Migrate from Sophos, some questions...
-
Just a few questions hopefully someone can help with, based on my current Sophos UTM config and whether these things would be properly supported in pfSense.
Right now, I have a WAN IP of x.x.x.118/30 – so one usable IP on this subnet for my firewall. This is the primary WAN link. However, my ISP routes additional IPs through that initial IP, so I also have y.y.y.32/29 available to me, a completely separate network of addresses. In Sophos I created additional “interfaces” for each IP in the /29 network on the WAN interface and everything works. In NAT rules, I simply choose these new ones and everything is routed nicely through the primary WAN link. Will this work similarly in pfSense?
Also, looking at setting up an HA config and needing the multiple WAN IPs, I'd plan to use the x.x.x.118 one as the CARP shared IP and then assign a y.y.y.33 and y.y.y.34 address to each unit. Will this work, or do those additional WAN IPs need to be in the same subnet as the shared IP?
Thanks!
-
@whaler_99 yes you can route public IP space.
https://docs.netgate.com/pfsense/en/latest/recipes/route-public-ip-addresses.html
-
@johnpoz Thanks, that is kind of what I want. But I wouldn't be assigning these IPs to the OPT1 interface, which I gather is a physical interface in that example? There isn't anything I can connect to a physical OPT1 port. All the inbound traffic on these additional IPs is routed through my primary WAN link, the .118.
I want all internal LAN traffic to route out via the primary WAN link by default. The only use for these additional IPs is for some specific services inbound. Basically additional 80/443 NATing. I NAT the traffic coming in on these additional interfaces to different servers, but all outbound traffic goes back out the primary WAN link.
-
@whaler_99 said in Migrate from Sophos, some questions...:
But I wouldn't be assigning these IPs to the OPT1 interface
And what would you be assigning them to if they are routed to you? If you just want them as VIPs on your WAN you can do that too.
-
Yes, just assign the IPs from the /29 subnet as Virtual IPs on WAN and then you can use them in port forwards etc.
https://docs.netgate.com/pfsense/en/latest/firewall/additional-ip-addresses.html
Steve
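The setup Steve describes, as an added example that is not from the thread or from Netgate's documentation: a pf.conf fragment approximating the rules pfSense generates when the routed /29 addresses are added as IP Alias VIPs on WAN and used in port forwards, while outbound NAT uses only the /30 address. The interface names, the RFC 5737 documentation addresses standing in for x.x.x.118 and y.y.y.32/29, and the internal server addresses are all assumptions.

```pf
# Added example, not pfSense-generated config. Interface names, public addresses
# (RFC 5737 documentation ranges) and internal hosts are assumed/constructed.
ext_if = "em0"                     # WAN, carries the single /30 address
int_if = "em1"                     # LAN

wan_ip  = "203.0.113.118"          # the usable /30 address (".118" in the thread)
vip_web = "198.51.100.33"          # first address of the routed /29, used as a VIP
vip_app = "198.51.100.34"          # second address of the routed /29, used as a VIP

web_srv = "192.168.1.10"           # internal hosts behind the port forwards (assumed)
app_srv = "192.168.1.11"

# The VIPs live on the WAN interface itself; no physical OPT1 port is involved.
# pfSense's "IP Alias" VIP type is equivalent to, for example:
#   ifconfig em0 inet 198.51.100.33 netmask 255.255.255.255 alias
# The ISP routes the whole /29 toward wan_ip, so packets for the VIPs arrive on em0.

# Outbound NAT: all LAN traffic leaves from the primary WAN address only.
nat on $ext_if inet from $int_if:network to any -> $wan_ip

# Port forwards: 80/443 on each VIP is redirected to a different internal server.
rdr on $ext_if proto tcp from any to $vip_web port { 80 443 } -> $web_srv
rdr on $ext_if proto tcp from any to $vip_app port { 80 443 } -> $app_srv

# Default deny on WAN; filter rules see the post-rdr (internal) destination,
# so only the forwarded ports reach the two servers.
block in log on $ext_if
pass in on $ext_if proto tcp from any to $web_srv port { 80 443 } flags S/SA keep state
pass in on $ext_if proto tcp from any to $app_srv port { 80 443 } flags S/SA keep state
pass out on $ext_if keep state
```

Replies to forwarded connections follow the existing state back out through the primary WAN link, so the /29 addresses never need to originate traffic themselves.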
-
@stephenw10 OK, thanks, sounds about right, basically what I do with Sophos: virtual IPs assigned to the WAN interface.
-
Now, any ideas on whether I can use these virtual WAN IPs in concert with my WAN IP to set up HA?
-
HA with CARP? Two pfSense nodes?
Hmm, it's unusual but you should be able to do it. You will end up with some asymmetry. Really you would want the /29 directly on the WAN for HA, not routed via a /30.
You will have to use the /30 IP as the WAN side CARP VIP and two IPs from the /29 as the WAN IPs on each node. But that means the /29 will always be routed to the master node including backup node WAN IP. The Master node will redirect it but you will get some asymmetric routing and might need appropriate firewall rules to pass that.
Steve