Netgate Discussion Forum

    Pfsense behind ASA Firewall setup

    General pfSense Questions
    4 Posts 3 Posters 1.8k Views
    sdm12

      Hello!
      I would like to deploy a pfSense firewall just to use the captive portal on a school network.

      Right now my setup is as follows:

      ISP---ASA Firewall---Switch---Wireless APs---PCs

      Desired setup:

      ISP---ASA Firewall---pfSense---Switch---Wireless APs---PCs

      Now, the catch is that I would like to use two VLANs: VLAN 1 for local hosts and VLAN 2 for guests. I set up two SSIDs, one for local users on VLAN 1 and one for guests on VLAN 2. I set this up already and it works great. Now I need to add the pfSense to the picture so that I can use the captive portal feature. I need to route only the VLAN 2 traffic through pfSense.

      The ASA is now configured with DHCP for both VLANs, and the default gateway for VLAN 2 is on interface 5 of the ASA, which is plugged into a switchport of VLAN 2.
      The AP is connected to a trunk port on the switch.

      How should this be set up to route VLAN 2 traffic through the pfSense and out to the internet?

      loupalladino

        Hi There

        How many NICs does pfSense have? Are guests and normal users connecting to the same physical AP?

          sdm12

          Hi,

          pfSense has two NICs. And yes, guests and normal users are using the same AP.
          What we did is, we created a second VLAN for the guests: VLAN 1 for normal users and VLAN 10 for guests. Then I pointed all VLAN 10 traffic to the pfSense. So far VLAN 10 traffic goes out to the internet; however, the captive portal and the web content filter don't work.

          This is the current layout:

                                                             ---Access port to pfSense---pfSense WAN (VLAN 1)
                                                            /
          Internet---Cisco ASA Firewall--< VLAN 1  >---Cisco 3550 Switch <---Access port to pfSense---pfSense LAN (VLAN 10)
                                           VLAN 10          \
                                                             ---Trunk port to AP---AP< SSID-Private (VLAN 1)
                                                                                      SSID-Public (VLAN 10)

          Thanks for your thoughts and input.

            wallabybob

            @sdm12:

            Then I pointed all vlan 10 traffic to the pfsense.

            What is the mechanism you used to do that?

            Since your Cisco firewall is on the same VLAN as the guests, it will probably be fairly easy for a knowledgeable user to work out how to bypass pfSense.

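The bypass wallabybob points at can be checked against a model of the layout rather than argued about. The following is an added example, not code from the thread, from Netgate or from pfSense. Device names, VLAN numbers and every IP address are constructed assumptions, and so is the second layout it compares against, in which the ASA has no interface on VLAN 10 and pfSense's LAN is the only router guests can see. The check asks two things about the guest VLAN: which routers sit in the same broadcast domain and can forward to the internet without ever crossing the captive-portal box, and which device actually owns the gateway address that DHCP hands out.

```python
"""Added example: model the thread's VLAN layout and find any layer-3 exit
from the guest VLAN that does not pass through pfSense.

All addresses and device names below are constructed assumptions."""
from collections import deque
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Interface:
    device: str   # router that owns this interface
    vlan: int     # VLAN the interface is an access member of
    cidr: str     # interface address, e.g. "192.168.10.1/24"


def routers_on_vlan(interfaces, vlan):
    """Devices that have an interface in this VLAN's broadcast domain."""
    return {i.device for i in interfaces if i.vlan == vlan}


def reaches_internet(interfaces, start, upstream, excluded):
    """BFS over shared VLANs: can `start` forward to an upstream device
    without the path crossing any device listed in `excluded`?"""
    if start in excluded:
        return False
    seen, queue = {start}, deque([start])
    while queue:
        dev = queue.popleft()
        if dev in upstream:
            return True
        for vlan in {i.vlan for i in interfaces if i.device == dev}:
            for nxt in routers_on_vlan(interfaces, vlan):
                if nxt not in seen and nxt not in excluded:
                    seen.add(nxt)
                    queue.append(nxt)
    return False


def bypass_routers(interfaces, guest_vlan, portal, upstream):
    """Routers a guest host could pick as next hop that reach the internet
    while never traversing the captive-portal device."""
    return {
        dev for dev in routers_on_vlan(interfaces, guest_vlan)
        if dev != portal and reaches_internet(interfaces, dev, upstream, {portal})
    }


def gateway_owner(interfaces, vlan, gateway_ip):
    """Which device answers for the default gateway handed out on this VLAN."""
    ip = ipaddress.ip_address(gateway_ip)
    for i in interfaces:
        if i.vlan == vlan and ipaddress.ip_interface(i.cidr).ip == ip:
            return i.device
    return None


# Layout as described in the thread (constructed addresses): the ASA has an
# interface on VLAN 1 and interface 5 on VLAN 10; pfSense has WAN on VLAN 1
# and LAN on VLAN 10; DHCP on VLAN 10 points clients at the ASA.
AS_POSTED = [
    Interface("asa", 1, "192.168.1.1/24"),
    Interface("asa", 10, "192.168.10.1/24"),
    Interface("pfsense", 1, "192.168.1.2/24"),
    Interface("pfsense", 10, "192.168.10.254/24"),
]

# Assumed alternative: the ASA has no interface on VLAN 10, so pfSense LAN is
# the only router in the guest broadcast domain.
PFSENSE_ONLY_EXIT = [
    Interface("asa", 1, "192.168.1.1/24"),
    Interface("pfsense", 1, "192.168.1.2/24"),
    Interface("pfsense", 10, "192.168.10.254/24"),
]

UPSTREAM = {"asa"}  # the device that is plugged into the ISP


def audit(interfaces, guest_vlan=10, dhcp_gateway="192.168.10.1"):
    """Summarise the two questions a reviewer of this layout would ask."""
    return {
        "bypass_routers": bypass_routers(interfaces, guest_vlan, "pfsense", UPSTREAM),
        "dhcp_gateway_owner": gateway_owner(interfaces, guest_vlan, dhcp_gateway),
    }


if __name__ == "__main__":
    print("as posted:", audit(AS_POSTED))
    print("pfSense sole exit:", audit(PFSENSE_ONLY_EXIT, dhcp_gateway="192.168.10.254"))
```

With the layout as posted the audit reports the ASA as a router on the guest VLAN that reaches the internet without touching pfSense, and as the owner of the gateway address DHCP hands out, so a guest host never needs to send a packet through the portal. In the assumed alternative the bypass set is empty and the only gateway guests can resolve is pfSense's LAN address.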