Are two firewalls ok or can it cause a conflict?

Here’s the configuration:

Xfinity Internet → Firewall 1 Protectli → Firewall 2 USG → UniFi Switch → UniFi AP

I’d say that it is a pretty broad question, so the answer is equally as broad: This setup can absolutely cause trouble, but it doesn’t necessarily have to.

Maybe elaborate a bit on what it is you are trying to achieve and why you would want to have 2 firewalls.

You didn’t elaborate on what issues or problems will come from a setup with those two specific firewalls.

Have a similar setup sans the UniFi: pfSense on an old desktop, no wifi, subnet, no problems. If you place the USG as a subnet you shouldn’t have a problem. It all hinges on how you set up pfSense.

There are specific things that generally break when double NAT’d; the specific thing that comes to mind is IPsec VPN. I’m sure there are other things that have issues as well.

UPnP from the consoles won’t succeed: they will be able to set up the QoS router, but the UPnP packets won’t reach the modem/router unit. And if you want to port forward to the consoles you’ll have to do it on both routers (modem/router forwards to QoS router, QoS router forwards to console).

I would prefer to try to put the modem/router unit into bridge mode, which makes it act as just a modem, and use the QoS Router as my only NAT layer.
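To make the two points above concrete (how to tell that a host sits behind two NAT layers, and why an inbound port forward has to be configured on both routers), here is an added example that is not part of the thread; the traceroute text, addresses and forward tables are constructed, with 203.0.113.x standing in for public addresses.

```python
import ipaddress
import re

# Constructed traceroute output from a host on the UniFi LAN. Two RFC1918 hops
# before the first public address: the USG (192.168.1.1) and the Protectli
# (10.0.0.1) each translate the traffic on its way out.
SAMPLE_TRACEROUTE = """\
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  0.412 ms  0.350 ms  0.331 ms
 2  10.0.0.1 (10.0.0.1)  1.021 ms  0.998 ms  0.976 ms
 3  203.0.113.1 (203.0.113.1)  9.873 ms  9.801 ms  9.765 ms
 4  * * *
 5  1.1.1.1 (1.1.1.1)  12.113 ms  12.050 ms  11.998 ms
"""
# Address space only ever seen behind a NAT: RFC1918 plus CGNAT (RFC6598).
NAT_SPACE = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]
HOP_RE = re.compile(r"^\s*\d+\s+\S+\s+\((\d+\.\d+\.\d+\.\d+)\)")

def parse_hops(text):
    """Hop addresses in order; unanswered hops (* * *) are skipped."""
    return [ipaddress.ip_address(m.group(1))
            for m in map(HOP_RE.match, text.splitlines()) if m]

def count_nat_layers(hops):
    """Leading NAT-space hops before the first public one. Each is a router that
    must translate before the packet can leave; 2 or more means double NAT."""
    layers = 0
    for ip in hops:
        if not any(ip in net for net in NAT_SPACE):
            break
        layers += 1
    return layers

# Constructed inbound port-forward tables, outermost NAT layer first:
# (this router's WAN address, {inbound port: (destination host, destination port)}).
FORWARD_CHAIN = [
    ("203.0.113.7", {3074: ("10.0.0.2", 3074)}),    # Protectli -> USG WAN
    ("10.0.0.2", {3074: ("192.168.1.50", 3074)}),   # USG -> console on the LAN
]

def resolve_forward(chain, public_port):
    """Follow an inbound port through every layer. Returns the final (host, port),
    or None if a layer has no rule or a rule does not land on the next layer's WAN."""
    port, target = public_port, None
    for i, (wan_ip, rules) in enumerate(chain):
        if (i and target != wan_ip) or port not in rules:
            return None
        target, port = rules[port]
    return target, port
```

Dropping either router's rule, or pointing the outer rule at anything other than the inner router's WAN address, makes `resolve_forward` return None, which is exactly the silent failure a console or IPsec peer sees behind double NAT.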

Thanks, I want to use the Netgate for all the heavy lifting of IDS/IPS Snort pfBlocker, and use the USG for VLAN’s etc.

Sorry, my answer was confusing you with someone else who had asked a similar question but for a different reason.
I really don’t see a reason to use the USG in that scenario, but there isn’t any inherent conflict. But what I wrote in my prior answer still applies due to the double NAT.

The reason why I want to use the USG is that I’m having an anomaly in the UniFi controller dashboard where the controller software is displaying different and changing, from time to time, IP, VLAN, and network address for my firewall 192.168. UniFi is working on the issue but hasn’t solved it yet. Plus I like the bells and whistles look and DPI of the UniFi and dashboard.

I’ve found the USG underpowered if you 1) have Gigabit internet from Xfinity and 2) use it for anything other than basic firewall and routing. I had a Protectli (no AES-NI) and found it can do everything at full gigabit internet/intranet speeds with the exception of Suricata and VPN traffic. I upgraded my Protectli to a used Dell R210ii with AES-NI and now I can literally enable everything in pfSense and have no issues at gigabit intranet/internet speeds. VPN is still limited, but that is with all VPN traffic at this time. Compared to my Protectli using PIA VPN, I was getting about 75 Mbps down, and with the Dell R210ii I get about 250 Mbps.

My recommendation is to ditch the USG unless you want that dumb screen to show you all GREEN on UniFi, and just use pfSense to do everything you need, including VLANs.

Just removed the USG and connected my Protectli back; thanks for your information.