Netgate Discussion Forum

    Before installing I have a few basic questions.

    • ASnet0007

      Hello,

      I will be installing on 2008 R2 in a Hyper-V role.
      I only want pfSense for its VPN as I already have a decent firewall etc.

      Q1. Do I need to set it up with more than one NIC, or can I get away with just a WAN-facing NIC?

      Q2. Any advice about Hyper-V settings?

      Cheers

      • johnpoz LAYER 8 Global Moderator

        Well, if you only want to VPN to the pfSense box, then a WAN interface would be enough. But if you want the VPN to allow you access to your LAN, pfSense would need a LAN interface to provide that access.

        • stephenw10 Netgate Administrator

          I'm not sure about that. Since 2.0 pfSense can run with a single NIC and in that situation will allow traffic to and from that NIC by default. I suspect it depends which VPN type you are using; you may run into routing problems if your client, pfSense box and local LAN are all on the same subnet.

          Steve

          • ASnet0007

            OK, so a bit confused about IPs.

            Setting this up to replace Adito VPN in a very small primary school.

            To get to the router from the internet I can either type https://vpn.****.net or type an IP, let's say 50.50.50.1.
            This then gets forwarded to a server at the school on an IP, let's say 20.20.20.5; subnet is 255.255.255.0.

            In pfSense what would I put as the WAN IP? Would it be 20.20.20.5?
            What would I put as the LAN IP? Would it be a free internal IP, let's say 20.20.20.6?

            thanks

            • stephenw10 Netgate Administrator

              I should preface this with: I've not tried this!  ;)

              Assuming 20.20.20.5 is your Windows 2008 server, it depends how you have your virtual server set up. If you have the virtual NIC that is acting as the pfSense WAN interface bridged with the real NIC then it should pull another IP address (or have it statically assigned), say 20.20.20.6.

              If you are running pfSense with one NIC then this should be sufficient. If you are running OpenVPN, for example, then remote clients will be on another subnet and pfSense should be able to route the traffic accordingly.

              Sorry if I only confused the issue.  ::) My post above was simply to point out that two interfaces may not be necessary, and in fact may introduce new problems. Though as I say, I haven't actually tried this!

              Steve

              • louis-m

                Setting this up to replace adito vpn in a very small primary school.

                Not sure what you are trying to achieve here as both IPsec and Adito are two different technologies.
                Putting pfSense behind a router to become an IPsec endpoint would require either port forwarding/opening to allow IPsec through on the front-facing router if you were going to use a private IP range.
                Or you could use public IPs, which would then need routing and optional DNS records to access from the internet.

                • ASnet0007

                  Not sure what you are trying to achieve here as both IPsec and Adito are two different technologies.

                  Adito is not supported and not secure, so I am trying to set up some kind of replacement. As pfSense seems to come pre-built with OpenVPN and has a nice GUI, I thought I would try this out.

                  I am still confused how to set it up in Hyper-V from an IP/NIC point of view.

                  I have managed to enable a second NIC in my server so the 2008 R2 server does have 2 physical NICs. But thought I could have one physical NIC as you can hang as many virtual NICs off that as you need.

                  I do have port 443 forwarded to an internal IP, let's say 20.20.20.5. So which NIC do I actually give this address to? Is it the physical NIC on the server or the WAN NIC in pfSense or neither?

                  • stephenw10 Netgate Administrator

                    Did you try it with one NIC in pfSense?
                    As you say, you should be able to have as many virtual NICs as you require. However, they will be bridged to your physical NIC, as though both were attached to a switch. You would never normally set up both LAN and WAN attached to the same switch.

                    Steve

                    • ASnet0007

                      So even if I do have 2 NICs, the fact that the Cat5 cables from these NICs both plug in to the same switch is a big no-no.

                      If that is correct then I am stuck. This is a small school. The council supply a LAN cable for our internet that plugs in on our main switch.

                      If that is the case, how come Adito works and also my test version of OpenVPN AS server?

                      Also, when pfSense asks for a WAN IP, is that the IP of the forwarded firewall port or the IP that a user on the outside would use to connect to the firewall before being forwarded?

                      Bloody confused.

                      • stephenw10 Netgate Administrator

                        I'm not really the right person to answer this but I seem to have been sucked in!  ;)

                        You are trying to create a VPN end point to replace Adito. This means you only need one NIC in your appliance (virtual or not).
                        pfSense has supported single NIC configurations since 2.0 was released. In that situation the one NIC is named WAN by default. The virtual NIC you assign as this interface should be bridged to the real NIC in your server. It should have an IP address in the same subnet as your server. Either static or DHCP assigned. This would be 20.20.20.6 in your example. You can then forward your incoming OpenVPN traffic to that IP.
                        In order for remote clients to connect to local resources the pfSense machine has to route between the VPN subnet and the local subnet. This is the part I've never tried. I can see that there might, potentially, be a problem routing in and out of the same NIC. Then again it may work fine. The only other thing I can think of is that you will probably have to add a route to your VPN subnet via the pfSense IP in your main router.

                        Hope that helps (a bit).

                        Steve
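
An added example (not part of the original posts) that checks the single-NIC layout discussed above for the subnet clashes mentioned earlier in the thread and derives the static route suggested for the main router. The tunnel subnet `10.8.0.0/24` and the remote user's network `192.168.1.0/24` are constructed values; the 20.20.20.x addresses are the thread's own placeholders.

```python
import ipaddress


def check_single_nic_plan(lan, pfsense_ip, tunnel, client_lan):
    """Validate a one-NIC VPN endpoint plan.

    lan        - subnet shared by the server and the pfSense WAN NIC
    pfsense_ip - address assigned to the pfSense WAN interface
    tunnel     - subnet handed out to VPN clients (assumed value)
    client_lan - network the remote user connects from (assumed value)
    Returns (problems, route); route is None when problems exist.
    """
    lan = ipaddress.ip_network(lan)
    tunnel = ipaddress.ip_network(tunnel)
    client_lan = ipaddress.ip_network(client_lan)
    pfsense_ip = ipaddress.ip_address(pfsense_ip)

    problems = []
    if pfsense_ip not in lan:
        problems.append(f"{pfsense_ip} is not inside {lan}; the bridged NIC "
                        "must sit in the same subnet as the server")
    elif pfsense_ip in (lan.network_address, lan.broadcast_address):
        problems.append(f"{pfsense_ip} is not a usable host address in {lan}")
    if tunnel.overlaps(lan):
        problems.append(f"tunnel {tunnel} overlaps LAN {lan}; pfSense "
                        "cannot route between them")
    if client_lan.overlaps(lan):
        problems.append(f"remote network {client_lan} overlaps LAN {lan}; "
                        "the client will treat LAN hosts as local")
    if client_lan.overlaps(tunnel):
        problems.append(f"remote network {client_lan} overlaps tunnel {tunnel}")

    route = None
    if not problems:
        # Static route for the main router, as suggested in the thread, so
        # replies from LAN hosts to VPN clients go back via pfSense.
        route = {"destination": str(tunnel), "gateway": str(pfsense_ip)}
    return problems, route


if __name__ == "__main__":
    issues, route = check_single_nic_plan(
        "20.20.20.0/24", "20.20.20.6", "10.8.0.0/24", "192.168.1.0/24")
    print(issues or "no conflicts", route)
```
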

                        • Vorkbaard

                          Some notes about Hyper-V settings, better late than never. I wrestled with it for a while before I got it to work; here are the things I thought I should remember for next time: http://vorkbaard.nl/pfSenseOnHyperV.asp

                          This is about a two-nic setup but it may help.

                          Good luck!

                          • ASnet0007

                            Thanks for the link to the Hyper-V instructions.

                            One very basic question: does the Cat5 cable from the WAN adapter actually need to be plugged in to a switch physically connected to the internet, or can I connect it to an internal switch that is connected to other internal switches and then connected to the internet? The reason I ask is in another post someone said it needs to be connected to the WAN switch only, but our WAN switch is in another building.

                            Not sure if I have made any sense, sorry.

                            • stephenw10 Netgate Administrator

                              The pfSense WAN adapter?
                              No. The WAN side of pfSense can be a private network.

                              Steve

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.