Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    PfSense separate and distinct from the main router

    Scheduled Pinned Locked Moved General pfSense Questions
    11 Posts 4 Posters 1.7k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D Offline
      drexvil
      last edited by

      Hi all,

      I'd like to deploy pfsense in a home lab/live environment for my personal tinkering and use. My roommate works from home and internet is crucial, so I want to keep the current Linksys wireless router operational and separate from pfsense.

      I plan to virtualize pfsense in a VM box (with other VMs, Windows Server domain controller, file server, etc). If there's an internet issue while I'm away, I want my roommate to be able to restart the Linksys easily, no need to touch/reboot my VM box. I don't want to double NAT or have pfsense be affected by the wireless router at all.

      POSSIBLE SOLUTIONS:

      1. Put the VM box with pfsense behind the Linksys' DMZ. In this scenario would pfsense be 100% unaffected by the Linksys?

      2. Put the Linksys behind the pfsense using DMZ, but this may disrupt his connection upon my many reboots when tinkering pfsense.

      3. Separately connect both the VM box and Linksys directly to the cable modem via a switch. I may need to pay monthly for multiple public IPs, rather not pay $.

      Any suggestions or comments?

      1 Reply Last reply Reply Quote 0
      • KOMK Offline
        KOM
        last edited by

        Why would playing with pfSense in a DMZ cause you to frequently reboot your main router?

        1 Reply Last reply Reply Quote 0
        • D Offline
          drexvil
          last edited by

          Are you referring to solution #2? Because I love to tinker, and may need to reboot pfsense a lot (or revert to a snapshot in the VM b/c I screwed up settings). If pfsense is off or not functional then won't the Linksys connected to it (via DMZ) also not work?

          @KOM:

          Why would playing with pfSense in a DMZ cause you to frequently reboot your main router?

          1 Reply Last reply Reply Quote 0
          • DerelictD Offline
            Derelict LAYER 8 Netgate
            last edited by

            In order of preference I would go 3, 1, 2.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            1 Reply Last reply Reply Quote 0
            • KOMK Offline
              KOM
              last edited by

              If pfsense is off or not functional then won't the Linksys connected to it (via DMZ) also not work?

              Sorry, I meant if you had settled on #1.

              1 Reply Last reply Reply Quote 0
              • D Offline
                drexvil
                last edited by

                Thanks, I'll look into putting pfsense on DMZ. Any downsides to this approach you can think of?

                @KOM:

                If pfsense is off or not functional then won't the Linksys connected to it (via DMZ) also not work?

                Sorry, I meant if you had settled on #1.

                1 Reply Last reply Reply Quote 0
                • D Offline
                  drexvil
                  last edited by

                  Upon further reading, I don't think my ISP (Time Warner non-business account in NYC) would give static or multiple IPs. Oh well.

                  @Derelict:

                  In order of preference I would go 3, 1, 2.

                  1 Reply Last reply Reply Quote 0
                  • KOMK Offline
                    KOM
                    last edited by

                    Then I guess you're stuck with a double NAT.

                    1 Reply Last reply Reply Quote 0
                    • DerelictD Offline
                      Derelict LAYER 8 Netgate
                      last edited by

                      At least with a "DMZ" you shouldn't have to put port forwards in the upstream router.  Keep in mind that any port forwards on the upstream won't make it to pfSense.

                      Chattanooga, Tennessee, USA
                      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                      Do Not Chat For Help! NO_WAN_EGRESS(TM)

                      1 Reply Last reply Reply Quote 0
                      • D Offline
                        drexvil
                        last edited by

                        Since I'm reading that pfsense on a VM as the main firewall may be a security risk, I'm thinking just buy/build a cheap pfsense box so he can restart it to his heart's delight while I'm not home.

                        1 Reply Last reply Reply Quote 0
                        • D Offline
                          divsys
                          last edited by

                          I'm thinking just buy/build a cheap pfsense box so he can restart it to his heart's delight while I'm not home.

                          Probably the best solution suggested so far.
                          You might even find with a properly configured pfSense box as your main router, you're not restarting the router all the time to get your internet back.
                          At minimum you should be able to figure out why you need to restart ( and maybe solve it….)

                          -jfp

                          1 Reply Last reply Reply Quote 0
                          • First post
                            Last post
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.