DEV Community

Cover image for Setup pfSense with TM Unifi [Malaysia ISP]
Ahmad Afiq Azmi
Ahmad Afiq Azmi

Posted on • Edited on

Setup pfSense with TM Unifi [Malaysia ISP]

Since I learn from my mistake why I was unable to connect my WAN connection to TM Unifi ISP because of 1 tick settings. Here I want to share by default to setup pfSense with TM Unifi.

Pre-requisite

  1. PfSense installed in any hardware. If you do not installed yet, you can check out this documentation from Netgate.

  2. Already go through pfSense wizard initial setup.

Configure WAN using PPPoE

Since mostly consumers using TM Unifi will be provided with PPPoE credentials to use connect to Internet. This is configure mostly by their technical staff when we're first installed home fiber at out home.

Now this is are mostly current architecture for home network.

Network architecture for home

As you can see above diagram, we want to use pfSense as our main router and firewall and another TM Unifi Router we can use as Access Point.

Network architecture using pfSense

Step 1:
So the first thing you need to do, go to pfSense WebGUI and login.

Step 2:
Go to Interfaces -> Assignments -> VLANs Tab

Add new VLAN Tag 500,

Note: TM Unifi using VLAN 500 for connectivity to Internet and for HyppTV is VLAN 600.



Parent Interface: <your_WAN_interface>
VLAN tag: 500
VLAN Priority: Blank
Description: TM UNIFI


Enter fullscreen mode Exit fullscreen mode

and then click Save.

Step 3:
Go to Interface Assignments Tab, on 'WAN' interface, edit Network port



VLAN 500 on <parent interface> (TM UNIFI)
# <parent_interface> that you configure on VLAN section.


Enter fullscreen mode Exit fullscreen mode

and then click Save.

Step 4:
Click on 'WAN' Interface



# General Configuration

Enable: Yes # Enable interface
Description: WAN_TMUNIFI
IPv4 Configuration Type: PPPoE
IPv6 Configuration Type: None
MTU: 1480
MSS: Blank

# PPPoE Configuration

## contact TM Support Center for these details
Username: # Your PPPoE username
Password: # Your PPPoE Password
Service name: Blank
Host-Uniq; Blank
Dial on demand: Yes # Enable Dial-On-Demand mode
Idle timeout: 0
Periodic reset: Disabled

## Yeah the settings I miss is Dial on demand. We need to enable that for PPPoE connection to work.

# Reserved Networks

Block private networks and loopback addresses: Yes
Block bogon networks: Yes


Enter fullscreen mode Exit fullscreen mode

and click Save and Apply Changes.

Step 5:
Verify your PPPoE connections. Go to Status -> Interfaces

Note: If you see your static or dynamic public IP address is correct and status and PPPoE is up then you're good. If you're not, ensure VLAN and PPPoE credentials is configure properly.

Now your PfSense is connected into Internet. Hooray.

Configure LAN using VLAN

Since, we're now using default TM Unifi Router as Access Points, let's create VLAN for our home network. For this example, we're using VLAN 30.

Step 1:
Go to Interfaces -> Assignments -> VLANs Tab

Add new VLAN Tag 30,



Parent Interface: <your_LAN_interface>
VLAN tag: 30
VLAN Priority: Blank
Description: Home Network.


Enter fullscreen mode Exit fullscreen mode

and then click Save.

Step 2:
Go back to Interface Assignments Tab, click + Add new Network Port into Interface Assignments.
Choose our VLAN 30 that we've created before. Then click Save.

Step 3:
Go to 'OPT1' or any OPT(ID) that has VLAN 30, configure the interface



# General Configuration

Enable: Yes # Enable interface
Description: VLAN30
IPv4 Configuration Type: Static IPv4
IPv6 Configuration Type: None
MAC Address: Default
MTU: Blank
MSS: Blank
Speed and Duplex: Default

# Static IPv4 Configuration

IPv4 Address: 192.168.30.1/24
IPv4 Upstream gateway: None
# Note: None - since its on LAN it will use what's on WAN interface gateway.

# Reserved Networks:

Block private networks and loopback addresses: No
Block bogon networks: No


Enter fullscreen mode Exit fullscreen mode

and click Save and Apply Changes.

Good, now you have setup VLAN 30 for your home network and let's create DHCP Server for VLAN 30 for Access Points to distribute automatically IP addresses.

Setup DHCP Server for VLAN 30

An automatic distribution and assignment of IP addresses, default gateways, and other network characteristics to client devices is performed by a DHCP server, a type of network server.

Step 1:
Go to Services -> DHCP Server. Then go to VLAN30 DHCP Server

Step 2:
Under VLAN30 DHCP Server settings, configure



# General Options

Enable: Yes # Enable DHCP server on VLAN30 interface
BOOTP: No
Deny unknow clients: Allow all clients
Ignored denied clients: No
Ignore client identifiers: No
Subnet: 192.168.30.0
Subnet mask: 255.255.255.0
Available Range: 192.168.30.1 - 192.168.30.254
Range: 192.168.30.11 - 192.168.30.254
# Note: Reserved first 10 IP address in the subnet for backup purposes. This IP addresses can be used for static IP for our Access Points or Management Devices.

# Additional Pools
# - Leave it is as default

# Servers

WINS servers: Default
DNS servers: 
8.8.8.8
1.1.1.1

# OMAPI
# - Leave it is as default

# Other Options

Gateway: 192.168.30.1 # IP VLAN 30 on LAN interface
Domain name: Blank
Domain search list: Blank
Domain lease time: Blank
Maximum lease time: Blank
Failover peer IP: Blank
Static ARP: No
Time format change: No
Statistics graphs: No
Ping check: No

# - Leave it is as default for:
Dynamic DNS
MAC address control
NTP
TFTP
LDAP
Network Booting
Additional BOOTP/DHCP Options


Enter fullscreen mode Exit fullscreen mode

Click Save.

Step 3:
Set Firewall Rule for VLAN 30 to able to connect to Internet.

Go to Firewall -> Rules and choose VLAN 30. Click 'Up Arrow Add' and edit firewall rule



Action: Pass
Disabled: No
Interface VLAN30
Address Family: IPv4
Protocol: Any

Source: Any
Destination: Any

Description: Allow INTERNET access


Enter fullscreen mode Exit fullscreen mode

Note: Rules based on line-by-line configuration. By default, at the end of line, it will be "Deny any any all the rules". This basically block everything.

Step 4:
Setup our Access Points with complete SSID and password. This depends on which router model you're using. Go to their model documentation how to set or change your router to access points mode.

Note: Ensure that the Access Points is set Static IP Address. Recommended to use Security WPA/WPA2-Personal

Step 5:
Test your Internet connection. Connect to your Wi-Fi and ensure you able to ping all of those.



ping 192.168.30.1 # Your PfSense Router
ping 1.1.1.1
ping 8.8.8.8
ping google.com
ping cloudflare.com

Enter fullscreen mode Exit fullscreen mode




Conclusion

Congrats, now you've setup basic home network using PfSense. I would love to recommend to check out this Youtube Guy Lawrence Systems for more in depth PfSense configuration and settings.

Top comments (6)

Collapse
 
kelvinsim profile image
kelvin-sim

May I know if anyone has any issues with this setup for WAN?
I kept getting
[wan_link0] Link: reconnection attempt 3 in 2 seconds
[wan_link0] LCP: Down event
[wan_link0] Link: DOWN event
[wan_link0] PPPoE connection timeout after 9 seconds
[wan_link2] PPPoE: Connecting to ''
[wan_link2] Link: reconnection attempt 2
[wan_link3] PPPoE: Connecting to ''
[wan_link3] Link: reconnection attempt 2
[wan_link1] PPPoE: Connecting to ''
[wan_link2] Link: reconnection attempt 2 in 3 seconds

Collapse
 
mooglestiltzkin profile image
mooglestiltzkin

i see your ipv6 is set as none. did u managed to configure that to work for tmnut?

me and another user experience tmnut ipv6 will get frozen and unable to reconnect. so basically no internet because something related to ipv6 using pfsense to tmnut causes this issue that drops the internet at some point, and refuses to allow you to reconnect, so essentially no internet without possibility to reconnect, unless u call up tmnut and ask them to do a reset of the port or some such for it to work again. but that doesn't solve the issue of the thing dropping yet again after a while.

did u try setting up ipv6 on pfsense yet for tmnut :} ?

Collapse
 
froxity profile image
Ahmad Afiq Azmi

Sorry for late reply, for ipv6, I'm not very familiar how to set it and never have done it before. For now because I subscribing to ipv4 static ip, thats why I put default ipv6 none and mainly use ipv4 traffic. Maybe in the future I will try but cannot promise to test it soon. Thank you for reading.

Collapse
 
mooglestiltzkin profile image
mooglestiltzkin

i can confirm their setting work using the current pfsense version :}

but i see some users comment that ipv6 routing is not the best.... so some users opt to disable ipv6, and simply just use ipv4 only, at least for now.

Collapse
 
mooglestiltzkin profile image
mooglestiltzkin

Someone updated their pfsense guide.
https://forum.lowyat.net/index.php?showtopic=2978208&st=1340&p=105720655&#entry105720655

they are using unifi business, so the part that unifi home users need to change is the prefix delegation number to /64

Collapse
 
01moynul profile image
Moynulislam Munna

Thanks a lot, it's working perfectly. First I use pppoe set up to Wan directly which didn't work out then I almost pulling my hair out but thought to check online and saw your post, with vlan it work perfectly. My question is why it didn't work with pppoe to Wan direct set up or why is needed the vlan? If any wise man with bleeding heart have the answer please let the novice like me to know it. That will be appreciated. Although thanks for this post.