Netgate Discussion Forum

pfSense as Firewall only?

Firewalling
    • uxm
      uxm last edited by

      Hi,

      I would like to have pfSense working as a firewall only. How can I accomplish that? Do I just disable NAT and we are OK?

      I want my network to work like this:

      [attached image: network diagram]

      Thanks!

      • Gertjan
        Gertjan last edited by

        Something like this https://www.youtube.com/watch?v=1EXgyvwJZ6k ? (It was the first link Google popped up for me.)

        No "help me" PM's please. Use the forum.

        • JKnott
          JKnott @uxm last edited by

          @uxm

          Why do you have an Asus router and pfSense?

          PfSense running on Qotom mini PC
          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
          UniFi AC-Lite access point

          I haven't lost my mind. It's around here...somewhere...

          • uxm
            uxm @JKnott last edited by uxm

            @JKnott I don't have a dedicated VDSL modem, so the Asus works as the modem/router. Besides that, I want to have it work as an AP for the wireless guests. As the post title says, I want to use pfSense as a firewall only.

            • Gertjan
              Gertjan last edited by

              You are aware that the wireless "Asus" guests won't use the pfSense firewall?

              • uxm
                uxm @Gertjan last edited by uxm

                @Gertjan Yes I do. The Asus router has its own firewall. So for this purpose I think it's OK.

                • NogBadTheBad
                  NogBadTheBad last edited by NogBadTheBad

                  Do yourself a favour and get a modem. Especially if your switch supports VLANs, you could have your guest and normal Wi-Fi off the UniFi AP.

                  If you're in the UK there are loads of dirt cheap ones on the bay.

                  Andy

                  1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                  • uxm
                    uxm @NogBadTheBad last edited by

                    @NogBadTheBad I live in Greece. I paid a lot of money for this Asus modem/router sooo... I want to have it working till it dies. 🤣

                    • NogBadTheBad
                      NogBadTheBad @uxm last edited by NogBadTheBad

                      @uxm said in pfSense as Firewall only?:

                      @NogBadTheBad I live in Greece. I paid a lot of money for this Asus modem/router sooo... I want to have it working till it dies. 🤣

                      pfSense is way better, just putting that out there 🤣

                      Can you not put it into modem mode?

                      • uxm
                        uxm @NogBadTheBad last edited by uxm

                        @NogBadTheBad I'm sure about that. I think I will go to pfSense slowly slowly. :) You feel me. It's psychological. 😃

                        So... for pfSense to work as a firewall only, what do I have to do? Is the YouTube video above OK for me to follow as a guide?

                        Thanks guys.

                        • JKnott
                          JKnott @uxm last edited by

                          @uxm said in pfSense as Firewall only?:

                          @JKnott I don't have a dedicated VDSL modem, so the Asus works as the modem/router. Besides that, I want to have it work as an AP for the wireless guests. As the post title says, I want to use pfSense as a firewall only.

                          You also have another access point, which could be configured with a 2nd SSID and VLAN for the guests. That's the proper way to do that.

                          • JKnott
                            JKnott @uxm last edited by

                            @uxm said in pfSense as Firewall only?:

                            till it dies

                            That can be arranged. 😉

                            • uxm
                              uxm @JKnott last edited by

                              @JKnott ☺ ☺ ☺

                              • uxm
                                uxm last edited by

                                One question, guys. For pfSense to work only as a firewall, do I have to disable NAT? I think yes, right?

                                • NogBadTheBad
                                  NogBadTheBad @uxm last edited by NogBadTheBad

                                  @uxm

                                  Yes, disable outbound NAT.

                                  Disable NAT

                                  To completely disable NAT to have a routing-only firewall, do the following:

                                  1. Navigate to Firewall > NAT, Outbound tab
                                  2. Select Disable Outbound NAT rule generation (No Outbound NAT rules)
                                  3. Click Save
                                  4. Apply changes

                                  NAT may be performed on some interfaces and not others by configuring Outbound NAT rules accordingly.

                                  Details may be found in the pfSense Book.

                                  https://docs.netgate.com/pfsense/en/latest/book/

                                    • uxm
                                      uxm @NogBadTheBad last edited by

                                      Thank you very much for your response @NogBadTheBad. One thing: I disabled NAT as you said and then I can't browse the internet (from any PC in the network). Is this the right behavior?

                                      • NogBadTheBad
                                        NogBadTheBad last edited by

                                        Have you added routes on your Asus router pointing to pfSense for the subnets on your pfSense router?

                                        • uxm
                                          uxm @NogBadTheBad last edited by

                                          @NogBadTheBad uh... no. ☹ I have to add the subnet routes to my Asus router. Got that. I will add them and come back.

                                          Thank you a bunch.

                                          • uxm
                                            uxm last edited by

                                            OK, I added a route on my Asus router for 192.168.2.0/24 (my router's IP network is 172.16.117.0/24) and disabled NAT on my pfSense firewall.

                                            Now I want to use Remote Desktop to one of my servers (my domain controller actually) on port 4000. How am I going to do that? I created a firewall rule on my pfSense firewall for port 4000 to allow traffic from outside, but I can't remote desktop to my server. I also created a rule on the server's firewall to allow traffic on port 4000 and used regedit to change the listening port.

                                            My question is: Do I have to create a port forward on my Asus router also, every time I want to allow traffic to one of my pfSense ports? Please help me understand that a little bit. I get confused with this scenario (Internet > Asus router with firewall enabled > pfSense firewall with NAT disabled > internal network).

                                            Thanks!

                                            • NogBadTheBad
                                              NogBadTheBad @uxm last edited by NogBadTheBad

                                              @uxm said in pfSense as Firewall only?:

                                              OK, I added a route on my Asus router for 192.168.2.0/24 (my router's IP network is 172.16.117.0/24) and disabled NAT on my pfSense firewall.

                                              My question is: Do I have to create a port forward on my Asus router also, every time I want to allow traffic to one of my pfSense ports?

                                              Yes, you need 2 NAT statements: one on your Asus router and one on your pfSense router.

                                              This is why I suggested getting a modem or putting the Asus into modem mode.

                                              You're looking for trouble if you open up RDP to the internet; use a VPN.

                                              Google BlueKeep.

                                              • uxm
                                                uxm @NogBadTheBad last edited by uxm

                                                @NogBadTheBad Thank you so much for the help! I will see if I can use the Asus as a modem only. I will check VPN too. Thanks!

                                                PS: Just googled BlueKeep. Oh God... I will check for a VPN soon! Thanks!

                                                • uxm
                                                  uxm @NogBadTheBad last edited by

                                                  @NogBadTheBad said in pfSense as Firewall only?:

                                                  Have you added routes on your Asus router pointing to pfSense for the subnets on your pfSense router?

                                                  I added this route on the Asus router:

                                                  [attached image: static route on the Asus router]

                                                  Asus router : 172.16.117.1
                                                  pfSense WAN : 172.16.117.106 (DHCP from Asus router)
                                                  pfSense LAN : 192.168.2.10
                                                  my PC : 192.168.2.110 (from DHCP)

                                                  I can't ping my PC from the Asus router... :(

                                                  [attached image: ping result]

                                                  My pfSense firewall rule is this:

                                                  [attached image: pfSense firewall rule]

                                                  Am I missing something? I am sure I am.

                                                  • Gertjan
                                                    Gertjan @uxm last edited by Gertjan

                                                    Am I missing something? I am sure I am.

                                                    Yes, as you said yourself: your WAN on pfSense is

                                                    pfsense WAN : 172.16.117.106 (DHCP from Asus Router)

                                                    so why is WAN set to 172.16.17.1?

                                                    [attached image: pfSense firewall rule]

                                                    Set it to 'any' or WANnet or 192.168.117.106 (and if you want to keep DHCP activated on WAN, make it a static MAC lease).

                                                    Edit: BTW, this firewall rule is part of a NAT rule, right?

                                                    • uxm
                                                      uxm @Gertjan last edited by uxm

                                                      @Gertjan said in pfSense as Firewall only?:

                                                      Am I missing something? I am sure I am.

                                                      Yes, as you said yourself: your WAN on pfSense is

                                                      pfsense WAN : 172.16.117.106 (DHCP from Asus Router)

                                                      so why is WAN set to 172.16.17.1?

                                                      [attached image: pfSense firewall rule]

                                                      Set it to 'any' or WANnet or 192.168.117.106 (and if you want to keep DHCP activated on WAN, make it a static MAC lease).

                                                      Edit: BTW, this firewall rule is part of a NAT rule, right?

                                                      NAT is disabled (on pfSense), as we said earlier in this thread (outbound NAT).

                                                      This is my network so far.

                                                      [attached image: network diagram]

                                                      Some questions:

                                                      1. The Asus router's firewall features are enabled. Should I disable them?
                                                      2. Should I make the WAN IP of pfSense static? Is it better?
                                                      3. Should I add one route to the Asus and one static route to pfSense to get this working right? How am I going to do that on pfSense? In the Firewall > NAT settings?
                                                      4. As I said earlier, I want pfSense to act as a firewall only. Which is the best NAT configuration for pfSense in this scenario?

                                                      I am a little confused... sorry.

                                                      • Gertjan
                                                        Gertjan last edited by

                                                        @uxm said in pfSense as Firewall only?:

                                                        NAT is disabled (on pfSense)...

                                                        Ah, my bad.

                                                        So this is what you want / use / need https://docs.netgate.com/pfsense/en/latest/book/bridging/index.html ?

                                                        • uxm
                                                          uxm @Gertjan last edited by uxm

                                                          @Gertjan I just want pfSense to inspect the traffic passing through it, to be the firewall of the network.

                                                          And something else. If I want to port forward a single port from outside to one of my internal PCs, how am I going to do that? Must I create a port forward on the Asus router and then one more in the pfSense firewall rules?

                                                          Update: I disabled the Asus router's firewall feature and internet speed increased a lot.

                                                          • Gertjan
                                                            Gertjan last edited by

                                                            I don't have any experience with pfSense being put in bridged mode.
                                                            Why do you need this mode?

                                                            From what I make of it (which ain't much), you should introduce routes to your devices.

                                                            • uxm
                                                              uxm last edited by

                                                              Hi! Here again! :)

                                                              My new ISP (Vodafone) gave me a new crappy modem/router that I can't replace with one of my own. So... I am trying (again) to make pfSense act as a firewall only. My network topology is the same, but for some reason, when I switch pfSense's NAT to "Disable Outbound NAT rule generation (No Outbound NAT rules)", I can't get internet from inside the 192.168.2.0/24 network! I don't have internet.

                                                              I tried to set a static route on my ISP router for 192.168.2.0/24 via gateway 192.168.2.10 (pfSense internal NIC) and I can't make it work. The strange thing is that I CAN google! When I type something on Google, it works! When I try to get to another website, nothing, zero.

                                                              I am a little bit confused here. I would really appreciate your help.

                                                              Thanks!

                                                              PS: Oh! The routing table of pfSense is this:

                                                              [attached image: pfSense routing table]

                                                              • uxm
                                                                uxm @uxm last edited by

                                                                Someone?

                                                                • johnpoz
                                                                  johnpoz LAYER 8 Global Moderator @uxm last edited by

                                                                  @uxm If you set up a route on your Asus on how to get to the 192.168.2 network, you're assuming it would allow this network to go outbound, and you're assuming it would NAT this network to your public IP.

                                                                  I tried to set a static route on my ISP router for 192.168.2.0/24 via gateway 192.168.2.10 (pfSense internal NIC)

                                                                  This would never work anyway; is 192.168.2 directly attached to the Asus? How would it talk to that IP?

                                                                  The route on your Asus for any network behind pfSense would be via the pfSense WAN IP that is attached to your Asus network, 172.16.117.106 in your drawing.

                                                                  But there is no saying that would work, because is the Asus going to NAT 192.168.2.x to your public IP on its WAN? I doubt it, to be honest.

                                                                  I would look to see if you can put this Asus into bridge mode so that pfSense gets a public IP on its WAN; if you cannot do that, then just do a double NAT. While double NAT is not optimal, it works; triple NAT or even quadruple NAT can work just fine most of the time.

                                                                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                                                                  If you get confused: Listen to the Music Play
                                                                  Please don't Chat/PM me for help, unless mod related
                                                                  SG-4860 23.01 | Lab VMs CE 2.6, 2.7

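The two points in the reply above (the upstream router's route for 192.168.2.0/24 must use the pfSense WAN address 172.16.117.106 as its gateway, not the pfSense LAN address 192.168.2.10, and with pfSense outbound NAT disabled the traffic only reaches the internet if the upstream router is willing to NAT 192.168.2.0/24 as well) can be checked with this small routing model, which is an added example and not code from the thread or from pfSense. It uses the addresses posted in the thread; the public side (203.0.113.5 and the ISP gateway 203.0.113.1) and the assumption that the upstream router NATs only its own LAN subnet are constructed for the example.

```python
from ipaddress import ip_address, ip_interface, ip_network

# RFC 1918 ranges: an ISP will not route a packet whose source is one of these.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class Router:
    """Minimal model: connected + static routes, longest-prefix lookup,
    and outbound (source) NAT on the 'wan' interface for listed subnets."""

    def __init__(self, interfaces, nat_sources=()):
        self.interfaces = {n: ip_interface(a) for n, a in interfaces.items()}
        # one connected route per interface: (network, gateway, ifname)
        self.routes = [(i.network, None, n) for n, i in self.interfaces.items()]
        self.nat_sources = [ip_network(s) for s in nat_sources]

    def add_static_route(self, dest, gateway):
        """Install dest via gateway; refuse a gateway on no connected subnet,
        which is what the poster's ISP router did with 192.168.2.10."""
        gw = ip_address(gateway)
        for ifname, itf in self.interfaces.items():
            if gw in itf.network:
                self.routes.append((ip_network(dest), gw, ifname))
                return True
        return False

    def lookup(self, dst):
        """Longest-prefix match; returns (network, gateway, ifname) or None."""
        d = ip_address(dst)
        hits = [r for r in self.routes if d in r[0]]
        return max(hits, key=lambda r: r[0].prefixlen, default=None)

    def forward(self, src, dst):
        """Return (source address, egress ifname) after this router, or None."""
        route = self.lookup(dst)
        if route is None:
            return None
        ifname = route[2]
        s = ip_address(src)
        if ifname == "wan" and any(s in n for n in self.nat_sources):
            s = self.interfaces["wan"].ip        # outbound NAT to the WAN address
        return str(s), ifname


def build_topology(pfsense_nat):
    """Addresses from the thread; 203.0.113.x (ISP side) is constructed.
    Assumption: the upstream router only NATs its own LAN subnet."""
    upstream = Router({"lan": "172.16.117.1/24", "wan": "203.0.113.5/24"},
                      nat_sources=["172.16.117.0/24"])
    upstream.add_static_route("0.0.0.0/0", "203.0.113.1")
    pf = Router({"wan": "172.16.117.106/24", "lan": "192.168.2.10/24"},
                nat_sources=["192.168.2.0/24"] if pfsense_nat else [])
    pf.add_static_route("0.0.0.0/0", "172.16.117.1")
    return upstream, pf


def upstream_return_route_ok(gateway):
    """Can the upstream router install 192.168.2.0/24 via gateway and use it?"""
    upstream, _ = build_topology(pfsense_nat=False)
    if not upstream.add_static_route("192.168.2.0/24", gateway):
        return False
    route = upstream.lookup("192.168.2.110")
    return route is not None and route[1] == ip_address(gateway)


def source_seen_by_isp(pfsense_nat, dst="8.8.8.8"):
    """Source address of a packet from the PC once it leaves the upstream WAN."""
    upstream, pf = build_topology(pfsense_nat)
    upstream.add_static_route("192.168.2.0/24", "172.16.117.106")
    hop1 = pf.forward("192.168.2.110", dst)
    if hop1 is None or hop1[1] != "wan":
        return None
    hop2 = upstream.forward(hop1[0], dst)
    return hop2[0] if hop2 and hop2[1] == "wan" else None


def reaches_internet(pfsense_nat):
    """False when the packet leaves with an RFC 1918 source the ISP will drop."""
    src = source_seen_by_isp(pfsense_nat)
    return src is not None and not any(ip_address(src) in n for n in RFC1918)
```

With pfSense NAT disabled the packet leaves the upstream WAN still sourced from 192.168.2.110, which is the "no internet" symptom in the thread; with pfSense NAT enabled (double NAT) it leaves as 203.0.113.5.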
                                                                  • uxm
                                                                    uxm @johnpoz last edited by uxm

                                                                    @johnpoz As I said earlier in this thread, I changed ISP, so now I don't have the Asus router but a Sercomm H300s (from Vodafone).

                                                                    When I had the Asus, with this static route and no outbound NAT on pfSense, I could go out to the internet.

                                                                    The static route was this:

                                                                    [attached image: static route on the Asus router]

                                                                    Now, on the Sercomm, I can't create a static route like this. It says that it cannot use an "internal IP address". (What?)

                                                                    :(

                                                                    • johnpoz
                                                                      johnpoz LAYER 8 Global Moderator @uxm last edited by

                                                                      @uxm Well, you're going to have to double NAT then... Or put their device into bridge mode.

                                                                      • uxm
                                                                        uxm @johnpoz last edited by

                                                                        @johnpoz OK. I will try to find a way to bridge it. I want to have pfSense in front of my network, as you said in another post. I think that this is the right way.

                                                                        Thank you very much!
