Netgate Discussion Forum
    set up ZTNA using pfsense

    General pfSense Questions

    • rudra_raw

      Hello,

      This is my first post, so if I don't respect some rules, please tell me.

      Here's some background:
      I work for a digital services company that wants to introduce ZTNA to its customers.
      The idea is to master ZTNA on several platforms so that we can push it into certain customers' environments.

      We chose three ways of doing it: cloud based (Cloudflare, Zscaler), FortiClient, and I pushed pfSense to have an open-source solution.
      But despite a lot of research, I couldn't find the information needed to implement ZTNA using pfSense.

      So I'm wondering if it's possible to implement ZTNA using pfSense, and if it is, I'd like to know how to do it. Even if it's not in detail, having an outline roadmap would help a lot.

      I'd also like to point out that I'm by no means an expert in ZTNA. I've only been interested in this technology for a short time and I know I still have a lot to learn.
      Thank you in advance for your answers and comments.

      • stephenw10 (Netgate Administrator)

        It depends how you define ZTNA to a large extent.

        • johnpoz (LAYER 8 Global Moderator) @stephenw10

          @stephenw10 Exactly. You could set up ZTNA with just a normal VPN, to be honest, where you allow a specific client access only to specific ports and IPs in the firewall rules you put on the VPN. You don't have to allow a VPN client access to everything.

          If I limit a client to only the specific IPs and ports it needs, then that would be a zero trust setup.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 25.07 | Lab VMs 2.8, 25.07

          • rudra_raw @stephenw10
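          To make the VPN-with-per-client-rules idea above concrete, here is an added example (not johnpoz's code and not shipped by the pfSense project) of what such rules on the OpenVPN interface amount to as a pf ruleset, which is what pfSense generates from its GUI rules. It assumes an OpenVPN server interface named ovpns1, each client pinned to a fixed tunnel address through a Client Specific Override, and constructed internal server addresses.

```pf
# Interface pfSense creates for the first OpenVPN server instance (assumed name)
ovpn_if = "ovpns1"

# Tunnel addresses pinned per client via Client Specific Overrides (constructed)
alice_tun = "10.8.0.10"
bob_tun   = "10.8.0.20"

# Internal application servers (constructed addresses)
erp_app = "192.168.10.5"
git_srv = "192.168.10.6"
dns_srv = "192.168.10.1"

# Default for anything arriving from the tunnel: deny and log.
# No "quick" here, so the explicit passes below still win.
block in log on $ovpn_if all

# Every VPN client may resolve names against the internal resolver, nothing more
pass in quick on $ovpn_if proto udp from any to $dns_srv port 53 keep state

# alice: HTTPS to the ERP application only
pass in quick on $ovpn_if proto tcp from $alice_tun to $erp_app port 443 \
    flags S/SA keep state

# bob: SSH to the git server only
pass in quick on $ovpn_if proto tcp from $bob_tun to $git_srv port 22 \
    flags S/SA keep state
```

          Any client without a pinned tunnel address, and any flow not listed, lands in the logged default block, so the VPN gives each identity only the destinations it needs. What this does not give is device posture or continuous re-evaluation of the session, which is the gap the later replies discuss.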

            Hello @stephenw10 and @johnpoz,

            Thank you for your reply. Actually, what we'd like to do is have an on-premise solution for those who prefer not to use a cloud-based solution (SASE).

            For example, consider a customer with applications on an on-premise server and SaaS applications. Currently, they utilize a VPN connection for secure access to on-premise applications, while SaaS applications are accessed only via login credentials (and possibly MFA).

            Our goal is to implement the principles of ZTNA primarily using pfSense (and possibly other hardware or software if necessary) to secure connections to applications through tunnels. We would, of course, check the predefined rules beforehand. According to ZTNA principles, these tunnels must be monitored and cut off as soon as a change is detected or if the predefined security rules are no longer adhered to.

            As I'm new to ZTNA, I apologize for any approximations I may have made. If I've left something out, please let me know, and I'll provide additional information.

            • rudra_raw @johnpoz

              @johnpoz In principle, I agree with what you say.

              But is it enough to compensate for the VPN's limitations?

              Especially when it comes to hardware verification and connection monitoring?

              • Elemer82

                I think there are various meanings of Zero Trust Network Architecture.
                From what I've seen on some FortiGate courses, Zero Trust means that we don't even trust devices on the LAN.
                Every device would need to report to the firewall about their OS version, patch status, logged-in user(s), etc., and based on that the firewall would decide what level of access to give the specific device. For example, if it's not patched, it could allow enough access to get the patches and be up to date, but no connection to any intranet servers to avoid security concerns, and so on.
                In some cases, for this to work properly it is advisable to have not just the firewall but the switches as well from the same vendor.

                But yeah, I would like to know as well if anything like the above is achievable with pfSense/OPNsense.

                And if it is, would you have to buy some additional licenses?

                • stephenw10 (Netgate Administrator) @Elemer82

                  @Elemer82 said in set up ZTNA using pfsense:

                  > Every device would need to report to the firewall about their OS version, patch status, logged in user(s) etc.

                  To achieve that you would need some client side application running. That's not, yet, available.

                  • michmoor (LAYER 8 Rebel Alliance) @stephenw10

                    @stephenw10 To be quite honest (and I posted about this in the non-support channel), Tailscale is quite wonderful for this. They do posture checking, which you can make part of your tailnet policy. Integrating with an IdP of your choice along with ACL tags makes using Tailscale scalable and robust.

                    I have labbed up Tailscale over the last few months and am happy to say I rolled it out in a particular setting. Truthfully, it is one of the best products I have used in a very long time. pfSense does have support for TS with additional feature sets such as being an exit node or subnet routing (specific terms within the Tailscale environment).

                    Would urge you to explore.

                    Firewall: NetGate,Palo Alto-VM,Juniper SRX
                    Routing: Juniper, Arista, Cisco
                    Switching: Juniper, Arista, Cisco
                    Wireless: Unifi, Aruba IAP
                    JNCIP,CCNP Enterprise

                    • planedrop @michmoor

                      Tailscale is a great option as @michmoor mentioned.

                      It also depends on your organization's goals and whether or not you are just going to do ZTNA or go with full SASE (which incorporates ZTNA but is far more expensive). The latter is arguably better, but it's a lot more work and money and still has some limitations.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.