Netgate Discussion Forum

pfSense as Firewall only?

  • G
    Gertjan
    last edited by Nov 28, 2019, 12:03 PM

    You are aware that the Wireless "Asus" guests won't use the pfSense firewall ?

    No "help me" PM's please. Use the forum, the community will thank you.
    Edit : and where are the logs ??

    U 1 Reply Last reply Nov 28, 2019, 12:04 PM Reply Quote 0
    • U
      uxm @Gertjan
      last edited by uxm Nov 28, 2019, 12:05 PM Nov 28, 2019, 12:04 PM

      @Gertjan Yes I do. The Asus router has its own firewall. So for this purpose I think it's ok.

      1 Reply Last reply Reply Quote 0
      • N
        NogBadTheBad
        last edited by NogBadTheBad Nov 28, 2019, 12:16 PM Nov 28, 2019, 12:14 PM

        Do yourself a favour and get a modem, especially if your switch supports vlans, you could have your guest and normal wifi off the unifi ap.

        If you're in the UK there are loads of dirt cheap ones on the bay.

        Andy

        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

        U 1 Reply Last reply Nov 28, 2019, 12:20 PM Reply Quote 0
        • U
          uxm @NogBadTheBad
          last edited by Nov 28, 2019, 12:20 PM

          @NogBadTheBad I live in Greece. I paid a lot of money for this Asus Modem/Router sooo... I want to have it working till it dies. 🤣

          N J 2 Replies Last reply Nov 28, 2019, 1:07 PM Reply Quote 0
          • N
            NogBadTheBad @uxm
            last edited by NogBadTheBad Nov 28, 2019, 1:09 PM Nov 28, 2019, 1:07 PM

            @uxm said in pfSense as Firewall only?:

            @NogBadTheBad I live in Greece. I paid a lot of money for this Asus Modem/Router sooo... I want to have it working till it dies. 🤣

            pfSense is way better, just putting that out there 🤣

            Can you not put it into modem mode ?

            Andy

            1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

            U 1 Reply Last reply Nov 28, 2019, 1:09 PM Reply Quote 0
            • U
              uxm @NogBadTheBad
              last edited by uxm Nov 28, 2019, 1:58 PM Nov 28, 2019, 1:09 PM

              @NogBadTheBad I'm sure about that. I think I will go to pfsense slowly slowly. :) You feel me. It's psychological. 😃

              So.. for pfsense to work as a firewall only, what do I have to do? Is the youtube video above ok for me to follow as a guide?

              Thanks guys.

              1 Reply Last reply Reply Quote 0
              • J
                JKnott @uxm
                last edited by Nov 28, 2019, 2:14 PM

                @uxm said in pfSense as Firewall only?:

                @JKnott I don't have a dedicated VDSL modem. So Asus works as the modem/router. Besides that, I want to have it work as an AP for the wireless Guests. As the post title says, I want to use pfsense as a Firewall only.

                You also have another access point, which could be configured with a 2nd SSID and VLAN for the guests. That's the proper way to do that.

                PfSense running on Qotom mini PC
                i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                UniFi AC-Lite access point

                I haven't lost my mind. It's around here...somewhere...

                1 Reply Last reply Reply Quote 0
                • J
                  JKnott @uxm
                  last edited by Nov 28, 2019, 2:15 PM

                  @uxm said in pfSense as Firewall only?:

                  till it dies

                  That can be arranged. 😉

                  PfSense running on Qotom mini PC
                  i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                  UniFi AC-Lite access point

                  I haven't lost my mind. It's around here...somewhere...

                  U 1 Reply Last reply Nov 28, 2019, 2:16 PM Reply Quote 1
                  • U
                    uxm @JKnott
                    last edited by Nov 28, 2019, 2:16 PM

                    @JKnott ☺ ☺ ☺

                    1 Reply Last reply Reply Quote 0
                    • U
                      uxm
                      last edited by Nov 29, 2019, 10:17 PM

                      One question guys. For pfsense to work only as a firewall, do I have to disable NAT? I think yes, right?

                      N 1 Reply Last reply Nov 30, 2019, 8:13 AM Reply Quote 0
                      • N
                        NogBadTheBad @uxm
                        last edited by NogBadTheBad Dec 1, 2019, 9:10 AM Nov 30, 2019, 8:13 AM

                        @uxm

                        Yes disable outbound NAT.

                        Disable NAT

                        To completely disable NAT to have a routing-only firewall, do the following:

                        Navigate to Firewall > NAT on the Outbound tab
                        Select Disable Outbound NAT rule generation (No Outbound NAT rules)
                        Click Save
                        Apply changes
                        NAT may be performed on some interfaces and not others by configuring Outbound NAT rules accordingly.

                        Details may be found in the pfSense Book.

                        https://docs.netgate.com/pfsense/en/latest/book/

                        Andy

                        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                        U 2 Replies Last reply Nov 30, 2019, 6:22 PM Reply Quote 0
                        • U
                          uxm @NogBadTheBad
                          last edited by Nov 30, 2019, 6:22 PM

                          This post is deleted!
                          1 Reply Last reply Reply Quote 0
                          • U
                            uxm @NogBadTheBad
                            last edited by Dec 5, 2019, 10:56 AM

                            Thank you very much for your response @NogBadTheBad . One thing. I disabled NAT as you said and then I can't browse the internet (from any PC in the network). Is this the right behavior?

                            1 Reply Last reply Reply Quote 0
                            • N
                              NogBadTheBad
                              last edited by Dec 5, 2019, 11:00 AM

                              Have you added routes on your Asus router pointing to pfSense for the subnets on your pfSense router ?

                              Andy

                              1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                              U 2 Replies Last reply Dec 5, 2019, 11:19 AM Reply Quote 0
                              • U
                                uxm @NogBadTheBad
                                last edited by Dec 5, 2019, 11:19 AM

                                @NogBadTheBad uh... no. ☹ I have to add the subnet routes to my Asus router. Got that. I will add them and come back.

                                Thank you a bunch.

                                1 Reply Last reply Reply Quote 0
                                • U
                                  uxm
                                  last edited by Dec 8, 2019, 11:33 AM

                                  Ok I added a route to my Asus router, for 192.168.2.0/24 (my router's IP network is 172.16.117.0/24) and disabled NAT on my pfsense Firewall.

                                  Now I want to use Remote Desktop to one of my Servers (my Domain Controller actually) on port 4000. How am I gonna do that? I created a Firewall rule on my pfsense firewall for 4000 to allow traffic from outside. But I can't remote desktop to my server.. I created also a rule on the server's firewall to allow traffic on port 4000 and used regedit to change the listening port.

                                  My question is : Do I have to create a port forward on my Asus router also, every time I want to allow traffic to one of my pfsense port? Please help me understand that a little bit. I get confused with this scenario (Internet > Asus Router with Firewall enabled > pfsense Firewall with NAT disabled > Internal Network)

                                  Thanks!

                                  N 1 Reply Last reply Dec 8, 2019, 12:15 PM Reply Quote 0
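The return-path problem discussed above (no browsing after outbound NAT was disabled, until the Asus got a route for the pfSense subnet) can be modelled with a longest-prefix-match lookup. This is an added example, not code from any poster; the addresses are the ones posted in this thread, and the Asus default route via "isp" is an assumption.

```python
import ipaddress

# Addresses as posted in this thread.
ASUS_LAN = ipaddress.ip_network("172.16.117.0/24")
PFSENSE_LAN = ipaddress.ip_network("192.168.2.0/24")
PFSENSE_WAN = ipaddress.ip_address("172.16.117.106")
PC = ipaddress.ip_address("192.168.2.110")

def asus_table(static_route):
    """Asus routing table as (network, next hop) pairs."""
    table = [
        (ipaddress.ip_network("0.0.0.0/0"), "isp"),  # assumed default route
        (ASUS_LAN, "connected"),
    ]
    if static_route:
        # The static route added on the Asus: pfSense LAN via pfSense WAN.
        table.append((PFSENSE_LAN, str(PFSENSE_WAN)))
    return table

def next_hop(table, dst):
    """Longest-prefix match, the way a router picks a route."""
    matches = [(net, hop) for net, hop in table if dst in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def source_on_wan(client, outbound_nat):
    """Source address the Asus sees on packets leaving pfSense."""
    return PFSENSE_WAN if outbound_nat else client

def reply_reaches_client(outbound_nat, static_route):
    """Does a reply addressed to that source get back to pfSense?"""
    src = source_on_wan(PC, outbound_nat)
    hop = next_hop(asus_table(static_route), src)
    if outbound_nat:
        return hop == "connected"      # pfSense WAN is on the Asus LAN
    return hop == str(PFSENSE_WAN)     # needs the explicit route

if __name__ == "__main__":
    for nat in (True, False):
        for route in (False, True):
            print(f"outbound NAT={nat!s:5} static route={route!s:5} "
                  f"reply delivered={reply_reaches_client(nat, route)}")
```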
                                  • N
                                    NogBadTheBad @uxm
                                    last edited by NogBadTheBad Dec 8, 2019, 12:17 PM Dec 8, 2019, 12:15 PM

                                    @uxm said in pfSense as Firewall only?:

                                    Ok I added a route to my Asus router, for 192.168.2.0/24 (my router's IP network is 172.16.117.0/24) and disabled NAT on my pfsense Firewall.

                                    My question is : Do I have to create a port forward on my Asus router also, every time I want to allow traffic to one of my pfsense port?

                                    Yes you need 2 nat statements one on your Asus router and one on your pfSense router.

                                    This is why I suggested getting a modem or putting the Asus into modem mode.

                                    You're looking for trouble if you open up RDP to the internet, use a VPN.

                                    Google BlueKeep.

                                    Andy

                                    1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                                    U 1 Reply Last reply Dec 8, 2019, 12:34 PM Reply Quote 0
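A defensive check that follows from the advice above: list enabled WAN pass rules that accept any source on an RDP port, including a remapped one such as the port 4000 mentioned in this thread. This is an added example, not code from any poster; the XML is a constructed fragment assumed to follow the layout of the filter section in a pfSense config.xml backup, and the server address and rule descriptions are made up.

```python
import xml.etree.ElementTree as ET

# Constructed sample, assumed to mirror the <filter> section of a pfSense
# config.xml backup. 192.168.2.20 and the descriptions are made up.
SAMPLE_CONFIG = """<pfsense><filter>
<rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
  <source><any/></source><destination><address>192.168.2.20</address>
  <port>4000</port></destination><descr>RDP to DC</descr></rule>
<rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
  <source><address>203.0.113.0/24</address></source><destination><any/>
  <port>3389</port></destination><descr>RDP from office</descr></rule>
<rule><type>pass</type><interface>wan</interface><protocol>udp</protocol>
  <source><any/></source><destination><any/>
  <port>1194</port></destination><descr>OpenVPN</descr></rule>
<rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
  <source><any/></source><destination><any/>
  <port>3380-3400</port></destination><descr>Legacy range</descr></rule>
<rule><disabled/><type>pass</type><interface>wan</interface>
  <source><any/></source><destination><any/>
  <port>3389</port></destination><descr>Old RDP</descr></rule>
</filter></pfsense>"""

def port_span(text):
    """'4000' -> (4000, 4000); '3380-3400' -> (3380, 3400); alias -> None."""
    lo, _, hi = text.strip().partition("-")
    hi = hi or lo
    if not (lo.isdigit() and hi.isdigit()):
        return None                      # port alias, not resolved here
    return int(lo), int(hi)

def exposed_rules(config_xml, rdp_ports=(3389, 4000)):
    """Return (description, matching ports) for any-source WAN pass rules."""
    findings = []
    for rule in ET.fromstring(config_xml).iterfind("./filter/rule"):
        if rule.findtext("type") != "pass" or rule.find("disabled") is not None:
            continue
        if rule.findtext("interface") != "wan" or rule.find("source/any") is None:
            continue
        port = rule.findtext("destination/port")
        span = (1, 65535) if port is None else port_span(port)
        if span is None:
            continue                     # alias: needs a manual look
        hits = [p for p in rdp_ports if span[0] <= p <= span[1]]
        if hits:
            findings.append((rule.findtext("descr"), hits))
    return findings
```

Pass the listening ports actually used on the servers as `rdp_ports`; moving RDP off 3389 does not change what the rule exposes.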
                                    • U
                                      uxm @NogBadTheBad
                                      last edited by uxm Dec 9, 2019, 8:17 AM Dec 8, 2019, 12:34 PM

                                      @NogBadTheBad thank you so much for the help ! I will see if I can use Asus as a modem only. I will check VPN too. Thanks!

                                      PS : Just googled Bluekeep. Oh God.... I will check for VPN soon! Thanks!

                                      1 Reply Last reply Reply Quote 0
                                      • U
                                        uxm @NogBadTheBad
                                        last edited by Dec 9, 2019, 6:59 PM

                                        @NogBadTheBad said in pfSense as Firewall only?:

                                        Have you added routes on your Asus router pointing to pfSense for the subnets on your pfSense router ?

                                        I added this route on the Asus router :

                                        login-to-view

                                        Asus router : 172.16.117.1
                                        pfsense WAN : 172.16.117.106 (DHCP from Asus Router)
                                        pfSense LAN : 192.168.2.10
                                        my PC : 192.168.2.110 (from DHCP)

                                        I can't ping my PC from the Asus Router.. :(

                                        login-to-view

                                        my pfsense Firewall rule is this :

                                        login-to-view

                                        Do I miss something? I am sure.

                                        G 1 Reply Last reply Dec 9, 2019, 8:44 PM Reply Quote 0
                                        • G
                                          Gertjan @uxm
                                          last edited by Gertjan Dec 9, 2019, 8:45 PM Dec 9, 2019, 8:44 PM

                                          Do I miss something? I am sure.

                                          Yes, as you said yourself : your WAN on pfSense is

                                          pfsense WAN : 172.16.117.106 (DHCP from Asus Router)

                                          so why WAN is set to 172.16.17.1 ?

                                          login-to-view

                                          ?

                                          Set it to 'any' or WANnet or 192.168.117.106 (and if you want to keep DHCP activated on WAN, make it a static mac lease)

                                          edit : btw : this firewall rule is part of a NAT rule, right ?

                                          No "help me" PM's please. Use the forum, the community will thank you.
                                          Edit : and where are the logs ??

                                          U 1 Reply Last reply Dec 10, 2019, 8:35 AM Reply Quote 0