Fortinet Forum
Gistron
New Contributor

Fortigate behind Pfsense

Hi,

I have a 40F and want to use it for web security. At the moment I use a pfSense firewall with 2 internet connections and a 4G backup. Because I don't want to configure everything anew at this time (home offices, second branch connected via Wi-Fi, VLANs etc...), I only want to secure the traffic to our terminal server, as everybody uses this server for web browsing.

TerminalServer is 192.168.100.2

PfSense is 192.168.100.169.

I set the LAN address of the FG to 192.168.100.168, set a route 0.0.0.0 to pfSense (192.168.100.169) and changed the gateway on the server to .168. This works for outgoing traffic, but not for incoming traffic. I also created a default route on the pfSense for 192.168.100.2 -> 192.168.100.168, but this did not help.

I think segmenting the subnet would be an option, but .1 is taken and cannot be changed; also, changing the address of the TS would be a lot of work.

 

Can anybody tell me if it is possible what I want to do and how? I know this is not best practice and I should replace pfSense with FG and that is what I want to do in the long term, but for now I don't have the time to configure everything.

 

1 Solution
Toshi_Esumi
Esteemed Contributor II

I don't know about pfSense, but at least any FGT wouldn't like the asymmetric routing. For out-to-in sessions, the pfSense would directly pass packets to 192.168.100.x because it's locally connected, but the return packets come to the FGT because it's the GW. The FGT would drop them because it didn't see the original/initiating incoming packets. In other words, this is NOT "FGT behind pfSense". You have to make it really behind by putting the FGT in-line between the pfSense and all other devices. That means you need to set up a new subnet, like a /30, between them, and only the FGT has the 192.168.100.x subnet.

 

Toshi

 

View solution in original post
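The drop Toshi describes is a consequence of stateful session tracking meeting asymmetric paths. The following is an added model, not code from the thread or from Fortinet: it builds the poster's topology (FortiGate and pfSense on the same 192.168.100.0/24, terminal server gateway set to .168) and the suggested in-line one (a constructed 10.0.0.0/30 transit link, only the FortiGate on the LAN subnet), then traces an inbound SYN and its reply through each. The Internet host 203.0.113.10 and the node names are constructed; NAT is left out, and, as in Toshi's description, a router delivers to a directly connected network before consulting static routes.

```python
"""Stateful-firewall model for the 'FortiGate on the same subnet as pfSense'
problem.  Added example, not from the thread.  Addresses in 203.0.113.0/24
and 10.0.0.0/30 are constructed; no NAT is modelled."""
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Node:
    name: str
    addrs: list[str]                                    # "ip/prefix" per interface
    routes: dict[str, str] = field(default_factory=dict)  # prefix -> next-hop IP
    stateful: bool = False                              # FortiGate-style session table
    sessions: set[tuple[str, str]] = field(default_factory=set)

    def owns(self, ip: str) -> bool:
        return any(a.split("/")[0] == ip for a in self.addrs)

    def next_hop(self, dst: str) -> str | None:
        d = ip_address(dst)
        # Directly connected networks win: this is why pfSense hands packets
        # for 192.168.100.x straight to the host instead of to the FortiGate.
        for a in self.addrs:
            if d in ip_network(a, strict=False):
                return dst
        best = None                                     # longest-prefix static route
        for prefix, nh in self.routes.items():
            net = ip_network(prefix)
            if d in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, nh)
        return best[1] if best else None

    def allows(self, src: str, dst: str, syn: bool) -> bool:
        """A stateful node forwards a SYN and remembers both directions;
        any other packet must belong to a session it has already seen."""
        if not self.stateful:
            return True
        if syn:
            self.sessions.update({(src, dst), (dst, src)})
            return True
        return (src, dst) in self.sessions


class Topology:
    def __init__(self, nodes: list[Node]):
        self.nodes = nodes

    def owner(self, ip: str) -> Node | None:
        return next((n for n in self.nodes if n.owns(ip)), None)

    def send(self, src: str, dst: str, syn: bool) -> tuple[str, list[str]]:
        """Forward one packet hop by hop; returns (verdict, path of node names)."""
        node = self.owner(src)
        path = [node.name]
        for _ in range(8):                              # hop limit
            if node.owns(dst):
                return "delivered", path
            if not node.allows(src, dst, syn):
                return f"dropped by {node.name} (no session)", path
            nh = node.next_hop(dst)
            node = self.owner(nh) if nh else None
            if node is None:
                return f"no route at {path[-1]}", path
            path.append(node.name)
        return "hop limit exceeded", path


INET, TS = "203.0.113.10", "192.168.100.2"


def poster_topology() -> Topology:
    """FortiGate (.168) and pfSense (.169) both on 192.168.100.0/24."""
    return Topology([
        Node("inet", ["203.0.113.10/24"], {"0.0.0.0/0": "203.0.113.1"}),
        Node("pfsense", ["203.0.113.1/24", "192.168.100.169/24"]),
        Node("fgt", ["192.168.100.168/24"], {"0.0.0.0/0": "192.168.100.169"}, stateful=True),
        Node("ts", ["192.168.100.2/24"], {"0.0.0.0/0": "192.168.100.168"}),
    ])


def inline_topology() -> Topology:
    """Suggested fix: a /30 transit between pfSense and FortiGate, and only
    the FortiGate holds an address on 192.168.100.0/24."""
    return Topology([
        Node("inet", ["203.0.113.10/24"], {"0.0.0.0/0": "203.0.113.1"}),
        Node("pfsense", ["203.0.113.1/24", "10.0.0.1/30"], {"192.168.100.0/24": "10.0.0.2"}),
        Node("fgt", ["10.0.0.2/30", "192.168.100.168/24"], {"0.0.0.0/0": "10.0.0.1"}, stateful=True),
        Node("ts", ["192.168.100.2/24"], {"0.0.0.0/0": "192.168.100.168"}),
    ])


def run_session(topo: Topology, client: str, server: str):
    """SYN from client to server, then the server's reply.
    Returns (syn verdict, reply verdict, reply path)."""
    first, _ = topo.send(client, server, syn=True)
    reply, path = topo.send(server, client, syn=False)
    return first, reply, path


if __name__ == "__main__":
    for label, topo in (("same subnet", poster_topology()), ("in-line", inline_topology())):
        print(label, "inbound:", run_session(topo, INET, TS))
        print(label, "outbound:", run_session(topo, TS, INET))
```

In the same-subnet model the inbound SYN reaches the terminal server via pfSense alone and the reply arrives at the FortiGate with no matching session, so it is dropped; in the in-line model both directions cross the FortiGate and the reply matches. The outbound case also shows why "outgoing works" is not the same as "outgoing is inspected": without NAT, the reply from the Internet goes pfSense to server directly and never passes the FortiGate, so only source NAT on the FortiGate or the in-line design puts return traffic under its policies.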


Gistron

You are right. It is not FG behind pfSense but FG in the same subnet as pfSense. I hoped there would be something to trick them into doing what I want. I will rethink my approach and create a new subnet or drop pfSense completely.