Netgate Discussion Forum
    PfSense as Edge firewall/router, Sophos SG UTM as internal firewall/router

    Routing and Multi WAN

    destrekor:

      My situation specifically involves VMware vSphere (cluster with VCSA). But I may simply need understanding of the high-level concept, not sure yet where the issue lies. My basic routing is rather rusty, I'm probably forgetting something obvious.

      The situation: Sophos SG UTM is already the "edge", and only the internal LAN is hanging off it, with everything on the same network. I'd like to promote pfSense to edge status and keep Sophos as the internal gateway.

      I tried this last night and I had to revert back to how it was before, so I missed something.

      I disabled NAT on Sophos, and tried both with and without any static routes trying to point all traffic to the WAN interface. I also tried with and without a policy route instead of a static one.
      I assigned 192.168.13.2/30 to the Sophos WAN interface, and 192.168.13.1/30 as the pfSense LAN interface. Both had the other IP set as the gateway IP on that network.

      Now, I could never get to the pfSense webconfig page at 13.1, but from the console I could ping 13.2 once I enabled ping response on Sophos. Likely pfSense has ping disabled by default as well, so ping testing was going to fail in that direction, I suspect.

      For VMware specific concerns in case that is the only place I failed: I had pfSense LAN and Sophos WAN on the same VDSwitch, with an uplink from each host. I suspect this part was fine because from the pfSense console I could ping Sophos.

      Sophos LAN interface is 192.168.14.1, and I unfortunately completely forgot to try pinging that IP from pfSense.

      Would the failure be in a lack of a static route to the 14.0 network through the 13.0 network?

      Or some firewall configuration I missed that needs to be made on the Sophos?

      cplmayo:
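      As an added example that is not part of the thread: a small longest-prefix-match routing check for the topology described in the post (pfSense LAN 192.168.13.1/30, Sophos WAN 192.168.13.2/30, Sophos LAN 192.168.14.0/24). It shows that without a static route for 192.168.14.0/24 via 192.168.13.2, pfSense sends replies to hosts behind Sophos out its default route rather than back through the transit network, and that pfSense's default LAN pass rule (source "LAN net") would not match those hosts either. The WAN next hop 203.0.113.1 and the client 192.168.14.50 are assumed values.

```python
import ipaddress

# Constructed topology from the thread: pfSense LAN 192.168.13.1/30 <-> Sophos WAN 192.168.13.2/30,
# Sophos LAN 192.168.14.1/24. The WAN next hop 203.0.113.1 is an assumed placeholder.
PFSENSE_LAN_NET = ipaddress.ip_network("192.168.13.0/30")
SOPHOS_LAN_NET = ipaddress.ip_network("192.168.14.0/24")
SOPHOS_WAN_IP = ipaddress.ip_address("192.168.13.2")
WAN_NEXT_HOP = ipaddress.ip_address("203.0.113.1")  # assumed


def lookup(routes, dst):
    """Longest-prefix match over a list of (network, next_hop, interface)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, next_hop, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return best


def pfsense_routes(with_static_route):
    """pfSense's table: default via WAN, the /30 directly connected, optional static route."""
    routes = [
        (ipaddress.ip_network("0.0.0.0/0"), WAN_NEXT_HOP, "WAN"),
        (PFSENSE_LAN_NET, None, "LAN"),  # directly connected transit network
    ]
    if with_static_route:
        routes.append((SOPHOS_LAN_NET, SOPHOS_WAN_IP, "LAN"))
    return routes


def return_path(with_static_route, client="192.168.14.50"):
    """Interface and next hop pfSense uses for a reply to a host behind Sophos."""
    _net, next_hop, iface = lookup(pfsense_routes(with_static_route), client)
    return iface, ("connected" if next_hop is None else str(next_hop))


def lan_rule_allows(src, rule_source=PFSENSE_LAN_NET):
    """pfSense's default LAN pass rule matches source 'LAN net' only."""
    return ipaddress.ip_address(src) in rule_source


if __name__ == "__main__":
    print("no static route:", return_path(False))   # ('WAN', '203.0.113.1')
    print("with static route:", return_path(True))  # ('LAN', '192.168.13.2')
    print("LAN rule matches 192.168.14.50:", lan_rule_allows("192.168.14.50"))  # False
```

      With NAT still enabled on Sophos, every packet reaching pfSense appears to come from 192.168.13.2, which is directly connected and inside "LAN net", so the same topology works without the route; disabling NAT is exactly what exposes the missing return route and the rule mismatch.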

        What is your use case here? Are you wanting pfSense to just act as the firewall and Sophos do all other network tasks?

        I've run pfSense on VMware several times and never had any major issues.

        From the LAN you should always be able to ping pfSense's LAN interface; it will only block ICMP to WAN by default.

        I would like to help but need more information.

        Koent:

          Configure Sophos in bridge mode? It is weird at first, but it grows on you.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.