pfSense as Firewall only?

Gertjan · Nov 28, 2019, 12:03 PM

You are aware that the Wireless "Asus" guests won't use the pfSense firewall ?

uxm · Nov 28, 2019, 12:05 PM

@Gertjan Υes I do. The Asus router has its own firewall. So for this purpose I think its ok.

NogBadTheBad · Nov 28, 2019, 12:16 PM

Do yourself a favour and get a modem, especially if your switch supports vlans, you could have your guest and normal wifi off the unifi ap.

If you're in the UK there are loads of dirt cheap ones on the bay.

uxm · Nov 28, 2019, 1:07 PM

@NogBadTheBad I live in Greece. I paid a lot of money for this Asus Modem/Router sooo... I want to have it working till it dies.

NogBadTheBad · Nov 28, 2019, 1:09 PM

@uxm said in pfSense as Firewall only?:

@NogBadTheBad I live in Greece. I paid a lot of money for this Asus Modem/Router sooo... I want to have it working till it dies.

pfSense is way better, just putting that out there

Can you not put it into modem mode ?

uxm · Nov 28, 2019, 1:58 PM

@NogBadTheBad Im sure about that. I think I will go to pfsense slowly slowly. :) You feel me. Its psychological.

So.. for pfsense to work as a firewall only, what I have to do? The youtube video above is ok for me to follow its guide?

Thanks guys.

JKnott · Nov 28, 2019, 2:14 PM

@uxm said in pfSense as Firewall only?:

@JKnott I dont have a dedicated VDSL modem. So Asus works as the modem/router. Besides that, I want to have it work as an AP for the wireless Guests. As the post title says, I want to use pfsense as a Firewall only.

You also have another access point, which could be configured with a 2nd SSID and VLAN for the guests. That's the proper way to do that.

JKnott · Nov 28, 2019, 2:15 PM

@uxm said in pfSense as Firewall only?:

till it dies

That can be arranged.

uxm · Nov 28, 2019, 2:16 PM

@JKnott

uxm · Nov 30, 2019, 8:13 AM

One question guys. For pfsense to work only as a firewall, do i have to disable NAT? I think yes, right?

NogBadTheBad · Dec 1, 2019, 9:10 AM

@uxm

Yes disable outbound NAT.

Disable NAT

To completely disable NAT to have a routing-only firewall, do the following:

Navigate to Firewall > NAT on the Outbound tab
Select Disable Outbound NAT rule generation (No Outbound NAT rules)
Click Save
Apply changes
NAT may be performed on some interfaces and not others by configuring Outbound NAT rules accordingly.

Details may be found in the pfSense Book.

https://docs.netgate.com/pfsense/en/latest/book/

uxm · Nov 30, 2019, 6:22 PM

This post is deleted!

uxm · Dec 5, 2019, 10:56 AM

Thank you very much for your response @NogBadTheBad . One thing. I disabled NAT as you said and then I cant browse the internet (from any PC in the network). Is this the right behavior?

NogBadTheBad · Dec 5, 2019, 11:00 AM

Have you added routes on your Asus router pointing to pfSense for the subnets on your pfSense router ?

uxm · Dec 5, 2019, 11:19 AM

@NogBadTheBad uh... no. I have to add the subnet routes to my Asus router. Got that. I will add them and come back.

Thank you a bunch.

uxm · Dec 8, 2019, 11:33 AM

Ok I added a route to my Asus router, for 192.168.2.0/24 (my router's IP network is 172.16.117.0/24) and disabled NAT on my pfsense Firewall.

Now I want to use Remote Desktop to one of my Servers (my Domain Controller actually) on port 4000. How am I gonna do that? I created a Firewall rule on my pfsense firewall for 4000 to allow traffic from outside. But I cant remote desktop to my server.. I created also a rule on the server's firewall to allow traffic on port 4000 and used regedit to change the listening port.

My question is : Do I have to create a port forward on my Asus router also, everytime I want to allow traffic to one of my pfsense port? Please help me understand that a little bit. I get confused with this scenario (Internet > Asus Router with Firewall enabled > pfsense Firewall with NAT disabled > Internal Network)

tHanks!

NogBadTheBad · Dec 8, 2019, 12:17 PM

@uxm said in pfSense as Firewall only?:

Ok I added a route to my Asus router, for 192.168.2.0/24 (my router's IP network is 172.16.117.0/24) and disabled NAT on my pfsense Firewall.

My question is : Do I have to create a port forward on my Asus router also, everytime I want to allow traffic to one of my pfsense port?

Yes you need 2 nat statements one on your Asus router and one on your pfSense router.

This is why I suggested getting a modem or putting the Asus into modem mode.

Your looking for trouble if you open up RDP to the internet, use a VPN.

Google BlueKeep.

uxm · Dec 9, 2019, 8:17 AM

@NogBadTheBad thank you so much for the help ! I will see if I can use Asus as a modem only. I will check VPN too. Thanks!

PS : Just googled Bluekeep. Oh God.... I will check for VPN soon! Thanks!

uxm · Dec 9, 2019, 6:59 PM

@NogBadTheBad said in pfSense as Firewall only?:

Have you added routes on your Asus router pointing to pfSense for the subnets on your pfSense router ?

I added this route on the Asus router :

login-to-view

Asus router : 172.16.117.1
pfsense WAN : 172.16.117.106 (DHCP from Asus Router)
pfSense LAN : 192.168.2.10
my PC : 192.168.2.110 (from DHCP)

I cant ping my PC from the Asus Router.. :(

login-to-view

my pfsense Firewall rule is this :

login-to-view

Do I miss something? I am sure.

Gertjan · Dec 9, 2019, 8:45 PM

Do I miss something? I am sure.

Yes, as you said yourself : your WAN on pfSense is

pfsense WAN : 172.16.117.106 (DHCP from Asus Router)

so why WAN is set to 172.16.17.1 ?

login-to-view

?

Set it to 'any' or WANnet or 192.168.117.106 (and if you want to keep DHCP activated on WAN, make it a static mac lease)

edit : btw : this firewall rule is part of a NAT rule, right ?