PFSense in the middle of a working network

david03350

I have this setup now:

Router ------> Switch (with fixed IP and two VLANs)

Is it possible to place a PFSense (or two?) between the router and the switch without none of them noticing it?

I need to keep the switch's IP and VLANs as they are now, and in general make no changes to the router or switch configuration and hopefully add some PFSense capabilities.

I guess if I just place one PFSense it will create its own network, with different IPs so I would have to change the switch configuration. But what if I put another one behind, to get my original network IPs back. Something like this:

Router ----------- PF1 ----------- PF2 --------> Switch
...............NetworkA .......NetworkB ..........NetworkA

Would that be possible? If so, what should I take into account to configure them?

viragomann

You can put a pfSense between the router and switch with bridged interfaces (transparent mode): https://docs.netgate.com/pfsense/en/latest/bridges/index.html

If VLANs have to pass pfSense you have also configure these VLANs on the box, assign interfaces to it on both sides and then bridge them.

@david03350 said in PFSense in the middle of a working network:

I guess if I just place one PFSense it will create its own network, with different IPs so I would have to change the switch configuration. But what if I put another one behind, to get my original network IPs back. Something like this:
Router ----------- PF1 ----------- PF2 --------> Switch
...............NetworkA .......NetworkB ..........NetworkA

That won't work (without bridging). Without changing the network settings on the router or switch, you will have the same subnet on both sides of the pfSense boxes. So there is no chance to route the traffic between these nodes.

david03350

OK thanks! Is it possible to add an extra WAN in that pfSense box in transparent mode so I can route some traffic from the switch through it (like social media and news pages) and ease the burden on the router?

viragomann

@david03350
For specific internal networks that are not bridged, it is.

stephenw10

Are the VLANs tagged to the existing router? That would mean multiple bridges for each VLAN in pfSense which is not recommended at best!

Steve

david03350

Yes they are. And yes, according to the previous answer, i think that is the plan. Is that wrong? Do I have another option? Thanks!

stephenw10

Replacing the existing router with pfSense would be a much better plan unless there is a very good reason not to.
Bridging can work OK but it's also easy to get wrong. Bridging VLAN interfaces even more so.

Steve