Are two firewalls ok or can it cause a conflict?

hpspar05 · April 16, 2019, 8:26pm

Here’s the configuration:

Xfinity Internet → Firewall 1 Protectli → Firewall 2 USG → UniFi Switch → UniFi AP

paolo · April 16, 2019, 9:19pm

I’d say that it is a pretty broad question, so the answer is equally as broad: This setup can absolutely cause trouble, but it doesn’t necessarily have to.

Maybe elaborate a bit on what it is you are trying to achieve and why you would want to have 2 firewalls.

hpspar05 · April 17, 2019, 12:09am

You didn’t elaborate on what issues or problems will come from a setup with those two specific firewalls.

g-aitc · April 17, 2019, 9:29am

Have a similar setup sans the Unifi pf-sense on old desktop no wifi, subnet no problems. If you place the the USG as a subnet you shouldn’t have a problem. It all hinges on how you setup pf-sense.

mouseskowitz · April 17, 2019, 10:29am

There are specific things that generally break when double nat’d, the specific thing that comes to mind is IPSEC VPN. I’m sure there are other things that have issues as well.

brwainer · April 17, 2019, 1:41pm

UPnP from the consoles won’t succeed, they will be able to set up the QoS router but the UPnP packets won’t reach the modem/router unit. And if you want to port forward to the consoles you’ll have to do it on both routers (modem/router forwards to QoS Router, QoS Router forwards to console).

I would prefer to try to put the modem/router unit into bridge mode, which makes it act as just a modem, and use the QoS Router as my only NAT layer.

hpspar05 · April 17, 2019, 1:56pm

Thanks, I want to use the Netgate for all the heavy lifting of IDS/IPS Snort pfBlocker, and use the USG for VLAN’s etc.

brwainer · April 17, 2019, 2:21pm

Sorry, my answer was confusing you with someone else who had asked a similar question but for a different reason.
I really don’t see a reason to use the USG in that scenario, but there isn’t any inherent conflicting. But what I wrote in my prior answer still applies due to the double NAT

hpspar05 · April 17, 2019, 2:55pm

The reason why I want to use the USG is that I’m having an anomaly in the UniFi controller dashboard where the controller software is displaying different and changing, from time to time, IP, VLAN, and Network address for my firewall 192.168. UniFi is working on the issue but haven’t solved it yet. Plus I like the Bells and Whistles look and DPI of the UniFi and dashboard.

Arron · April 21, 2019, 3:41pm

I’ve found the USG under powered if you 1) have Gigabit internet from Xfinity and 2) use it for anything other than basic firewall and routing. I had a Protectli (no AES-NI) and found it can do everything at full gigabit internet\intranet speeds with the exception of Suricata and VPN traffic. I upgraded my Protectli to a used Dell R210ii with AES-NI and now I can literally enable everything in pfSense and have no issues at gigabit intranet/internet speeds. VPN is still limited but that is with all VPN traffic at this time. Compared to my Protectli using PIA VPN I was getting about 75mpbs down and with the Dell R210ii I get about 250mbps.

My recommendation is to ditch the USG unless you want that dumb screen to show your all GREEN on Unifi and just use pfSense to do everything you need, including VLANs.

hpspar05 · April 21, 2019, 4:30pm

Just removed the USG and connected back my Protectli thanks for your information.