how to deploy pfsense in the current network?
I'm new to pfsense. I have look through this forum in search on how to deploy pfsense to our current topology. We are running a school with mostly with ubiquiti hardware such as USG pro4, switches, APs and cameras.
Our goal to have pfsense mainly to block websites and contents filtering. Our current ubiquiti USG could not do so.
Can pfsense deploy behind the USG according to our setup in this diagram?
If so, what should I do from there? If not, what is the best solution?
It depends how you're filtering. It won't be firewalling in that situation. It could run as a DNS server connected like that and then filter DNS queries using DNS Blacklist in pfBlocker-NG.
If you run Squid/Squidguard for web filtering via a proxy you could have the USG redirect all http/https traffic to it. It would be better to connect it directly to the USG on a separate interface to avoid asymmetric routing if proxying transparently like that.
If non-transparent you can have it connected as show and clients will just connect to it directly.
Thanks @stephenw10 for your reply. I am trying to digest what you said. Do you recommend that pfsense to connect directly to the USG and from the pfsense to the switch or USG LAN1 to the switch and LAN2 to the pfsense?
It's impossible to recommend how you connect it without knowing exactly what you are going to be doing with it.
If you want to filter general traffic using firewall rules then obviously it must go in-line with the traffic like in your second diagram. Though I would just replace the USG with pfSense in that case.
badgast last edited by
I would just remove the USG in your diagram 3, OR if you want to use the USG, switch places with the Pfsense. Make the Pfsense your 1st entry. Otherwise you have to make rules in Pfsense for the management interface of the USG,and maybe issues when the USG wants to communicate with the other Unifies underneath the Pfsense.
Another vote for replacing the USG with PFsense. I haven't seen anything in your diagrams that would warrant having two firewalls in your environment.