How to replace shorewall with pfSense with 3 NICs?

  • I am so far using shorewall with 3 NICs  (net or WAN, loc or LAN, and dmz or OPT1) in two locations. I am thinking of migrate to pfsense with site-to-site vpn tunnel with advanced threat detection for the services behind pfsense. I found some tutorials on pfsense site-to-site openVPN and IPSec tunneling with WAN and LAN but not with the third OPT1 or say dmz that connects to web-services.

    my scheme is:

    Public IPs provided by ISP in two locations –> WAN
    Private IPs --> LAN and OPT1 (behind NAT)

    LAN and OPT1 passes through WAN interface behind NAT while site-to-site tunneling betweeen two WANs so that the services appears to be in the same subnet.

    So far I checked the following official documentations:,_2.0)

    Appreciate if experts here can share their advice the best practices for a three interface pfsense with openvpn/IPsec. I tend to be a bit exhausted with the webguis rather than command lines, so please share the screenshots if possible. Thanks in advance!

    My current shorewall rules-configuration looks like as follows:



    Accept DNS connections from the firewall to the Internet

    DNS(ACCEPT) $FW net

    Accept SSH connections from the local network to the firewall and DMZ

    SSH(ACCEPT)     loc             $FW
    SSH(ACCEPT)     loc             dmz

    DMZ DNS access to the Internet

    DNS(ACCEPT) dmz net
    DNS(ACCEPT) all dmz

    Drop Ping from the "bad" net zone.

    Ping(DROP)   net             $FW

    Make ping work bi-directionally between the dmz, net, Firewall and local zone

    (assumes that the loc-> net policy is ACCEPT).

    Ping(ACCEPT)    loc             $FW
    Ping(ACCEPT)    dmz             $FW
    Ping(ACCEPT)    loc             dmz
    Ping(ACCEPT)    dmz             loc
    Ping(ACCEPT)    dmz             net

    ACCEPT $FW net icmp
    ACCEPT $FW loc icmp
    ACCEPT $FW dmz icmp

    #ACCEPT net $FW udp 3478,4569,5060:5088,10001:20000
    ACCEPT net $FW tcp 10000
    ACCEPT loc dmz udp 4569

    Uncomment this if using Proxy ARP and static NAT and you want to allow ping from

    the net zone to the dmz and loc

    #Ping(ACCEPT)    net             dmz
    #Ping(ACCEPT)    net             loc

    #Accept ssh connection to the firewall machine from outside the network
    #i.e from internet

    SSH/ACCEPT net $FW
    #SSH/ACCEPT $FW dmz

    #Accept the connection from the net to the trixbox voip server
    DNAT net dmz: udp 5000:5100
    DNAT net dmz: udp 10001:20000
    #DNAT net dmz: udp 1720
    DNAT net dmz: udp 3478
    #DNAT net dmz: udp 3478:3479
    DNAT net dmz: udp 4569
    DNAT net dmz: tcp 25
    DNAT net dmz: tcp 110
    DNAT            net     dmz:  tcp     7000
    #Following ports are DNATted to allow the http/s conenctions to dmz machines
    DNAT net dmz: tcp 8080
    DNAT net dmz: tcp 8081
    DNAT            net     dmz:   tcp     8443
    DNAT net dmz: tcp 33022
    DNAT loc dmz: udp 4569

Log in to reply