How to Install a pfSense Firewall With an Existing Netgear MR60 Mesh WiFi and Two MS60 Access Points

I’ve always heard of pfSense as a great open-source firewall with a nice list of features. We have an MR60 with two APs (MS60) for a total of three access points, and it’s a great piece of hardware providing good wireless through the two stories. I wanted to control internet access, and the MR60 has a module to do that, but only for a yearly subscription. I thought this was a perfect time to set up pfSense, so this blog is about installing pfSense where there’s an existing Netgear MR60 with two MS60s.

Required Hardware

First the hardware. I found this cool machine, all metal, no fan (QOTOM Q730G5 Barebone Mini PC - Intel Quad-core J4105, AES-NI, 5 Intel 2.5G LAN, 10 Watts, Industrial Mini PC Firewall Gateway Router Q730G5 Barebone, No RAM, No SSD - https://amzn.to/49CKUXZ). I could have used an old machine, but I didn’t want to keep a machine on 24/7 that consumed upwards of 80 watts. The TDP for this machine is 10 watts, it runs without any sound (I loved that part!) and it is just perfect for something like a firewall.

Since this is a barebone machine, I bought a cheap 16GB laptop module (https://amzn.to/4aA0g0H).

I already had an SSD, but it takes NVMe drives as well. There’s no place to screw in the SSD, so I just connected it (one SATA connector is available in the machine), put it on top of the board and screwed the whole thing back together.

Software Installation

Get the 64-bit version of pfSense from https://www.pfsense.org/download/. I downloaded the ISO, unzipped it using WinRAR and saved it on a Ventoy flash disk (https://www.ventoy.net).

Connect a keyboard and a monitor to the machine. It has HDMI for display and several USB 2 and 3 ports. Press F11 to choose to boot from USB.

Select all default options and reboot. If you need help, go through this: https://docs.netgate.com/pfsense/en/latest/install/download-installer-image.html

First configuration of pfSense

Upon reboot, you need to select the WAN port and at least one LAN port. Follow the instructions in the prompts. Mine didn’t detect any ports in the device, so I did manual input and provided the interface names (igc0 for WAN and igc1 for LAN). I used an ethernet port from my existing LAN to connect to the WAN port (yes, you can do that!) to set up the WAN port.

Upon reboot, connect your LAN port to your computer and make sure you can access 192.168.1.1, the pfSense portal, AND access the internet via that connection, provided you’ve connected the WAN port to your existing router. If both work out, you’re now ready for the next step.

I spent a long time getting this basic setup completed. Here’s what I’ve learned. If, upon reboot, you cannot access 192.168.1.1, there’s an issue with your setup. Use the ‘reset’ option in the pfSense menu to reset the setup and start again. This will just reset the configs, and you can reconfigure.

Connect pfSense hardware to your network

Unhook the pfSense box from your lab and take it to where your home network switches/internet box is. Unhook the ethernet to the MR60 (we’ll set this up later). Hook up pfSense so that the WAN (igc0) port is connected to the data port on your ONT or your internet modem. The LAN (igc1) port should now be connected to the switch from which the whole house gets its internet.

Check that all connected devices have internet.

Re-setup MR60

Bring the disconnected MR60 to your lab. Reset it (press the reset button until it starts blinking). After the reset is complete, connect it to your lab’s switch that has internet connectivity. Yes, you’ll have to reset the MR60 so you can set it up again, because you won’t be able to reconnect it to the network just like that. If you do, you’ll have weird connectivity issues.

Now set up the MR60 as a new setup using the Nighthawk app on your phone.

After setup, all your wifi devices will be connected to the MR60. However, they’ll all have 10.x.x.x IPs since the MR60 will run its own DHCP by default. If you’re cool with it, you can now stop and reconnect the MR60 to your main router. I wanted one DHCP server and all IPs to be 192.x.x.x, so I did this one more step.

Use pfSense as the only DHCP server

Go to routerlogin.net in your browser and log in. Go to Advanced → Wireless AP → Enable AP Mode → Save. Let the MR60 reboot. After reboot, all your wireless devices will be on the same network as your wired machines, which is 192.x.x.x.
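
To confirm that pfSense really is the only DHCP server once the MR60 is in AP mode, you can look at DHCP OFFER packets and flag any that do not come from 192.168.1.1. The Python below is an added example, not part of the original post; the function names, the 10.0.0.1 address for a second server and the sample packets are constructed for illustration.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
EXPECTED_SERVER = "192.168.1.1"  # pfSense LAN address from this post


def parse_dhcp(payload: bytes) -> dict:
    """Parse the UDP payload of one DHCP message (RFC 2131 layout)."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    options, i = {}, 240
    while i < len(payload) and payload[i] != 255:  # 255 = end option
        if payload[i] == 0:                        # 0 = one-byte pad
            i += 1
            continue
        length = payload[i + 1] if i + 1 < len(payload) else -1
        value = payload[i + 2:i + 2 + length]
        if length < 0 or len(value) != length:
            raise ValueError("truncated option")
        options[payload[i]] = value
        i += 2 + length
    mtype, server = options.get(53) or b"\x00", options.get(54, b"")
    return {
        "type": mtype[0],                          # 2 = DHCPOFFER
        "offered_ip": str(ipaddress.IPv4Address(payload[16:20])),  # yiaddr
        "server_id": str(ipaddress.IPv4Address(server)) if len(server) == 4 else None,
    }


def unexpected_offers(payloads, expected=EXPECTED_SERVER):
    """Return (server_id, offered_ip) for each OFFER not sent by `expected`."""
    return [(m["server_id"], m["offered_ip"]) for m in map(parse_dhcp, payloads)
            if m["type"] == 2 and m["server_id"] != expected]


def build_offer(server: str, offered: str) -> bytes:
    """Constructed sample OFFER standing in for a captured packet."""
    header = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x1234, 0, 0)
    addrs = bytes(4) + ipaddress.IPv4Address(offered).packed + bytes(8)
    options = bytes([53, 1, 2, 54, 4]) + ipaddress.IPv4Address(server).packed + b"\xff"
    return header + addrs + bytes(16 + 64 + 128) + MAGIC_COOKIE + options


SAMPLES = [build_offer("192.168.1.1", "192.168.1.50"),  # constructed: pfSense
           build_offer("10.0.0.1", "10.0.0.2")]         # constructed: second server

if __name__ == "__main__":
    print(unexpected_offers(SAMPLES))
```

Feed `unexpected_offers` the UDP payloads from a capture of ports 67 and 68 taken while a client renews its lease; an empty list means only 192.168.1.1 answered.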
