pfSense in Appliance Mode, How to Add Interfaces and Maintain Appliance Mode?



  • Hi Folks,

    I can't seem to find an answer to this question, so if it has been answered already, sorry in advance...

    I have set up a VM with a single interface in a single VLAN (untagged at the appliance in a VMware port group), running pfSense as a VPN appliance (specifically for OpenVPN). This sits behind the pfSense gateway/firewall device which hosts multiple VLANs, etc. It runs fine as is; however, I want to set up several VPN servers for different purposes, with some being allowed access to various other internal VLANs. To avoid routing them all through the single VLAN and allowing that traffic out to the other VLANs through the gateway device, I'd like to add an additional trunked interface but stay in appliance mode. However, whenever I add an interface, the full firewall/NAT mode is enabled, which causes additional issues.

    Is there a way to maintain the Appliance Mode while adding additional interfaces?

    Just in case you're wondering, this is the description for "Appliance Mode":

    Appliance Mode

    In addition to the normal routing/firewall mode with multiple interfaces, a firewall may also run in Appliance Mode where it has only a single interface (WAN). The firewall places the GUI anti-lockout rule on the WAN interface so a client may access the firewall web interface from that network. The usual routing and NAT functions are not active in this mode since there is no internal interface or network. This type of configuration is useful for VPN appliances, DHCP servers, and other stand-alone roles.

    TIA,
    Superman


  • Netgate Administrator

    Disable outbound NAT, or set it to manual or hybrid mode and disable any rules you want, in Firewall > NAT > Outbound.

    Add firewall rules on the WAN to allow the traffic you need before you add the other interface. The only thing that happens when you do is that the default allow and anti-lockout rule move from WAN to LAN as soon as you add a second interface.

    Steve
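    The two preconditions Steve gives (outbound NAT no longer automatic, explicit WAN pass rules in place) can be checked against a config backup before the second interface is added. The script below is an added example, not code from the thread or from pfSense: it parses two constructed config.xml-style fragments, one matching the appliance as described in the question and one with the advice applied, and reports whether each is ready. The element names (`nat/outbound/mode`, `filter/rule`, `interface`, `type`, `disabled`, `descr`) and the mode value `advanced` for manual outbound NAT are assumptions about the backup layout and should be confirmed against a real export.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample backups in the shape of a pfSense config.xml (element
# names are an assumption, not taken from the thread). BEFORE mirrors the
# appliance in the question: automatic outbound NAT and no explicit WAN rules.
BEFORE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <nat><outbound><mode>automatic</mode></outbound></nat>
  <filter>
  </filter>
</pfsense>
"""

# AFTER applies the advice: outbound NAT set to hybrid and explicit WAN pass
# rules for OpenVPN and for the web GUI, plus one disabled rule that must not
# count as protection.
AFTER_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <nat><outbound><mode>hybrid</mode></outbound></nat>
  <filter>
    <rule>
      <type>pass</type>
      <interface>wan</interface>
      <protocol>udp</protocol>
      <destination><network>wanip</network><port>1194</port></destination>
      <descr>OpenVPN server</descr>
    </rule>
    <rule>
      <type>pass</type>
      <interface>wan</interface>
      <protocol>tcp</protocol>
      <destination><network>wanip</network><port>443</port></destination>
      <descr>Web GUI access (replaces anti-lockout once LAN exists)</descr>
    </rule>
    <rule>
      <disabled/>
      <type>pass</type>
      <interface>wan</interface>
      <protocol>tcp</protocol>
      <destination><network>wanip</network><port>22</port></destination>
      <descr>SSH, currently disabled</descr>
    </rule>
  </filter>
</pfsense>
"""

# Outbound NAT modes that keep automatic rules from being generated when a
# second interface appears ("advanced" is assumed to be the GUI's manual mode).
NON_AUTOMATIC_MODES = {"disabled", "hybrid", "advanced"}


def active_wan_pass_rules(root: ET.Element) -> List[str]:
    """Return the descriptions of enabled pass rules bound to the WAN interface."""
    rules = []
    for rule in root.findall("filter/rule"):
        if rule.find("disabled") is not None:
            continue  # a disabled rule is stored in the config but never loaded
        if rule.findtext("interface") == "wan" and rule.findtext("type") == "pass":
            rules.append(rule.findtext("descr", default="(no description)"))
    return rules


def check_readiness(config_xml: str) -> Dict[str, object]:
    """Report whether the config is safe to extend with a second interface."""
    root = ET.fromstring(config_xml)
    mode = root.findtext("nat/outbound/mode", default="automatic")
    wan_rules = active_wan_pass_rules(root)
    findings = []
    if mode not in NON_AUTOMATIC_MODES:
        findings.append(
            f"outbound NAT mode is '{mode}'; set it to disabled, hybrid or manual "
            "(Firewall > NAT > Outbound) before adding the interface"
        )
    if not wan_rules:
        findings.append(
            "no enabled pass rules on WAN; the default allow and anti-lockout "
            "rules move to LAN as soon as a second interface is added"
        )
    return {
        "nat_mode": mode,
        "wan_pass_rules": wan_rules,
        "findings": findings,
        "ready": not findings,
    }


if __name__ == "__main__":
    for name, cfg in (("before", BEFORE_CONFIG), ("after", AFTER_CONFIG)):
        report = check_readiness(cfg)
        print(name, "ready" if report["ready"] else "NOT ready")
        for finding in report["findings"]:
            print("  -", finding)
```

    Run it against a downloaded backup by passing the file contents to `check_readiness`; an empty `wan_pass_rules` list is the condition that would lock you out of the GUI the moment the second interface is assigned, because the rule that was admitting you is then on LAN rather than WAN.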



  • That was quick! Thanks so much for the reply. I was wondering if it was something like that. I just don't have the time to do a lot of tinkering these days. Much appreciated!

    Thanks,
    Supe

