Pfsense behind ASA Firewall setup



  • Hello!
    I would like to deploy a pfSense firewall just to use the captive portal on a school network.

    Right now my set up is as follows:

    ISP---ASA Firewall---Switch---Wireless APs---PCs

    Desired set up:

    ISP---ASA Firewall---pfSense---Switch--Wireless APs---PCs

    Now, the catch is that I would like to use two VLANs: VLAN 1 for local hosts and VLAN 2 for guests. I set up two SSIDs, one for local users on VLAN 1 and one for guests on VLAN 2. I set this up already and it works great. Now I need to add the pfSense to the picture so that I can use the captive portal feature. I need to route only the VLAN 2 traffic through pfSense.

    The ASA is now configured with DHCP for both VLANs, and the default gateway for VLAN 2 is on interface 5 of the ASA, which is plugged into a switchport in VLAN 2.
    The AP is connected to a trunk port on the switch.

    How should this be set up to route VLAN 2 traffic through the pfSense and out to the internet?



  • Hi There

    How many NICs does pfsense have?  Are guests and normal users connecting to the same physical AP?



  • Hi,

    pfSense has two NICs. And yes, guests and normal users are using the same AP.
    What we did is, we created a second VLAN for the guests: VLAN 1 for normal users and VLAN 10 for guests. Then I pointed all VLAN 10 traffic to the pfSense. So far VLAN 10 traffic goes out to the internet, however the captive portal and the web content filter don't work.

    This is the current layout:

    Internet-----Cisco ASA Firewall---(Vlan 1 + Vlan 10)-----Cisco 3550 Switch
                                                                  |---Access port to pfSense---pfSense WAN Vlan1
                                                                  |---Access port to pfSense---pfSense LAN Vlan10
                                                                  |---Trunking port to AP-----AP
                                                                                               |---SSID-Private-Vlan1
                                                                                               |---SSID-Public-Vlan10

    Thanks for your thoughts and input.



  • @sdm12:

    Then I pointed all vlan 10 traffic to the pfsense.

    What is the mechanism you used to do that?

    Since your Cisco firewall is on the same VLAN as the guests it will probably be fairly easy for a knowledgeable user to work out how to bypass pfSense.
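The bypass concern raised in the reply above can be checked mechanically. The script below is an added example written for this page; it is not code from the thread or from pfSense. It models the two layouts from the thread as a set of devices with interfaces in VLAN 1 and VLAN 10 (the `CURRENT_TOPOLOGY` and `FIXED_TOPOLOGY` dictionaries and the host names are constructed for the example), treats any two devices that share a VLAN as Layer 2 adjacent (the switch and AP are pure transport and are not modelled as nodes), and asks whether a guest host has any path to the ASA that does not traverse pfSense. In the current layout the ASA itself has an interface in VLAN 10, so such a path exists; once the ASA is removed from VLAN 10 and pfSense's LAN is the only VLAN 10 gateway, every path is forced through the captive portal.

```python
from collections import deque

# Constructed topologies for this example: each device maps to the set of
# VLAN IDs it has an interface in. The switch and AP are Layer 2 transport
# only, so they are represented by the rule "same VLAN = adjacent".
CURRENT_TOPOLOGY = {
    "ASA": {1, 10},        # ASA interface 5 sits in VLAN 10 and is its gateway
    "pfSense": {1, 10},    # WAN in VLAN 1, LAN in VLAN 10
    "staff-host": {1},     # hypothetical private-SSID client
    "guest-host": {10},    # hypothetical public-SSID client
}

# Intended layout: pfSense is the only device with a foot in both VLAN 10
# and VLAN 1, so VLAN 10 traffic has no way out except through it.
FIXED_TOPOLOGY = {
    "ASA": {1},
    "pfSense": {1, 10},
    "staff-host": {1},
    "guest-host": {10},
}


def adjacent(topology, a, b):
    """Two devices are Layer 2 adjacent when they share at least one VLAN."""
    return a != b and bool(topology[a] & topology[b])


def find_path(topology, start, goal, avoid=frozenset()):
    """Breadth-first search from start to goal over device adjacency.

    A device with interfaces in two VLANs is treated as able to forward
    between them. Devices in `avoid` are never traversed. Returns the
    shortest path as a list of device names, or None if unreachable.
    """
    parent = {start: None}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if cur == goal:
            path = []
            while cur is not None:
                path.append(cur)
                cur = parent[cur]
            return path[::-1]
        for nxt in topology:
            if nxt in parent or nxt in avoid:
                continue
            if adjacent(topology, cur, nxt):
                parent[nxt] = cur
                queue.append(nxt)
    return None


def bypass_path(topology, host, edge, enforcer):
    """Path from host to the internet edge that never touches the
    enforcement device, or None when every route is forced through it."""
    return find_path(topology, host, edge, avoid={enforcer})


if __name__ == "__main__":
    for name, topo in (("current", CURRENT_TOPOLOGY), ("fixed", FIXED_TOPOLOGY)):
        via = find_path(topo, "guest-host", "ASA")
        bypass = bypass_path(topo, "guest-host", "ASA", "pfSense")
        print(f"{name}: guest path {via}; bypass path {bypass or 'none'}")
```

The check generalises beyond the thread's two VLANs: any device that has an interface in the guest VLAN and also a route toward the edge is a candidate bypass, which is why the fix is to leave pfSense's LAN as the sole VLAN 10 interface on any routing device rather than relying on DHCP to hand out the right gateway.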

