Netgate Discussion Forum

    pfSense as VPN tunnel only, not a FW

      NadJ

      Hi

      I am running pfSense as a VM on HyperV but do not wish to use it as a FW, only a means by which to establish a VPN tunnel back to HQ. The physical internet router is going to be the configured gateway for all clients and will also provide routing tables directing clients to the pfSense gateway as necessary. However, pfSense wants two interfaces, a WAN and a LAN. I'm in a pickle over concepts.

      Possible? Thanks

        JKnott @NadJ

        @nadj

        If you only want a VPN, why do you even need pfsense? You can run a VPN on any computer. However, running the VPN on the router makes using the VPN easier, as it's on the default route.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

          viragomann @NadJ

          @nadj said in pfSense as VPN tunnel only, not a FW:

          However, pfSense wants two interfaces, a WAN and a LAN.

          Why do you think so?
          If the machine provides only one NIC, pfSense will call it WAN and allow access to the web configurator on it by default.
          So you can login on the GUI and configure the VPN.

            NadJ @viragomann

            @viragomann Interesting, I followed the guide for setting it up and didn't think. Thanks

              NadJ @JKnott

              @jknott - The idea was that in the future it would become a full FW/VPN gateway

                JKnott @NadJ

                @nadj

                The problem with not using it as the gateway now is you have to route the traffic to the VPN when it's not on the default route. I don't know that you can do that with DHCP clients. If it was the default route then pfsense would sort out where the packets are supposed to go.

                  stephenw10 Netgate Administrator

                  Yup you can just use one interface.

                  Yes, having two routers in one subnet is a recipe for asymmetry.
                  https://docs.netgate.com/pfsense/en/latest/troubleshooting/asymmetric-routing.html#troubleshooting-asymmetric-routing

                  If you disable pf entirely in pfSense it won't care but your other router should if it's a proper stateful firewall. The correct way to do that is to use a separate transport subnet between pfSense and the other firewall that doesn't have any clients in it.

                  Steve
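
Added example, not part of the thread: a small next-hop model of the two layouts discussed above, showing which direction of a client-to-HQ flow the internet router sees when pfSense shares the client subnet versus when it sits on a separate transport subnet. All addresses, prefixes and node names are constructed for illustration.

```python
import ipaddress

CLIENT, HQ_HOST = "192.168.1.50", "10.0.0.10"   # constructed sample hosts
LAN, HQ, TRANSPORT = "192.168.1.0/24", "10.0.0.0/16", "192.168.2.0/30"

def _within(addr, prefixes):
    return any(addr in ipaddress.ip_network(p) for p in prefixes)

def trace(nodes, start, dst):
    """Return the node names a packet visits from `start` to address `dst`."""
    dst = ipaddress.ip_address(dst)
    path = [start]
    while not _within(dst, nodes[path[-1]]["owns"]):
        node = nodes[path[-1]]
        if _within(dst, node["links"]):
            # Destination is on a directly attached subnet: deliver straight to it.
            nxt = next(n for n, d in nodes.items() if _within(dst, d["owns"]))
        else:
            # Otherwise use the longest matching static route.
            best = max((p for p in node["routes"] if _within(dst, [p])),
                       key=lambda p: ipaddress.ip_network(p).prefixlen)
            nxt = node["routes"][best]
        path.append(nxt)
    return path

def topology(transport_subnet):
    """Hypothetical site: the internet router is the clients' default gateway."""
    pf_routes = {HQ: "hq"}
    if transport_subnet:
        pf_routes[LAN] = "router"        # pfSense reaches clients only via the router
    return {
        "client":  {"owns": [CLIENT + "/32"], "links": [LAN],
                    "routes": {"0.0.0.0/0": "router"}},
        "router":  {"owns": [], "links": [LAN, TRANSPORT] if transport_subnet else [LAN],
                    "routes": {HQ: "pfsense"}},
        "pfsense": {"owns": [], "links": [TRANSPORT] if transport_subnet else [LAN],
                    "routes": pf_routes},
        "hq":      {"owns": [HQ_HOST + "/32"], "links": [HQ], "routes": {LAN: "pfsense"}},
    }

def router_sees_both_directions(transport_subnet):
    nodes = topology(transport_subnet)
    out, back = trace(nodes, "client", HQ_HOST), trace(nodes, "hq", CLIENT)
    return ("router" in out and "router" in back), out, back

if __name__ == "__main__":
    for mode in (False, True):
        print("transport subnet:", mode, router_sees_both_directions(mode))
```

In the shared-subnet case the reply path goes from pfSense directly to the client, so a stateful firewall on the router only ever sees the outbound half of the connection.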
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.