
Configuring My Parents’ Home Network with pfSense

.ב״ה

At the start of 2018 (Shevat 5778), I moved with my parents from our lifelong home to a newer, larger, somewhat temporary house. When we moved in, we had no real idea of how long we would be here, or what we would bring with us. I was approaching the end of my university studies and starting my freelancing business. They were preparing to sell the house for something smaller after my eventual leaving of the nest. Because of this, we gave no care to our network configuration. As we’ve continued to expand our tech inventory and faced new challenges, however, this has needed to change. At the end of 2019, I set out on a quest to configure my parents’ home network from scratch to address the issues we were now facing.

What Was Going Wrong

The first major issue that we were facing was that our WAN connection kept dropping. Our ISP at the time, Virgin Media, were suffering from various load-bearing problems and maintenance hiccoughs. This resulted in several instances of downtime lasting over 12 hours. We even had two full days of downtime at one point! As someone working and studying from home, this was completely unacceptable. Credits from our ISP would not be enough to make up for the loss in connectivity.

The second recurrent problem also came from our ISP but in a different way. The modem-router combo they provided, known as the Super Hub 3, is anything but super for the power user. The management interface is slow and unintuitive. It likes to forget static IP assignments, frequently clearing its own static mappings table. Connecting more than just a handful of devices at once brings it to a crawl. Worst of all, whilst a single computer could happily see 200 Mbps Fast speeds, LAN connections rarely received such treatment.

The third inconvenience was, whilst frustrating, admittedly self-imposed. I frequently make use of VPNs for work. When I’m on-site or travelling abroad, I need to be able to access services and files on my LAN. Sometimes, I need to be able to connect to a client’s LAN without being on-site. When I have control of the setup, I can temporarily run an OpenVPN server. I don’t always have this privilege, however, so I need to be able to connect to my VPNs in a manner that isn’t device-specific.

There were other issues accompanying the three I’ve mentioned here, but these were the major ones that drove the network reconfiguration. Below is a network diagram of the configuration before we started to fix any of these problems.

A diagram of my parents’ home network prior to the changes.

Adding a secondary WAN connection

To overcome the first issue, we added a second Internet connection, provided by Vodafone UK’s business services. Whilst Vodafone’s connection is far slower, it isn’t in use all of the time. Its primary purpose is to make sure we still have a connection when Virgin experiences downtime. Where Virgin provide a DOCSIS cable connection, Vodafone uses BT Openreach FTTC. This means that both of our WAN connections run over separate infrastructure, improving the redundancy.

After two Openreach engineers re-established our connection to the local BT cabinet and installed the necessary sockets in our house, our Vodafone WAN was ready to go. Vodafone had shipped us a Vox3 modem-router combo, which is about as useless as Virgin’s, ready for manual installation. Getting it started was as easy as connecting to the ADSL socket, but getting it configured nicely is a completely different story.

Unfortunately, and unlike the Super Hub 3, the Vox3 does not have a built-in modem mode. For most users, this won’t be an issue. The primary use case for an ISP-provided router will always be as the only WAN-connected router on a network. This, however, is a major downside for us. It’s also indicative of a general lack of control over the router. Many options that even the Super Hub 3 presents to us, such as fine-grained channel control, are simply absent from the Vox3.

Because of this, we have to rely on some fudged configuration to get the Vox3 to function as if it were a modem. We had to manually disable many of the features of the router, such as Wi-Fi connectivity. Some other functionality, such as DHCP, cannot be disabled. Because of this, we have to live with our second WAN interface being double NAT. This shouldn’t present too many issues, but only time will tell.

With both of our ISP-supplied modems configured, we needed a new router. Being familiar with FreeBSD, I decided that the Netgate SG-3100, a pfSense-powered gateway appliance, would be ideal.

Introducing the Netgate SG-3100

The SG-3100 had everything we needed. Two WAN ports would allow our Internet connection to be load-balanced and swapped without manual intervention. Multiple LAN ports provided enough ports to connect all of our local systems and switches. An enterprise-quality administration panel meant no corners were cut and all features were available to us.

As it runs pfSense, it has more features than I could possibly ever need in a home environment. We had the option of building our own low powered pfSense router, but after factoring in the costs such as the price of performant NICs, it made more sense to buy one from a vendor. The lively, Netgate-backed pfSense community, and the reassurance provided by vendor warranties, made it an easy choice.

If you are interested in exploring pfSense for your own uses, you can watch this great video by Lawrence Systems. Alternatively, you can install it in a virtual machine or on bare metal and try it out for yourself, as it’s free software.

Dual-WAN and load balancing

Configuring two WAN interfaces was a breeze. After connecting our Virgin modem to the WAN port and the Vodafone modem to the OPT1 port, setting up the dual-WAN was as easy as reading through the Routing and Multi-WAN section of the pfSense documentation.

Once I had configured our gateways and their groups, we had load balancing between our WANs: whilst both of our WAN connections are live, traffic is split between them. This is weighted, so more traffic passes through our faster ISP than our slower one.

Our Virgin connection has suffered a handful of outages and some maintenance downtime since the new setup was completed, and the SG-3100 has successfully routed all of our traffic through the secondary WAN. It has also managed to detect when our primary WAN was live again, returning to its previous load-balancing state.
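The behaviour described above (weighted sharing whilst both links are up, failover when one drops, and a return to sharing on recovery) can be modelled in a few lines. This is an added illustration, not pfSense's code or the configuration from this network; the tier and weight values are assumptions, as the post does not give them.

```python
from collections import Counter
from dataclasses import dataclass
from itertools import cycle


@dataclass(frozen=True)
class Gateway:
    name: str    # interface label as used in the post (WAN, OPT1)
    tier: int    # lower tier is preferred; equal tiers share the load
    weight: int  # relative share of new connections within a tier


# Constructed values: the post does not state its tiers or weights.
GROUP = [Gateway("WAN", tier=1, weight=4), Gateway("OPT1", tier=1, weight=1)]


def active_members(group, online):
    """Return the online gateways in the lowest tier that still has any."""
    up = [g for g in group if g.name in online]
    if not up:
        return []
    best = min(g.tier for g in up)
    return [g for g in up if g.tier == best]


def distribute(group, online, connections):
    """Assign new connections by weighted round-robin over active members."""
    members = active_members(group, online)
    if not members:
        return Counter()  # no gateway is up, so nothing can be routed
    # Repeat each gateway 'weight' times, then walk that list in a cycle.
    slots = cycle([g.name for g in members for _ in range(g.weight)])
    return Counter(next(slots) for _ in range(connections))


if __name__ == "__main__":
    for label, online in [("both up", {"WAN", "OPT1"}),
                          ("primary down", {"OPT1"}),
                          ("primary back", {"WAN", "OPT1"})]:
        print(label, dict(distribute(GROUP, online, 1000)))
```

Giving the two gateways different tiers instead of the same one turns the model into pure failover: the secondary only carries traffic once the primary is marked down.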

Below is the network diagram as it was once the network was rearranged. It has since changed to incorporate more devices in more rooms, but this is outside of the scope of this post.

A diagram of my parents’ home network after the changes.

Concluding Configuring My Parents’ Home Network

After all is said and done, the home network is finally starting to take shape. The Netgate SG-3100 has been performing exceptionally well for a few months now, and we’ve experienced no issues with it so far. pfSense can be a little complicated when it comes to fiddling with the settings, but Netgate’s detailed documentation makes up for that and then some.

In the coming weeks, I will be blogging about some additional changes, including my latest piece of kit: a HP ProLiant DL360p Gen8 1U server running FreeBSD on ZFS!

As always, drop a comment below or join my Discord server if you have any comments or questions.
