gnexus-book / 10-systems / networks / pfsense-router.md

owner: gmikcon
status: active
last_reviewed: 2026-05-10
review_interval: 90d
confidence: high
source_of_truth: owner-confirmed-and-ssh-pfsense

pfSense Router

Central router and firewall for the local network.

Access

  • Web UI: https://192.168.1.1/
  • SSH: ai_agent_ro@192.168.1.1:22, read-only access for documentation agents.
  • SSH authentication: owner-managed key.
  • Secret values are not stored in this repository.

Role

  • Local network edge.
  • Firewall and routing point for internal infrastructure.
  • DHCP server for home-lan and home-iot-lan.
  • Local DNS resolver through Unbound.
  • Local NTP endpoint.
  • Part of the path between local infrastructure and services reachable through trusted network paths.

Platform

  • Hostname: pfSense.home.arpa.
  • OS: pfSense CE 2.7.2.
  • Base system observed over SSH: FreeBSD 14.0-CURRENT, amd64.

Interfaces

| Interface | Description | Role | Address | MAC | Status |
| --- | --- | --- | --- | --- | --- |
| re0 | LANTECH | home-iot-lan | 192.168.2.1/24 | 00:e0:4c:68:07:9f | active, 1000baseT full-duplex |
| re1 | none | unused | none | 00:e0:4c:68:39:03 | no carrier |
| re2 | LANMAIN | home-lan | 192.168.1.1/24 | 00:e0:4c:68:35:ba | active, 1000baseT full-duplex |
| re3 | WAN | WAN uplink | 172.32.2.78/24 | 70:85:c2:24:ee:4b | active, 1000baseT full-duplex |

Routing

Observed routes:

  • Default route: 172.32.2.1 through re3.
  • 192.168.1.0/24 is directly connected through re2.
  • 192.168.2.0/24 is directly connected through re0.
  • Host routes for 8.8.8.8 and 2.2.2.2 are present through re3.

Local Services

Observed listening services:

  • SSH: *:22.
  • Web UI through nginx: *:80, *:443.
  • DHCPv4 through Kea: 192.168.1.1:67, 192.168.2.1:67.
  • DNS resolver through Unbound: *:53.
  • Unbound control: 127.0.0.1:953.
  • Syslog: UDP *:514.
  • NTP: UDP *:123, including bindings on 192.168.1.1, 192.168.2.1, 172.32.2.78, and 127.0.0.1.
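Several of the listeners above are bound to the wildcard address, which means they are also bound on the WAN address 172.32.2.78 and depend entirely on the WAN firewall rules (not yet documented here) for protection. The following check is an added example, not code from this repository or from pfSense: it parses FreeBSD `sockstat -4l` output and reports which listeners are reachable on the WAN side; the sample output is constructed from the list above, not a capture from the router.

```python
"""Flag pfSense listeners that depend solely on WAN firewall rules.

Parses FreeBSD `sockstat -4l` output and reports sockets bound to the
wildcard address or to the WAN address itself.
"""
import ipaddress

# WAN address documented for this router (re3).
WAN_ADDRESS = ipaddress.ip_address("172.32.2.78")

# Constructed sample in sockstat -4l format, built from the documented
# services list; it is not a capture from the router.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       1234  4  tcp4   *:22                  *:*
root     nginx      2345  6  tcp4   *:80                  *:*
root     nginx      2345  7  tcp4   *:443                 *:*
root     kea-dhcp4  3456  8  udp4   192.168.1.1:67        *:*
root     kea-dhcp4  3456  9  udp4   192.168.2.1:67        *:*
unbound  unbound    4567  3  udp4   *:53                  *:*
unbound  unbound    4567  4  tcp4   *:53                  *:*
unbound  unbound    4567  5  tcp4   127.0.0.1:953         *:*
root     syslogd    5678  7  udp4   *:514                 *:*
root     ntpd       6789  20 udp4   *:123                 *:*
root     ntpd       6789  21 udp4   172.32.2.78:123       *:*
"""


def parse_sockstat(text):
    """Return (command, proto, host, port) for each listening socket line."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] == "USER":
            continue  # skip the header and blank lines
        command, proto, local = fields[1], fields[4], fields[5]
        host, _, port = local.rpartition(":")  # "*:22" -> ("*", "22")
        rows.append((command, proto, host, int(port)))
    return rows


def wan_reachable(rows, wan=WAN_ADDRESS):
    """Listeners bound to '*' or to the WAN address, as 'proto host:port command'."""
    exposed = set()
    for command, proto, host, port in rows:
        if host == "*" or ipaddress.ip_address(host) == wan:
            exposed.add(f"{proto} {host}:{port} {command}")
    return sorted(exposed)
```

Run it against real `sockstat -4l` output from the read-only SSH account to refresh this list; anything it reports should be matched against an explicit WAN rule.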

Resolver configuration:

  • Nameservers, in order: 127.0.0.1, 8.8.8.8, 2.2.2.2.
  • Search domain: home.arpa.

Local Network Topology

The home network currently consists of two local networks implemented through one custom router with multiple network interfaces.

Each local network runs from its router interface into a switch and is then distributed through the home. The access layer includes wired TVs, PCs, servers, and Wi-Fi access points.

Home LAN

  • Inventory id: home-lan.
  • CIDR: 192.168.1.0/24.
  • Gateway: 192.168.1.1.
  • Router interface: re2 / LANMAIN.
  • Main Wi-Fi SSID: home.
  • Wi-Fi mode: access points, not a separate routed Wi-Fi network.
  • Access points: 2 nodes.
  • Mesh mode: enabled for the main Wi-Fi nodes.

Home IoT LAN

  • Inventory id: home-iot-lan.
  • CIDR: 192.168.2.0/24.
  • Gateway: 192.168.2.1.
  • Router interface: re0 / LANTECH.
  • Purpose: service network for smart-home and IoT devices.
  • Wi-Fi mode: access points.
  • Mesh mode: intentionally disabled.
  • IoT Wi-Fi nodes:
    • home_iot_0
    • home_iot_1
    • home_iot_2

Current And Planned Policy

Current policy:

  • full access between home-lan and home-iot-lan;
  • IoT internet access is currently allowed.

Possible future policy:

  • isolate the two networks from each other;
  • cut off the IoT network from the internet.

Dual-Homed Smart Home Server

The smart-home server is present in both networks, so it remains a path between them even if the planned isolation policy is applied:

  • 192.168.1.101 on home-lan;
  • 192.168.2.101 on home-iot-lan.

Further details still need to be documented: firewall rules, port forwards, VPN routes, DHCP static mappings, and DNS host overrides.