Advice on configuration (Switching from Sonicwall - keep current network setup if possible)
-
Hmm, you actually have a public IP on the core switch upstream of the firewalls?
I had assumed the .33 address would be the ISP gateway and the switch was just passing that VLAN.
What is the .149 address shown on the modem? Just to access the modem? Is that a public IP?
You can use a private subnet on the WAN interfaces. You would be NATing somewhere else though, in the 'modem'?
It's possible to use a single public IP in an HA setup but it's not a supported configuration. In such a setup the secondary node cannot access the internet to fetch updates etc. without failing over to it. There are people running that successfully though.
-
Yeah it is a weird setup which I inherited and never went down the road of changing it as it worked fine.
The .149 is the IP of the modem within the ISP's network. It's not a public IP.
The switch routes internet traffic to that via the .150 address in the same subnet. At least this is what I've been told.
One thing to note is that the modem is supplied by the ISP and we have no control over it. We cannot access it to change configuration or anything else.
About NAT I'm a bit lost. I don't know much about it and know how/where it should be configured.
The public IPs we don't really use for anything except VPN and with pfSense we plan on using Tailscale. Initially I believe they wanted to have a DMZ (eg: web site, exchange server, etc.) but this was never implemented and such things are cloud based.
In the past days I've tried to create a lab setup to simulate things and I got it to work like this:
- Ubiquiti USG router with the .149 address simulating the ADSL modem in the diagram
- HP 2920 switch with .150 address and routing internet traffic to .149, VLAN 102
- HP 2920 switch with 10.10.4.1 address in VLAN 103 on 2 ports
- pfSense Primary with WAN IP 10.10.4.2 and gateway 10.10.4.1
- pfSense Secondary with WAN IP 10.10.4.3 and gateway 10.10.4.1
- WAN CARP IP 10.10.4.4
- Static route in USG to route 10.10.4.0 to .150 address
Both pfSense can access internet in this way but that's where I stopped and came to the forum to make sure I'm in the right direction. Also, since I had to add the static route to the USG and we cannot do that on the ISP's modem, I guess this setup won't work.
We also have a 4G router which we want to use as backup internet in case ADSL goes down.
No public IP on that. With Sonicwall it's all pretty simple and works perfectly fine.
Running a single public IP and forcing the secondary pfSense to take over to get updates etc. is not something I would like to have unless there's no other choice.
-
Hmm, so the .149-.150 is also a public subnet? In that case I guess they are routing the /30 to you via that. That is an odd setup. That's the sort of thing I might expect if the ISP also owned the switch but that's not the case here?
I suspect .149 is actually the ISP gateway not on the modem device itself?
Yeah in your test setup the USG is NATing that private subnet. In your actual setup that would have to be the switch or the ISP 'modem'. I'm not sure that's possible.
-
Since pfSense allows a CARP VIP to be on a different subnet from the physical interfaces, can't I just use this:
- 1st public IP on the switch as in the diagram (ISP will route to it)
- 2nd public IP as the WAN CARP VIP
- Private WAN IPs on the pfSense boxes (same subnet)
- Manually created default gateway route
This would essentially replicate the same setup we have with Sonicwalls
The only doubt I have is what happens with the backup wan in this case.
-
So I've tested my last idea in the lab and it seems to be working.
This is what I did:
- ISP Modem simulated by USG (.149/30) <-> HP Switch (.150/30)
- HP Switch .33/30 (1st public IP) <-> pfSense .34/30 (2nd public IP). Set this as CARP WAN VIP
- pfSense WAN 10.10.4.2/24 with Gateway .33/30
- pfSense Outbound NAT: 'This firewall' * * * NAT Address .34/30
Static routes:
- HP Switch: everything to the internet is routed via .149/30
- USG: Routing public IPs network via .150 (which is the HP switch IP)
In production the static route on the USG is not needed as ISP already routes the public IPs via .149 (their ADSL modem).
We'll see if it actually works when I'll test it on-site.
-
Yes, you can do that. As I said that's what you have to do if you have only a single public IP.
The drawback there is that whichever node is in backup will not be able to reach the internet. Unless something upstream is NATing the private subnet and I don't think anything is in your case.
Steve
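The reachability argument in the post above, worked through as an added example (not from the thread or from pfSense): it models the lab addressing with placeholder public /30s from documentation space (203.0.113.0/24) and shows why the node that does not hold the CARP VIP has no usable source address upstream unless something there NATs the private WAN subnet.

```python
import ipaddress

# Constructed addressing modelled on the lab in the thread. The public /30s are
# placeholders from documentation space, standing in for the real ISP ranges.
ISP_LINK = ipaddress.ip_network("203.0.113.148/30")       # modem .149 <-> switch .150
CUSTOMER_BLOCK = ipaddress.ip_network("203.0.113.32/30")  # switch .33 <-> CARP VIP .34
SWITCH_GW = ipaddress.ip_address("203.0.113.33")
CARP_VIP = ipaddress.ip_address("203.0.113.34")
WAN_SUBNET = ipaddress.ip_network("10.10.4.0/24")          # private WAN subnet of the nodes
NODE_WAN = {"primary": ipaddress.ip_address("10.10.4.2"),
            "secondary": ipaddress.ip_address("10.10.4.3")}


def check_addressing():
    """Sanity checks on the topology: VIP and switch share a /30, both nodes sit
    on one WAN subnet, and the gateway is off that subnet (so the manually added
    default route from the thread is required, not optional)."""
    return {
        "vip_shares_switch_subnet": SWITCH_GW in CUSTOMER_BLOCK and CARP_VIP in CUSTOMER_BLOCK,
        "nodes_share_wan_subnet": all(ip in WAN_SUBNET for ip in NODE_WAN.values()),
        "gateway_on_wan_subnet": SWITCH_GW in WAN_SUBNET,
        "isp_link_is_p2p": ISP_LINK.prefixlen == 30,
    }


def egress_source(node, carp_master):
    """Source address of a packet the firewall itself originates after outbound
    NAT. The 'This firewall -> NAT Address .34' rule can only take effect on the
    node currently holding the VIP; the backup sends with its private WAN IP."""
    return CARP_VIP if node == carp_master else NODE_WAN[node]


def reaches_internet(src, upstream_nat=False):
    """A reply only comes back if the source is inside the block the ISP routes
    to the customer, or if an upstream device NATs the private subnet."""
    return upstream_nat or src in CUSTOMER_BLOCK


def internet_reachability(carp_master, upstream_nat=False):
    """Per-node verdict for a given CARP master; failover simply flips it."""
    return {node: reaches_internet(egress_source(node, carp_master), upstream_nat)
            for node in NODE_WAN}


if __name__ == "__main__":
    print(check_addressing())
    print("primary is master:", internet_reachability("primary"))
    print("after failover:  ", internet_reachability("secondary"))
```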
-
You're indeed correct. And my bad for not understanding this is what you meant earlier.
To fix the drawback you mentioned, I tried creating a tagged VLAN (same ports) on the HP switch which is used only by the two firewalls to access the internet whenever they are in 'backup/secondary' mode, since they can't use shared public CARP VIP IP for that.
All other VLANs are outbound natted via the main WAN CARP VIP, and firewalls can use this second path to the internet.
Seems to work. Do you see any issue with it?
BTW thanks a lot for your kind assistance and time.
-
I'm unclear exactly how you have set that up. It would require some special rules to NAT traffic from the backup via the master to the public IP without breaking in the other direction.
-
Yeah, I thought it worked but as you correctly suspected, it doesn't. Upstream device natting would solve the issue, but yeah I don't have that option.
Well, I guess that for now we'll go for the option where backup firewall cannot access the internet and force the switch when I need to make updates.
It's a pity pfSense doesn't handle HA like Sonicwall, which makes it super simple. Then again Sonicwall is way more expensive, and perhaps for good reasons.
We'll deal with this inconvenience.
Thanks again for your help.
-
There are workarounds to allow it but the config becomes increasingly complex!
Like add the primary as a gateway on the secondary and use that as a failover group.