Is it possible to configure pfSense to work AFTER a router?

  • I've been trying to get this working between my router and WAN (which is where I think it was designed to be), but it isn't working out. My house is full of tech (and not mostly phones and computers). Every time I fixed one issue, two other things broke.

    I really only need it to protect ONE link–my computers and phones can protect themselves to a level that I am comfortable with.

    So... don't laugh, please... I'm wondering if anyone uses it as a firewall/VPN server for a single networked device that sits on a larger network. In that sense, it should not do any routing at all. In other words, it should just be repeating and directing all traffic to a VPN.

    If anyone else is doing this, are there any adjustments I need to make?
    Or can I just drop it into that position in the network and expect that it will "just work"? (Though I fear I already know the answer to that... haha)

  • Is it possible to configure pfSense to work AFTER a router

    Yes it is but I'm not sure why you would want to. If you're having issues installing and configuring pfSense then post up your specific issues so others can help.

  • I've done that in the appropriate forums, but I just don't have the expertise to get it working properly. People direct me to a thread that helped them with a specific issue, but I have no idea how to apply that to my situation. What happens is that when one issue gets fixed (or nearly so), it breaks something else. For example, even with assistance, I couldn't get pfBlockerNG and OpenVPN to work together. While trying to get that working I broke my Sonos' ability to play music and Echo Dot's ability to control the lights. I've never had problems with those before, and when I pulled the pfSense box off of the main ethernet connection to WAN, everything worked again, so I know that was the problem. After that, I started thinking about my thermostats and door locks and cameras, etc… which I need to be able to control from Asia when I'm working there and I realized that this has the potential to knock everything offline.

    I finally decided that I can just run local VPN and Adguard on my computers and I'm fine with that.

    But I can't run VPN on my video hardware--it overtaxes the processors which weren't meant for that. If this thing is just on that one connection, it can't mess up everything else.

  • Would I need to set the router to DMZ to that IP?

    Anything else?

  • @Tom7755:

    Would I need to set the router to DMZ to that IP?


    But (as there is always a but): do you have a "web server" (teamspeak, mail, VPN, ftp, whatever) behind your pfSense?
    In that case you "NATP" your first router - identical ports to the LAN-IP of pfSense.
    On another, same rule NATP in pfSense for this incoming connection to the server in question.
    This is valid for IPv4.

    IPv6 (connections) should make life a little easier (on paper).


    Anything else?

    I've been using a "smoke signals to TCP packets converter" for years (a basic modem device: "ADSL" analog phone line signals to TCP).
    The big advantage was: pfSense had a 'real' WAN IP on its WAN interface. This was cool.
    But, as always, my ISP doesn't support these modems anymore, they are "3-play" devices now (they handle Internet, phone, tv etc) so I didn't have any choice anymore: my ISP's device stays a router, so I had to "NAT" in this box my incoming VPN connection to the pfSense IP.
    No big deal actually. A real "set it and forget it" installation. You lose a couple of ms on the road, that's it.

  • That's great to know, thanks so much for replying Gertjan!

    My plan is to do the most basic configuration possible with OpenVPN on.

    No webserver or VPN behind it. I will run OpenVPN on the pfSense box. It will be for video (TV's built-in apps, Apple TV and FireStick on a dumb hub) because running a VPN directly on those boxes or the router is too slow.

    So if I run the pfSense box on default settings and turn on OpenVPN with my VPN info using the killswitch method described here:


    1. I don't need to do anything else to configure the router or pfSense? (The router is currently set up to give an IP to the boxes on that hub by DHCP.)

    2. Do I need to be concerned with having a double NAT situation going on, or does that matter?

    3. Do I need to worry about DNS leaks from the router because it is ahead/upstream from the VPN running on the pfSense box?

    1. The router in front of pfSense has to have a NAT rule to pass along the incoming VPN connection.

    2. If you use the VPN server from pfSense, no.

    3. Can't tell. I do not have a clear view of your network. But, as always, a VPN - and surrounding firewall - with a good setup doesn't "leak".

    Let's Begin!

    1.) Start by downloading one of these certificates to your computer:

    This is a joke or what ?
