    I was playing with my new DIY pfSense box (i3-8100T, 8GB RAM, Dell i350-T4 internally), but to be honest I didn't try two different subnets - I just connected directly to pfSense from the LAN side. Today I finally wanted to place pfSense as the main firewall in my network, but I ran into some problems.

    ISP Router ---> pfSense ---> MikroTik RB3011 --> clients/hosts

    pfSense is in the DMZ, and when I connect directly to pfSense with a laptop or PC I have Internet and I can access the WebGUI of pfSense, but as soon as I connect to the MikroTik, where I receive an IP from a different pool, I can't even access the WebGUI of pfSense, not to mention the Internet. On the MikroTik, NAT and firewall are OFF; routing on the MikroTik is correct, but I can't even ping pfSense. Is this related to routing on pfSense? Some whitelist of IP pools? Any tips?

    p.s. On Google I found that Internet access can be related to the DNS Resolver - in its tabs I should mark all interfaces to respond. I didn't try it yet; first I want to get to the WebGUI from behind the MikroTik. Yes, I know I can make the MikroTik a DHCP client, but I want to avoid that because behind the RB3011 I have another router that hosts VMs for public access, so I have to get access to pfSense anyway.

    Two general questions:

    • What do you mean with "pfSense is in DMZ"?
    • Why do you run another Router behind pfSense (MikroTik)?

    Show us a map of your network and draw out the subnets and stuff.
    Post your Firewall Rules as screenshot.
    Anything in the pfSense Logs when you try to access the WebGUI behind the MikroTik?


  • I have a fiber connection and a FritzBox from my ISP as the main router. Until now the MikroTik RB3011 was connected behind it, and all traffic with ports etc. was redirected from the FritzBox to the RB3011; on the RB3011 I was using NAT, firewall, QoS and DHCP for the local LAN. Now I have connected pfSense between the FritzBox and the RB3011, the main reason being to remove firewall and NAT from the RB3011 and do it on pfSense. DHCP and QoS will still be on the RB3011, where all hosts/clients are connected.

    FritzBox------> pfSense 192.168.100.x ----> RB3011 192.168.10.x

    I guess this is totally enough, because pfSense is on the basic setup; I haven't changed anything yet. After connecting pfSense I disabled firewall and NAT on the RB3011. The problem appears only behind the MikroTik, as if it can't access pfSense or anything behind it. When I connect on the same port the RB3011 was connected to, I have access to the WebGUI and the Internet. It looks like pfSense doesn't like a local IP pool other than the one from pfSense itself.

    I can't check more today, too many services are running that need network access at the moment. I will do some more research with routing etc., but maybe some tips on the configuration of pfSense? Just asking because of the number of possibilities - which is great!

    I also added a small diagram.

  • As you can see on the diagram, I already can't connect to the WebGUI or the Internet from 192.168.10.XXX, but if I connect a laptop/PC directly to pfSense I have access to the WebGUI and the Internet. On Reddit I got advice to create a static route to and on pfSense.

  • You should really ditch the 2 downstream Mikrotik routers. That is really complicating the network setup you've got there. Pfsense is a full-featured router/firewall solution, being able to support everything you're doing between your FritzBox and your internal machines (except the wifi part).

    Is there some reason you are running it this way - corporate setup, VLAN testing, lab setting, glutton for punishment :), etc.? Please explain your network layout a bit.


    Is there some reason you are running it this way - corporate setup, VLAN testing, lab setting, glutton for punishment :)

    Yes, I have a homelab and it's hard to explain all of it; the diagram also only shows the main connections. There is also a 4x3.5" NAS and an 8x3.5" NAS + home center, a streaming setup and a bunch of VMs and containers. This may look complex, but it's necessary to create the environment I need for family, work, joy and pleasure. I won't even mention my torrent donkey that shares Linux ISOs ;P

    I made the diagram, but the problem already exists right behind the RB3011; when I remove pfSense everything works fine. On the RB3011, as I mentioned before, all services like firewall and NAT are OFF. I'm not even trying to dig deeper, because the problem is already in that subnet. I can pass services like DHCP etc. to pfSense later, but step by step: first I want to use it as a clean firewall, and later I want to move one network directly onto the second port of pfSense (below is my second step), but as I wrote, the problem is a lot closer than my future vision.

    And as for the MikroTik itself, no worries, their OS allows turning the router into just a normal switch.

  • So, you're saying you do have the Mikrotiks set to just switches, or not? From your diagram above, there are different IP addresses on the downstream side of those boxes, so I would assume that you have router mode turned on, and not switch mode.

    This is how you should simplify your network:


    Pull out the 2 Mikrotik routers - the RB3011 and the RB750Gr. Use only 2 IP addresses on your 2 internal LAN networks - 192.168.2.X/24 and 192.168.10.X/24. This way, all you have to do is setup the routing and rules on the pfsense box for the 2 networks to talk to each other, and you're done.

    If you want to get funny with a guest wifi network, your 24-port Mikrotik switch needs to support VLANs, but I'm sure it does. Then all you would have to do is create a VLAN on pfsense using a subnet like 192.168.5.X/24, add a VLAN on the 24-port switch, and your wifi access point would have to also support VLANs, and you're done.


  • @akuma1x I didn't write that I have them in switch mode, I wrote that there is the possibility to do that. The way you showed, I know I can do it like that, but it's not as simple as you think; as I wrote, those are just the main connections, so simplifying it to "just remove the MikroTik and connect to pfSense" is, to put it delicately, "lame". You're not resolving a network problem with a workaround; changing a network structure that has been growing for the past 10 years is not as easy as you think.

    Going back to the topic, and for future people with a similar question, the answer is very simple: creating a static route on pfSense resolves the problem - 15 seconds of work, and not a whole week setting up an entirely new network.
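The static route fix above works because of how pfSense's forwarding table answers "which way is the reply to 192.168.10.x sent?". The following is an added example, not code from the thread or from pfSense, that models the lookup with a tiny longest-prefix-match table. All addresses are assumptions chosen to match the diagram in the thread: pfSense LAN 192.168.100.1, the RB3011's upstream address 192.168.100.2, the FritzBox 192.168.178.1 (FritzBox default subnet), and a client at 192.168.10.50. Without the route, pfSense sends replies for the downstream subnet to its default gateway on WAN, so the client's SYN or ping request arrives but the reply never comes back; with the route, replies go back through the RB3011.

```python
"""Model of the asymmetric-reply problem behind a downstream router.

Constructed example: the addresses below are assumptions matching the
thread's diagram, not values from the original post or from pfSense.
"""
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    prefix: str
    gateway: Optional[str]   # None means directly connected
    iface: str


# pfSense forwarding table after a default install (constructed).
PFSENSE_ROUTES: List[Route] = [
    Route("0.0.0.0/0", "192.168.178.1", "wan"),      # default route via the FritzBox
    Route("192.168.178.0/24", None, "wan"),          # FritzBox LAN, directly connected
    Route("192.168.100.0/24", None, "lan"),          # pfSense LAN, directly connected
]

# What System > Routing > Static Routes adds: the downstream subnet is
# reachable through the RB3011's LAN-side address (assumed 192.168.100.2).
DOWNSTREAM_ROUTE = Route("192.168.10.0/24", "192.168.100.2", "lan")

# pfSense's default "allow LAN to any" rule uses "LAN net" as its source.
PFSENSE_LAN_NET = "192.168.100.0/24"


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match over the table, as the kernel does per packet."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    best_len = -1
    for route in table:
        net = ipaddress.ip_network(route.prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best


def reply_is_symmetric(table: List[Route], client_src: str, ingress_iface: str = "lan") -> bool:
    """A request that came in on ingress_iface only gets its reply if the
    route back to the client also leaves on that interface."""
    route = lookup(table, client_src)
    return route is not None and route.iface == ingress_iface


def trace(table: List[Route], client_src: str, dst: str = "192.168.100.1") -> str:
    """Human-readable description of where the reply to client_src is sent."""
    route = lookup(table, client_src)
    if route is None:
        return f"{dst} -> {client_src}: no route"
    return f"{dst} -> {client_src}: via {route.gateway or 'connected'} on {route.iface}"


def default_lan_rule_passes(src: str) -> bool:
    """Check a packet's source against the default LAN pass rule's 'LAN net'.
    A downstream subnet is not covered, so it needs its own pass rule."""
    return ipaddress.ip_address(src) in ipaddress.ip_network(PFSENSE_LAN_NET)


def main() -> None:
    client = "192.168.10.50"
    fixed = PFSENSE_ROUTES + [DOWNSTREAM_ROUTE]
    print("before:", trace(PFSENSE_ROUTES, client), "| symmetric:", reply_is_symmetric(PFSENSE_ROUTES, client))
    print("after: ", trace(fixed, client), "| symmetric:", reply_is_symmetric(fixed, client))
    print("default LAN rule passes", client, "->", default_lan_rule_passes(client))


if __name__ == "__main__":
    main()
```

Two practical checks this model makes explicit. First, the static route only needs to exist on pfSense, since the RB3011 already sees 192.168.100.0/24 as its upstream; the route's gateway must be the RB3011's address on the pfSense LAN, not a 192.168.10.x address. Second, pfSense's default LAN pass rule matches source "LAN net", which is 192.168.100.0/24 in this layout and does not cover 192.168.10.0/24, so a pass rule with the downstream subnet as source (or a broader one) is needed alongside the route before hosts behind the RB3011 get Internet access.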

