I need to add a PFSense Box to my current network for setup & Testing



  • Hi Everyone,

    I tried deploying my PFSense System a few months ago, and it was a complete flop, as I shut down my network and tried to shotgun my deployment and make adjustments on the fly. For a NOOB like me, this was clearly a "No-Go".

    Thus, I am trying to figure out the best way to deploy this system without shutting down everything else, by adding it to my current network.  Before proceeding, I will send a pic of what I am attempting and what failed to work before, so that there is a clearer understanding.

    Thank You all for your support.

    ![2 Routers on 1 network.jpg](/public/imported_attachments/1/2 Routers on 1 network.jpg)


  • Netgate Administrator

    That should be no problem. Just make sure the pfSense LAN interface is using a different IP address scheme to your main router. By default pfSense uses 192.168.1.X/24 which is commonly used by other devices.

    Steve



  • So, wait…

    My Arris gives an address set of 10.0.0.x, so you're saying that since they have different IP addresses, that they will not conflict with one another, in regards to giving out DHCP addresses?


  • Netgate Administrator

    Yep, 10.0.0.X is no problem. Just insert the pfSense box and you should be good. You will end up double NATing clients behind the pfSense box which can cause issues for some services but almost everything will run fine.

    Steve



  • This is going to probably be a ridiculous question… but deep down inside, I'm feeling that I want to set up VLans... if I select yes, will it segment each PFSense system Ethernet port into its own LAN, that I can set rules upon?

    Or, is this something to do with all of the postings that people post about setting up LANs from their Virtual-Machines within their OS?

    Thanks for patiently guiding this Padawan Noob.  :-D



  • You also want to put the PfSense box in the DMZ of your Arris (Dorey) Gateway Router. This will send all unsolicited traffic to your PfSense Firewall. You also have to make sure that your WAN Interface is not blocking Private IP address. Normally you wouldn't see a private IP address coming in on your WAN interface but in your case your WAN interface has a private IP address.

    A Vlan will not separate each physical interface as they are already separated. What a vlan will allow you to do is make one physical Interface act like it were separate physical interfaces. You will need a switch that is capable of doing vlans.



  • you also want to put the PfSense box in the DMZ of your Arris (Dorey) Gateway Router.

    I hope that this isn't getting taxing… but, I thought that the DMZ was an open area for ports to be placed... How do I set it up to allow PFSense to receive all traffic from the Arris DMZ?  Sorry, never used a DMZ before. (Long overdue)

    You also have to make sure that your WAN Interface is not blocking Private IP address

    Please elaborate, how would the WAN Interface (Arris Gateway or WAN port on PFsense) block "Private IP address" (What is that?)

    I'M GONNA LEARN THIS *#)$ DAMMIT!!!  :-D


  • Netgate Administrator

    @sekrit_skworl:

    I'm feeling that I want to set up VLans… if I select yes, will it segment each PFSense system Ethernet port into its own LAN, that I can set rules upon?

    You almost certainly don't want to set up VLANs! pfSense will separate its ethernet ports into different subnets anyway.

    By default pfSense will block traffic from private IP addresses on its WAN interface by adding a firewall rule to do so. Since your WAN interface is behind another router, and therefore in a private subnet, it's not appropriate here. You can disable that by going to Interfaces: WAN: in the webgui and unchecking 'block private networks'. It should be noted though that not doing that won't prevent the pfSense box or clients behind it accessing the internet.

    Using the DMZ facility of your modem/router is a good idea if you can't use a bridge mode but you don't need to do that and you can try it later once you're more familiar with pfSense and have it up and running.

    Steve
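
Added example, not part of the original thread or of pfSense itself: a Python check of the addressing points raised above (a pfSense LAN subnet distinct from the upstream router's, a private address on the pfSense WAN, and the resulting double NAT). The /24 masks, the 10.0.0.50 WAN address and the function names are assumed sample values.

```python
import ipaddress

# RFC 1918 private ranges: the "private IP addresses" the thread refers to.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    """True if the address falls inside one of the RFC 1918 ranges."""
    return any(ip in net for net in RFC1918)


def check_cascade(upstream_lan, pfsense_wan_ip, pfsense_lan):
    """Return findings for a pfSense box placed behind an existing router.

    Subnets may be given as network ("10.0.0.0/24") or interface
    ("10.0.0.1/24") notation; strict=False accepts both.
    """
    up = ipaddress.ip_network(upstream_lan, strict=False)
    lan = ipaddress.ip_network(pfsense_lan, strict=False)
    wan = ipaddress.ip_address(pfsense_wan_ip)
    wan_private = is_rfc1918(wan)
    return {
        # Same or overlapping subnet on both sides breaks routing and DHCP.
        "lan_overlaps_upstream": lan.overlaps(up),
        # The WAN address should come from the upstream router's subnet.
        "wan_in_upstream_subnet": wan in up,
        "wan_is_private": wan_private,
        # A private WAN means the upstream router NATs the traffic again.
        "double_nat": wan_private,
        # Hosts on a private upstream LAN reach the WAN with private source
        # addresses, which a rule blocking private networks would drop.
        "review_block_private_networks": any(up.overlaps(n) for n in RFC1918),
    }


if __name__ == "__main__":
    # Constructed sample: Arris hands out 10.0.0.x, pfSense LAN left at default.
    result = check_cascade("10.0.0.1/24", "10.0.0.50", "192.168.1.1/24")
    for name, value in result.items():
        print(f"{name}: {value}")
```
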



  • Thanks so much guys… I've got some work to do. :-D