Configure pfSense as a firewall behind an edge MikroTik router



  • Can I configure pfSense as a firewall behind a MikroTik router? Attached is the proposed network diagram.

    I wouldn't want to configure it as a transparent firewall, since that will not support transparent Squid, as I have learnt from this forum. If it is possible to configure pfSense as a firewall behind an edge router, I need to be guided on interface IP settings, NAT settings, etc.

    Just to mention that I have already set up pfSense as a transparent firewall and users on the LAN can access the internet, but unfortunately Squid cannot run in transparent mode.

    Any help will be appreciated.



  • You can simply set pfSense's WAN interface to DHCP and everything should be fine. Unless you need port forwarding or want to set up pfSense as a VPN server.

    Or throw out the MikroTik router; pfSense works pretty well as a router on its own ;)



  • @Klaws:

    You can simply set pfSense's WAN interface to DHCP and everything should be fine. Unless you need port forwarding or want to set up pfSense as a VPN server.

    Or throw out the MikroTik router; pfSense works pretty well as a router on its own ;)

    Thanks for the response.

    DHCP is NOT configured on the MikroTik router. If I configure the WAN as a DHCP client (I guess), how does it get an IP address? If I am to configure it manually, which I would prefer, in what subnet will the IP addresses of the WAN and LAN of the pfSense box be, considering my present interface configuration:

    Modem - DHCP server

    MikroTik router - WAN: DHCP client
                      LAN: 192.168.20.1

    Sorry, I wouldn't want to discard the MikroTik router.

    Thank you.



  • Sorry, I was assuming the "usual configuration", in which DHCP is enabled. You're right, static address assignment is preferable in your case.

    The WAN side of pfSense will be in the 192.168.20.2/24 subnet. The LAN side will be in some other private subnet, like 192.168.21.1/24.



  • @Klaws:

    Sorry, I was assuming the "usual configuration", in which DHCP is enabled. You're right, static address assignment is preferable in your case.

    The WAN side of pfSense will be in the 192.168.20.2/24 subnet. The LAN side will be in some other private subnet, like 192.168.21.1/24.

    Thanks once again. It means then that computers on the LAN will have the IP address of the pfSense LAN as their default gateway? Again, how do I avoid double NATing, or is it not an issue? i.e. the MikroTik does outbound NAT.

    I really appreciate it.



  • Double NAT is an issue if you need port forwarding or a VPN server (and probably if you want to use UPnP…), since you need to configure the forwards in both pfSense and the MikroTik.

    I do not know if you can avoid double NAT while still maintaining the required Squid functionality. I mean, unless you throw out the MikroTik router. ;)

    Why do you need to keep the MikroTik router? Do you use it to set up a DMZ? In that case, it might be an option to add an additional NIC to your pfSense box - if the hardware supports it.



  • Thanks Klaws.

    I will go ahead and try to set it up. If things get messy, I MAY consider ditching the MikroTik (it has really served me, though, and I have developed capacity in it). Whatever happens, I will get back to this forum as it progresses.



  • Preliminary update:

    I have successfully configured the pfSense behind the edge MikroTik router. However, in order not to cut users off the internet, I connected the pfSense WAN to the switch where the MikroTik is connected too. So I have:

    internet -------- mikrotik -------- switch -------- WAN pfsense LAN -------- switch -------- PC
                                          |
                                    Production LAN

    MikroTik: WAN - DHCP
              LAN - 192.168.20.2

    pfSense:  WAN - 192.168.20.1
              LAN - 192.168.21.1

    PC:       LAN - 192.168.21.2

    Prod LAN: 192.168.20.x

    My production LAN traffic FOR NOW goes straight to the MikroTik and uses the default gateway of 192.168.20.2, while I'm using the PC (the only computer connected through the pfSense) to configure and test the connectivity. The PC has a default gateway of 192.168.21.1.

    The pfSense and MikroTik are doing double NATing. I can access the internet from the PC. The pfSense can resolve domain names and download packages. Everything seems to be going well. When I disable NAT on the pfSense, the PC loses access to the internet, which is understandable now that the PC and the LAN of the MikroTik are in different subnets.

    My next step is to install some packages, especially Squid, and see how it works, play around with some configurations, and I promise to keep you posted.

    Lastly, I will remove the switch before the MikroTik router, wire the pfSense WAN straight to the router LAN, and force every user to pass through the pfSense.

    I'm excited and will post all the stages here; it might just help someone.
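Neither half of the double-NAT port forward Klaws mentions is written out in the thread, so here is one as an added example (not the poster's configuration and not taken from the pfSense or MikroTik documentation), using the addresses from the preliminary update above: MikroTik LAN 192.168.20.2, pfSense WAN 192.168.20.1, pfSense LAN 192.168.21.0/24. The interface name ether1 for the MikroTik WAN, the internal host 192.168.21.10 and TCP port 443 are assumptions. The static route in step 2 is the piece a practitioner usually wants as well: it is what the MikroTik needs in order to reach the pfSense LAN subnet at all when pfSense's own outbound NAT is disabled.

```routeros
# Added example, not from the thread. RouterOS CLI for the edge MikroTik in the
# final topology. Assumed: ether1 = MikroTik WAN (DHCP client), MikroTik LAN =
# 192.168.20.2/24, pfSense WAN = 192.168.20.1, pfSense LAN = 192.168.21.0/24,
# internal server 192.168.21.10 on TCP 443 (assumed host and port).

# 1. Double NAT as the thread runs it: the MikroTik masquerades everything it
#    sends to the ISP, and an inbound port forward must exist on BOTH hops.
#    First hop: MikroTik dst-nat to the pfSense WAN address.
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade \
    comment="outbound NAT towards the ISP"
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.20.1 to-ports=443 \
    comment="hop 1: forward TCP 443 to the pfSense WAN"

#    Second hop is configured in the pfSense GUI, Firewall > NAT > Port Forward:
#    Interface WAN, protocol TCP, destination "WAN address" port 443,
#    redirect target 192.168.21.10 port 443, with the associated filter rule
#    left enabled. pfSense generates the equivalent pf rule itself; shown only
#    for reference:
#      rdr pass on $WAN proto tcp from any to $WAN_address port 443 -> 192.168.21.10 port 443

# 2. Return path for the pfSense LAN subnet. Without this the MikroTik sends
#    anything addressed to 192.168.21.x out its default route to the ISP,
#    which is why the PC loses connectivity as soon as pfSense outbound NAT is
#    turned off. With the route in place pfSense no longer has to NAT.
/ip route
add dst-address=192.168.21.0/24 gateway=192.168.20.1 \
    comment="pfSense LAN, reachable via the pfSense WAN address"

# 3. Checks from the RouterOS terminal
/ip firewall nat print
/ip route print where dst-address=192.168.21.0/24
/tool traceroute 192.168.21.2
```

Two caveats on the pfSense side. The WAN interface option "Block private networks and loopback addresses" has to be unchecked, because the upstream is itself an RFC 1918 subnet and the forwarded traffic from the MikroTik arrives with private source and destination addresses. And if pfSense outbound NAT is switched off after step 2, the MikroTik's masquerade rule still covers the 192.168.21.0/24 sources on their way to the ISP, so the PC keeps internet access while the double NAT is reduced to a single one at the edge.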

