Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Installing pfSense behind an existing router

    Scheduled Pinned Locked Moved
    Problems Installing or Upgrading pfSense Software
    3
    4
    4.2k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • I
      iskyfire
      last edited by

      Hello! I am looking to add a 5 Ghz Wifi Access Point along side my existing 2.4 Ghz one.
      Instead of purchasing a new router, I have re-purposed an old machine by installing both pfSense and a PCI-E wifi card.
      I would like to know if it is possible to have the pfSense machine behind my existing router.
      I would like the 5 Ghz network to be separate from the 2.4 Ghz network.
      I have included a diagram at the bottom.

      If it is possible, I'm wondering a few things:

      • What should my Upstream Gateway on the pfSense machine be?

      • Is the WAN interface type DHCP or Static?

      • Do I need to bridge anything together (LAN/WAN/WIFI)?

      • Will the 5 Ghz network see the 2.4 Ghz network? What setups would enable or prevent communication between the two networks?

      1 Reply Last reply Reply Quote 0
      • R
        robertfranz
        last edited by

        Can? Sure - and sometimes there are compelling reasons to do so - like working around a network device you can't change.

        But generally speaking, I would try to avoid it.

        Routing just starts to get too convoluted.

        I have two pf instances sitting behind a router I am going to retire soon.

        To add to that, the pfsense boxes are dual wan, whereas the upstream router is single wan.

        Site to site pki vpn is on the loopback on the pfsense boxes for most sites, with a couple sites still going through the old vpn on the upstream router.

        When two sites have on different vpns have routing issues, it's a real pita to sort out.

        Routers should always have static addresses if at all possible.

        If you want network separation, you can vlan if you have a capable switch, or just create a second subnet.

        Second subnet gets natted behind the same gateway ip the first router uses.

        Second router gets a static in the same subnet as existing network for wan ip - whatever you select for the lan ip.

        Not necessary to nat the nodes behind the second router through the second router's wan ip - straight routing is sufficient and avoids double nat.

        I recommend ensuring you have the routing correct for the two subnets to communicate, then separate them with a rule if you don't want them connected.

        That way if your use case changes, you can just toggle the rule.

        1 Reply Last reply Reply Quote 0
        • I
          iskyfire
          last edited by

          Hello robertfranz!

          Thank you for the advice! I'll see if I can get it separated with a second subnet. But, as per your suggestion, if it refuses to cooperate I might be able to utilize the multiple vlan capability of pfSense because my current router does not have that functionality.

          1 Reply Last reply Reply Quote 0
          • NogBadTheBadN
            NogBadTheBad
            last edited by

            Just to add to Roberts reply.

            If you have wifi at 5Ghz on the pfSense router it will only be 802.11n, currently there is no support for 802.11ac with freebsd / pfsense.

            Andy

            1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.