireGuard and piHole-like DNS services natively (via Unbound or many other options), and virtualization or containerization isn't really needed.
I learned how to burn food. It's not an easy task - with that sole lesson. I learned how to cook, including adjusting the burners and figuring out how to work with different ovens and different ranges, all on how it heats up. Is it fast, slow, when does it start to boil, where does it start to simmer, after it boils, how long until it lowers down to a simmer. Voila. I hope you all have a lesson that can help you learn to cook.
Thanks for the video tutorial and infoset in pfSense. I like the Pis for a wide variety of ideas. But, I'm using HP z-Series on legacy BIOS, to disable the backdoors. Also learned their BIOS passwords, to the BIOS backdoors. Might be wrong. Idk much.
Did you ever make that video?... It sounds like what you did is exactly what I want to do.
I really appreciate your honesty during commentary. Great vid!
Thanks man!
He lied to us about Hello Fresh being good though :-(
I'd love to see a video on your full homelab. Setup, machines (truenas server, pf sense router, your and your wife's pcs) a full tour would be awesome! (Time to clean up that cable management lol). Also I just realized you composed your own theme. Very nicely done. Love it. Hope to see your music set up as well
I have a mini tour over on the Patreon although it's a bit outdated. I keep telling myself I'm going to do a video like that once I tidy everything up, but somehow manage to never get around to it haha! Good idea and I'll definitely try to get to that sometime soon.
12:29 You being lame is actually really smart. I did the same when I switched from a "real" router to a pfsense box.
I put the pfsense box behind the router and migrated things behind the pfsense box over time. Once everything was behind the pfsense box, it just needed a few WAN setting changes and then I pulled the "real" router from the front of the chain, switched the router to AP mode and put it behind the pfsense box for WiFi connectivity. Since I got my bearings and learned the pfsense settings while just a couple machines were behind the pfsense box, there was no real downtime ever involved.
I’m literally doing almost exactly this project right now, and have been really struggling to get my Realtek 8125B 2.5Gbe NICs working, I ended up getting them *kinda* working with PfSense 2.5.2 yesterday, but wasn’t super stoked on having to use older software. Luckily I’ve barely gotten through configuration before coming across this video, so I’m going to re-flash 2.6.0 and try out the package from the Reddit post you linked. Man, my RUclips recommendations are usually pretty good, but this? *Chef’s Kiss*.
You'd have better luck with Realtek drivers on OpenWrt since it's Linux.
Hello, I am a network administrator and we use pfSense for some customers as a VM on VMware, and it is super stable and reliable. Honestly, it is more reliable than some of our SonicWall appliances. One customer has high uptime requirements, and the primary WAN firewall has been up for about a year with no issues. (I know it needs a reboot. Again, high uptime customer. Very specific case lol) But I highly recommend turning an old PC into a router if you want a fun project or your router shows inconsistencies or issues. You just need two Ethernet ports, and add-in cards can be cheap. I do recommend Intel NICs if you are doing bare metal port forwarding. Non-Intel cards can have issues on pfSense.
Cool idea, but pfsense has all of this without the need for other VMs.
Pi-hole - pfblocker package
PiVPN - openvpn or wireguard experimental packages
Reverse proxy - ha proxy package
Ddns - native Ddns function
For sure, and I honestly didn’t know all of those were available. But I think there’s merit in the flexibility that VMs and containers offer. Appreciate the comment!
Experimental packages on your home router? No thanks.
And the pfblocker package is... Let's say too basic compared to piHole. It doesn't do any logging, nor statistics, nor tables and graphs. Sure, if you don't need all that go ahead, but for most people I think piHole is the way to go.
@@zeendaniels5809 I've been using the Wireguard package for a while now and it's been rock solid for me. Or if you prefer the OpenVPN package is not experimental. Agree 100% about Pihole vs. pfBlockerNG, although I still use pfBlockerNG for IP blocking.
I've been running a Netgear Cable Modem / Router combo since 2015. It's performed okay but I think this video finally gave me the inspiration to go PFSense.
Currently I'm using a traditional (albeit quite high-end) router but I'm using it mostly for its incredible wireless performance and as the network gateway. I've actually offloaded most of its functions onto a Raspberry Pi with the 64-bit Lite OS installed, such as DHCP, DNS, and PiHole and it has been working very well for me thus far. I would love to do this all in one complete solution one day though.
Not sure if it's been mentioned below, but what if you connect the LXC containers to a virtual switch and an extra interface for pfsense to route the LXC traffic without passing through a physical switch. This would force traffic directed to the LXC containers through PFSense (like PiHole) but ultimately would eliminate PFsense from routing from one physical interface to another physical interface to virtual interface in the container
That's the sysadmin way of thinking. Much faster to have containerized, virtual switches when translating network traffic from VM to VM
Watching your videos and getting into NAS and more technical of the technical stuff has me feeling the same way I felt when I was just getting into PCs.
At first I didn't know how it all worked or what the terminology all was, but now a PC is the same as Legos to me.
Now I hope to learn everything about NAS and whatnot and make my own NAS with a PC someday with the help of your videos.
Every new video u make gets better and better and I know it means nothing but I'm so proud of you, and I'm so happy I got to see ur channel grow from the start
Thank you! That actually means a ton. 🙂
When setting up containers, I find it is good practice to always set up individual software on one container. It's easy for maintenance, but it's also easier to manage in general because you are not forgetting which container is what.
All I would offer as a critique is that pfSense can run OpenVPN, so there's no need to separately run PiVPN. Having said that, I LOVE PiVPN for its ease of set up, and use of WireGuard for a client. Great system. pfSense and Pi-hole are awesome, love them. Thanks for the video :)
Yeah I mention that in the FAQ in description, but thanks for the constructive input and kind words!
and pfBlockerNG does the same thing as piHole anyhow, so you can run them all on the gateway (I do..) Only thing I use a pi for is GPS based stratum 0 NTP server
14:58 "I'd also like to have the time to brush up on my pfsense and networking skills before I make the SWITCH."
Don't know if you missed the pun or were so smooth with the delivery you were trying to make it imperceptible that it was a pun.
Either way, it was great.
Loved the video and I may go down this path for my switch (😉) over from my Linksys off-the-shelf basic router/broadcast setup to a dedicated router with my Linksys as a wifi access point (at least that's how I think it should work, no real idea, I'll figure it out when I finally get there).
If there's something else you (or anyone) would suggest over that potential setup let me know! I'm really only targeting 2.5GbE I think.
I love these builds. Super cool video and you get to turn a small pc into something incredibly useful for home use.
One thing you could do, although it’d be a bit more dependent on your router, but you could create a virtual bridge and attach it to proxmox and your pfsense VM, so proxmox would connect via pfsense, and all physical NICs would go to pfsense. Not necessarily a good idea, but an idea none the less
For sure! And that would give the benefit of virtio between the pfSense VM and host/containers, but I like the idea of pfSense having direct access to the hardware
@@HardwareHaven you're the first bare metal firewall person I've come across. I like how you did this virtual and snapshotted for baremetal. Can this same technique be done for usb booting? Did you not have any hardware issues beyond the NIC drivers? I am reading about all these compatibility considerations with freebsd. Thank you and great video!
Nice job. For services like pihole and httpd I switched to Docker containers a while ago, it makes management and backups nice and easy.
Yeah, I like docker outside of proxmox
I love that you say curl rather than c-URL. I thought I was the only one
This comment section is definitely full of alternatives, but if you want a few more, a useful alternative to pihole is AdGuard Home. Does basically the same thing but it supports service-based and regex-based blocking. Additionally you can use Unbound, either built into pfSense or installed in a VM or container. It allows for recursive DNS lookups so you don't need a middle man like Cloudflare, and it offers great caching and speed.
Yeah, I should've at least talked about unbound. I think I cut too much to try and keep the video from being too long. Thanks for the input!
I've personally tried OPNsense first, then pfSense.
I had some issues with OPNsense (specifically the FreeRADIUS package was broken), but pfSense tends to work better. However, pfSense is a bit less open source than it claims to be.
I have several Seeed Odysseys. Surprised both onboard NICs work with the M.2 NIC card plugged in; the Odyssey X86s have a hardware bug that kills one onboard NIC when some PCIe devices are plugged into the M.2 port. That said, I also have a lot of Odroid H2/H3 boards as well. The Odroids are similar to the Seeed Odyssey but have 2 2.5Gb NICs onboard, and Odroid makes a "net-card" that adds 4 more 2.5Gb NICs for a total of 6. I've been using one as my router for about 2 years now without a hitch. They also have cases that don't require mods for the net-card.
I was running a similar setup, but it was too much hassle to tinker with it, and even my current Mikrotik AX3 is way easier to maintain while running Pihole and Unbound in the container directly on it. I haven't noticed any performance difference. Another advantage is decent wifi coverage, which the AX3 has. Power consumption is also way lower.
Love this. I have been running same Seeed Odyssey for my router, but only for PFSense. This would be a fun modification... You got me thinking, but I already have an ESXi cluster in the house.
hahaha I raised my eyebrow real hard when the QR for your wireguard access token popped up on the screen... very clever!
Hahaha I’m a bit surprised at the lack of comments I’ve seen on that. Hope you got a chuckle
Thank you, watching hardware stuff always feels so interesting!
Love that video. I will be building my ultimate pfsense router soon
Nice! I definitely wouldn’t go this exact route as there are probably much better options for hardware haha. Best of luck!
@@HardwareHaven I know, I'm not going to do proxmox. I like to run dedicated machines in terms of routers and pi hole stuff.
This feels like a BUNCH of work that just isn't needed.
Pick up a Lenovo Tiny M720q, which has an optional PCIe slot where you can drop in a 2nd NIC (I have a 4x1Gb in mine).
Run the onboard NIC for the Hypervisor and pass through the entire PCIe NIC into the pfSense VM.
You ARE limited to 1 x NVMe M.2 drive for storage with this design however.
You can do a M720x instead which has Dual NVMe M.2 if you really want a dedicated pfSense drive.
If you do this, look into the 32GB Intel Optane M.2 drive. pfSense doesn't need much storage and these are wicked fast.
Anyway, no soldering, no weird adapters from Ali Express, and you can get up to 6 cores if you get the 8600/9600 or higher CPUs.
That is a pretty nice router you got there.
Thanks for the good video!
This is all so much for me, but I can't wait to learn all this. I have a bunch of old laptops that I know still have life in them, just not as a traditional laptop! Maybe more so as a storage server, security camera service, and router!
Cool project box but you better have a backup one for when the main goes down.
For quite a bit less than that price, you can get a fully enclosed device with the same CPU and 4 Ethernet ports, ready to go.
For just local DNS resolution you don’t need pihole. pfSense has that built in. And it may actually be counterproductive not to use the pfSense one since you lose the automatic registration of DHCP client names in the DNS namespace.
Pretty neat router you got there! I recently just added a 2nd WireGuard VPN on my Pi5 as a backup for those public wi-fi areas that don't allow you to connect using the default 51820 port. I have it running in a Docker container and everything is running great after a few tweaks. My main router is a Firewalla Gold Plus that is also a hardware firewall and has tons of features. It also has built-in WireGuard/OpenVPN and ads & telemetry blocking features. I'm still curious to run Pi-Hole with WireGuard on my Pi5 though, and I'm having a little trouble with that on my network. I was able to successfully run Pi-Hole in another Docker container and even have it running on HTTPS complete with SSL certs using NGINX Proxy Manager, but when I use it as my DNS on my WireGuard on my Pi5, there is no Internet. I see the traffic being blocked though by Pi-Hole, and all the stats in the Dashboard are running. I think I need to forward the traffic correctly, but time is limited and I'll try to troubleshoot that another time. 😮💨
I bought a refurbished OptiPlex 7040 with an i7-6700 and 2x 10Gb NICs for like $200 and have OpenWrt. Best router ever.
I just built my firewall out of an old recycled Lenovo system with an i7 4770, threw in 16GB of RAM, a 128GB boot SSD and a 10Gb SFP+ card. I shoved it all in a 2U chassis and it's pretty solid for the age of it.
Sweet!
What's the power usage? I suspect buying a more modern power efficient device would actually save money in the long run. It's definitely something you need to consider when determining what devices to use.
That looks interesting. I would love to try a similar build myself at some point. I think I would use Bind instead of PiHole for my DNS though 😄
pfSense has a BIND service and a WireGuard service, so separate containers wouldn't be needed.
Already in pfsense no reason for separate
Never thought I'd get excited over a router
Subscribed lol
Would help to say the expected price point to build such system. What about using OPNsense instead as I heard that pfsense does not receive updates often?
I still have an old Apple AirPort Extreme router, which I haven’t used for years. Any chance I can hack into it by installing third party software replacing Apple’s software? Or better to build new hardware?
As far as price, I’m not really sure. I probably wouldn’t recommend the exact route I went as there are pretty affordable dual/quad NIC mini PCs on the market that would probably be a wiser choice.
As far as hacking the AirPort Extreme, you’re on the wrong channel😂 Seems like a super cool idea, I’m just not smart enough to give any advice
Always nice to have more control over router and VLANs etc.
But setting up iptv from the ISP can be a pain to setup properly.
I noticed myself doing so. IGMP needs to be enabled or other protocols, depending on how your ISP handles iptv.
And you don't want to piss off others in the household. 😋
Going fiber is also a different challenge depending on compatible hardware.
4:55 interesting use for pi-hole, PFSense (or at least OPNSense) actually comes with Unbound DNS which I use personally that supports what you mean, it is under DNS Overrides tab and you can do exactly what you described.
Bro, wdym goofy? It's a work of art I love it!
Good that I can learn from you and the people in the comments who tell about more efficient/alternative ways to do these things. Also have to wait for family to go out to tinker with the network lol
I recently switched back to pfSense on bare metal because it is quite complicated to configure VLANs on a Linux network bridge if you can't pass through two dedicated NICs.
Yeah, as cool as VLANs can be... I have a painful history with them lol
Have any recommendations for how that hardware and base os design looks with pfsense on bare metal?
Thank you. I would like to follow in your footsteps to create a similar setup. I have been using Cloudflare Tunnels instead of setting up WireGuard... but I totally used to run Pi-hole and PiVPN on bare metal Raspberry Pis and it worked great. I would like to set up those services again as part of my Proxmox.
I prefer OPNsense, it is updated MUCH more often, and natively supports Zenarmor, plus it works with MANY more NIC types than pfSense. I have both, but prefer OPNsense.
Either way, Love that you have it setup on PROXMOX and I too have mine setup the same way, pihole, and pivpn on a separate debian install in my PROXMOX box
Great howto, great build!
Keep em coming!!!!
Thanks! And opnSense is definitely on my “try it out” list.
That is some clean hardware!
I've never run a server. I think getting one could be a step up for my computing projects.
Do you have any principles/recommendations for when to use separate hardware? What 'deserves' its own OS in a Proxmox setup, when should I just run stuff bare metal, and what can be run in the same virtual environment?
I'm thinking of getting a pi-hole, creating my own file server for access and storage (linked to some form of backup), run some other self hosted services, and to tinker - without knowing exactly what I mean by that yet.
For some reason I can never seem to wrap my head around running a router in a VM, whether it is in Proxmox, VMware, or any other kind of hypervisor. Something about the routing seems to break my brain.
I have seen those dual 2.5G NICs on AliExpress before. As you know, a 2.5G NIC can operate at 5Gb in full duplex mode if transferring files from machine to machine over the LAN. With 2, that's 10Gb/s worth of bandwidth. Can the PCIe interface support that much speed?
I just heard about using Pfsense & Pi hole recently and I want to emulate this project!!
I think I may go this route, proxmox, pfsense, pi-hole, VPN, home assistant, NAS.
Sick of my current router dropping out
how did this entire project cost?
Is this better than a gaming router?
gaming routers are routers with access points, this doesn't have a standalone access point, but otherwise faster than those "gaming" routers.
@@arhamzarif6313 Should build another set as an ultimate access point
Yes absolutely
Sooooo Yes in a nutshell ?@@arhamzarif6313
You can't even compare them. DIY router may not have fancy RGB, but it offers a ton of other features and can be optimized to get great performance
Hey haven. Could you tell me how you assigned the NICs and what you connected to each NIC during testing? Use the frame in 8:04 for reference.
Oh, and what you connected to each NIC at the final setup please.
Same camp with the swap lol. Still running the old Unifi USG-3P even after I've started getting a pfSense box ready and have been doing some testing. It's currently been good and I have other Unifi gear, dynamic DNS and OpenVPN Access Server, but I've considered switching to WireGuard.
Oh nice! Good luck!
As a graphic designer, this all makes my mind melt..... but I love your content anyway
Because of the complexity of the topic or because of the terrible graphic design? Haha
@@HardwareHaven complexity
Haha gotcha. Both would’ve made sense 😂
Your link to the Shure SMB7 is wrong in the description, takes people to their orders ;)
Great vid! I've been watching a few of your videos and really enjoying your music as well(Town Groove is a bop!). Any plans on releasing any of these?
Awesome video!
I quite liked the idea of being able to boot from the passthrough drive in case something happens to Proxmox. In fact, I was trying to replicate it, moving my currently virtualized OPNSense to a spare drive, and realised something...
If the EFI Disk lives in the LVM/ZFS Proxmox pool, would one still be able to boot from the OPNSense drive, bypassing Proxmox?
Hmm.. not sure
I only understand the surface-level of the features that you discussed here, but I would love to build a router like this with a built-in VPN and PiHole. Would you recommend a beginner just stick to PFSense for those features if they don't feel the need to separate it onto a VM?
Nice! Been looking to build a box like this!
It's possible to do it all on one NIC using a managed switch (I have the Unifi 5 port), you just have to use VLANs. It's how I have my network set up right now, Proxmox with OPNsense.
Yep, but I don't want to do that if I don't have to.
You can save more resources by using pfBlocker on pfSense itself instead of pihole. It's the same with more features.
You should have cut the extra screw length popping out of the DIY shield, just in case it doesn’t make ground somehow
What connectors are you using on your bottom NIC? That thing lights up the whole LAN connector like it is a Christmas tree, or is it just the angle of the camera?
I love this channel. Thank you for sharing your experience and knowledge with us❤❤
Why not use VLANs? You can transport all the different networks via one cable and let your switch sort them out.
That's basically what I did but that's because my router only has one port on it, it works great but a lot of people either just don't have the space for a managed switch (since the easiest way to get these things is business surplus, I know small managed switches exist) or they simply don't want to deal with managed switches.
Now this is what YouTube should be about, intelligent people presenting interesting and positive video content. Thanks.
Deep dive for me already at a supersonic pace! I am looking for something much simpler by means of VLANs.
Maybe I missed it, but it seems that you set it all up only on VMBR0. Didn't you set up another virtual switch, say, VMBR1, to put all the virtual devices running on it behind pfSense's LAN subnet? Then you could even attach the second physical NIC to it, and have them all on subnet 192.168.10.0/24. Thanks
PFS is only running physical NICs, so the VMBR0 for everything else is just connected to the LAN1 subnet via the physical switch
@@HardwareHaven The WAN ethernet port was already attached to your ISP modem's LAN?
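The bridge layouts debated in these comments (a second, internal-only virtual switch so container traffic reaches pfSense without crossing the physical switch, and VLANs trunked over one NIC to a managed switch) in Proxmox's own config files, as an added example that is not from the video or any commenter; the interface name, VM/container IDs, VLAN IDs, MAC and 192.168.20.0/24 subnet are assumed.

```conf
# /etc/network/interfaces on the Proxmox host (ifupdown2 syntax).
# Added example; enp1s0, the addresses and VLAN IDs are assumed.
auto lo
iface lo inet loopback

# Physical LAN-side NIC; it only carries the management bridge.
auto enp1s0
iface enp1s0 inet manual

# vmbr0: host management on the LAN subnet from the comments. VLAN-aware
# so a single cable to a managed switch can carry several tagged networks
# (the trunk-port approach). Management never sits on a WAN-facing bridge.
auto vmbr0
iface vmbr0 inet static
    address 192.168.10.5/24
    gateway 192.168.10.1
    bridge-ports enp1s0
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-4094

# vmbr1: internal-only bridge with no physical port. Anything attached
# here can only reach the LAN through the pfSense VM's extra interface,
# so container traffic is filtered by pfSense but never leaves the host
# just to come back in through the physical switch.
auto vmbr1
iface vmbr1 inet manual
    bridge-ports none
    bridge-stp off
    bridge-fd 0

# /etc/pve/qemu-server/100.conf (pfSense VM, ID assumed). The hostpci
# lines that pass through the physical WAN/LAN NICs stay as in the video;
# this virtio NIC is the added interface pfSense routes for vmbr1
# (MAC is a constructed placeholder).
net0: virtio=BC:24:11:00:00:01,bridge=vmbr1

# /etc/pve/lxc/101.conf (Pi-hole container, ID assumed): static address on
# the internal subnet, default gateway = pfSense's address on vmbr1,
# Proxmox firewall enabled on the interface.
net0: name=eth0,bridge=vmbr1,ip=192.168.20.10/24,gw=192.168.20.1,firewall=1

# A container that instead needs its own tagged VLAN across the trunk on
# vmbr0 (VLAN 30 assumed) gets the tag on the virtual NIC:
# net0: name=eth0,bridge=vmbr0,tag=30,ip=dhcp
```

Apply the host file with `ifreload -a`; pfSense then needs the new virtio interface assigned with DHCP or a static 192.168.20.1 and an allow rule set for that subnet, since a new interface has no pass rules by default.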
Great video! Total cost?
Why not use the WireGuard that pfSense already has?
Can I request that you can provide links to get the adapter, the computer case component, and the NIC? It helps to buy the exact thing since you've done a proven proof-of-concept. Also, I want to thank you for showing us this awesome build.
The dedicated SSD for pfSense is a great idea
Is there a link for the dual M.2 NIC?
This is cool. I used XCP-ng when I virtualized my router because you don't need to pass through the NICs; you just assign the LAN and WAN ports to the VM, and Xen routes the traffic from the physical to the virtual.
Curious what virtual drivers the hypervisor emulates, though? Generally those can give very poor performance given the BSD base of pfSense.
I have a single question for a more personal preference...can this be done with OpenWRT?
A top LCD for monitoring and a pretty display would have been the cherry on top. Wouldn't even need a monitor to see what's the deal inside.
Yeah that would be pretty sweet… I bet something could be rigged together especially with the GPIO
Love your videos sir!!
Thanks Javier!
You should look into Ansible in case you haven't used it before :)
If you are using PiHole just for DNS and not adblock etc., just use the one that's built into pfSense, it's really solid
I do plan to use some ad blocking, but I just need to dial in some whitelisting to not break streaming devices and such lol
starts @6:00
Instant disliked the video as soon as I saw this comment. Fuck these youtubers
You actually don't need more than 2 NICs for Proxmox and pfSense. Just allow pfSense to reach out to WAN through one, and LAN through the other, which also allows Proxmox to use the LAN port as well :)
Yeah but I like PFSense having direct access to the NICs vs virtualized ones. Makes it much easier to boot bare metal if needed
@@HardwareHaven That makes sense. I've been running pfSense on Proxmox for over a year now and it's been super solid (as long as I'm not making dumb changes to see what happens)
I might argue 3 is the perfect minimum number of [passed thru] NICs for PVE+pfS, as you get 1 in, 1 out, and 1 for managing locally without getting in the way of the network
@@Maleko48 I absolutely agree, I'm just a cheapskate who doesn't want to buy more NICs
Nice touch with the QR code.
Not sure why you didn't just set up WireGuard directly on pfSense. But nice project regardless :)
I was wondering how you access your Proxmox web interface. Did you connect the Proxmox LAN bridge to the pfSense LAN physically or virtually? Or are you accessing your Proxmox web UI from your other router and on a different network?
I like it, i would like to make one my own too, and thank you for telling us about this, love your project.
Can we do it like this?
1. In Windows, install Proxmox as a VM (on a separate disk)
2. and inside Proxmox, install all the other fancy OSes
3. when you don't want to use Windows, boot from the Proxmox drive?
Why would you need anything but pfSense? Just use pfBlockerNG and you make Pihole obsolete, and pfSense can do things like Wireguard or other VPNs innately. But I guess it's a fun project. Personally, I still prefer a small separate appliance for my router. It can just do one thing and that is handle the Internet connection and the security from the outside in. Then I can do whatever with the stuff I want on the inside.
Checkout the FAQ in the description as I talk a bit more on that there. But you’re definitely not wrong haha, and thanks for the comment!
I'm new to all this, but turning your PC into a router sounds amazing, and with you changing your router entirely, what do ISPs say about doing that?
I still use the modem provided by my ISP, it’s just that the router is now behind it
It seems that all the services you need to "add" can also be found in pfSense, like HAProxy, pfBlockerNG, VPN server, DNS resolver, etc.
Check the FAQ in description or pinned comment 👍🏻
You’re correct but I still have some reasons why I chose what I did
Maybe try AdGuard Home instead of Pi-hole. Much better UI and more flexibility.
Tried both and I prefer AdGuard Home too.
Believe it or not, I rarely get time to mess around with new things outside of doing it for a video at this point haha
It seems to definitely be worth checking out though
Great videos Colten!! What about using Tailscale on an LXC as an exit node for Tailscale and also allowing LAN access??
I'll be waiting for the followup
do you need to have that specific seeed board with the RP2040 raspberry pi chip for this, or can you use older seeed model 4105 = ATSAMD21 chip?
Oh man, this looks cool, but I would try to use something else than that SSD just to keep that top view open.
Yeah... that was a bit of a bummer lol
I didn't watch the previous video about the hardware, but for people that don't want to build such a device themselves there is a (not so cheap) alternative. You can buy a (China-made) passively cooled mini PC with an N5105 Intel CPU and 4x 2.5Gbit Intel LAN ports barebone for around $200 (without SODIMM DDR4 RAM and an SSD).
For sure! I probably should’ve been clear that this is NOT the best route hardware-wise. However it was more fun lol
@@HardwareHaven Yes of course. I just noticed the similarity to these devices.
@@HardwareHaven So what makes it ultimate? The software?
The fact that it’s a router (with 2 LANs one of which is 2.5Gb), VPN server, and Pi-hole server all in one nifty little box. Obviously there are more impressive routers, hence ultimate being in “”s
To be clear, the 2.5Gb is essentially useless at the moment, which is why I didn’t really talk about it. I mostly just wanted a dual NIC to M.2. But if I ever upgrade to >1Gb Ethernet, I can switch ports around and take advantage of it without needing to upgrade.
The blackhole router. Cool shit broski!
Why pihole instead of pfBlockerNG?