Netgate Discussion Forum

    Pfsense between 1st network switch and gateway

    Category: Problems Installing or Upgrading pfSense Software
    11 Posts, 3 Posters, 1.0k Views
    • A Former User

      what is the best way to configure pfsense if i want to install it between an existing router and the first network switch on the network?  meaning, all WAN/LAN traffic from the network has to pass the pfsense before it leaves through the main router.

      at first i assume it would be as easy as

      network devices----->network switch------>pfsense LAN NIC-------->pfsense WAN NIC---------->gateway device LAN NIC

      however, the problem i see with that is a double NAT scenario.  is this the correct way to configure it (below)?

      network devices----->network switch------>pfsense LAN NIC1-------->pfsense LAN NIC2---------->gateway device LAN NIC

      i realize that i can avoid all of this by using the pfsense as the router, this is more for testing....

      thanks.

      • Derelict (LAYER 8, Netgate)

        You don't have to NAT through pfSense.  Turn it off in Firewall > NAT.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • A Former User

          @Derelict:

          > You don't have to NAT through pfSense.  Turn it off in Firewall > NAT.

          wow, completely forgot about that….

          can the WAN NIC and the LAN NIC of the pfsense box be on the same private class c subnet?

          existing router/firewall (non pfsense) is 192.168.1.1

          current pfsense box is only using the LAN NIC and is assigned 192.168.1.3 (so i can access on the LAN to view/modify settings) and the rest of the network is getting DHCP from the pfsense box...192.168.1.0/24 (dhcp is disabled on the primary, non pfsense, router/firewall).

          can i assign the WAN NIC of the pfsense box to 192.168.1.2, keep the LAN NIC at 192.168.1.3 and simply disable NAT on the pfsense box?  if that works, i will need to unplug the patch cable going from the existing router/firewall to my network because the pfsense will take over the traffic...

          • Derelict (LAYER 8, Netgate)

            @tomdlgns:

            > wow, completely forgot about that….
            >
            > can the WAN NIC and the LAN NIC of the pfsense box be on the same private class c subnet?

            No.  Not while routing traffic.  What are you looking to do with it?

            > existing router/firewall (non pfsense) is 192.168.1.1
            >
            > current pfsense box is only using the LAN NIC and is assigned 192.168.1.3 (so i can access on the LAN to view/modify settings) and the rest of the network is getting DHCP from the pfsense box…192.168.1.0/24 (dhcp is disabled on the primary, non pfsense, router/firewall).

            Surprised that's working for you at all.  Again, what are you trying to do?

            > can i assign the WAN NIC of the pfsense box to 192.168.1.2, keep the LAN NIC at 192.168.1.3 and simply disable NAT on the pfsense box?  if that works, i will need to unplug the patch cable going from the existing router/firewall to my network because the pfsense will take over the traffic…

            That doesn't sound like something I'd try.


            • A Former User

              > No.  Not while routing traffic.  What are you looking to do with it?

              i am trying to set up the pfsense to properly sit between the main firewall/network to grab all the traffic to use pfsense security services.

              > Surprised that's working for you at all.  Again, what are you trying to do?

              why are you surprised that it's working?  i am not using the WAN NIC, this is the LAN NIC.  this isn't any different than having a dedicated DHCP server on the network.

              the network devices get an IP from the pfsense box at 192.168.1.3 and the pfsense dhcp server is handing out 192.168.1.1 as the gateway device.  all network computers/devices work fine.

              maybe i shouldn't have explained how i wanted to configure it, maybe all i should have asked was

              "how do i configure the pfsense box to sit between the main router/firewall and the first network switch?" and just left it at that.

              thanks.

              • Derelict (LAYER 8, Netgate)

                I am surprised it's working because of the diagrams you provided.

                Yes, if you're only plugged into LAN you are fine.

                No, you cannot put the same subnet on LAN and WAN.  You need to decide whether it's easier to change LAN or WAN.  If you're testing to replace the existing router, I'd just leave it double NAT or you won't be testing what you're going to be putting in production.


                • A Former User

                  @Derelict:

                  > I am surprised it's working because of the diagrams you provided.
                  >
                  > Yes, if you're only plugged into LAN you are fine.
                  >
                  > No, you cannot put the same subnet on LAN and WAN.  You need to decide whether it's easier to change LAN or WAN.  If you're testing to replace the existing router, I'd just leave it double NAT or you won't be testing what you're going to be putting in production.

                  the diagrams i posted were just ideas of how it should be set up.  that isn't how it is set up now.

                  i should have been more clear, i am not testing to see if pfsense will work, i meant this was just a test setup to see if it could work, i wasn't planning on keeping it this way, but i could see someone wanting to set it up this way.

                  maybe someone else can chime in and tell me if this is doable, again, i have to imagine that it is.

                  thanks.

                  • Escorpiom

                    What you want is a transparent bridge.
                    You can't route in the scenario you described. You would have to configure two different subnets.

                    If PfSense can work as a transparent bridge, then you may be able to use some of the functions it offers.

                    Cheers.

                    • Derelict (LAYER 8, Netgate)

                      It was my understanding that OP wanted to replace the existing gateway with pfSense when it was verified working.

                      If not, then yes, you want a transparent bridge.


                      • A Former User

                        @Derelict:

                        > It was my understanding that OP wanted to replace the existing gateway with pfSense when it was verified working.
                        >
                        > If not, then yes, you want a transparent bridge.

                        yeah, that wasn't what i wanted.  however, your feedback is/was appreciated, thanks.

                        • A Former User

                          @Escorpiom:

                          > What you want is a transparent bridge.
                          > You can't route in the scenario you described. You would have to configure two different subnets.
                          >
                          > If PfSense can work as a transparent bridge, then you may be able to use some of the functions it offers.
                          >
                          > Cheers.

                          ok, that makes sense.  i just wanted to make sure there wasn't an easier way of doing it.  thanks for the reply.

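Two points from the thread are worth seeing in code: Escorpiom's statement that a router cannot work with the same subnet on both interfaces (so the proposed WAN 192.168.1.2/24 and LAN 192.168.1.3/24 plan fails), and Derelict's earlier remark that NAT can be turned off, which in a routed design has a consequence the thread does not spell out: the upstream router then sees the real LAN source addresses and needs a return route for that subnet. The small model below is an added example, not code from the thread, from pfSense or from Netgate; the interface names, addresses and MACs are constructed. It validates an address plan for routed mode, does a longest-prefix lookup over the resulting routes, flags when the upstream router needs a static route, and contrasts this with a learning bridge, which forwards on MAC addresses and so does not care that both sides share 192.168.1.0/24.

```python
"""Why two router interfaces cannot share 192.168.1.0/24, and what a bridge does instead.

Added example, not taken from the forum thread or from pfSense. Interface
names, addresses and MAC addresses below are constructed for illustration.
"""
from ipaddress import ip_address, ip_interface, ip_network


class RoutingError(ValueError):
    """Raised when an address plan cannot be routed."""


def check_routed_plan(interfaces, default_via=None):
    """Validate a routed (non-bridged) interface plan.

    interfaces: dict of interface name -> CIDR, e.g. {"LAN": "192.168.2.1/24"}.
    default_via: name of the interface carrying the default route, if any.
    Returns the routes as (network, interface) pairs, or raises RoutingError
    when two interfaces overlap: the router would then hold two connected
    routes for one prefix and could not choose an egress interface.
    """
    routes = []
    for name, cidr in interfaces.items():
        net = ip_interface(cidr).network
        for other_net, other_name in routes:
            if net.overlaps(other_net):
                raise RoutingError(
                    f"{name} ({net}) overlaps {other_name} ({other_net}): "
                    "routed interfaces need disjoint subnets")
        routes.append((net, name))
    if default_via is not None:
        routes.append((ip_network("0.0.0.0/0"), default_via))
    return routes


def plan_error(interfaces, default_via=None):
    """Return the RoutingError message for a plan, or None if it is valid."""
    try:
        check_routed_plan(interfaces, default_via)
    except RoutingError as exc:
        return str(exc)
    return None


def egress_interface(routes, dst):
    """Longest-prefix match, the lookup a router does for every forwarded packet."""
    dst = ip_address(dst)
    best = None
    for net, name in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, name)
    return best[1] if best else None


def upstream_needs_static_route(upstream_cidr, lan_cidr):
    """With outbound NAT disabled, the upstream router sees real LAN source
    addresses. It can only reply if the LAN subnet is attached to it directly
    or it has a static route for that subnet via the pfSense WAN address.
    True means the static route has to be added on the upstream router."""
    upstream_net = ip_interface(upstream_cidr).network
    lan_net = ip_interface(lan_cidr).network
    return not lan_net.overlaps(upstream_net)


class TransparentBridge:
    """Learning bridge: forwards by destination MAC and floods unknown ones.

    No IP lookup takes place, which is why a bridge can sit inline between
    the first switch and the existing gateway without an address plan change.
    """

    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}  # learned MAC -> port

    def forward(self, in_port, src_mac, dst_mac):
        """Return the list of ports a frame arriving on in_port is sent out of."""
        self.table[src_mac] = in_port  # learn which port the sender is behind
        out = self.table.get(dst_mac)
        if out is None or dst_mac == "ff:ff:ff:ff:ff:ff":
            return [p for p in self.ports if p != in_port]  # flood
        return [] if out == in_port else [out]  # filter or forward


if __name__ == "__main__":
    # The thread's proposal: WAN 192.168.1.2/24 next to LAN 192.168.1.3/24.
    print(plan_error({"WAN": "192.168.1.2/24", "LAN": "192.168.1.3/24"}))
    # Routed alternative: a separate LAN subnet, default route via WAN, and
    # (with NAT off) a static route for 192.168.2.0/24 on the upstream router.
    routes = check_routed_plan({"WAN": "192.168.1.2/24", "LAN": "192.168.2.1/24"},
                               default_via="WAN")
    print(egress_interface(routes, "192.168.2.50"), egress_interface(routes, "203.0.113.9"))
    print(upstream_needs_static_route("192.168.1.1/24", "192.168.2.1/24"))
    # Bridge alternative: both sides stay in 192.168.1.0/24.
    br = TransparentBridge(["LAN", "WAN"])
    print(br.forward("LAN", "02:00:00:00:00:0a", "02:00:00:00:00:01"))
```

In pfSense terms the routed variant is the two-subnet design Derelict describes, with outbound NAT disabled under Firewall > NAT > Outbound and the matching static route added on the existing gateway; the bridge variant is built under Interfaces > Assignments > Bridges. Either way the firewall rules still apply to the traffic crossing the box, which is the part the original poster wanted.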