Netgate Discussion Forum

    how to deploy pfsense in the current network?

    General pfSense Questions
    6 Posts 4 Posters 875 Views
    • success127

      I'm new to pfsense. I have looked through this forum in search of how to deploy pfsense to our current topology. We are running a school mostly with ubiquiti hardware such as USG pro4, switches, APs and cameras.

      Our goal is to have pfsense mainly to block websites and do content filtering. Our current ubiquiti USG could not do so.

      Can pfsense be deployed behind the USG according to our setup in this diagram?

      unif pfsense.jpg

      If so, what should I do from there? If not, what is the best solution?

      Thanks

      • stephenw10 Netgate Administrator

        It depends how you're filtering. It won't be firewalling in that situation. It could run as a DNS server connected like that and then filter DNS queries using DNS Blacklist in pfBlocker-NG.
        If you run Squid/Squidguard for web filtering via a proxy you could have the USG redirect all http/https traffic to it. It would be better to connect it directly to the USG on a separate interface to avoid asymmetric routing if proxying transparently like that.
        If non-transparent you can have it connected as shown and clients will just connect to it directly.

        Steve

        • success127

          Thanks @stephenw10 for your reply. I am trying to digest what you said. Do you recommend that pfsense connect directly to the USG and from the pfsense to the switch, or USG LAN1 to the switch and LAN2 to the pfsense?

          unif pfsense2.jpg

          or

          unif pfsense1.jpg

          • stephenw10 Netgate Administrator

            It's impossible to recommend how you connect it without knowing exactly what you are going to be doing with it.

            If you want to filter general traffic using firewall rules then obviously it must go in-line with the traffic like in your second diagram. Though I would just replace the USG with pfSense in that case.

            Steve

            • badgast

              I would just remove the USG in your diagram 3, OR if you want to use the USG, switch places with the Pfsense. Make the Pfsense your 1st entry. Otherwise you have to make rules in Pfsense for the management interface of the USG, and maybe have issues when the USG wants to communicate with the other Unifies underneath the Pfsense.

              • marvosa

                Another vote for replacing the USG with PFsense. I haven't seen anything in your diagrams that would warrant having two firewalls in your environment.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.