Replace Cisco ASA with the pfsense
-
Dear Friends / Experts,
I want to replace the cisco asa with pfsense firewall. I am setup pfsense ip address same as cisco asa firewall. 192.168.9.254. connected with core swtich. i am getting internet only 192.168.9.0 networks. In my network i have 10 Vlan talking with each others. how do i setup the firewall rules and access rules in pfsense
Thanks
kiruba
-
So your 192.168.9 is your transit network.. So you have to adjust the outbound nat to account for these other networks. You need to make sure your lan rules allow for these networks and not just 192.168.9 (lan net)
You need to create a gateway in pfsense and then use that gateway for your routes to the downstream networks hanging off your L3.. Not on the lan interface but in System, Routing
-
Dear John,
How to adjust NAT rule. it was set as an automatic.
192.168.2.0
192.168.3.0
192.168.4.0
192.168.5.0
192.168.6.0Here is my asa configuration
route INSIDE 192.168.3.0 255.255.255.0 192.168.9.1 1
route INSIDE 192.168.4.0 255.255.255.0 192.168.9.1 1
route INSIDE 192.168.5.0 255.255.255.0 192.168.9.1 1
route INSIDE 192.168.6.0 255.255.255.0 192.168.9.1 1
route INSIDE 192.168.7.0 255.255.255.0 192.168.9.1 1
route INSIDE 192.168.8.0 255.255.255.0 192.168.9.1 1
route INSIDE 192.168.9.0 255.255.255.0 192.168.9.1 1
route INSIDE 192.168.10.0 255.255.255.0 192.168.9.1 1
route INSIDE 192.168.11.0 255.255.255.0 192.168.9.1 1
route INSIDE 192.168.12.0 255.255.255.0 192.168.9.1 1
route INSIDE 192.168.13.0 255.255.255.0 192.168.9.1 1
route INSIDE 192.168.14.0 255.255.255.0 192.168.9.1 1
route INSIDE 192.168.15.0 255.255.255.0 192.168.9.1 1
route INSIDE 192.168.16.0 255.255.255.0 192.168.9.1 1
route INSIDE 192.168.17.0 255.255.255.0 192.168.9.1 1
route INSIDE 192.168.18.0 255.255.255.0 192.168.9.1 1
route INSIDE 192.168.19.0 255.255.255.0 192.168.9.1 1
route INSIDE 192.168.30.0 255.255.255.0 192.168.9.1 1Thanks
Kiruba
-
I would of used networks I could use a summary route much easier.. How about make your transit say 172.16.0.0/30 and then you could just summarize with a simple 192.168/16 route to your L3 IP in the transit.
As to how to edit the outbound nat your going to have to go hybrid or full manual mode and allow your other downstream networks to be natted.. for example that 192.168.30/24
-
Dear,
Thanks a lot for helping me john.
Still cant able to fix my problem.I am getting internet only on 192.168.9.0 networks where my pfsense was installed
i cant able to ping pfsense (192.168.9.254) from 192.168.4.0. i dont know why. but i can able to ping my servers 192.168.9.2 , 9.3 ,9.24.
i know i am the begginer for pfsense.
Pls help me and guide me
thanks
kiruba
![static routes.JPG](/public/imported_attachments/1/static routes.JPG)
![static routes.JPG_thumb](/public/imported_attachments/1/static routes.JPG_thumb)
![Lan firewall rules.JPG](/public/imported_attachments/1/Lan firewall rules.JPG)
![Lan firewall rules.JPG_thumb](/public/imported_attachments/1/Lan firewall rules.JPG_thumb)
![VLAN 4 firewall rules.JPG](/public/imported_attachments/1/VLAN 4 firewall rules.JPG)
![VLAN 4 firewall rules.JPG_thumb](/public/imported_attachments/1/VLAN 4 firewall rules.JPG_thumb)
![Outbound rules.JPG](/public/imported_attachments/1/Outbound rules.JPG)
![Outbound rules.JPG_thumb](/public/imported_attachments/1/Outbound rules.JPG_thumb) -
what is ITLANGW?? You show that is pfsense IP, and then you have a gateway setup pointing to the same address 192.168.4.1.. That is never going to work..
And what are the rest of your nats? What do you have a gateway setup on 192.168.4 in the first place if this is just a network hanging off pfsense??
-
Dear John,
Now i keep only One WAN and One LAN Interface
WAN Address
IP: 87.206.49.51
Subnet: 255.0.0.0
Gateway:87.206.49.209LAN Address:
IP: 192.168.9.254(static)
Subnet: 255.255.255.0
Gateway:192.168.9.1For your information:- my nortel layer 3 switch IP Address: 192.168.9.1. Routing and vlan and access list configured on Layer 3 routing switch.
i am add the static route address 192.168.4.0 and Gateway 192.168.9.1
If i am wrong please correct. I shown you i have 8 vlans, now i trying with one vlan(192.168.4.0) if i can able to connect the internet. others i can able to configure.
If you provide some screen shots which is more useful to gain the knowledge.Thanks
Kiruba
-
IP: 87.206.49.51
Subnet: 255.0.0.0So you own a /8 and use it on your routers wan interface?
So if this 192.168.9 is your transit.. There should be nothing (hosts) on this network that need to talk to downstream network, or downstream talking to them.. Or your going to have asymmetrical routing unless you create routes on each host in this transit network and tell them which way to go for what.. If your going to have downstream networks then you have to tell pfsense about them via route, and you have to allow your lan/transit interface rules for those other downstream networks. And you have to correct your outbound nats to nat those networks.
When you set
Gateway:192.168.9.1
Did you actually set that on the lan interface? Bad.. Or did you create a new gateway (not default) and then just create routes? Your lan interface on pfsense should not have a gateway set on the actual interface..
Yes I have multiple vlans - none of them our downstream via a transit.. I can fire one up if you really need screenshots..
edit:
Ok I fired up a downstream router with a network hanging off of it in my dmz network..
So in the attached (pic #1) you see I am using pfsense (dmz network) 192.168.3/24 as the transit network to 10.0.0/24.. So this downstream router IP in the transit is 192.168.3.104, pfsense IP is 192.168.3.253
So I created a gateway in pfsense (pic #2).. Called it transit pointed it to the 192.168.3.104 address, notice its NOT set as default.
I then created a route in pfsense (pic #3) hey you want to get to 10.0.0/24 use the gateway "transit" 192.168.3.104
Then created a firewall rule on the "transit" interface (pic #4) - the actual dmz interface in my case that allows the downstream network 10.0.0/24
I then created an outbound nat (pic #5) so that pfsense would nat this downstream network 10.0.0/24 for to its WAN (public) IP..
So you then see when I do a traceroute from box in the downstream network 10.0.0.100 it hits its gateway the downstream router at .254, then goes to pfsense interface in the transit network and then out pfsense internet (wan) connection to my isp (pic #6)..If I traceroute from my pc at 192.168.9.100 in the drawing you see I hit pfsense 9.253, then the downstream router 3.104 and finally the box in the downstream network (pic #7)
Does this clear it up for you??
-
Dear John,
Many thanks for your guidance and help. Now i can able to get internet on my 8 vlan networks. i am attached my configuration screen shots.
Can you please help me on squid and squid gaurd configuration
i need to open social media( facebook and youtube) on 192.168.8.0 and need to block in 192.168.6.0 and 192.168.7.0 networks.If possible i can open social media on only one 192.168.6.12
teach me please.
once again many thanks for your help.
Kiruba
![Routing Conf.JPG](/public/imported_attachments/1/Routing Conf.JPG)
![Routing Conf.JPG_thumb](/public/imported_attachments/1/Routing Conf.JPG_thumb)
![Static Routes for vlan and multiple Networks.JPG](/public/imported_attachments/1/Static Routes for vlan and multiple Networks.JPG)
![Static Routes for vlan and multiple Networks.JPG_thumb](/public/imported_attachments/1/Static Routes for vlan and multiple Networks.JPG_thumb)
![Lan confi.JPG](/public/imported_attachments/1/Lan confi.JPG)
![Lan confi.JPG_thumb](/public/imported_attachments/1/Lan confi.JPG_thumb)
![Lan Firewall Rules.JPG](/public/imported_attachments/1/Lan Firewall Rules.JPG)
![Lan Firewall Rules.JPG_thumb](/public/imported_attachments/1/Lan Firewall Rules.JPG_thumb)
![Outbound Rules.JPG](/public/imported_attachments/1/Outbound Rules.JPG)
![Outbound Rules.JPG_thumb](/public/imported_attachments/1/Outbound Rules.JPG_thumb)
![DMZ Transit.JPG](/public/imported_attachments/1/DMZ Transit.JPG)
![DMZ Transit.JPG_thumb](/public/imported_attachments/1/DMZ Transit.JPG_thumb)
![DMZ Firewall Rules.JPG](/public/imported_attachments/1/DMZ Firewall Rules.JPG)
![DMZ Firewall Rules.JPG_thumb](/public/imported_attachments/1/DMZ Firewall Rules.JPG_thumb) -
What dude??
Why do you have so many gateways? And where downstream getting dns? Because your rules are only TCP.. WTF is the transit dmz for? those the same networks?