Netgate Discussion Forum

New pfSense setup in existing UniFi Setup

DHCP and DNS
    ankit
    last edited by Nov 26, 2023, 6:44 PM

    Hi,
    I currently have Att Modem -> USG -> UniFi Switch -> (UniFi Switches and APs) -> (Wired and Wireless Devices and a self-hosted UniFi controller)

    This setup is without any VLANs. But only a few devices are on a static IP list. They are in IP ranges from 192.168.1.2 - 192.168.1.99 (including switches, APs, and self-hosted UniFi controller).

    All dynamic lease devices are on IP range 192.168.1.100 to 192.168.1.255.
    All devices have both IPv4 and IPv6 addresses. IPv6 using /64 prefix delegation.

    I am thinking of replacing USG with a pfSense 4100 box.
    Questions:

    • Where will my static IP config live? UniFi or pfSense?
    • Who is best to handle DHCP leases? UniFi or pfSense? (Assuming both is an option for the above question)
    • Which ports do I need to forward to the UniFi controller for it to work on internet?
    • I have a UniFi switch that can handle a 10G connection. I plan to connect it to the pfSense box directly via the LAN2 port. Can it follow the DHCP/Static IP configs in the same subnet as mentioned above?
    • Lace @ankit
      last edited by Feb 13, 2024, 3:27 AM

      @ankit I hope someone answers this soon, because I am considering a similar setup utilizing UniFi and pfSense, and maybe, just maybe, one other if time permits for me, all in either a double-NAT or LAN-to-LAN tunnel setup. I just am not sure yet which route to trek on.

      • keyser Rebel Alliance @ankit
        last edited by Feb 13, 2024, 7:18 AM

        @ankit It should be a simple matter to replace the USG with pfSense - pfSense can do much more than the USG in that setup. But to answer your questions:

        Just convert any services your USG is doing to have pfSense doing them instead. In a well-designed network that would answer your questions as follows:

        • Your pfSense should do DHCP as it is the Gateway and DNS.
        • Since it’s doing DHCP all static IP configs (leases) will be made on pfSense
        • You do not need to forward ports for the Unifi Controller to be available in the Unifi Portal (as far as I know). If it has internet access, it joins the portal and is controllable from there.
        • Yes, that 10G link from pfSense to Unifi switch is just a Layer 2 Ethernet link, all IP configuration is still done/handled in pfSense and in your Unifi Controller.

        Love the no fuss of using the official appliances :-)

        • Lace @keyser
          last edited by Feb 14, 2024, 6:06 PM
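        A check worth running before moving DHCP and the static mappings from the USG onto pfSense, as an added example that is not from the thread or from Netgate: it validates that a static-mapping list and a dynamic pool fit together inside one subnet, using the ranges quoted in the question (the hostnames and MAC addresses are constructed).

```python
import ipaddress

# Constructed inventory modelled on the thread: statics in .2-.99 and a
# dynamic pool of .100-.255 on a flat 192.168.1.0/24 (names/MACs made up).
STATIC_HOSTS = [
    ("unifi-switch-core", "192.168.1.2", "00:11:22:33:44:01"),
    ("unifi-ap-floor1", "192.168.1.10", "00:11:22:33:44:02"),
    ("unifi-controller", "192.168.1.50", "00:11:22:33:44:03"),
]


def check_dhcp_plan(subnet, gateway, static_hosts, pool_start, pool_end):
    """Return a list of problems with the plan; an empty list means it is sound.

    Rules: gateway, pool and statics lie inside the subnet; the pool excludes the
    network, broadcast and gateway addresses; no static mapping sits inside the
    dynamic pool; every static IP and MAC is mapped only once."""
    net = ipaddress.ip_network(subnet, strict=True)
    gw = ipaddress.ip_address(gateway)
    start, end = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    issues = []

    if gw not in net:
        issues.append(f"gateway {gw} is not inside {net}")
    if start > end:
        issues.append(f"pool start {start} is after pool end {end}")
    for label, addr in (("pool start", start), ("pool end", end)):
        if addr not in net:
            issues.append(f"{label} {addr} is not inside {net}")
    reserved = (("network address", net.network_address),
                ("broadcast address", net.broadcast_address), ("gateway", gw))
    for label, addr in reserved:
        if start <= addr <= end:
            issues.append(f"dynamic pool {start}-{end} includes the {label} {addr}")

    seen_ip, seen_mac = {}, {}
    for name, ip, mac in static_hosts:
        addr, mac = ipaddress.ip_address(ip), mac.lower()
        if addr not in net:
            issues.append(f"{name}: {addr} is not inside {net}")
        if start <= addr <= end:
            issues.append(f"{name}: {addr} sits inside the dynamic pool {start}-{end}")
        if addr == gw:
            issues.append(f"{name}: {addr} collides with the gateway")
        if addr in seen_ip:
            issues.append(f"{name}: {addr} already mapped to {seen_ip[addr]}")
        if mac in seen_mac:
            issues.append(f"{name}: MAC {mac} already mapped to {seen_mac[mac]}")
        seen_ip.setdefault(addr, name)
        seen_mac.setdefault(mac, name)
    return issues
```

Run against the ranges from the question, the only finding is that a pool ending at .255 includes the /24 broadcast address; ending the pool at .254 clears it.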

          @keyser

          I would like BOTH running as a daisy chain in my network, in case one has a zero-day to bypass the firewall through, oh say, exploiting the RAM or chipset used on the hardware.

          I will have 2 different hardware manufacturers and setups, as well as 2 different firewalls on those two separate hardware device nodes.

          I think the pfSense could serve as the Layer 3 firewall router, while the inner firewall router can sit on Layer 2. I am not sure yet, but I hope the Layer 2 solution I will be using can perform firewall functions on BOTH outgoing and incoming traffic, so the outer Layer 3 pfSense can just focus on the incoming traffic. (Does pfSense do both outgoing and incoming? Most consumer firewalls usually do only incoming, not outgoing, so that is why I ask, as I have never used pfSense or OPNsense before.)

          • keyser Rebel Alliance @Lace
            last edited by Feb 14, 2024, 8:13 PM

            @Lace pfSense will do incoming and outgoing in much more detail and with more advanced filtering options than USG will ever do ;-)
            If you use the assistance of pfBlockerNG, you can geo-block countries, lists of known offenders and what not in both inbound and outbound directions.

            But sure, you can use both, although it is a complicated setup with more failure options.

            Love the no fuss of using the official appliances :-)
