Netgate Discussion Forum

    Suggestion: 6100 and a UDM-SE

    General pfSense Questions
    5 Posts 2 Posters 995 Views
    • DefenderLLC
      last edited by DefenderLLC

      Hello,

      I am a fairly new pfSense user and have been testing it on a VM for a few weeks now on an isolated switch and access point. My new 6100 arrives tomorrow and my plan is to put it in front of my UDM-SE using the /29 from my ISP. I have not decided whether to just pass one of the public IPs down to the UDM-SE or just do double NAT as anything that needs to be reachable from the outside will not be on the UniFi network.

      Basic topology of the new network:
      Internet ---> pfSense ---> UDM-SE ---> UniFi Aggregation Switch ---> USW 48 Enterprise (4 port LAG) ---> (6) UniFi APs and (10) 5-port UniFi layer 2 switches

      Admittedly my network will be way over-engineered for most home users and know that I don't really need a UDM-SE to basically just use it as a controller for Network and Protect, but this is what I prefer due to the shortcomings of policy-based routing (I know it's in the newest beta firmware release, but it does not give me enough control). That's exactly why I bought the 6100.

      My question is this: What is the best way to use the two together so I can use the 6100 for DNS with pfBlocker and use Suricata? I'm not sure how to do this if I pass one of the public IPs down to the UDM-SE without using a VPN between them. There has to be a simpler way, unless I just stick with double NAT.

      I have seen the videos from both LTS and Mactelecom, but those assume you're doing double NAT using a LAN and a WAN connection to pfSense. Just curious to see how others are integrating pfSense with their UDMs.

      Thanks,
      David

      • keyser (Rebel Alliance) @DefenderLLC
        last edited by keyser

        @cloudified There is no simple way, because what you are planning makes little/no sense in general networking.
        It's like insisting on bringing your second car with you on a trailer every time you drive your primary car, just because you need to feel you are still using the second car (since you have purchased it).

        Get rid of/sell the pfSense or the UDM-SE and run your network as intended - while saving the power and trouble of the second unit.

        Love the no fuss of using the official appliances :-)

        • DefenderLLC @keyser
          last edited by

          @keyser It makes sense to me. It's pretty simple. I want to continue using the UDM for my network controller and internal network, and want to use the pfSense upstream for policy-based routing so that certain traffic goes down a PIA tunnel interface.

          • keyser (Rebel Alliance) @DefenderLLC
            last edited by keyser

            @cloudified said in Suggestion: 6100 and a UDM-SE:

            > @keyser It makes sense to me. It's pretty simple. I want to continue using the UDM for my network controller and internal network, and want to use the pfSense upstream for policy-based routing so that certain traffic goes down a PIA tunnel interface.

            Yes, and that's fine, but then you have to accept the problems it will bring.

            The easiest way would be to disable NAT in the UDM and have it act as a router only. Create a private "routing network" for routing between the pfSense and the UDM, and set up a route in pfSense for your internal private networks with the UDM as gateway.
            Then have the needed private networks downstream on the UDM and let pfSense handle NAT and policy routing.

            E.g.:

            Public network
            pfSense, 192.168.255.1/29
            UDM, 192.168.255.2/29

            • Internal private networks for your VLANs.

            Love the no fuss of using the official appliances :-)

            • DefenderLLC @keyser
              last edited by DefenderLLC
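            The routed design keyser sketches above (UDM with NAT off, a small transit network, static routes on pfSense back to the VLANs, pfSense doing outbound NAT and the policy route into the tunnel) has a few places where it silently breaks if one piece is missing. The block below is an added example for this thread, not code from the forum, Netgate or Ubiquiti: it describes such a plan, checks it for the usual mistakes (transit addresses outside the /29, a VLAN subnet overlapping the transit net or another VLAN, a policy route pointing at an unknown VLAN) and prints the pfSense static routes, the UDM-side settings and a generic-pf summary of the firewall and NAT rules. Interface names (`igc0`, `igc1`, `ovpnc1`), the subnets and the tunnel gateway are assumed for illustration; the pf lines are plain pf syntax as a readable summary of what the pfSense GUI rules need to express, not pfSense's own generated ruleset.

```python
"""Plan and sanity-check a routed (no double-NAT) pfSense <-> UDM-SE design.

Added example for this thread, not code from the forum, Netgate or Ubiquiti.
Models the suggested design: a transit /29 between pfSense and the UDM, the UDM
as a router only (NAT disabled) with its default route at pfSense, static routes
on pfSense for every VLAN subnet behind the UDM via the UDM's transit address,
and pfSense doing outbound NAT plus policy routing into a VPN tunnel.
Interface names, subnets and the tunnel interface/gateway are assumed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass
class Design:
    transit: str                          # transit subnet, e.g. "192.168.255.0/29"
    pfsense_transit_ip: str               # pfSense side of the transit link
    udm_transit_ip: str                   # UDM side (its WAN address, NAT off)
    vlan_subnets: dict[str, str]          # VLAN name -> subnet routed behind the UDM
    # VLAN name -> (pfSense tunnel interface, tunnel gateway) for route-to; assumed names
    policy_routed: dict[str, tuple[str, str]] = field(default_factory=dict)
    wan_if: str = "igc0"                  # assumed pfSense WAN interface
    transit_if: str = "igc1"              # assumed pfSense interface facing the UDM


def validate(d: Design) -> list[str]:
    """Return the design problems found; an empty list means the plan is consistent."""
    problems: list[str] = []
    transit = ipaddress.ip_network(d.transit, strict=True)
    for label, raw in (("pfSense", d.pfsense_transit_ip), ("UDM", d.udm_transit_ip)):
        ip = ipaddress.ip_address(raw)
        usable = ip in transit and ip not in (transit.network_address, transit.broadcast_address)
        if not usable:
            problems.append(f"{label} transit address {ip} is not a usable host in {transit}")
    if d.pfsense_transit_ip == d.udm_transit_ip:
        problems.append("pfSense and UDM share the same transit address")
    seen: dict[str, ipaddress.IPv4Network] = {}
    for name, cidr in d.vlan_subnets.items():
        net = ipaddress.ip_network(cidr, strict=True)
        if net.overlaps(transit):
            problems.append(f"VLAN {name} ({net}) overlaps the transit network {transit}")
        for other, onet in seen.items():
            if net.overlaps(onet):
                problems.append(f"VLAN {name} ({net}) overlaps VLAN {other} ({onet})")
        seen[name] = net
    for name in d.policy_routed:
        if name not in d.vlan_subnets:
            problems.append(f"policy route refers to unknown VLAN {name}")
    return problems


def pfsense_static_routes(d: Design) -> list[tuple[str, str]]:
    """(destination, gateway) pairs pfSense needs (System > Routing > Static Routes).
    Without them a VLAN host's packet reaches pfSense, but the reply follows the
    default route to the ISP instead of going back to the UDM."""
    return [(cidr, d.udm_transit_ip) for cidr in d.vlan_subnets.values()]


def udm_settings(d: Design) -> dict[str, str]:
    """What the UDM side must look like: transit address on its WAN, pfSense as
    gateway, and NAT off so pfSense sees the real VLAN source addresses."""
    prefix_len = d.transit.split("/")[1]
    return {
        "wan_address": f"{d.udm_transit_ip}/{prefix_len}",
        "wan_gateway": d.pfsense_transit_ip,
        "nat": "disabled",
    }


def pf_rules(d: Design) -> list[str]:
    """Illustrative pf rules for the pfSense side; 'quick' makes the first match win."""
    internal = "{ " + ", ".join(d.vlan_subnets.values()) + " }"
    rules: list[str] = []
    # Outbound NAT must cover every downstream subnet, not just directly attached ones.
    for name, cidr in d.vlan_subnets.items():
        rules.append(f"nat on {d.wan_if} from {cidr} to any -> ({d.wan_if})  # VLAN {name}")
    # Traffic between VLANs normally stays on the UDM; anything that does reach
    # pfSense with an internal destination must never be pushed into the tunnel.
    rules.append(f"pass in quick on {d.transit_if} from {internal} to {internal}")
    # Policy routing: the selected VLANs leave through the tunnel gateway.
    for name, (tun_if, gw) in d.policy_routed.items():
        cidr = d.vlan_subnets[name]
        rules.append(
            f"pass in quick on {d.transit_if} route-to ({tun_if} {gw}) "
            f"from {cidr} to any  # VLAN {name} via {tun_if}"
        )
    # Everything else from the VLANs follows the default route out the WAN.
    rules.append(f"pass in quick on {d.transit_if} from {internal} to any")
    return rules


if __name__ == "__main__":
    plan = Design(  # constructed sample plan, addresses chosen for illustration
        transit="192.168.255.0/29",
        pfsense_transit_ip="192.168.255.1",
        udm_transit_ip="192.168.255.2",
        vlan_subnets={"mgmt": "10.10.10.0/24", "lan": "10.10.20.0/24", "vpn_only": "10.10.30.0/24"},
        policy_routed={"vpn_only": ("ovpnc1", "10.9.0.1")},  # assumed PIA tunnel if/gateway
    )
    for line in validate(plan) or ["design is consistent"]:
        print(line)
    for dst, gw in pfsense_static_routes(plan):
        print(f"static route {dst} via {gw}")
    print(udm_settings(plan))
    print("\n".join(pf_rules(plan)))
```

            The two checks worth keeping in mind when doing this by hand: every VLAN subnet behind the UDM needs both a static route on pfSense and an outbound NAT entry on the WAN, and the policy-route rule for the tunnel must sit after a rule that lets internal-destination traffic through normally, or inter-VLAN and transit-network traffic that touches pfSense ends up in the tunnel.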

              @keyser The videos I have seen show connecting two pfSense interfaces to the UDM. One to the UDM's WAN port and one to a UDM LAN port to carry the trunked VLANs. It's an interesting concept, but you lose all the netflow data - at least on the UniFi network controller dashboard.

              Thanks for your suggestion. I'll experiment with it when the 6100 gets here today. I can always run them independently with their own public IPs assigned via DHCP from the AT&T gateway until I figure it out. I am mainly curious to see what others are doing with their UDMs. Thanks again.

              • jimp moved this topic from Problems Installing or Upgrading pfSense Software on
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.