Correct GW for bridged pfSense box



  • I am having trouble determining the correct GW for a bridged pfSense box.

    Goal: Place pfSense on my home network in order to add a layer of protection and hopefully get an idea of what my internet traffic looks like.

    Current setup:

    ISP provided router (bridged mode) --> Mikrotik router

    The Mikrotik is a wireless access point running an additional virtual access point, each with its own subnet, let's say 192.168.88.xx and 192.168.99.xx respectively, assigned via DHCP based on which AP the device is connected to. One of the subnets is tunneled to a VPN provider so that I can easily connect wireless devices to a VPN, even without a native client installed on the device.

    Proposed setup:

    My internet research shows that in order to install pfSense on my network and to avoid having a double NAT situation, I would need to use pfSense as a bridged or transparent firewall and continue to have all routing done by the Mikrotik router/AP, so my network would look like:

    ISP provided router (bridged mode) --> pfSense box (bridged mode) --> Mikrotik router

    Correct? In this mode, what do I configure the pfSense box gateway to be? Should it be the Mikrotik (192.168.88.1) or the gateway associated with the public IP address I get from the ISP?

    Thanks in advance....


  • LAYER 8 Global Moderator

    @krak3n said in Correct GW for bridged pfSense box:

    get an idea of what my internet traffic looks like.

    And your Mikrotik is not showing you what traffic is to and from the internet?

    Pfsense would replace the Mikrotik - not sure what you think putting pfsense as a bridge between internet and nat router is going to get you?

    All the traffic you see is just going to be from your public IP to the internet - you will have no idea which client behind your current router is doing the traffic, etc.

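To make the point above concrete, here is an added example that is not part of any post in this thread. It models a port-overloading source NAT (what the Mikrotik does today) and looks at the same constructed traffic from two tap points: the LAN side, which is where pfSense would sit if it replaced the Mikrotik as the router, and the WAN side, which is where a bridged pfSense between the ISP modem and the Mikrotik would sit. The public IP, the internet destinations and the client flows are all made up (RFC 5737 documentation ranges plus the 192.168.88.0/24 subnet named in the thread).

```python
# Added example (not from the thread): a minimal port-overloading source NAT
# plus two observation points, showing what a passive firewall can attribute
# depending on whether it sits before or after the NAT router.
from collections import Counter
from dataclasses import dataclass, replace
from typing import Dict, Iterable, Optional, Tuple

# Assumed address: an RFC 5737 documentation range stands in for the ISP-assigned
# public IP. 192.168.88.0/24 is the wireless subnet mentioned in the thread.
PUBLIC_IP = "203.0.113.10"


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class Napt:
    """Source NAT with port overloading, the behaviour of a typical home router.

    The translation table is the only place where the mapping from the public
    (ip, port) pair back to the internal client exists.
    """

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self._next_port = first_port
        self._table: Dict[Tuple[str, int, str, int, str], int] = {}

    def outbound(self, flow: Flow) -> Flow:
        """Rewrite an outbound flow to the public IP and an allocated public port."""
        key = (flow.src_ip, flow.src_port, flow.dst_ip, flow.dst_port, flow.proto)
        if key not in self._table:
            self._table[key] = self._next_port
            self._next_port += 1
        return replace(flow, src_ip=self.public_ip, src_port=self._table[key])

    def lookup_client(self, translated: Flow) -> Optional[str]:
        """Reverse lookup: which LAN client owns a post-NAT flow. Needs NAT state."""
        for (src_ip, _sp, dst_ip, dst_port, proto), pub_port in self._table.items():
            if (pub_port == translated.src_port and dst_ip == translated.dst_ip
                    and dst_port == translated.dst_port and proto == translated.proto):
                return src_ip
        return None


# Constructed sample traffic: three clients on the 192.168.88.0/24 wireless subnet.
SAMPLE_FLOWS = [
    Flow("192.168.88.10", 51000, "198.51.100.5", 443),
    Flow("192.168.88.10", 51001, "198.51.100.9", 443),
    Flow("192.168.88.23", 51000, "198.51.100.5", 443),  # same src port as .10, distinct flow
    Flow("192.168.88.42", 52000, "198.51.100.77", 53, "udp"),
]


def sources_seen(flows: Iterable[Flow]) -> Counter:
    """What a passive bridge/firewall at this tap point can attribute per source address."""
    return Counter(f.src_ip for f in flows)


def lan_side_view(flows: Iterable[Flow] = SAMPLE_FLOWS) -> Counter:
    """pfSense as the router/firewall: it sees pre-NAT packets, one entry per client."""
    return sources_seen(flows)


def wan_side_view(flows: Iterable[Flow] = SAMPLE_FLOWS,
                  nat: Optional[Napt] = None) -> Tuple[Counter, Napt]:
    """pfSense bridged between ISP modem and NAT router: every packet carries the
    public IP, so per-client attribution is gone at that point."""
    nat = nat or Napt(PUBLIC_IP)
    translated = [nat.outbound(f) for f in flows]
    return sources_seen(translated), nat


if __name__ == "__main__":
    print("LAN side:", dict(lan_side_view()))
    wan, nat = wan_side_view()
    print("WAN side:", dict(wan))
    # Only the NAT router's own state table can map a WAN-side flow back to a client.
    probe = nat.outbound(SAMPLE_FLOWS[2])
    print("Reverse lookup via NAT table:", nat.lookup_client(probe))
```

The WAN-side view collapses every flow to the public IP; the only way back to a client is the NAT state table, which lives on whatever box does the NAT. That is the reason for putting pfSense where the routing and NAT happen rather than bridging it upstream of the Mikrotik.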


  • Well put, that is why I put my goals in the post, to get input on other/better ways to do things.

    • And your Mikrotik is not showing you what traffic is to and from the internet?

    Not with the granularity that I was looking for, but it could be that I haven't fully utilized its feature set.

    • Pfsense would replace the Mikrotik - not sure what you think putting pfsense as a bridge between internet and nat router is going to get you?

    So the Mikrotik offers quite a few features (maybe only found on higher end routers) but with the increased feature set, likely comes increased attack surface. I "trust" Pfsense more than Mikrotik. With that being said, I have a wireless setup that I like with the Mikrotik which is why I was trying to keep it.


  • LAYER 8 Global Moderator

    Why can you not just leverage the Mik as AP? Then use pfsense as your edge firewall/router and for routing all your internal segments. This will give you insight and control over your internal network and to and from the internet. Just leverage the Mik as wireless.

    What specific model do you have?

