Configuring pfSense for Google Fiber
UPDATE (September 08, 2018): According to a post by an anonymous writer in the Google Fiber sub-reddit, VLAN and QoS will no longer needed to be configured for Internet-only customers beginning sometime in October 2018. This should mean any router can be plugged in and it should work (though I assume you’ll still need some sort of PoE for the Fiber Jack). Anyway, the instructions in my original post below should still work for now, but if this information is correct it could mean none of this is necessary starting in the near future.
As I mentioned in a previous post, I’m fortunate enough to have Google Fiber service at home. We’ve had the service for a little over a year now and I’ve found it to be fast and reliable. However, I have also found the Google Fiber Network Box to be… lacking. My first dislike for the Network Box came immediately upon realizing that it’s configured via the cloud. In practice this often means waiting for settings you’ve changed to be picked up by the Network Box. My second issue with the Network Box is a general lack of features for those of us who desire a little more control over our home networks. Having been spoiled by pfSense in the past, I found that I couldn’t expect much beyond basic DHCP reservations. After some use a third issue arose when I realized that large numbers of connections seemed to make the Network Box unstable.
None of those things mattered much, however, because Google says you’re stuck with the Network Box. There’s no bridge mode and other home routers won’t work if you attempt to use them.
Thankfully Fiber pioneers came along before me to figure out why that was. After searching through several posts from years past with various options for making other routers work, I eventually found a post in the pfSense forums that explained how to configure pfSense directly to work with Google Fiber. However, since deep searching was required, I thought it might be best if I posted something more straightforward here for others to find.
A couple of important notes before we begin: First: The Google Fiber Network Box is just one of the required pieces of hardware to connect to the Google Fiber service. If you’re a Google Fiber customer you also have the Fiber Jack somewhere in your home. The Fiber Jack can be powered directly by a USB power supply but it is typically powered via POE from the Network Box. If your Fiber Jack is powered by POE and you intend to use pfSense, you’ll want to get a POE injector to put between your WAN interface and the Fiber Jack. This is the one I’m using and it’s been great so far. Second: This is for Google Fiber customers who only have Internet service. If you also have the TV service please know that this information will not be enough to get the Fiber TV service up and running. I’m not a Fiber TV customer so I can’t be much help there.
Enough chatter. Let’s configure pfSense for Google Fiber.
1. With the WAN interface at it’s default settings (using a DHCP address), let’s start by logging into pfSense and opening the Interfaces -> Assignments menu.
2. Next, let’s add a VLAN assignment to the WAN interface. Click on the VLAN tab and then click the “Add” button.
3. Now select your WAN interface as your “Parent Interface”. Enter 2 in the VLAN Tag field and 3 in the VLAN Priority field. Now click the “Save” button.
4. Verify that VLAN settings are correct and then click the “Interface Assignments” tab on the left.
5. From the WAN interface drop-down menu, select your WAN interface with the VLAN assignment we just created. Now click “Save”.
6. Reboot pfSense for good measure and you should be all set.
This has worked reliably for me for the past year. With the appropriate hardware behind it, bandwidth tests indicate that I’m getting the full gigabit speed of my Google Fiber connect. For me pfSense + Google Fiber has been ideal.
Many thanks to the posts (1, 2) at the Flyover Country blog which (as best I can figure) originally posted the information required to get third-party routers working with Google Fiber. I’d also like thank King Viper at the pfSense forums for pointing out that this could all be configured directly in pfSense without the need for managed switches.
19 thoughts on “Configuring pfSense for Google Fiber”
Wow, I went through the whole managed switch method from Flyover Country blog years ago when I got Google Fiber. At the time it appeared there was no hope for doing the vlan tagging on pfsense in a way that worked with GF. Wonder if that was because I was (and still am) on pfsense 2.1. I see from your tutorial you are on a newer version.
Same. I believe this only became a viable option as of pfSense 2.3. Works great now!
I completely rebuilt my firewall tonight so I thought I’d share the very latest as of 11/27/18 and pfSense 2.4.4. I’m now unable to even get an IP on the wan without the VLAN and 802.1pQ tags on the WAN. The last time I built from scratch with early 2.3.x and back then you could get an IP but speed was only 50-100mbit. So, they definitely didn’t remove that requirement a month or two ago. If anything, they tightened it up. I got 932.21/932.29 in peak hours this evening in a VM on ESX 6.5.
Side note, I used pfSense 2.1 successfully with Google Fiber back in the day. The trick was running it in a VM and letting ESXi tag the packets since pfSense didn’t do it correctly.
First, thank you Nick you made my switch from the GFNB to my shiny new pfSense SG-4680 a seamless transition. However, I noted that when my lease renewed from GF my speedtests have dropped by half. I noted from the arp table that my IP has been assigned from *.slc.googlefiber.net instead of kcmo. I think this may be the problem. I tried to spoof the MAC of the old NB … after the fact 🙁 … but no luck. Any idea how I could release/renew and force a kc address?
Brian: That’s interesting. I haven’t had any similar trouble. The only bandwidth issue I was previously aware of was for people who hadn’t configured the QoS setting mentioned in my post. Wish I could be of more help, but do please come back and post here if you figure it out!
Brian, curious if you discovered a solution or cause to this? I am also in KC and was about to pull the trigger on a similar setup.
Hi Nick,
Can you speak to the physical connections you’ve made? Fiber jack -> POE -> pfSense WAN port, do I understand this correctly? What’s on your LAN port, a switch, a wireless AP? What is the GFNB connected to?
I have pfsense 2.4.3 with a shiny intel 4-port gigabit card installed, and am ready to configure it, but need some pointers plugging in the cables :).
Sure thing! A reminder up front: I’m not using Google Fiber TV services. Only Internet.
I also have a 4-port gig NIC for pfSense. It’s currently wired up like this:
— NIC port 1 -> POE injector -> Google Fiber Jack
— NIC port 2 -> gigabit switch -> LAN devices/WAP
Configure NIC 1 as your WAN interface in pfSense and NIC 2 as your LAN interface. That should be all you need. The Google Fiber Network Box is plugged into nothing and is currently stored in my garage. 🙂
Is that helpful?
> Is that helpful?
Very! As soon as everyone gets off TV for the night, I’m going to move cables around and try this out.
At the risk of One new question:
I regularly have to test consumer mesh wifi router equipment that works best on a traditional modem setup where the mesh router gets the public IP assigned to its WAN. Is there a pfSense setting that can bridge or IP passthrough the public IP to the first downstream LAN device? (I know, I know, off topic for the GFNB discussion. Sorry. 🙂 )
OK, new (and hopefully, last) question:
It works!
But it’s slow. 84Mb down, 2 up. What are the QOS settings that need to be changed to get the 900 that I get wired, or the 400ish that I get on wifi when using the GFNB?
Nevermind! It works.
Wired to pfsense box, 930/930.
Wireless: 84/2. (Amplifi router in bridge mode, acting as just a wap on LAN port of pfsense.)
Wireless with synology rt2600ac, LAN port of pfsense: 349/810. Wired to synology: 900/900)
at most, I’m seeing 67% CPU usage on pfsense (AMD Athlon LE-1660 2.8ghz from 2010)
Interestingly, this is 2.3.5 pfsense. Should I update to 2.4.1?
tips or advice welcome, and thank you for having posted this guide.
Glad you got it sorted!
I’m on 2.4.1 and haven’t had any issues, but your mileage may very. I know pfSense upgrades are a different experience for everyone. I doubt you’ll see any significant performance improvements from an upgrade, but it’s probably worth it for the security patches. Especially if you haven’t done any complex configuration yet.
My pfSense installation is actually virtualized running on a single core of an Intel Xeon E3-1245v3. I haven’t seen it go above 65% CPU usage so far, and I’m using features like DNSBL. I’ve been pretty impressed with the performance I’ve squeezed out of it.
Hi Nick. Thank you, this is a great post and I was able to setup a physical box easily by following your instructions. I’m now trying to get pfsense to work on a Hyper-V vm with Google fiber. I’ve tried all sorts of network card combinations and came down to only one config that works, but it gets a different IP than the physical box does. They each get the same IP each time, but they’re different. The physical box speeds are around 950/950 and the vm speeds are around 450/50, yes 50. Any idea why this would be happening? Thanks for any insight.
I’m having trouble getting the full speeds out of my pfsense box.
Intel(R) Core(TM) i5-6500 CPU @ 3.20GHz
4 CPUs: 1 package(s) x 4 core(s)
AES-NI CPU Crypto: Yes (inactive)
Intel 1000/Pro 4 port Nic
Currently I have it set up as a Vlan 2 on the WAN. Before with my Edgerouter POE i was able to get the full 950/950.
The order I have things in are Fiber ONT>POE Injector>Pfsense box>LAN
Hi Bryan.
I’d double-check the QoS settings on your WAN link. That setting is what seems to enable maximization of a router’s bandwidth capabilities. What sorts of speeds are you currently seeing?
Thank you so much Nick!
Does this setup works with IPv6?
What POE Injector are you using?
Thanks.
Hi Rolando. You’re welcome!
I’ve never successfully configured IPv6 with Fiber on pfSense, but I also haven’t put much effort into it. It may be possible with additional configuration.
I’m using a TP-Link TL-PoE150S PoE Injector.
Hi Nick,
Thanks for the guide! I followed the steps it works great for download (930); however, upload is 10! Any ideas why this would happen?
Hi Alex. I’m not sure. Depending on the area you live in some of these settings may or may not be necessary.