HELP PLEASE!! Trying to install pfSense behind current router



  • I'm trying to install pfSense behind my current router, which is a UBNT EdgeRouter.  I'm trying to run pfSense behind my router because I want to install Squid to run as a proxy.  I have a decent amount of understanding when it comes to networking, but am by no means an expert.  I have spent about a week trying to figure it out and have been unsuccessful.  If possible I need detailed instructions on what I need to configure in both my EdgeRouter and in pfSense.

    Thanks guys!



  • I configured my EdgeRouter X with the last firmware update to be in switch mode, and it now functions as a switch and PoE for my 2nd UBNT AP.

    Does your device have that option?    Why would you want both?



  • Why not just run everything off pfSense? What hardware are you running pfSense on and what does the EdgeRouter do that your pfSense box can't?



  • @bcruze:

    I configured my EdgeRouter X with the last firmware update to be in switch mode, and it now functions as a switch and PoE for my 2nd UBNT AP.

    Does your device have that option?    Why would you want both?

    I want both because my whole network is built around UBNT and I love how everything works together.  I have a couple of extra servers lying around that I want to find a use for, and setting up a proxy sounded like something that would be fun to do.  I can't justify getting rid of my EdgeRouter, but at the same time I love what pfSense has to offer and would like to incorporate it somehow.

    From a previous post I was told to take the WAN of pfSense and plug that into the LAN of the EdgeRouter.  Then take the LAN of pfSense and plug that into my switch.  I also disabled NAT on pfSense, took off DHCP on pfSense since my EdgeRouter handles all the DHCP, and I also set the WAN on pfSense to static.  When I did all that I wasn't able to access my EdgeRouter, and had no internet connection.  My other question is what IP do I give my LAN on the pfSense side since my router already has the address of 192.168.1.1?  Also, what do I set for my upstream gateway? Is it 192.168.1.1?



  • @belt9:

    Why not just run everything off pfSense? What hardware are you running pfSense on and what does the EdgeRouter do that your pfSense box can't?

    I don't want to run everything off pfSense because I like how everything in my network is built around UBNT.  pfSense can run everything that my EdgeRouter can do and a lot more.  I'm running pfSense on a Dell PowerEdge 1950.  Yes, I know I don't need that powerful of a server to run pfSense on, but it's what I have.



  • If your main (only?) purpose is to run Squid, it might be easier to do it via Linux vs. pfSense. I'm new to pfSense, but it doesn't seem like you really want any pfSense features. There are plenty of guides out there to get an Ubuntu Squid server configured on your network, so that may be the path of least resistance.


  • LAYER 8 Global Moderator

    I'm with JTravers here. If you're not going to leverage any of the other features of pfSense and just want to use it as a proxy, then why not just run Squid on your favorite Linux distro?

    "setting up a proxy sounded like something that would be fun to do"

    While sure it could be fun ;)  It's normally quite pointless in a home setup, other than as a learning experience, unless you had some kids whose surfing habits you were trying to filter or monitor, etc.  Teenage boys and p0rn come to mind, etc. ;)

    Do you want to run the proxy as transparent or do you want to run it explicit?  I.e., do you want all your web traffic to go through it with nothing to do on the client, or do you want to point the client specifically at the proxy, where if they don't point to it they still have internet, or you could block them if they don't, etc.  This can be done automatically via WPAD, DHCP, etc.

    There are many ways to skin this cat, depending on how you want to go about doing it.  But your controller adopts the UniFi router via L2, does it not, or are you doing it via L3 adoption?

    If you're going to want to run pfSense as a downstream router/firewall, then your UniFi router would connect to pfSense via a transit network.  No devices would normally be on this transit network, and then pfSense would be doing all the routing between your networks.  Do you only have 1 network?  Or do you have multiple currently?

    If you're going to use pfSense as downstream to your UniFi and turn off pfSense NAT, then you would have to configure your UniFi to NAT those downstream network(s).

    internet - (wan) unifi router (lan .1) --- transit network 192.168.0/30 --- (wan .2) pfSense (lan .1) --- lan 192.168.1/24

    On your UniFi you would have to create a route to 192.168.1/24 pointing to the 192.168.0.2 address of pfSense.  The pfSense default gateway would be the UniFi 192.168.0.1 address.  Clients on your LAN would use pfSense 192.168.1.1 as their gateway.

    Your controller would sit on the network behind pfSense along with your APs, etc.  You can expand that to have as many networks as you want/need behind pfSense, like 192.168.2/24, 192.168.3/24, etc., via VLANs or physical networks.

    In such a setup pfSense would do DHCP for the network(s) behind it.  Or you could set up DHCP relay and have your UniFi router do the DHCP for the downstream networks.
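
    An added example (mine, not johnpoz's and not code from the Squid or pfSense projects) of the "explicit proxy, configured automatically via WPAD" option mentioned above: a proxy auto-config (PAC) file, which is plain JavaScript that the browser fetches once and evaluates for every request. It assumes Squid listens on the pfSense LAN address 192.168.1.1 from the diagram on Squid's default port 3128, that the internal DNS suffix is .home.lan, and that everything behind pfSense uses RFC1918 space; those three things are assumptions, not facts from the thread.

```javascript
// Proxy auto-config (PAC) file for an explicit Squid proxy; browsers fetch it
// via WPAD and call FindProxyForURL(url, host) for every request.
// Added example, not from the thread or from Squid/pfSense. Assumptions:
// Squid listens on the pfSense LAN address 192.168.1.1:3128, the internal DNS
// suffix is .home.lan, and everything behind pfSense uses RFC1918 space.
var PROXY = "PROXY 192.168.1.1:3128";
var INTERNAL_SUFFIX = ".home.lan";

// Dotted-quad IPv4 literal -> 32-bit number, or null if host is not an IP.
function ipToInt(s) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) { if (+m[i] > 255) return null; n = n * 256 + +m[i]; }
  return n;
}

// True when the IP literal ip lies inside net/prefix. Written in plain JS
// rather than the PAC helper isInNet() so it never triggers a DNS lookup.
function inNet(ip, net, prefix) {
  var a = ipToInt(ip), b = ipToInt(net);
  if (a === null || b === null) return false;
  var mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  return ((a & mask) >>> 0) === ((b & mask) >>> 0);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  var scheme = url.split(":")[0].toLowerCase();
  // Single-label names (nas, printer) and our own domain never leave the LAN.
  if (host.indexOf(".") === -1) return "DIRECT";
  if (host.slice(-INTERNAL_SUFFIX.length) === INTERNAL_SUFFIX) return "DIRECT";
  // Loopback and RFC1918 literals: talk to them directly, not via Squid.
  if (inNet(host, "127.0.0.0", 8) || inNet(host, "10.0.0.0", 8) ||
      inNet(host, "172.16.0.0", 12) || inNet(host, "192.168.0.0", 16)) return "DIRECT";
  // Squid handles HTTP and HTTPS (CONNECT); other schemes bypass it.
  if (scheme !== "http" && scheme !== "https") return "DIRECT";
  // No "; DIRECT" fallback: if Squid is down the client fails closed.
  return PROXY;
}
```

    Serve it as wpad.dat from a web server the clients can reach as http://wpad/ (a DNS record), or hand out its URL with DHCP option 252 from the DHCP server. Returning only PROXY, with no "; DIRECT" fallback, is what makes the proxy enforceable in the "block them if they don't point to it" case johnpoz describes: a client that ignores the PAC can then be stopped with a LAN firewall rule that blocks TCP 80/443 from anything except pfSense itself.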

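    The transit-network layout from the post above, as an added example that is not from the thread and not Ubiquiti or Netgate code: a small Node script that checks an addressing plan against the rules johnpoz states (only the two routers on a /30 transit, the static route's next hop inside it, downstream networks disjoint from the transit and from anything the upstream router still serves) and, when the plan is clean, emits the EdgeOS configure-mode commands for the EdgeRouter half. The interface names eth0 (EdgeRouter WAN) and eth1 (transit port), the NAT rule numbers starting at 5100, and the second plan in the usage note are assumptions.

```javascript
// Added example: validate a "downstream pfSense on a transit network" plan
// and emit the EdgeOS side of it. Not from the thread, not vendor code.
// Assumed interface names (replace with yours): eth0 = EdgeRouter WAN,
// eth1 = the EdgeRouter port carrying the transit /30. Rule numbers are
// also an assumption; EdgeOS source NAT rules live in the 5000-9999 range.
var WAN_IF = "eth0", TRANSIT_IF = "eth1", FIRST_NAT_RULE = 5100;

// Dotted-quad IPv4 literal -> 32-bit number, or null if not an IP.
function ipToInt(s) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) { if (+m[i] > 255) return null; n = n * 256 + +m[i]; }
  return n;
}

// "a.b.c.d/n" -> {cidr, host, ip, prefix, mask, net}; throws on garbage.
function parseCidr(cidr) {
  var parts = cidr.split("/"), ip = ipToInt(parts[0]), prefix = Number(parts[1]);
  if (ip === null || !(prefix >= 0 && prefix <= 32)) throw new Error("bad CIDR: " + cidr);
  var mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  return { cidr: cidr, host: parts[0], ip: ip, prefix: prefix, mask: mask, net: (ip & mask) >>> 0 };
}

// True when address a falls inside network n.
function contains(n, a) { return ((a.ip & n.mask) >>> 0) === n.net; }

// Two prefixes overlap iff the shorter one contains the other's network address.
function overlaps(a, b) {
  var big = a.prefix <= b.prefix ? a : b, small = big === a ? b : a;
  return ((small.net & big.mask) >>> 0) === big.net;
}

function checkPlan(plan) {
  var errors = [], commands = [];
  var transit = parseCidr(plan.transit);
  var upstream = parseCidr(plan.edgeRouterTransitAddr);
  var pfWan = parseCidr(plan.pfSenseWanAddr);
  var downstream = plan.downstreamNets.map(parseCidr);
  var upstreamNets = (plan.otherUpstreamNets || []).map(parseCidr);
  var broadcast = transit.net + (0xffffffff - transit.mask);

  // 1. Transit network: a /30 holding exactly the two router addresses.
  if (transit.prefix !== 30) errors.push("transit " + transit.cidr + " should be a /30: only the two routers belong on it");
  [upstream, pfWan].forEach(function (a) {
    if (!contains(transit, a)) errors.push(a.cidr + " is outside the transit network " + transit.cidr);
    else if (a.ip === transit.net || a.ip === broadcast) errors.push(a.cidr + " is the network or broadcast address of " + transit.cidr);
    if (a.prefix !== transit.prefix) errors.push(a.cidr + " must use the transit prefix /" + transit.prefix);
  });
  if (upstream.ip === pfWan.ip) errors.push("both routers use the transit address " + upstream.host);

  // 2. Downstream networks: disjoint from the transit, from each other and
  //    from anything the upstream router still serves directly.
  downstream.forEach(function (d, i) {
    if (overlaps(d, transit)) errors.push(d.cidr + " overlaps the transit network " + transit.cidr);
    upstreamNets.forEach(function (u) {
      if (overlaps(d, u)) errors.push(d.cidr + " overlaps upstream network " + u.cidr + "; the EdgeRouter cannot route it to pfSense");
    });
    downstream.slice(i + 1).forEach(function (e) {
      if (overlaps(d, e)) errors.push(d.cidr + " overlaps " + e.cidr);
    });
  });
  if (errors.length) return { errors: errors, commands: [] };

  // 3. EdgeOS commands: transit address, one static route per downstream
  //    network via the pfSense transit address and, when pfSense does not
  //    NAT, a masquerade rule so the EdgeRouter WAN NATs that network.
  commands.push("set interfaces ethernet " + TRANSIT_IF + " address " + upstream.cidr);
  downstream.forEach(function (d, i) {
    commands.push("set protocols static route " + d.cidr + " next-hop " + pfWan.host);
    if (!plan.pfSenseNat) {
      var rule = FIRST_NAT_RULE + i * 10;
      commands.push("set service nat rule " + rule + " type masquerade");
      commands.push("set service nat rule " + rule + " outbound-interface " + WAN_IF);
      commands.push("set service nat rule " + rule + " source address " + d.cidr);
    }
  });
  return { errors: errors, commands: commands };
}

// johnpoz's diagram: EdgeRouter .1 and pfSense .2 on 192.168.0.0/30, LAN 192.168.1/24.
var plan = checkPlan({
  transit: "192.168.0.0/30",
  edgeRouterTransitAddr: "192.168.0.1/30",
  pfSenseWanAddr: "192.168.0.2/30",
  downstreamNets: ["192.168.1.0/24", "192.168.2.0/24"],
  pfSenseNat: false
});
console.log(plan.errors.length ? plan.errors.join("\n") : plan.commands.join("\n"));
```

    Run the emitted lines inside `configure` on the EdgeRouter, then `commit` and `save`; if the EdgeRouter already has a masquerade rule with no source restriction, the extra NAT rules are redundant. Feeding it the plan the original poster described (pfSense WAN on the existing 192.168.1.0/24 with NAT off, pfSense LAN also 192.168.1.x) returns overlap errors and no commands, which is the reason nothing routed. The pfSense half is GUI work: WAN static 192.168.0.2/30 with gateway 192.168.0.1, LAN 192.168.1.1/24, and, because the transit network is RFC1918, untick "Block private networks and loopback addresses" on the WAN interface and add WAN pass rules for whatever the upstream side must reach. With pfSense NAT left on, the static routes and masquerade rules are unnecessary, but you get the double NAT the later posts describe.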


  • I have 1 box set up for a friend who loves having his TV set-top boxes work easily with the modem/router provided by Verizon.

    Same house has a stubborn borderline Forrest Gump IQ girl also staying there who has an affinity for pressing the hard-reset button on the ISP's FiOS router.

    So, rather than deal with their silliness, I moved the normal router off 192.168.1.1 to something like 192.168.23.1.  Just pick an IP.

    Then let pfSense's WAN get a dynamic IP from the ISP's router.

    Then made a static entry for that IP in the ISP's router.

    Then put pfSense in a DMZ.

    Set the pfSense LAN to some other odd IP like 10.20.30.1 just to avoid conflicts.

    Attached everything in the house to a switch attached to the pfSense LAN.

    It's not ideal because it introduces an unnecessary layer of NAT.  It's not something I'd do for myself.

    However, everything attached to pfSense works.  VPNs on pfSense work.  You can proxy to your heart's content and it will work.  VoIP works.

    STBs and phones attached to the ISP modem work.  It's ugly but easy and does what you want.



  • Define unsuccessful?

    Software didn't install?
    Errors?
    Network issues?
    Software tied your arms and can't type?

    If possible give detailed details on what you need to configure in both your Edge Router and in pfSense…

    @bcpark:

    I'm trying to install pfSense behind my current router, which is a UBNT EdgeRouter.  I'm trying to run pfSense behind my router because I want to install Squid to run as a proxy.  I have a decent amount of understanding when it comes to networking, but am by no means an expert.  I have spent about a week trying to figure it out and have been unsuccessful.  If possible I need detailed instructions on what I need to configure in both my EdgeRouter and in pfSense.

    Thanks guys!



  • I was able to use my pfSense box between my USG and cable modem without any issues. The only thing I had to do was create a rule within the UniFi Controller as shown in the attached pic. The workflow is Cable Modem -> pfSense WAN (DHCP) -> pfSense LAN (Static 10.35.2.20) -> USG WAN (Static 10.35.2.21) -> USG LAN (Static 192.168.1.20) -> UniFi Switch 24 (Static 192.168.1.21). With this configuration I'm able to log in to the pfSense box and manage it from the local LAN. Since I have a Windows domain running I had to make some adjustments due to the fact that the clients need to point their DNS to a domain controller's DNS and DHCP. Both wired and wireless clients on the LAN can access both the internal network and the internet. With the guest wireless networks I set block LAN to WLAN multicast and broadcast data, then manually enter the MAC addresses for the DHCP/DNS server and the Controller. This prevents the guest network from seeing the machines and shares on the LAN while still allowing them access to DNS and DHCP.

    I understand the USG and Edge are different but the end result should be the same.


