Route certain VLAN traffic out through separate IDS/IPS and back again

In my web searches, I see various articles and videos that cover something somewhat similar to what I’m about to ask, but I’m not quite sure and wanted to ask the expertise here.

I’m running pfSense and was interested in routing specific VLANs through a separate IDS/IPS system, in this case a Firewalla Gold, which has some interesting functionality I’d like to experiment with. But what I’d like is to have that traffic routed out one pfSense interface, then back in a second one, then out to the internet like the rest of the network.

The Firewalla can actually be configured in a few different modes. I think it can be in a true router mode, which presumably would give me a multi-NAT situation (which could work fine), but also some transparent modes where traffic flows through and can be blocked, and maybe an observation-only mode where it’s strictly promiscuous.

I wouldn’t mind testing the various configs, but I’m just curious about the right way to set up the basics in pfSense, namely sending specific VLANs out to it but allowing the traffic to come back in again, then out to the WAN.

Let me know if my ask makes sense; perhaps I need to provide a diagram?

This seems way harder than doing something simple like putting the Firewalla behind the pfSense and putting devices behind the Firewalla, making it just a simple double-NAT setup. That is how we do all of our firewall testing.

🙂 I think part of the motivation is to see if it could actually be done. But the other thing is that all my devices pretty much connect via a UniFi PoE switch, which then uplinks into the pfSense, and I think I’d need some kind of routing at the switch to get specific VLANs to exit the switch into the Firewalla, no?

Perhaps I need a second uplink from the switch to the Firewalla and somehow use a gateway IP that directs the traffic that way?