Putting pfSense in the LAN subnet instead of in between LAN/WAN



  • Hi all,

    Is it possible to put pfSense on any of the VLAN subnets instead of it being in between the WAN/LAN?

    I have a Netgear router atm as my gateway between my WAN/LAN and I want to be able to stop the firewall on that router (still use it to route traffic, as that's where my WAN comes in) and make all the traffic go to my pfSense so I can set firewall rules up.

    Is this at all possible?

    Thank you in advance,

    Rob



  • You will potentially have a double NAT situation, but it will work.



  • Can you please explain how this would be possible in pfSense?



  • WAN has a local IP, either static or DHCP from your router. This is usually a local IP. Make sure that if it is, you turn off private net filtering on the WAN. Then assign a "DIFFERENT" subnet to LAN. pfSense will NAT to the router and the router will NAT to the world.



  • My WAN is DHCP from the ISP that goes to a modem and then to my router downstairs, and from there one of the LAN ports from the router goes to my upstairs room via a powerline adapter, so I haven't got a WAN connection upstairs, just LAN.

    So how do I connect my pfSense machine upstairs? Do I use 2 NICs? Are you saying use 2 LAN ports but 1 will be like a WAN?



  • WAN is a relative term. It just means the non-protected side of a firewall. Some just call it the red interface, where the internal is green. So WAN on the router goes to the internet. LAN on the router goes to WAN on pfSense. LAN on pfSense goes into your network. Yes, 2 NICs is the safest way to protect resources.



  • OK, nice one, thanks a lot.

    One last question: I have got PCs connected to my Netgear router downstairs. How do I go about getting them to pass through my pfSense firewall (which is located upstairs), as they will probably go straight out from that router to the WAN?



  • Since the pfSense machine needs to go into the middle, you have to have a switch on the LAN side of pfSense. So it sounds like you need two long cables in addition to a switch/hub to make this happen. Is all you have the router?



  • No, I will explain my setup. Downstairs I have a Netgear router with 4 LAN ports; 2 of them have media devices on them and the other leads up to my room via a powerline adapter, and from there goes into a VLAN switch. I have tagged all VLAN networks (5 in total) to a VM ESXi server and I have created a VM pfSense machine.

    Before, I had the VLAN switch and VM ESXi server downstairs (had no need for my router) and I created the VM pfSense machine with 2 virtual NICs; one was the WAN and the other was the internal network, and from the internal network I created a static route to route traffic to the other VLAN networks. But I decided to put everything in my room, which is why I have come across this complicated network.



  • It is possible to make client devices on WAN operate similar to being on a "LAN2". They are sitting on the subnet between your internet facing router and pfSense WAN. It's not a usual config! I posted about this a while ago; the steps are something like:
    a) Disable DHCP on your internet facing router.
    b) Enable DHCP on pfSense WAN; it will give out pfSense WANaddress as the default gateway and DNS server - good.
    c) Add a firewall rule on pfSense WAN to allow source WANnet, destination any - this allows traffic originated from these unusual clients.
    d) Firewall->NAT, Outbound. Enable Manual Outbound NAT. Add a rule to NAT traffic from WANnet to WANaddress - packets from your unusual clients will be NAT'd to WANaddress, so your internet facing router will see all the traffic coming from pfSense WANaddress.
    Thus the internet facing router will pass the reply traffic back to pfSense. pfSense will see traffic in both directions and can track states and filter as needed.
    Now you can modify your WAN rule/s to block some traffic, whatever you want to do with filtering.
    I think that is all - try it.
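The setup in steps a) to d), modelled as an added Python example (not from the post or from pfSense itself; all addresses are constructed). It shows why step d) matters: without the outbound NAT the router hands replies straight to the client on its own LAN and pfSense never sees the return direction, so it cannot track state.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses for this example (not from the thread or the real network).
WANNET = ip_network("192.168.1.0/24")  # subnet between the internet-facing router and pfSense WAN
WANADDRESS = "192.168.1.2"             # pfSense WAN address, handed out as gateway/DNS (step b)
CLIENT = "192.168.1.50"                # "unusual" client sitting on WANnet, router LAN DHCP off (step a)
SERVER = "203.0.113.10"                # some internet host (TEST-NET-3 documentation range)

class PfSense:
    def __init__(self, manual_outbound_nat):
        self.manual_outbound_nat = manual_outbound_nat
        self.states = {}  # (src, sport, dst, dport) after NAT -> original client address

    def wan_rule_pass(self, pkt):
        # step c: WAN rule "source WANnet, destination any"; anything else hits the default deny
        return ip_address(pkt["src"]) in WANNET

    def egress(self, pkt):
        """Client packet arriving on the WAN interface, bound for the internet via the router."""
        if not self.wan_rule_pass(pkt):
            return None
        out = dict(pkt)
        if self.manual_outbound_nat:
            out["src"] = WANADDRESS  # step d: outbound NAT WANnet -> WANaddress
        self.states[(out["src"], out["sport"], out["dst"], out["dport"])] = pkt["src"]
        return out

    def ingress_reply(self, reply):
        """Reply delivered to the pfSense WAN address: match the state and undo the NAT."""
        key = (reply["dst"], reply["dport"], reply["src"], reply["sport"])
        if key not in self.states:
            return None  # no matching state, so the stateful filter drops it
        return dict(reply, dst=self.states[key])

def simulate(manual_outbound_nat):
    """Return (path the reply took, host that finally received it)."""
    fw = PfSense(manual_outbound_nat)
    request = {"src": CLIENT, "sport": 40000, "dst": SERVER, "dport": 443}
    sent = fw.egress(request)  # client's default gateway is WANaddress, so pfSense sees this leg
    reply = {"src": SERVER, "sport": 443, "dst": sent["src"], "dport": sent["sport"]}
    # The router delivers a packet for its own LAN subnet straight to that host (same L2 segment).
    if reply["dst"] == WANADDRESS:
        return "via pfSense", fw.ingress_reply(reply)["dst"]
    return "bypassed pfSense", reply["dst"]

if __name__ == "__main__":
    print(simulate(manual_outbound_nat=False))  # ('bypassed pfSense', '192.168.1.50')
    print(simulate(manual_outbound_nat=True))   # ('via pfSense', '192.168.1.50')
```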



  • When you say disable DHCP on the internet facing router, do you mean disable the WAN DHCP? Also I imagine disable the LAN DHCP as well, and also disable the routing as well?

    So really that internet facing router will just be a transparent device and traffic will go through it to the pfSense device.



  • @robina80:

    When you say disable DHCP on the internet facing router, do you mean disable the WAN DHCP? Also I imagine disable the LAN DHCP as well, and also disable the routing as well?

    So really that internet facing router will just be a transparent device and traffic will go through it to the pfSense device.

    Leave the internet facing router WAN settings the same. It still needs to connect out to the internet like it always has.
    I mean disable the internet facing router LAN DHCP server. You want clients on that LAN to always get their DHCP from the pfSense WAN.



  • Ahh yeah, now I understand what you're getting at, nice one, I will try this tonight.

    Thanks again for your help, much appreciated.

