Pfsense between 1st network switch and gateway



  • what is the best way to configure pfsense if i want to install it between an existing router and the first network switch on the network?  meaning, all WAN/LAN traffic from the network has to pass the pfsense before it leaves through the main router.

    at first i assume it would be as easy as

    network devices----->network switch------>pfsense LAN NIC-------->pfsense WAN NIC---------->gateway device LAN NIC

    however, the problem i see with that is a double NAT scenario.  is this the correct way to configure it (below)?

    network devices----->network switch------>pfsense LAN NIC1-------->pfsense LAN NIC2---------->gateway device LAN NIC

    i realize that i can avoid all of this by using the pfsense as the router, this is more for testing....

    thanks.


  • LAYER 8 Netgate

    You don't have to NAT through pfSense.  Turn it off in Firewall > NAT.



  • @Derelict:

    You don't have to NAT through pfSense.  Turn it off in Firewall > NAT.

    wow, completely forgot about that….

    can the WAN NIC and the LAN NIC of the pfsense box be on the same private class c subnet?

    existing router/firewall (non pfsense) is 192.168.1.1

    current pfsense box is only using the LAN NIC and is assigned 192.168.1.3 (so i can access on the LAN to view/modify settings) and the rest of the network is getting DHCP from the pfsense box...192.168.1.0/24 (dhcp is disabled on the primary, non pfsense, router/firewall).

    can i assign the WAN NIC of the pfsense box to 192.168.1.2, keep the LAN NIC at 192.168.1.3 and simply disable NAT on the pfsense box?  if that works, i will need to unplug the patch cable going from the existing router/firewall to my network because the pfsense will take over the traffic...


  • LAYER 8 Netgate

    @tomdlgns:

    wow, completely forgot about that….

    can the WAN NIC and the LAN NIC of the pfsense box be on the same private class c subnet?

    No.  Not while routing traffic.  What are you looking to do with it?

    existing router/firewall (non pfsense) is 192.168.1.1

    current pfsense box is only using the LAN NIC and is assigned 192.168.1.3 (so i can access on the LAN to view/modify settings) and the rest of the network is getting DHCP from the pfsense box…192.168.1.0/24 (dhcp is disabled on the primary, non pfsense, router/firewall).

    Surprised that's working for you at all.  Again, what are you trying to do?

    can i assign the WAN NIC of the pfsense box to 192.168.1.2, keep the LAN NIC at 192.168.1.3 and simply disable NAT on the pfsense box?  if that works, i will need to unplug the patch cable going from the existing router/firewall to my network because the pfsense will take over the traffic…

    That doesn't sound like something I'd try.



  • No.  Not while routing traffic.  What are you looking to do with it?

    i am trying to set up the pfsense to properly sit between the main firewall/network to grab all the traffic to use pfsense security services.

    Surprised that's working for you at all.  Again, what are you trying to do?

    why are you surprised that it's working?  i am not using the WAN NIC, this is the LAN NIC.  this isn't any different than having a dedicated DHCP server on the network.

    the network devices get an IP from the pfsense box at 192.168.1.3 and the pfsense dhcp server is handing out 192.168.1.1 as the gateway device.  all network computers/devices work fine.

    maybe i shouldn't have explained how i wanted to configure it, maybe all i should have asked was

    "how do i configure the pfsense box to sit between the main router/firewall and the first network switch?" and just left it at that.

    thanks.


  • LAYER 8 Netgate

    I am surprised it's working because of the diagrams you provided.

    Yes, if you're only plugged into LAN you are fine.

    No, you cannot put the same subnet on LAN and WAN.  You need to decide whether it's easier to change LAN or WAN.  If you're testing to replace the existing router, I'd just leave it double NAT or you won't be testing what you're going to be putting in production.



  • @Derelict:

    I am surprised it's working because of the diagrams you provided.

    Yes, if you're only plugged into LAN you are fine.

    No, you cannot put the same subnet on LAN and WAN.  You need to decide whether it's easier to change LAN or WAN.  If you're testing to replace the existing router, I'd just leave it double NAT or you won't be testing what you're going to be putting in production.

    the diagrams i posted were just ideas of how it should be set up.  that isn't how it is set up now.

    i should have been more clear, i am not testing to see if pfsense will work, i meant this was just a test setup to see if it could work, i wasn't planning on keeping it this way, but i could see someone wanting to set it up this way.

    maybe someone else can chime in and tell me if this is doable, again, i have to imagine that it is.

    thanks.



  • What you want is a transparent bridge.
    You can't route in the scenario you described. You would have to configure two different subnets.

    If PfSense can work as a transparent bridge, then you may be able to use some of the functions it offers.

    Cheers.
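
A small checker for the addressing plans discussed in this thread, added here as an example; it is not pfSense code and not from any poster. The InlinePlan fields and the routed/bridge rules are a simplification of what the replies above say: routed mode needs two distinct subnets and NAT off on pfSense to avoid double NAT, a transparent bridge keeps the one existing subnet with NAT off.

```python
# Added example (not pfSense's own code, not from any poster): sanity-check the
# addressing plans discussed in the thread with Python's ipaddress module.
from dataclasses import dataclass
from ipaddress import ip_address, ip_interface


@dataclass
class InlinePlan:
    """How pfSense is meant to sit between the first switch and the existing router."""
    mode: str                  # "routed" (two subnets) or "bridge" (transparent)
    wan: str                   # pfSense WAN-side address, e.g. "192.168.1.2/24"
    lan: str                   # pfSense LAN-side address, e.g. "192.168.1.3/24"
    upstream_gw: str           # existing router's LAN address, e.g. "192.168.1.1"
    pfsense_nat: bool          # outbound NAT left on in Firewall > NAT?
    upstream_nat: bool = True  # existing router still NATs toward the internet


def check_plan(plan: InlinePlan) -> list[str]:
    """Return the problems this plan would hit (empty list = nothing obvious)."""
    wan, lan = ip_interface(plan.wan), ip_interface(plan.lan)
    gw = ip_address(plan.upstream_gw)
    problems: list[str] = []
    if plan.mode == "routed":
        # A router needs a distinct network on each side to know where to forward.
        if wan.network.overlaps(lan.network):
            problems.append("WAN and LAN share a subnet: cannot route between them")
        if gw not in wan.network:
            problems.append("upstream gateway is not on the WAN subnet")
        # NAT on pfSense plus NAT on the existing router gives double NAT.
        if plan.pfsense_nat and plan.upstream_nat:
            problems.append("double NAT: disable outbound NAT on pfSense")
    elif plan.mode == "bridge":
        # Simplification: both addresses stand for the single bridged subnet
        # (in practice only a management address lives on the bridge).
        if wan.network != lan.network:
            problems.append("bridge members must sit in the same subnet")
        if gw not in lan.network:
            problems.append("upstream gateway is not on the bridged subnet")
        if plan.pfsense_nat:
            problems.append("NAT must be off on a transparent bridge")
    else:
        problems.append(f"unknown mode {plan.mode!r}")
    return problems
```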


  • LAYER 8 Netgate

    It was my understanding that OP wanted to replace the existing gateway with pfSense when it was verified working.

    If not, then yes, you want a transparent bridge.



  • @Derelict:

    It was my understanding that OP wanted to replace the existing gateway with pfSense when it was verified working.

    If not, then yes, you want a transparent bridge.

    yeah, that wasn't what i wanted.  however, your feedback is/was appreciated, thanks.



  • @Escorpiom:

    What you want is a transparent bridge.
    You can't route in the scenario you described. You would have to configure two different subnets.

    If PfSense can work as a transparent bridge, then you may be able to use some of the functions it offers.

    Cheers.

    ok, that makes sense.  i just wanted to make sure there wasn't an easier way of doing it.  thanks for the reply.

