Using pfSense as a Server Only

December 7th, 2007 by Chris Buechler

In this forum post, “rklopoto” describes how he runs pfSense WAN-less, purely as a DHCP server, in an environment that already has a firewall. We didn’t think this was possible; it’s interesting what users run into!  :)

Using pfSense as what is essentially a DHCP server appliance isn’t the ideal solution, but it works. And he has a good reason for doing so: a single, consistent interface to train administrators on.

You do need two interfaces in the box, though you can leave the WAN unplugged. Assign your LAN IP as usual, and use the WAN gateway as the default gateway: on the WAN page, just put in a fake, made-up IP on a subnet different from the LAN.
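The setup above has a few things that must line up for the box to behave: the made-up WAN address has to sit on a subnet that is disjoint from the LAN (and from anything the real network uses), the gateway you enter has to be inside that made-up subnet, and the DHCP scope has to live inside the LAN subnet while handing clients the existing firewall, not this box, as their gateway. The script below is an added example, not pfSense code and not from the forum poster; it reads a constructed fragment laid out like pfSense’s config.xml (the element names `interfaces/wan/lan/ipaddr/subnet/gateway` and `dhcpd/lan/range/from/to` are an assumption) together with a constructed list of subnets already in use on the site, and reports anything inconsistent before you commit the configuration.

```python
"""Sanity-check a WAN-less "DHCP server only" pfSense plan (added example, not pfSense code)."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample; the element layout mirrors pfSense's config.xml as an assumption.
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <wan>
      <enable/>
      <if>em0</if>
      <ipaddr>10.255.255.2</ipaddr>
      <subnet>30</subnet>
      <gateway>10.255.255.1</gateway>
    </wan>
    <lan>
      <enable/>
      <if>em1</if>
      <ipaddr>192.168.1.2</ipaddr>
      <subnet>24</subnet>
    </lan>
  </interfaces>
  <dhcpd>
    <lan>
      <enable/>
      <range><from>192.168.1.100</from><to>192.168.1.199</to></range>
      <gateway>192.168.1.1</gateway>
    </lan>
  </dhcpd>
</pfsense>
"""

# Constructed: subnets already in use on the site behind the real firewall.
SITE_SUBNETS = ["192.168.1.0/24", "192.168.2.0/24", "10.0.0.0/16"]


def _interface(root, name):
    """Return (IPv4Interface, gateway address or None) for <interfaces>/<name>."""
    node = root.find(f"interfaces/{name}")
    iface = ipaddress.ip_interface(f"{node.findtext('ipaddr')}/{node.findtext('subnet')}")
    gw = node.findtext("gateway")
    return iface, (ipaddress.ip_address(gw) if gw else None)


def parse_plan(xml_text):
    """Pull the addresses the checks need out of the config fragment."""
    root = ET.fromstring(xml_text)
    wan, wan_gw = _interface(root, "wan")
    lan, _ = _interface(root, "lan")
    plan = {"wan": wan, "wan_gw": wan_gw, "lan": lan,
            "dhcp_enabled": False, "dhcp_from": None, "dhcp_to": None, "dhcp_gw": None}
    dhcp = root.find("dhcpd/lan")
    if dhcp is not None:
        # <enable/> is an empty element; test for presence, never for truthiness.
        plan["dhcp_enabled"] = dhcp.find("enable") is not None
        plan["dhcp_from"] = ipaddress.ip_address(dhcp.findtext("range/from"))
        plan["dhcp_to"] = ipaddress.ip_address(dhcp.findtext("range/to"))
        gw = dhcp.findtext("gateway")
        plan["dhcp_gw"] = ipaddress.ip_address(gw) if gw else None
    return plan


def check_plan(plan, site_subnets):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    wan_net, lan_net = plan["wan"].network, plan["lan"].network

    # The made-up WAN subnet must not collide with the LAN or with anything real.
    if wan_net.overlaps(lan_net):
        problems.append(f"fake WAN {wan_net} overlaps LAN {lan_net}")
    for net in map(ipaddress.ip_network, site_subnets):
        if net != lan_net and wan_net.overlaps(net):
            problems.append(f"fake WAN {wan_net} collides with site subnet {net}")

    # The default gateway entered on the WAN page must live inside that fake subnet.
    if plan["wan_gw"] is None:
        problems.append("no gateway set on WAN")
    elif plan["wan_gw"] not in wan_net:
        problems.append(f"WAN gateway {plan['wan_gw']} is outside {wan_net}")

    # The only job of this box is DHCP on the LAN, so that scope must be sane.
    if not plan["dhcp_enabled"]:
        problems.append("DHCP server is not enabled on LAN")
    else:
        lo, hi, lan_ip = plan["dhcp_from"], plan["dhcp_to"], plan["lan"].ip
        if lo > hi:
            problems.append(f"DHCP range {lo}-{hi} is reversed")
        if lo not in lan_net or hi not in lan_net:
            problems.append(f"DHCP range {lo}-{hi} is not inside LAN {lan_net}")
        elif lo <= lan_ip <= hi:
            problems.append(f"DHCP range {lo}-{hi} includes this box's LAN IP {lan_ip}")
        # There is no real WAN here, so clients must get the existing firewall as gateway.
        gw = plan["dhcp_gw"]
        if gw is None or gw == lan_ip:
            problems.append("DHCP gateway option must point at the existing firewall, not this box")
        elif gw not in lan_net:
            problems.append(f"DHCP gateway {gw} is outside LAN {lan_net}")
    return problems


if __name__ == "__main__":
    for line in check_plan(parse_plan(SAMPLE_CONFIG), SITE_SUBNETS) or ["plan looks consistent"]:
        print(line)
```

Run it against the sample and it reports a consistent plan; move the fake WAN onto 192.168.1.0/24 or leave the DHCP gateway option pointing at the pfSense LAN address and it names the problem. The last check matters most in this scenario: pfSense would otherwise hand out its own LAN IP as the clients’ gateway, and that box has no working WAN behind it.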

You can probably use a lot of different services in this fashion. Post a comment here, or on the forum or mailing list, if you’ve done something like this.

16 Responses to “Using pfSense as a Server Only”

  1. The Dave Says:

    Do you even need a second physical interface, wouldn’t a VLAN work?

    (although this solution might possibly generate some garbage traffic on the LAN, but probably not enough to worry about in most cases)

  2. Chris Buechler Says:

    A VLAN should work, but it would create some garbage traffic on the LAN. Probably wouldn’t matter in most cases, but has the possibility to create problems. I’d rather see two physical interfaces personally, but VLANs would likely work (I’ve done it before, but not in a long-term production setup).

  3. Albert Says:

    This is a cool use for pfsense – but I’m wondering about the need for 2 interfaces. There are lots of good reasons why appliances might only have one. Both askozia and freenas only need one ip (don’t worry – I totally realize that pfSense is first and foremost a firewall).

  4. Chris Buechler Says:

    Sure, an appliance typically only needs one interface. But if we easily allowed that, we’d have a thousand people on the forum screaming because their one interface firewall doesn’t work. :) We have to cater to the primary user base, 99.999% of installs need two or more interfaces.

    Allowing single interface configurations is something we’ve discussed in the past and may see in the future, but this is a perfectly suitable workaround. NICs are dirt cheap, and most server hardware has two built in anyway.

  5. Jonathan Puddle Says:

    Hi Chris. I’m interested in your comments about VLANs and not recommending it for production use. Is that VLANs in general you don’t recommend, or just using the WAN connection as a VLAN?

  6. Chris Buechler Says:

    No, no, I’m just talking about using a VLAN as a fake WAN in production. i.e. configuring a VLAN that won’t be used, where the switch isn’t configured for it, strictly for the purpose of faking the system with a second interface.

    I and many others use VLANs with properly configured switches in production in many locations and it works great. It’s definitely suitable for production use when used properly. The above use isn’t “used properly”. :)

  7. Quick links « FreeBSD - the unknown Giant Says:

    [...] Using pfSense as a Server Only (pfSense) [...]

  8. Jonathan Puddle Says:

    Haha, good to know. I use VLANs extensively also, and just wanted to make sure I understood your comment :)

  9. Raymond Says:

    May I be so rude as to request that you would publish these news items on the front page as news and update the “hackathon is coming” news item into history like it should be?

  10. Chris Buechler Says:

    The new site we’re staging has the RSS feed of this blog as the news on the front page of the site, the current site is going to be dumped before the end of the year.

  11. Mark J Crane Says:

    I’m interested in a separate version of PFSense as a server. Would be great with access to the ports. As well as a specialized set of PFSense packages. Sure initially it would be less work to just install an application on a straight freebsd machine but that would miss the benefits of PFSense. What I like about PFSense is the configuration stored in xml and the web based GUI. That enables easy backup and restore of the config. I would be willing to make some packages for this environment.

    Why would this be cool? Think of what m0n0wall has done for FreeNas, and for Askozia.

  12. Patrick G. Says:

    Using VLANs does work. If tagging is implemented on your entire site, you could stick the WAN VLAN on an unused VLAN, which, while sending out some garbage traffic, would be sent to a small portion of the network. This shouldn’t provide any noticeable effect on a network.

  13. Quick links | FreeBSD - the unknown Giant Says:

    [...] Using pfSense as a Server Only (pfSense) [...]

  14. xminer Says:

    pfSense should make it a standard feature to run the firewall on only one port; with the use of VLANing and routing subnets it’s quite possible and makes pfSense truly flexible. Here’s why:

    It becomes important to a lot of people how flexible your appliance is as far as required NICs when you consider a service provider who uses it as a managed firewall has to use 48 switch ports to deploy 24 firewalls in the scenario that the customer has multiple managed servers sitting all over the facility on a VLAN.

    Even if you are using a 2000 dollar distribution switch (cheap!), by allowing a single-ported firewall (router/firewall on a stick!) you have just saved the provider a significant portion of the cost of deploying the firewall, considering at this point 2 ports on a $2000 switch cost about the same or more than the hardware the firewall is running on… and made it easier to manage and install… some people may not get it… but in a large facility where you have a lot of customers whose bandwidth commits are well below the limits of full duplex 100Mb NIC ports it makes perfect sense, and with VLANing and routing subnets it would work if it was allowed…

    As a side note… putting the LAN and WAN interfaces on the same VLAN when using a routing subnet works famously too… use the check box under advanced to suppress ARP messages… this is an easy way to tie in an end customer VLAN onto the firewall without needing to care where physically on a network the hosts are, without having to deploy more than 1 VLAN or do any out of the ordinary routing, IMO…

    give the option to do it on NIC, it gets even easier…

  15. Chris Buechler Says:

    xminer: single interface mode is a standard feature in 2.0.

  16. xminer Says:

    “xminer: single interface mode is a standard feature in 2.0.”

    Thanks for the clue… I have not played with the upcoming versions past 1.2.3… should be interesting….
