Internal and External pfSense Firewalls

Hello, sorry for a lengthy read.

I’ve come to rely on my pfSense setup and realized if it went down, I can’t just slap something in place and be up, so I bought a 2nd one as a backup. Instead of just having it sit here I would like to learn from it knowing I have a known good backup for a single router situation ready to throw on it if needed.

I want to have an internal and external pfSense setup to learn from as well as add another layer. Here’s the general idea.

ISP <-> Modem <-> (WAN) EXT FW (LAN) <-> (WAN) INT FW (LAN) <-> Core Switch > Etc.

I’m planning on putting Outbound NAT on the EXT FW and disabling it on the INT FW, but assume I will need static routes and rules along the way somewhere, and that’s what’s stalled me. I feel like this should be a simple thing to do but I am either overthinking it or underthinking it. Hoping to be able to make changes within a few hours and have things back to working.

Just looking for some feedback or suggestions. Both appliances will have 2 OPT ports I will be using for other things, but for now I want to make sure I am not missing something to be able to get the current devices I have back online with minimal disruption.

Any thoughts or comments are appreciated.

You can just “Double NAT” them.

ISP <-> Modem <-> (WAN) First pfsense (LAN) <-> (WAN) Second pfsense (LAN) <-> Switch > Etc.

For this to work the LAN range on pfSense one has to be different than the LAN range on pfSense two. For example, if the LAN on both is 192.168.1.0/24 it will not work.

Is it possible to setup PfSense Boxes in HA?

I don’t think I’d be able to do HA. My ISP only provides me with a single lease, and there are nodes on that WAN subnet that I randomly find online. So hooking a switch up with static IPs might break things.

I am avoiding double NAT because I only need to NAT for my traffic past the external firewall to my public IP. That’s where my snag is.

I’m planning on giving this a go this weekend and will post some results on how it goes.

You have a couple of options

10.0.0.0/24 Transport Network.
10.0.1.0/24 Internal LAN.

FW1 LAN - 10.0.0.1/24
FW2 WAN 10.0.0.2/24
FW2 LAN 10.0.1.0/24

create a static route on FW1 sending 10.0.1.0/24 to 10.0.0.2
on FW2 set 10.0.0.1 as your default route.
on FW2 disable NAT for 10.0.1.0/24 - so it will route the network to FW1 instead of NAT
on FW1 create a NAT for 10.0.2.0/24 for the WAN
on FW2 create a WAN rule to allow traffic as desired from FW1
on FW1 create a LAN rule to allow traffic from 10.0.1.0/24

This will give you a Single NAT through both firewalls, and allow you to create a DMZ between them.

However this will not solve your concern of if FW1 goes down.
To do that with a single ISP interface you need to use a switch between the modem and the firewalls and go HA. However, with pfSense that will require 3 public IP addresses: one for each firewall plus the VIP. The alternative would be to use FW2 as a warm spare: leave the WAN disconnected, export the config from FW1 and import it into FW2, making sure to repeat this any time you make a change on FW1.
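A small consistency check for the single-NAT layout described in this reply, added here as an example and not part of the thread: it uses Python's ipaddress module to verify the transport/internal addressing, the return route on FW1, FW2's default gateway and where outbound NAT is enabled. The Plan field names are my own, not pfSense settings.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Plan:
    fw1_lan: str             # FW1 LAN address on the transport net, e.g. 10.0.0.1/24
    fw2_wan: str             # FW2 WAN address on the transport net, e.g. 10.0.0.2/24
    internal_lan: str        # network behind FW2, e.g. 10.0.1.0/24
    fw1_static_routes: dict  # FW1: destination network -> next-hop address
    fw2_default_gw: str      # FW2's default gateway address
    fw1_nat_sources: list    # source networks FW1 translates on its WAN
    fw2_nat_enabled: bool    # outbound NAT left on at FW2 -> double NAT

def check_plan(p: Plan) -> list:
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    fw1_lan = ipaddress.ip_interface(p.fw1_lan)
    fw2_wan = ipaddress.ip_interface(p.fw2_wan)
    transport = fw1_lan.network
    internal = ipaddress.ip_network(p.internal_lan)
    # Transport net and internal LAN must not overlap (same reason identical
    # subnets on both sides of a double NAT will not route).
    if transport.overlaps(internal):
        problems.append(f"internal LAN {internal} overlaps transport {transport}")
    # FW2's WAN must actually sit on FW1's LAN segment.
    if fw2_wan.network != transport:
        problems.append(f"FW2 WAN {fw2_wan} is not on transport {transport}")
    # FW1 needs a return route for the internal LAN via FW2's WAN address;
    # without it replies coming back from the Internet die at FW1.
    routes = {ipaddress.ip_network(k): ipaddress.ip_address(v)
              for k, v in p.fw1_static_routes.items()}
    if internal not in routes:
        problems.append(f"FW1 has no static route for {internal}")
    elif routes[internal] != fw2_wan.ip:
        problems.append(f"FW1 route for {internal} points at {routes[internal]}, "
                        f"expected {fw2_wan.ip}")
    # FW2 must send everything else to FW1.
    if ipaddress.ip_address(p.fw2_default_gw) != fw1_lan.ip:
        problems.append(f"FW2 default gateway should be {fw1_lan.ip}")
    # Single NAT: translate only at FW1, and FW1's NAT must cover the internal LAN.
    if p.fw2_nat_enabled:
        problems.append("outbound NAT still enabled on FW2 (double NAT)")
    if not any(internal.subnet_of(ipaddress.ip_network(s)) for s in p.fw1_nat_sources):
        problems.append(f"FW1 outbound NAT does not cover {internal}")
    return problems

if __name__ == "__main__":
    plan = Plan("10.0.0.1/24", "10.0.0.2/24", "10.0.1.0/24",
                {"10.0.1.0/24": "10.0.0.2"}, "10.0.0.1", ["10.0.1.0/24"], False)
    print(check_plan(plan) or "plan is consistent")
```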


I finally had time to get this done. I upgraded to pfSense 2.5 which broke stuff, so I blew out all configs I had and started from scratch.

In the end I created an address of 192.168.0.1 on the external firewall, and 192.168.0.2 on the internal firewall. The static routes mentioned above were what was needed. I have a diagram and screenshots of the pfSense dashboards, if anyone is interested.

The external firewall handles all NAT, VPN clients, and VPN servers. The internal firewall handles all of the internal VLAN traffic.

Thank you for your input! I went with most of this advice. In regards to consideration of a single FW failing, I’m just going to buy another one and have configs ready to drop in the event of any failures. I’m super happy with the setup, wasn’t so happy when getting it all put together lol.