PFsense With Single NIC
-
Dear all,
I have the following scenario.
Our network has 4 VLANs over a Cisco environment. I want to use pfSense as a proxy server with a single NIC. I didn't want to make my pfSense the default gateway because we have a Cisco ASA firewall; my pfSense server will be the back end acting as a web filter for our users, and then my pfSense box will communicate with my Cisco ASA to respond to users' requests. Many thanks
-
Use VLANs and make each VLAN an interface.
-
Many thanks,
but can you give more details? I will use VLANs, with no gateway, but I still must create 2 interfaces, one for LAN and the other for WAN.
Can pfSense work the same as TMG with a single-NIC topology like the attached pic?
-
You must have a switch with VLAN capability; Nick's Hardware over @ YouTube has a video.
-
Many thanks
Can you support me with a video link for this issue, please? I appreciate your help.
-
???
https://doc.pfsense.org/index.php/Installing_pfSense#Assign_Interfaces_on_the_Console
Only one interface (WAN) is required to setup pfSense
NOTE: If only one NIC is assigned (WAN), This is called Appliance Mode. In this mode, pfSense will move the GUI anti-lockout rule to the WAN interface so the firewall may be accessed from there. The usual routing functions would not be active since there is no "internal" interface. This type of configuration is useful for VPN appliances, DNS servers, etc.
-
It's very easy.
With your switch, you'll have 3 ports.
Port 1 will be untagged in VLAN 100.
Port 2 will be untagged in VLAN 200.
Port 3 will be tagged with VLANs 100 and 200.
On your pfSense you have two VLAN interfaces: VLAN 100 is your "WAN" interface and VLAN 200 is your "LAN" interface.
You plug your WAN into Port 1, you plug your LAN into Port 2 and you plug your pfSense into Port 3.
If this is too complex/confusing then I would politely suggest that some time spent studying the fundamentals of IP and Ethernet would be of greater assistance to you than someone showing you a video that won't cover your exact use case requirements. The pfSense book is quite good for this and is only a Gold Subscription (or even cheaper for HTML access to it).
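The three-port layout above, as an added example that is not part of the original post: a minimal model of 802.1Q access and trunk ports, used to check that a frame entering the "WAN" access port can only reach the trunk port where the single pfSense NIC sits, never the "LAN" access port, so the WAN/LAN separation is done by the switch and pfSense routes between the two VLANs. Port numbers and VLAN IDs are the ones in the post; the simplifications (no MAC learning, no native VLAN, tagged frames rejected on access ports) are assumptions of this model, not statements about any specific switch.

```python
# Added example (not from the forum thread): simplified model of the three-port
# VLAN switch layout described above. Assumptions: no MAC learning (every frame is
# flooded within its VLAN), no native VLAN on the trunk, and tagged frames arriving
# on an access port are dropped. Real switches differ in these details.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Port:
    mode: str          # "access" (untagged member of one VLAN) or "trunk" (tagged)
    vlans: List[int]   # access: exactly one VLAN; trunk: the allowed VLAN list


# Switch layout from the post: ports 1 and 2 untagged, port 3 tagged with both VLANs.
SWITCH: Dict[int, Port] = {
    1: Port("access", [100]),      # WAN uplink, VLAN 100
    2: Port("access", [200]),      # LAN, VLAN 200
    3: Port("trunk", [100, 200]),  # the single pfSense NIC
}


def classify(ingress: int, tag: Optional[int]) -> Optional[int]:
    """Return the VLAN a frame belongs to on ingress, or None if the switch drops it."""
    port = SWITCH[ingress]
    if port.mode == "access":
        # An access port assigns its own VLAN to untagged frames; a tagged frame
        # on an access port is rejected in this model.
        return port.vlans[0] if tag is None else None
    # A trunk port (no native VLAN here) accepts only tagged frames whose VLAN is allowed.
    if tag is not None and tag in port.vlans:
        return tag
    return None


def flood(ingress: int, tag: Optional[int]) -> Dict[int, Optional[int]]:
    """Flood a frame to every other port that carries its VLAN.

    The returned dict maps egress port -> tag on the wire (None means the frame
    leaves untagged). An empty dict means the switch dropped the frame.
    """
    vlan = classify(ingress, tag)
    if vlan is None:
        return {}
    out: Dict[int, Optional[int]] = {}
    for number, port in SWITCH.items():
        if number == ingress or vlan not in port.vlans:
            continue
        # Trunk ports re-tag on egress; access ports strip the tag.
        out[number] = vlan if port.mode == "trunk" else None
    return out


if __name__ == "__main__":
    # A frame from the WAN uplink reaches only the pfSense trunk port, tagged 100.
    print("WAN frame ->", flood(1, None))
    # pfSense answering on VLAN 200 reaches only the LAN port, untagged.
    print("pfSense VLAN 200 frame ->", flood(3, 200))
    # A VLAN the trunk does not allow is dropped.
    print("pfSense VLAN 300 frame ->", flood(3, 300))
```

The point the model makes visible is that no combination of ingress port and tag produces an entry for both port 1 and port 2: WAN and LAN share the same physical pfSense link but never share a broadcast domain.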
-
Thanks
I appreciate your recommendations
-
Dear sir
By the way, port 3 (untagged) will be the management port.
@muppet: It's very easy.
With your switch, you'll have 3 ports.
Port 1 will be untagged in VLAN 100.
Port 2 will be untagged in VLAN 200.
Port 3 will be tagged with VLANs 100 and 200.
On your pfSense you have two VLAN interfaces: VLAN 100 is your "WAN" interface and VLAN 200 is your "LAN" interface.
You plug your WAN into Port 1, you plug your LAN into Port 2 and you plug your pfSense into Port 3.
If this is too complex/confusing then I would politely suggest that some time spent studying the fundamentals of IP and Ethernet would be of greater assistance to you than someone showing you a video that won't cover your exact use case requirements. The pfSense book is quite good for this and is only a Gold Subscription (or even cheaper for HTML access to it).
-
Can this solution handle traffic for 5000 users, or is it preferable to use 2 NICs?
-
This starts to sound like a homework assignment.
One physical port has a fixed, limited bandwidth; the more stuff (VLANs) you throw at it, the more it has to share that fixed bandwidth between all its VLANs. There is no magic.
-
You don't need more than one interface and hence don't need VLANs to run pfSense purely as a proxy server with Squid.
Just configure the WAN only and install Squid. There will be an allow all rule on the WAN but you may want to restrict that.
Set your clients to use the pfSense as the proxy. Done.
Steve
-
I appreciate your recommendation. I tried it; it's up and running, but I am a little confused.
My production scenario is that I have 9 network subnets:
172.40.1.0/24 with default gateway 172.40.1.1
...
172.40.9.0/24 with default gateway 172.40.9.1
Every subnet has its own DG, as I mentioned above; all of them are routed to my Fortigate box, then the Internet.
I want to set my pfSense box just as a proxy server in front of my Fortigate.
What should I do in my pfSense box configuration?
Should I set my default gateway in pfSense to the Fortigate IP, or what? And if you have any other recommendation I should do,
I appreciate your recommendation.
Many thanks
-
The pfSense box will need upstream connectivity, so set its default gateway/route. That appears to be your Cisco gear from how I understand your network. A diagram would help here.
It will also need a route back to your other subnets to reply to clients, so you will probably need to add static routes via the Fortigate device.
Since pfSense is not in the clients' route by default, they will either need to be configured to use the proxy or something else will have to redirect traffic to it. pfSense usually does that itself if you run in 'transparent mode' but that is not possible with this setup.
Steve
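The return-route question in the reply above, as an added example that is not part of the thread: a longest-prefix-match lookup over a small route table, used to check where a single-NIC pfSense proxy sends its replies to clients in the nine 172.40.x.0/24 subnets the poster listed. The gateway 172.40.1.1 is the one given in the thread; the pfSense address 172.40.1.10, the alternative upstream gateway 172.40.1.254 and the Internet address 203.0.113.50 are constructed for the example. Note also that 172.40.0.0/16 lies outside the RFC 1918 range 172.16.0.0/12, so it is public address space; the example uses the poster's numbers as given.

```python
# Added example (not from the forum thread): longest-prefix-match route lookup
# for a single-NIC pfSense proxy sitting in 172.40.1.0/24. Constructed values:
# pfSense at 172.40.1.10, an alternative upstream gateway 172.40.1.254 and the
# TEST-NET-3 address 203.0.113.50 standing in for an Internet host.
import ipaddress
from typing import List, Optional, Tuple

# A route is (prefix, next hop); next hop None means the prefix is directly connected.
Route = Tuple[ipaddress.IPv4Network, Optional[str]]


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Return the most specific route covering dst (longest prefix wins), or None."""
    addr = ipaddress.ip_address(dst)
    matches = [route for route in table if addr in route[0]]
    if not matches:
        return None
    return max(matches, key=lambda route: route[0].prefixlen)


def next_hop(table: List[Route], dst: str) -> str:
    """Human-readable next hop: a gateway address, 'on-link', or 'unreachable'."""
    route = lookup(table, dst)
    if route is None:
        return "unreachable"
    return "on-link" if route[1] is None else route[1]


def client_subnets() -> List[ipaddress.IPv4Network]:
    """The nine client subnets from the thread, 172.40.1.0/24 .. 172.40.9.0/24."""
    return [ipaddress.ip_network(f"172.40.{i}.0/24") for i in range(1, 10)]


def return_paths(table: List[Route]) -> dict:
    """For each client subnet, the next hop pfSense uses to reply to a host in it."""
    return {str(net): next_hop(table, str(net.network_address + 10))
            for net in client_subnets()}


# Case 1: only a connected route plus a default route pointing at the Fortigate.
# The default route already covers replies to every other 172.40.x.0/24 subnet.
TABLE_DEFAULT_ONLY: List[Route] = [
    (ipaddress.ip_network("172.40.1.0/24"), None),
    (ipaddress.ip_network("0.0.0.0/0"), "172.40.1.1"),
]

# Case 2: the default gateway is some other upstream device (constructed
# 172.40.1.254), so a static route for the internal /16 via the Fortigate is
# what brings replies back to the client subnets; Internet traffic still
# follows the default route.
TABLE_WITH_STATIC: List[Route] = [
    (ipaddress.ip_network("172.40.1.0/24"), None),
    (ipaddress.ip_network("172.40.0.0/16"), "172.40.1.1"),
    (ipaddress.ip_network("0.0.0.0/0"), "172.40.1.254"),
]


if __name__ == "__main__":
    for name, table in (("default only", TABLE_DEFAULT_ONLY),
                        ("with static /16", TABLE_WITH_STATIC)):
        print(name, "->", return_paths(table))
        print(name, "Internet ->", next_hop(table, "203.0.113.50"))
```

Running it shows the practical check: in both tables every client subnet resolves to a usable next hop, and only the second table separates internal return traffic (via 172.40.1.1) from Internet-bound traffic (via the other gateway). A table with the connected route alone leaves every remote subnet "unreachable", which is the symptom of a proxy that accepts requests but never answers them.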
-
Many Thanks Sir
-
First of all I want to say thank you to all, especially stephenw10, SammyWoo, muppet and ptt.
Everything is working well in my test lab (pfSense with single NIC), but when I implemented it in my production environment, I faced some problems.
pfSense and the clients have the same default gateway and DNS (but the clients have the pfSense IP as proxy server, the same configuration that was working in the test lab).
1- What traffic exactly should I allow to the pfSense IP in my Fortigate, because pfSense gives me an error in Package Manager?
2- I will integrate my pfSense with Active Directory (is there anything I should worry about with the integration?)
I appreciate your help
-
It just needs internet access like any other client for updates and packages. So it will need DNS servers and a default gateway pointed at the Fortigate. I am pretty sure all of its outbound connections are on TCP/443 for that, so that plus DNS should be all that is necessary if you are filtering outbound.
You can use LDAP (or RADIUS) to query AD (AD/NPS). Lots of people do it.
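The two filtering points raised in this thread, as one added example that is not part of any post: the "allow all" rule on the pfSense WAN that Steve earlier suggested restricting, and the outbound policy on the Fortigate for the proxy's own traffic described in the reply above. The block is a first-match rule evaluator applied to both rule sets over constructed flows. The pfSense address 172.40.1.10, the management subnet 172.40.1.0/24, the internal DNS server 172.40.2.5 and the 203.0.113.0/24 addresses are constructed; Squid's default port 3128 and pfSense's HTTPS GUI on 443 are real defaults. The NTP flow is included as a caveat: a policy that allows only DNS and TCP/443 blocks the NTP client pfSense runs by default, which the reply above does not mention.

```python
# Added example (not the thread's own code): first-match firewall rule evaluation
# applied to (1) inbound rules on the pfSense WAN, its only interface, and
# (2) the Fortigate egress policy for the proxy's own traffic.
# Constructed values: pfSense at 172.40.1.10, management subnet 172.40.1.0/24,
# internal DNS server 172.40.2.5, TEST-NET-3 (203.0.113.0/24) for Internet hosts.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    action: str                      # "allow" or "deny"
    proto: Optional[str]             # "tcp", "udp" or None for any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]             # None matches any destination port


@dataclass
class Flow:
    proto: str
    src: str
    dst: str
    dport: int


def evaluate(rules: List[Rule], flow: Flow, default: str = "deny") -> str:
    """First matching rule decides, as pfSense and most firewalls do; with no
    match the implicit default (deny) applies."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for rule in rules:
        if rule.proto not in (None, flow.proto):
            continue
        if src not in rule.src or dst not in rule.dst:
            continue
        if rule.dport not in (None, flow.dport):
            continue
        return rule.action
    return default


PFSENSE_IP = "172.40.1.10"                           # constructed proxy address
PFSENSE = ipaddress.ip_network(PFSENSE_IP + "/32")
INTERNAL = ipaddress.ip_network("172.40.0.0/16")      # covers the nine client subnets
MGMT = ipaddress.ip_network("172.40.1.0/24")          # constructed management subnet
DNS_SERVER = ipaddress.ip_network("172.40.2.5/32")    # constructed internal resolver

# (1) Inbound rules on the pfSense WAN, replacing the default "allow all":
#     clients may reach Squid, only the management subnet may reach the GUI.
PFSENSE_WAN: List[Rule] = [
    Rule("allow", "tcp", INTERNAL, PFSENSE, 3128),   # Squid proxy port
    Rule("allow", "tcp", MGMT, PFSENSE, 443),        # pfSense web GUI over HTTPS
]

# (2) Egress policy on the Fortigate for the proxy host itself: DNS to the
#     internal resolver and TCP/443 anywhere for updates and packages.
FORTIGATE_EGRESS: List[Rule] = [
    Rule("allow", "udp", PFSENSE, DNS_SERVER, 53),
    Rule("allow", "tcp", PFSENSE, DNS_SERVER, 53),
    Rule("allow", "tcp", PFSENSE, ANY, 443),
]


def decisions() -> dict:
    """Constructed flows run through both rule sets."""
    me = PFSENSE_IP
    return {
        "client proxy request":   evaluate(PFSENSE_WAN, Flow("tcp", "172.40.7.42", me, 3128)),
        "gui from client vlan":   evaluate(PFSENSE_WAN, Flow("tcp", "172.40.7.42", me, 443)),
        "gui from management":    evaluate(PFSENSE_WAN, Flow("tcp", "172.40.1.20", me, 443)),
        "internet host to squid": evaluate(PFSENSE_WAN, Flow("tcp", "203.0.113.9", me, 3128)),
        "pkg fetch over https":   evaluate(FORTIGATE_EGRESS, Flow("tcp", me, "203.0.113.50", 443)),
        "dns lookup":             evaluate(FORTIGATE_EGRESS, Flow("udp", me, "172.40.2.5", 53)),
        "ntp sync":               evaluate(FORTIGATE_EGRESS, Flow("udp", me, "203.0.113.123", 123)),
    }


if __name__ == "__main__":
    for name, verdict in decisions().items():
        print(f"{name:24s} {verdict}")
```

The "ntp sync" line is the one to watch when translating the reply into a real policy: the package-manager error goes away once DNS and TCP/443 are open, but time synchronisation still fails silently unless UDP/123 to the chosen NTP servers is added as well.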
-
Many Thanks :)
-
Dear Sir
Can you recommend me a good tutorial for using LDAP to query AD?
I appreciate your help
-
If you have Gold membership or Book access then:
https://portal.pfsense.org/docs/book/usermanager/external-authentication-examples.html#active-directory-ldap-example
Otherwise there's troubleshooting tips here: https://doc.pfsense.org/index.php/LDAP_Troubleshooting
Steve