Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    pfSense as Firewall only?

    Firewalling
    5
    34
    9.1k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • GertjanG
      Gertjan
      last edited by

      You are aware that the Wireless "Asus" guests won't use the pfSense firewall ?

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

      uxmU 1 Reply Last reply Reply Quote 0
      • uxmU
        uxm @Gertjan
        last edited by uxm

        @Gertjan Υes I do. The Asus router has its own firewall. So for this purpose I think its ok.

        1 Reply Last reply Reply Quote 0
        • NogBadTheBadN
          NogBadTheBad
          last edited by NogBadTheBad

          Do yourself a favour and get a modem, especially if your switch supports vlans, you could have your guest and normal wifi off the unifi ap.

          If you're in the UK there are loads of dirt cheap ones on the bay.

          Andy

          1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

          uxmU 1 Reply Last reply Reply Quote 0
          • uxmU
            uxm @NogBadTheBad
            last edited by

            @NogBadTheBad I live in Greece. I paid a lot of money for this Asus Modem/Router sooo... I want to have it working till it dies. 🤣

            NogBadTheBadN JKnottJ 2 Replies Last reply Reply Quote 0
            • NogBadTheBadN
              NogBadTheBad @uxm
              last edited by NogBadTheBad

              @uxm said in pfSense as Firewall only?:

              @NogBadTheBad I live in Greece. I paid a lot of money for this Asus Modem/Router sooo... I want to have it working till it dies. 🤣

              pfSense is way better, just putting that out there 🤣

              Can you not put it into modem mode ?

              Andy

              1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

              uxmU 1 Reply Last reply Reply Quote 0
              • uxmU
                uxm @NogBadTheBad
                last edited by uxm

                @NogBadTheBad Im sure about that. I think I will go to pfsense slowly slowly. :) You feel me. Its psychological. 😃

                So.. for pfsense to work as a firewall only, what I have to do? The youtube video above is ok for me to follow its guide?

                Thanks guys.

                1 Reply Last reply Reply Quote 0
                • JKnottJ
                  JKnott @uxm
                  last edited by

                  @uxm said in pfSense as Firewall only?:

                  @JKnott I dont have a dedicated VDSL modem. So Asus works as the modem/router. Besides that, I want to have it work as an AP for the wireless Guests. As the post title says, I want to use pfsense as a Firewall only.

                  You also have another access point, which could be configured with a 2nd SSID and VLAN for the guests. That's the proper way to do that.

                  PfSense running on Qotom mini PC
                  i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                  UniFi AC-Lite access point

                  I haven't lost my mind. It's around here...somewhere...

                  1 Reply Last reply Reply Quote 0
                  • JKnottJ
                    JKnott @uxm
                    last edited by

                    @uxm said in pfSense as Firewall only?:

                    till it dies

                    That can be arranged. 😉

                    PfSense running on Qotom mini PC
                    i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                    UniFi AC-Lite access point

                    I haven't lost my mind. It's around here...somewhere...

                    uxmU 1 Reply Last reply Reply Quote 1
                    • uxmU
                      uxm @JKnott
                      last edited by

                      @JKnott ☺ ☺ ☺

                      1 Reply Last reply Reply Quote 0
                      • uxmU
                        uxm
                        last edited by

                        One question guys. For pfsense to work only as a firewall, do i have to disable NAT? I think yes, right?

                        NogBadTheBadN 1 Reply Last reply Reply Quote 0
                        • NogBadTheBadN
                          NogBadTheBad @uxm
                          last edited by NogBadTheBad

                          @uxm

                          Yes disable outbound NAT.

                          Disable NAT

                          To completely disable NAT to have a routing-only firewall, do the following:

                          Navigate to Firewall > NAT on the Outbound tab
                          Select Disable Outbound NAT rule generation (No Outbound NAT rules)
                          Click Save
                          Apply changes
                          NAT may be performed on some interfaces and not others by configuring Outbound NAT rules accordingly.

                          Details may be found in the pfSense Book.

                          https://docs.netgate.com/pfsense/en/latest/book/

                          Andy

                          1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                          uxmU 2 Replies Last reply Reply Quote 0
                          • uxmU
                            uxm @NogBadTheBad
                            last edited by

                            This post is deleted!
                            1 Reply Last reply Reply Quote 0
                            • uxmU
                              uxm @NogBadTheBad
                              last edited by

                              Thank you very much for your response @NogBadTheBad . One thing. I disabled NAT as you said and then I cant browse the internet (from any PC in the network). Is this the right behavior?

                              1 Reply Last reply Reply Quote 0
                              • NogBadTheBadN
                                NogBadTheBad
                                last edited by

                                Have you added routes on your Asus router pointing to pfSense for the subnets on your pfSense router ?

                                Andy

                                1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                                uxmU 2 Replies Last reply Reply Quote 0
                                • uxmU
                                  uxm @NogBadTheBad
                                  last edited by

                                  @NogBadTheBad uh... no. ☹ I have to add the subnet routes to my Asus router. Got that. I will add them and come back.

                                  Thank you a bunch.

                                  1 Reply Last reply Reply Quote 0
                                  • uxmU
                                    uxm
                                    last edited by

                                    Ok I added a route to my Asus router, for 192.168.2.0/24 (my router's IP network is 172.16.117.0/24) and disabled NAT on my pfsense Firewall.

                                    Now I want to use Remote Desktop to one of my Servers (my Domain Controller actually) on port 4000. How am I gonna do that? I created a Firewall rule on my pfsense firewall for 4000 to allow traffic from outside. But I cant remote desktop to my server.. I created also a rule on the server's firewall to allow traffic on port 4000 and used regedit to change the listening port.

                                    My question is : Do I have to create a port forward on my Asus router also, everytime I want to allow traffic to one of my pfsense port? Please help me understand that a little bit. I get confused with this scenario (Internet > Asus Router with Firewall enabled > pfsense Firewall with NAT disabled > Internal Network)

                                    tHanks!

                                    NogBadTheBadN 1 Reply Last reply Reply Quote 0
                                    • NogBadTheBadN
                                      NogBadTheBad @uxm
                                      last edited by NogBadTheBad

                                      @uxm said in pfSense as Firewall only?:

                                      Ok I added a route to my Asus router, for 192.168.2.0/24 (my router's IP network is 172.16.117.0/24) and disabled NAT on my pfsense Firewall.

                                      My question is : Do I have to create a port forward on my Asus router also, everytime I want to allow traffic to one of my pfsense port?

                                      Yes you need 2 nat statements one on your Asus router and one on your pfSense router.

                                      This is why I suggested getting a modem or putting the Asus into modem mode.

                                      Your looking for trouble if you open up RDP to the internet, use a VPN.

                                      Google BlueKeep.

                                      Andy

                                      1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                                      uxmU 1 Reply Last reply Reply Quote 0
                                      • uxmU
                                        uxm @NogBadTheBad
                                        last edited by uxm

                                        @NogBadTheBad thank you so much for the help ! I will see if I can use Asus as a modem only. I will check VPN too. Thanks!

                                        PS : Just googled Bluekeep. Oh God.... I will check for VPN soon! Thanks!

                                        1 Reply Last reply Reply Quote 0
                                        • uxmU
                                          uxm @NogBadTheBad
                                          last edited by

                                          @NogBadTheBad said in pfSense as Firewall only?:

                                          Have you added routes on your Asus router pointing to pfSense for the subnets on your pfSense router ?

                                          I added this route on the Asus router :

                                          5e2c315d-bfe9-4143-9e8c-2117f8005956-image.png

                                          Asus router : 172.16.117.1
                                          pfsense WAN : 172.16.117.106 (DHCP from Asus Router)
                                          pfSense LAN : 192.168.2.10
                                          my PC : 192.168.2.110 (from DHCP)

                                          I cant ping my PC from the Asus Router.. :(

                                          c40a2c0f-d87d-4b45-b1bc-583524815540-image.png

                                          my pfsense Firewall rule is this :

                                          0a015da2-77ad-47f1-8191-814381895522-image.png

                                          Do I miss something? I am sure.

                                          GertjanG 1 Reply Last reply Reply Quote 0
                                          • GertjanG
                                            Gertjan @uxm
                                            last edited by Gertjan

                                            Do I miss something? I am sure.

                                            Yes, as you said yourself : your WAN on pfSense is

                                            pfsense WAN : 172.16.117.106 (DHCP from Asus Router)

                                            so why WAN is set to 172.16.17.1 ?

                                            0a015da2-77ad-47f1-8191-814381895522-image.png

                                            ?

                                            Set it to 'any' or WANnet or 192.168.117.106 (and if you want to keep DHCP activated on WAN, make it a static mac lease)

                                            edit : btw : this firewall rule is part of a NAT rule, right ?

                                            No "help me" PM's please. Use the forum, the community will thank you.
                                            Edit : and where are the logs ??

                                            uxmU 1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.