Netgate Discussion Forum

PfSense to replace cisco router, sonicwall firewall, and wireless NAT router?

Routing and Multi WAN
10 Posts 2 Posters 8.9k Views
    netmagi
    last edited by Sep 16, 2008, 2:39 PM

    Hi,

    I currently have a commercial connection with my ISP providing a pool of 6 public IP addresses.

    It's currently configured like this:

    Cable Modem
        |
    Cisco 2500 Series Router
        |
    Sonicwall Firewall
        |
    Ethernet Switch
        |--------------------------+
        |                          |
    Public IP'd servers      Dlink Wireless NAT Router (with public IP on the WAN side)
                                   |
                             Ethernet Switch
                                   |
                             Workstation PC's (with private IP's 192.x.x.x)

    Can pfSense replace this entire rat's nest of aging equipment?  Technically, I guess I would need 3 interfaces. . .

    Interface 1:  WAN on ISP's network

    Interface 2:  LAN (still public IP's but routed to the WAN IP)  Would pfSense do this routing??? I'm counting on the cisco 2500 series for this right now.  There would be 3 servers with public IP's connected here

    Interface 3:  NAT'd LAN with DHCP assigning 192.x.x.x addresses.  Anything plugged into this interface (through a switch) would get assigned an IP and NAT through.  (I have 10 workstations in the house. . )

    I would also like to put a wireless card in the system, and have it act as a WAP and DHCP, NAT anything connected here (bridged with interface 3?)

    I would need to have firewall rules to permit anything on interface 3 to have full access to interface 2, and certain ports (for services) to be permitted from interface 1 to servers connected on interface 2.  I would also like to do some port forwarding so I can redirect say RDP on the WAN side to a NAT'd IP on interface 3.

    My current setup works just fine, but the cisco and sonicwall are both old and I'm just waiting for the day they croak.  I already have a server running vmware with plenty of NIC's and I was thinking it would be sweet to replace all that old hardware with a vm running something like pfSense, monowall, smoothwall, etc.  I really like what I've seen of pfSense so far.

    Can pfSense do all this?  My understanding of routing is fairly limited.  My cisco config is as follows:

    Current configuration:
    !
    version 11.2
    !
    hostname xxxxxxxx
    !
    enable password xxxxxxxxxxxxxxxx
    !
    ip subnet-zero
    no ip source-route
    ip name-server xxxxxxxxxxx
    !
    interface Ethernet0
    description xxxxxxxxxxxxxxxx
    ip address xxxxxxxxxxxxx  255.255.255.224
    no ip directed-broadcast
    !
    interface Ethernet1
    description xxxxxxxxxxxxxxxx
    ip address xxxxxxxxxxxxx 255.255.255.248
    no ip directed-broadcast
    !
    interface Serial0
    no ip address
    shutdown
    !
    interface Serial1
    no ip address
    shutdown
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 xxxxxxxxxxxx

    Thanks for reading,

    -Rich

      GruensFroeschli
      last edited by Sep 16, 2008, 3:03 PM

      Yes pfSense can do this.
      Does your ISP route these 6 IP's to the public IP of your WAN?
      –> Is the WAN-IP in a different subnet than your public IP's for your servers?

      We do what we must, because we can.

      Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        netmagi
        last edited by Sep 16, 2008, 3:31 PM

        @GruensFroeschli:

        Yes pfSense can do this.
        Does your ISP route these 6 IP's to the public IP of your WAN?
        –> Is the WAN-IP in a different subnet than your public IP's for your servers?

        Yes, per my understanding of what my ISP does, they route the 6 to the public IP of my router.  Admittedly I'm not 100% sure on this as it's been years since I originally set it up.

        My cisco router has 2 IP's and they are on different subnets. One of these IP's is on the same subnet as the servers.  The other is not.  I realized I obscured too much in the router config, and I'll paste it in again, with less obscured.

        Current configuration:
        !
        version 11.2
        !
        hostname xxxxxxxxxxxxxxxxx
        !
        enable password xxxxxxxxxxxxxxxx
        !
        ip subnet-zero
        no ip source-route
        ip name-server xxx.xxx.xxx.xxx
        !
        interface Ethernet0
        description xxxxxxxxxxxxxxxxxxxxxxxxxx
        ip address xxx.229.80.xxx 255.255.255.224
        no ip directed-broadcast
        !
        interface Ethernet1
        description xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
        ip address xxx.229.0.xxx 255.255.255.248
        no ip directed-broadcast
        !
        interface Serial0
        no ip address
        shutdown
        !
        interface Serial1
        no ip address
        shutdown
        !
        ip classless
        ip route 0.0.0.0 0.0.0.0 xxx.229.80.xxx

          GruensFroeschli
          last edited by Sep 16, 2008, 3:37 PM

          Then I don't see any problems at all.

          You might want to read this: http://forum.pfsense.org/index.php/topic,7001.0.html
          because you will have to enable "advanced outbound NAT" for your routed public subnet.

          We do what we must, because we can.

          Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

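As an added illustration (not from the thread, and not rules pfSense itself generated), here is the three-interface design from the opening post together with the "advanced outbound NAT" point above, written as the pf ruleset those GUI settings reduce to. Interface names, the RFC 5737 documentation addresses standing in for the obscured subnets, the service ports and the server-segment-to-LAN block are all assumptions.

```pf
# Assumed interface names; pfSense assigns them from whichever NICs you pick
wan_if = "em0"    # Interface 1: ISP-facing, address inside the ISP's /27
srv_if = "em1"    # Interface 2: the routed public /29 for the three servers
lan_if = "em2"    # Interface 3: private NATed LAN (workstations + bridged WLAN)

# Constructed addresses: documentation ranges stand in for the thread's
# xxx.229.80.xxx/27 (WAN) and xxx.229.0.xxx/29 (servers)
srv_net  = "203.0.113.0/29"
lan_net  = "192.168.1.0/24"
web_srv  = "203.0.113.2"
mail_srv = "203.0.113.3"
rdp_host = "192.168.1.50"

set skip on lo0
scrub in all

# --- Outbound NAT: what "advanced outbound NAT" buys you ---
# Only the private LAN is translated to the WAN address. There is deliberately
# no nat rule for srv_net: the ISP routes that /29 to the WAN address, so the
# servers must leave with their real source addresses or replies break.
nat on $wan_if from $lan_net to any -> ($wan_if)

# Port forward: RDP arriving on the WAN address goes to one private workstation
rdr on $wan_if proto tcp from any to ($wan_if) port 3389 -> $rdp_host port 3389

# --- Filter: default deny, explicit allows ---
block log all
pass out all keep state

# From the Internet, only named services to named servers (Interface 1 -> 2)
pass in on $wan_if proto tcp from any to $web_srv port { 80, 443 } keep state
pass in on $wan_if proto tcp from any to $mail_srv port 25 keep state
# The rdr above rewrites the destination before filtering, so match the
# translated address here, not the WAN address
pass in on $wan_if proto tcp from any to $rdp_host port 3389 keep state

# Assumed tightening the thread does not ask for: servers reach the Internet
# but cannot initiate connections into the private LAN
pass in on $srv_if from $srv_net to ! $lan_net keep state

# Workstations (and the WLAN bridged onto this segment) get full access
# to the server segment and the Internet (Interface 3 -> 2 and 1)
pass in on $lan_if from $lan_net to any keep state
```

On pfSense 1.2 the nat line corresponds to enabling advanced outbound NAT and keeping a single mapping for the private LAN only; the rest maps onto per-interface rules and a port forward in the GUI.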
            netmagi
            last edited by Sep 16, 2008, 3:44 PM

            @GruensFroeschli:

            Then I don't see any problems at all.

            You might want to read this: http://forum.pfsense.org/index.php/topic,7001.0.html
            because you will have to enable "advanced outbound NAT" for your routed public subnet.

            Anything I should know about running pfSense under vmware server?  I'm about ready to at least try pulling the trigger on this since it sounds doable.

            Can you give me an overview of how I'd configure the routing in pfSense to get started?

            Thanks so much for all your help.  2 hours ago I was unsure what direction I wanted to go, but now I'm 100% sure I want to go with pfSense.  The user contrib and activity on the forums here is exceptional (I've been reading through posts)  :)

            -Rich

              GruensFroeschli
              last edited by Sep 16, 2008, 3:53 PM

              I don't know much about running pfSense in VMware.
              Try reading on the virtualisation forum
              http://forum.pfsense.org/index.php/board,37.0.html
              But my general impression is: real hardware > virtual hardware.
              The ALIX http://pcengines.ch/alix.htm might just be what you're looking for since it has a pretty low power consumption and enough power for most applications… as long as you don't want to route ~100 Mbit.
              Here some sizing numbers: http://www.pfsense.org/index.php?option=com_content&task=view&id=52&Itemid=49

              To get started follow the link I posted above.
              I put together there where the tutorials and docs are.

              You could try the liveCD on an old computer you might have lying around without installing pfSense to get a feeling for it.
              It's pretty much self-explanatory.

              We do what we must, because we can.

              Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

                netmagi
                last edited by Sep 16, 2008, 4:33 PM

                It looks like I may run into some issues with trying to get wireless to work under vmware as well. .

                My main goals here are to have a solution more serviceable/replaceable than the current 3 devices, lower power consumption, and not spending any money :)

                I have plenty of old hardware lying around so I guess the next step is determining how much juice an old PC draws in comparison to the cisco, sonicwall, and dlink together.

                -Rich

                  GruensFroeschli
                  last edited by Sep 16, 2008, 5:28 PM

                  Probably more.
                  Unless it's a Laptop ;)
                  Disable the display, replace the HDD with a CF-card, plug in a PCMCIA-NIC and you should have a ~20-30 W router.

                  We do what we must, because we can.

                  Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

                    netmagi
                    last edited by Sep 16, 2008, 6:36 PM

                    Maybe, maybe not. . I know the cisco and the sonicwall are drawing a fair amount. . the cisco is ancient and power-hungry :)

                    I have a Fluke clamp meter so I'll plug 'em all into the same strip and see how many amps they're drawing and compare to a single-core low-spec PC.  I'd be willing to accept a small increase in amperage for the peace of mind that if there's a hardware failure it can be repaired/replaced.  The current cisco and sonicwall are essentially unserviceable and costly to replace.

                    -Rich

                      netmagi
                      last edited by Oct 29, 2008, 3:40 PM

                      Hey guys,

                      Just wanted to let you know I did end up building a box:

                      http://forum.pfsense.org/index.php/topic,12270.0.html

                      and finally got it working:

                      http://forum.pfsense.org/index.php/topic,12286.0.html

                      The box is now in production, and replaced the cisco router, sonicwall firewall, and dlink NAT router successfully.  Plain and simple, pfSense rocks!

                      -Rich

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.