Netgate Discussion Forum

    New pfSense setup in existing UniFi Setup

    Category: DHCP and DNS
    Tags: unifi, dhcp
    5 Posts 3 Posters 864 Views
    • ankit
      Hi,
      I currently have AT&T modem -> USG -> UniFi switch -> (UniFi switches and APs) -> (wired and wireless devices and a self-hosted UniFi controller).

      This setup is without any VLANs, but only a few devices are on a static IP list. They are in the IP range 192.168.1.2 - 192.168.1.99 (including switches, APs, and the self-hosted UniFi controller).

      All dynamic-lease devices are in the IP range 192.168.1.100 to 192.168.1.255.
      All devices have both IPv4 and IPv6 addresses, IPv6 using /64 prefix delegation.

      I am thinking of replacing the USG with a pfSense 4100 box.
      Questions:

      • Where will my static IP config live? UniFi or pfSense?
      • Who is best to handle DHCP leases? UniFi or pfSense? (Assuming both are an option for the above question.)
      • Which ports do I need to forward to the UniFi controller for it to work on the internet?
      • I have a UniFi switch that can handle a 10G connection. I plan to connect it to the pfSense box directly via the LAN2 port. Can it follow the DHCP/static IP configs in the same subnet as mentioned above?
      • Lace (replying to ankit)

        @ankit I hope someone answers this soon, because I am considering a similar setup utilizing UniFi and pfSense, and maybe, just maybe, one other if time permits, all in either a double-NAT or LAN-to-LAN tunnel setup. I am just not sure yet which route to trek on.

        • keyser (Rebel Alliance, replying to ankit)

          @ankit It should be a simple matter to replace the USG with pfSense - pfSense can do much more than the USG in that setup. But to answer your questions:

          Just convert any services your USG is doing to have pfSense doing them instead. In a well-designed network that would answer your questions as follows:

          • Your pfSense should do DHCP, as it is the gateway and DNS.
          • Since it's doing DHCP, all static IP configs (leases) will be made on pfSense.
          • You do not need to forward ports for the UniFi controller to be available in the UniFi portal (as far as I know). If it has internet access, it joins the portal and is controllable from there.
          • Yes, that 10G link from pfSense to the UniFi switch is just a Layer 2 Ethernet link; all IP configuration is still done/handled in pfSense and in your UniFi controller.

          Love the no fuss of using the official appliances :-)

          • Lace (replying to keyser)
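          The answer above puts DHCP on pfSense and turns the static IP list into pfSense static mappings. The Python below is an added example (not code from the post, from pfSense or from UniFi) that sanity-checks such a plan before it is typed into the pfSense DHCP server page: pool bounds and static addresses must be usable hosts in the /24 (not the network or broadcast address, not the gateway), every static mapping must sit outside the dynamic pool (pfSense refuses to save a mapping whose address lies inside the pool), and no two devices may share an address or a MAC. It then renders the mappings as ISC dhcpd `host` stanzas, the format pfSense's classic ISC DHCP backend wrote. Hostnames, MACs and addresses are constructed for illustration. Run against the ranges in the opening post it flags a pool ending at 192.168.1.255, which is the broadcast address of 192.168.1.0/24, so the pool would need to stop at .254.

```python
"""Planner for moving a flat UniFi LAN's static assignments into pfSense DHCP
static mappings.  Added example; the names, MACs and addresses are constructed.
IPv4 only: the IPv6 /64 prefix delegation lives in DHCPv6/RA settings and is
not modelled here."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticMapping:
    hostname: str
    mac: str
    ip: str


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form; also accepts aa-bb-cc-dd-ee-ff and aabb.ccdd.eeff."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def validate_layout(subnet, gateway, pool_start, pool_end, mappings):
    """Return a list of problem strings; an empty list means the plan is consistent."""
    net = ipaddress.ip_network(subnet, strict=True)
    gw = ipaddress.ip_address(gateway)
    start, end = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    lo, hi = net.network_address + 1, net.broadcast_address - 1   # usable host range
    problems = []

    def usable(label, addr):
        """Record a problem unless addr is a usable host address in the subnet."""
        if addr not in net:
            problems.append(f"{label} {addr} is outside {net}")
        elif not lo <= addr <= hi:
            problems.append(f"{label} {addr} is the network or broadcast address of {net}")
        else:
            return True
        return False

    usable("gateway", gw)
    start_ok, end_ok = usable("pool start", start), usable("pool end", end)
    pool_ok = start_ok and end_ok
    if pool_ok and start > end:
        problems.append(f"pool start {start} is after pool end {end}")
    if pool_ok and start <= gw <= end:
        problems.append(f"gateway {gw} lies inside the dynamic pool {start}-{end}")

    seen_ip, seen_mac = {}, {}
    for m in mappings:
        try:
            mac = normalize_mac(m.mac)
            ip = ipaddress.ip_address(m.ip)
        except ValueError as exc:
            problems.append(f"{m.hostname}: {exc}")
            continue
        if usable(m.hostname, ip):
            if ip == gw:
                problems.append(f"{m.hostname}: {ip} is the gateway address")
            elif pool_ok and start <= ip <= end:
                problems.append(f"{m.hostname}: {ip} lies inside the dynamic pool "
                                f"{start}-{end}; pfSense rejects static mappings in the pool")
        if ip in seen_ip:
            problems.append(f"{m.hostname} and {seen_ip[ip]} both claim {ip}")
        if mac in seen_mac:
            problems.append(f"{m.hostname} and {seen_mac[mac]} both claim MAC {mac}")
        seen_ip.setdefault(ip, m.hostname)
        seen_mac.setdefault(mac, m.hostname)
    return problems


def render_isc_hosts(mappings):
    """Emit the mappings as ISC dhcpd host stanzas, one per device, sorted by address."""
    ordered = sorted(mappings, key=lambda m: ipaddress.ip_address(m.ip))
    return "\n".join(
        f"host {m.hostname} {{ hardware ethernet {normalize_mac(m.mac)}; fixed-address {m.ip}; }}"
        for m in ordered)


# Constructed sample matching the opening post: statics below .100, pool from .100 up.
PLANNED_MAPPINGS = [
    StaticMapping("unifi-controller", "AA:BB:CC:00:00:10", "192.168.1.10"),
    StaticMapping("usw-core", "aa-bb-cc-00-00-20", "192.168.1.20"),
    StaticMapping("uap-office", "aabb.cc00.0030", "192.168.1.30"),
]

if __name__ == "__main__":
    for label, pool_end in (("pool .100-.254", "192.168.1.254"),
                            ("pool .100-.255", "192.168.1.255")):
        probs = validate_layout("192.168.1.0/24", "192.168.1.1",
                                "192.168.1.100", pool_end, PLANNED_MAPPINGS)
        print(f"{label}: {probs or 'OK'}")
    print(render_isc_hosts(PLANNED_MAPPINGS))
```

          The validator is deliberately strict about the pool boundary because that is the mistake a UniFi migration tends to surface: UniFi lets you pin a client to any address in the subnet, while pfSense wants the fixed addresses kept out of the pool it hands leases from.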

            @keyser

            I would like BOTH running as a daisy chain in my network, in case one has a zero-day to bypass the firewall through, oh say, exploiting the RAM or chipset used on the hardware.

            I will have 2 different hardware manufacturers and setups, as well as 2 different firewalls on those two separate hardware device nodes.

            I think the pfSense could serve as the Layer 3 firewall router, while the inner firewall router can sit on Layer 2. I am not sure yet, but I hope the Layer 2 solution I will be using can perform firewall functions on BOTH outgoing and incoming traffic, so the outer Layer 3 pfSense can just focus on the incoming traffic. (Does pfSense do both outgoing and incoming? Most consumer firewalls usually do only incoming, not outgoing, which is why I ask, as I have never used pfSense or OPNsense before.)

            • keyser (Rebel Alliance, replying to Lace)

              @Lace pfSense will do incoming and outgoing in much more detail and with more advanced filtering options than the USG will ever do ;-)
              If you use the assistance of pfBlockerNG, you can GEO-block countries, lists of known offenders and whatnot in both inbound and outbound directions.

              But sure, you can use both - although it is a complicated setup with more failure options.

              Love the no fuss of using the official appliances :-)

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.