Using pfSense as internal firewall instead of L3 switch

As the title states, I am looking to implement pfSense as an internal firewall instead of using a Layer 3 Cisco switch with ACLs. The pfSense box will also serve as the DHCP server. The perimeter firewall is not a pfSense unit, but that should not matter; it's handling the IDS and proxying. Really the only thing the internal firewall would be doing is giving more granular control over what is allowed between internal networks and more visibility into what is going on internally. I do not want to use the perimeter firewall to handle this, as with the internet traffic, VPNs and whatnot I think it would be too much load on it.

Any reason this would not work? Any advice?

I cannot think of a reason why this wouldn’t work.

Depending on your requirements, it might make certain routing scenarios more involved to configure. E.g., unless your perimeter firewall is transparent, you would have to route public IPv4 addresses to the internal firewall to avoid double NAT. If you have deployed IPv6 (which you absolutely should have), you’ll need to route prefixes to the internal firewall as well.

My understanding is that there are two concerns, basically:

  • performance of the box pfSense is deployed on
  • network throughput to the pfSense box

I'm overbuilding my home network, so I decided to use an older PC to host pfSense. It will have a 2.5G NIC towards the Internet and two 10Gb NICs to the internal network.

Now trying to figure out which way to go for switches and access points - Unifi vs Omada.

The biggest compromise you will likely deal with is reduced throughput. If you have 1Gb switch ports, ideally you would want a setup with 2.5Gb or 10Gb uplinks to your internal firewall. Also, that firewall will be routing in software, where the L3 switch leverages hardware via an ASIC.

It would be easy enough to set up a test environment on your existing switch to see if this config makes sense. I would set up your firewall to terminate to the switch with a trunk link, then configure two test VLANs and have your test devices terminate to those on the switch. You can run a throughput test using iPerf and see the differences in performance.
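A small helper for the iPerf comparison suggested above, added here as an example and not part of the thread: it reads two `iperf3 -J` (JSON) results, one measured with the L3 switch routing between the two test VLANs and one with the pfSense trunk in the path, and reports how much throughput the firewall path loses relative to the switch and to the uplink rate. The JSON samples are constructed for illustration, not real measurements.

```python
import json

# Constructed iperf3 -J output, trimmed to the fields used below.
# These numbers are made up; run real tests between your two test VLANs.
SAMPLE_L3_SWITCH = json.dumps({"end": {
    "sum_sent": {"bits_per_second": 9.4e9, "retransmits": 0},
    "sum_received": {"bits_per_second": 9.4e9}}})
SAMPLE_PFSENSE = json.dumps({"end": {
    "sum_sent": {"bits_per_second": 2.35e9, "retransmits": 310},
    "sum_received": {"bits_per_second": 2.35e9}}})


def parse_iperf3_json(text):
    """Return receiver throughput in Gbit/s and sender TCP retransmits
    from an iperf3 -J result (end.sum_received / end.sum_sent)."""
    end = json.loads(text)["end"]
    return {
        "gbit_s": end["sum_received"]["bits_per_second"] / 1e9,
        "retransmits": end["sum_sent"].get("retransmits", 0),
    }


def compare_paths(baseline_json, candidate_json, link_gbit_s=10.0):
    """Compare the pfSense-routed path against the L3-switch baseline.
    ratio < 0.5 is flagged as a bottleneck; link_util shows how much of
    the uplink rate the firewall path actually delivers."""
    base = parse_iperf3_json(baseline_json)
    cand = parse_iperf3_json(candidate_json)
    ratio = cand["gbit_s"] / base["gbit_s"] if base["gbit_s"] else 0.0
    return {
        "baseline_gbit_s": base["gbit_s"],
        "candidate_gbit_s": cand["gbit_s"],
        "ratio": round(ratio, 4),
        "link_util": round(cand["gbit_s"] / link_gbit_s, 4),
        "retransmits": cand["retransmits"],
        "bottleneck": ratio < 0.5,
    }


if __name__ == "__main__":
    # Replace the samples with: iperf3 -c <server> -J > result.json
    print(compare_paths(SAMPLE_L3_SWITCH, SAMPLE_PFSENSE))
```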

The way I understand the proposed setup is not that the firewall will be used in place of a switch, but specifically in place of a L3 switch which would handle routing between internal networks. That means that layer 2 traffic within each network is still going through a switch. There will not be any bridged ports in pfSense, which would indeed not be my recommendation either.

That is precisely how I would be using it. I want to replace an old 3560x with a Netgate device and use firewall rules between our different networks instead of ACLs. My switches are all linked together via 10Gb fiber and that is how I would be linking from pfSense to switches as well.

But reading your comment again, in case there is a lot of traffic between networks the firewall would indeed be a bottleneck compared to a L3 switch.

Even if you are using 10Gb uplinks, the processing within the firewall will likely have a throughput of less than 1Gbit, but the only way to know is to test. I don’t think it’ll be as fast as your L3 switch though.