Netgate Discussion Forum

    pfSense in Appliance Mode, How to Add Interfaces and Maintain Appliance Mode?

      Superman

      Hi Folks,

      I can't seem to find an answer to this question, so if it has been answered already, sorry in advance...

      I have set up a VM with a single interface in a single VLAN (untagged at the appliance in a VMware port group), running pfSense as a VPN appliance (specifically for OpenVPN). This sits behind the pfSense gateway/firewall device, which hosts multiple VLANs, etc. It runs fine as is; however, I want to set up several VPN servers for different purposes, with some being allowed access to various other internal VLANs. To avoid routing them all through the single VLAN and allowing that traffic out to the other VLANs through the gateway device, I'd like to add an additional trunked interface but stay in appliance mode. However, whenever I add an interface, the full firewall/NAT mode is enabled, which causes additional issues.

      Is there a way to maintain the Appliance Mode while adding additional interfaces?

      Just in case you're wondering, this is the description for "Appliance Mode":

      Appliance Mode

      In addition to the normal routing/firewall mode with multiple interfaces, a firewall may also run in Appliance Mode where it has only a single interface (WAN). The firewall places the GUI anti-lockout rule on the WAN interface so a client may access the firewall web interface from that network. The usual routing and NAT functions are not active in this mode since there is no internal interface or network. This type of configuration is useful for VPN appliances, DHCP servers, and other stand-alone roles.

      TIA,
      Superman

        stephenw10 Netgate Administrator

        Disable outbound NAT, or set it to manual or hybrid mode and disable any rules you want, in Firewall > NAT > Outbound.

        Add firewall rules on the WAN to allow the traffic you need before you add the other interface. The only thing that happens when you do is that the default allow and anti-lockout rule move from WAN to LAN as soon as you add a second interface.

        Steve
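
The two steps in the reply above can be checked against a configuration backup before the second interface is assigned. This is an added example, not part of the thread or of any Netgate tooling. The config.xml element layout, the treatment of a missing outbound NAT mode as automatic, the GUI port of 443, and the names `preflight`, `wan_allows_tcp` and `port_matches` are assumptions, and the sample configuration is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the assumed layout of a pfSense config.xml backup.
SAMPLE = """<pfsense>
  <nat><outbound><mode>automatic</mode></outbound></nat>
  <filter>
    <rule><type>pass</type><interface>wan</interface><protocol>udp</protocol>
      <destination><network>wanip</network><port>1194</port></destination></rule>
    <rule><disabled/><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
      <destination><network>wanip</network><port>443</port></destination></rule>
  </filter>
</pfsense>"""

def port_matches(spec, port):
    """True if a rule port spec (empty = any, 'N', or 'N-M') covers port."""
    if not spec:
        return True
    lo, _, hi = spec.partition("-")
    if not (lo.isdigit() and (hi.isdigit() or not hi)):
        return False  # port alias: cannot be resolved here, treat as no match
    return int(lo) <= port <= int(hi or lo)

def wan_allows_tcp(root, port):
    """True if an enabled pass rule on WAN covers TCP to the given port.
    Source and destination addresses are not evaluated; review those by hand."""
    for rule in root.findall("filter/rule"):
        if rule.find("disabled") is not None or rule.findtext("type") != "pass":
            continue
        if rule.findtext("interface") != "wan":
            continue
        if rule.findtext("protocol") not in (None, "tcp", "tcp/udp"):
            continue
        if port_matches(rule.findtext("destination/port"), port):
            return True
    return False

def preflight(config_xml, gui_port=443):
    """List what to fix before a second interface is assigned."""
    root = ET.fromstring(config_xml)
    findings = []
    mode = root.findtext("nat/outbound/mode") or "automatic"  # assumed default
    if mode == "automatic":
        findings.append("outbound NAT is automatic")
    if not wan_allows_tcp(root, gui_port):
        findings.append(f"no explicit WAN pass rule for TCP/{gui_port}")
    return findings
```

An empty list from `preflight` means outbound NAT is no longer automatic and GUI access on WAN does not depend on the anti-lockout rule that moves to LAN.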

          Superman

          That was quick! Thanks so much for the reply. I was wondering if it was something like that. I just don't have the time to do a lot of tinkering these days. Much appreciated!

          Thanks,
          Supe

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.