Unifi UDM Firewall behind a pFsense/Netgate?

jgq85 · Jul 20, 2021, 1:57 PM

We have currently ISP coming into pFsense (Netgate XG-7100) and the pfsense is used for WAN connection and networks/vlans and DHCP.
We only have a single connect coming from the ISP so it's going to the pfsense. However we want to have a separate network for a separate suite within the building that us using Unifi UDM firewall as its firewall with its own ISP IP address along with its unifi switches and APs.
What would we configure on the Netgate to simply be giving a handoff to the UDM firewall so it could have its own firewall settings and features and IPSec tunnels?

JKnott · Jul 20, 2021, 2:52 PM

@jgq85

Does your ISP provide more than 1 IPv4 address?¹ Most don't unless you pay extra. On IPv6, you could split off individual /64s from your prefix. For example, I get a /56, which I can split into 256 /64s. Some of those could easily be assigned to another router.

Mine provides 2, but they are completely separate connections, so I could connect 2 routers.

jgq85 · Jul 20, 2021, 3:44 PM

@jknott said in Unifi UDM Firewall behind a pFsense/Netgate?:

@jgq85

Does your ISP provide more than 1 IPv4 address?¹ Most don't unless you pay extra. On IPv6, you could split off individual /64s from your prefix. For example, I get a /56, which I can split into 256 /64s. Some of those could easily be assigned to another router.

Mine provides 2, but they are completely separate connections, so I could connect 2 routers.

@JKnott Hi Yes we have multiple static IP to use so I'm just not sure though if we can have UDM behind pfsense and if so is there a special config on the pFsense we'd have to configure for that

JKnott · Jul 20, 2021, 5:48 PM

@jgq85

Pfsense has no problem passing addresses to another router. I have a Cisco router here connected to it's own port on my pfsense firewall. It gets one of my /64s on IPv6 and a /24 on IPv4 that's within 172.16.0.0 /16.

jgq85 · Jul 20, 2021, 5:53 PM

@jknott said in Unifi UDM Firewall behind a pFsense/Netgate?:

@jgq85

Pfsense has no problem passing addresses to another router. I have a Cisco router here connected to it's own port on my pfsense firewall. It gets one of my /64s on IPv6 and a /24 on IPv4 that's within 172.16.0.0 /16.

Thanks so if you have an IPSec tunnel for the network you'd configure it on the Cisco in that scenario right? And it'd pass through the pfsense just fine? Do you need any firewall rules created on the pfsense for the Cisco router/network?

JKnott · Jul 20, 2021, 7:21 PM

@jgq85

No, I'd terminate it on pfsense, just as I do with OpenVPN. If a VPN terminates anywhere than your default route router, then you complicate routing through the VPN. You'd have to specify the route for the VPN, separate from the default gateway and I don't know that DHCP supports that. When you terminate a VPN on pfsense, it sorts it out, without having to do anything special on a client.

jgq85 · Jul 20, 2021, 8:06 PM

@jknott said in Unifi UDM Firewall behind a pFsense/Netgate?:

@jgq85

No, I'd terminate it on pfsense, just as I do with OpenVPN. If a VPN terminates anywhere than your default route router, then you complicate routing through the VPN. You'd have to specify the route for the VPN, separate from the default gateway and I don't know that DHCP supports that. When you terminate a VPN on pfsense, it sorts it out, without having to do anything special on a client.

Got it so that apply to site to site VPN right? so id have site to site from pfsense. then a port on pfsense that is a WAN that goes to UDM, and Id allow the UDM to ise that tinnel how — by tagging the port on a VLAN or creating a network that matches the UDM?

JKnott · Jul 21, 2021, 1:45 AM

@jgq85

It wouldn't be a WAN port. The WAN port connects to the Internet, though you could consider the port on the UDM as "WAN" as it's the one that's closest to the Internet. You can connect it to pfsense with either a separate LAN port on pfsense or VLAN.