Connect WAN and LAN on same switch?
-
@jgfoster said in Connect WAN and LAN on same switch?:
Because there is just one line from IT (and the new ISP) leading to our main switch, we have both the WAN and LAN traffic on our main switch
Not ideal at all.
Why don't you put the main switch behind the firewall? You could route traffic to internal destinations to the "internal" gateway and upstream traffic to the ISP gateway.
I can use the device's Diagnostics/Ping menu command to ping 8.8.8.8 from both the WAN and LAN interfaces. I understand why this would work for the WAN interface since it has a route to the internet, but I don't understand why it works from the LAN port which doesn't have a gateway configured.
Because of the same reason. pfSense has a route, which might point to the upstream gateway in the WAN subnet. So traffic is directed out on WAN and natted to the WAN IP due to automatic Outbound NAT rules.
You can sniff the traffic on WAN and LAN using Diagnostic > Packet Capture to see what's going on.
-
@viragomann said in Connect WAN and LAN on same switch?:
Why don't you put the main switch behind the firewall?
- The moment we disconnect the switch from the wall we are offline and our services are no longer available.
- The time we take connecting the new firewall and configuring it we are offline.
- All the existing services will be offline until they are configured to use the new firewall as a gateway.
- This configuration means that all inbound traffic goes through the firewall. (I had hoped to use the device as a gateway, not a firewall.)
@viragomann said in Connect WAN and LAN on same switch?:
pfSense has a route, which might point to the upstream gateway in the WAN subnet. So traffic is directed out on WAN and natted to the WAN IP due to automatic Outbound NAT rules.
So even when I specify to use the LAN port it uses the WAN port?
-
@jgfoster
You cannot instruct pfSense to use a certain network port, just to use a certain IP.
Network packets just go the shortest way. So it would be better to add all IPs to a single interface, say WAN.
But at least for incoming connections if any to the local network you would have to disable the Outbound NAT.
-
You cannot instruct pfSense to use a certain network port, just to use a certain IP.
I see now that the label for the dropdown says "Source address" (I was thinking of source interface since the dropdown selection is "WAN").
So it would be better to add all IPs to a single interface, say WAN.
I don't understand. The Interface/WAN page allows only one static IP on an interface. How do I "add all IPs" to the WAN interface?
But at least for incoming connections if any to the local network you would have to disable the Outbound NAT.
I don't understand. I want the device to take incoming connections to the LAN and route them to the WAN. I want this device to serve as a gateway between the LAN and the WAN.
-
@jgfoster said in Connect WAN and LAN on same switch?:
The Interface/WAN page allows only one static IP on an interface. How do I "add all IPs" to the WAN interface?
Firewall > Virtual IPs
Here you are able to add further IPs to any interface. But at least for incoming connections if any to the local network you would have to disable the Outbound NAT.
I don't understand. I want the device to take incoming connections to the LAN and route them to the WAN. I want this device to serve as a gateway between the LAN and the WAN.
LAN > WAN ... outgoing, upstream
WAN > LAN ... incoming, downstream
I don't know what you need. By default, if you have configured the WAN interface with an upstream gateway, pfSense nats outgoing traffic (from LAN or anywhere behind) to the WAN address.
If you have incoming connections to the LAN this might be undesirable.
-
@jgfoster said in Connect WAN and LAN on same switch?:
The interesting thing is that during the transition IT put everything on the same ethernet cable leading to our department's switch
So your new internet connection is on the same vlan as your internal company network?
How this would normally work is this 1 cable from the company would have your new ISP connection, this 35.x network, on vlan X, and your company network on vlan Y..
This would connect to your local switch which would split the vlans for you.. So you can connect the wan of your router into your 35.x then another interface for the company network.. And then another interface on the router would be your local dept network.. That could be anything if you nat into the company network from your pfsense IP in the company network. But this would be a different vlan you create on your local switch. But a better way to do it would be for it to just be a routed subnet off their other network.
Since the ports on the sg1100 are switch ports you could do some vlan on them as well.. But what switch do you have locally for your dept? I would have to hope it can do vlans?
If your IT dept is just running both your company network and this new internet connection over the same vlan on that wire.. "They are completely clueless" would be the first thing that comes to mind for me..
I really don't understand why they gave you another router, unless you want to firewall the company network from talking to your devices?
Simpler solution would have been to, ok, get you a new internet connection - but vs handing that off to some router in your dept.. would have just carved out a vlan for you to use in your dept, and routed your traffic out to whatever internet connection they want you to use.. They could control access into the company network at their router/firewall for your network.
-
I do appreciate the help and suggestions and apologize for my ignorance.
@viragomann said in Connect WAN and LAN on same switch?:
Firewall > Virtual IPs
Here you are able to add further IPs to any interface.
Thanks. I found that and added a new private IP on the WAN interface. I'm not able to ping it and suspect that it is because of the "Block private networks" rule. I've tried disabling that rule but after unchecking the box and clicking "Save" I get the error "This Switch port is already in used by another interface."
@johnpoz said in Connect WAN and LAN on same switch?:
So your new internet connection is on the same vlan is your internal company network?
The two subnets are on the same cable but I'm not sure if they are the same VLAN. I've asked IT if this is a trunk link with VLAN tagging (for two VLANs) or if they have it all on one VLAN. If they are tagging then I think we should be able to split the VLANs in our switch. When I get that cleared up I'll proceed...
-
@jgfoster so do they manage the switch in your dept as well? Or is that your switch? Because if it's your switch they would have to give you the info on what vlan IDs etc.. If they manage it and told you plug your wan of your router on the pfsense into port X on that local switch and your lan into port Y, etc..
-
@johnpoz We own and manage our switch and other infrastructure (which is why they want to reduce their risk and move us out of the organization's internal network). I'm told that the two subnets are on the same VLAN. What we've been given is an RJ45 jack and told that it has two subnets on one VLAN. That cable has a gateway to the rest of the organization and the internet on 172.27.0.1 (this is what will soon go away) and the new ISP with a 35.x.x.x/29 subnet (and gateway to the internet).
-
@jgfoster said in Connect WAN and LAN on same switch?:
an RJ45 jack and told that it has two subnets on one VLAN.
Freaking idiots to be honest.. They have isolated nothing doing it that way.. Nothing!!
So this is transition only? After you're on the 35 network, the company network will be removed from the wire? That is ok then..
Not really how I would have done it - there should really be zero reason to get you your own firewall and internet to isolate you from the rest of the company.. They could have just put you on your own vlan and used whatever firewall they are currently using to isolate you from the company network.
-
@johnpoz Right, transition only; soon they will remove their gateway and leave us on a VLAN that talks only to the outside. They started down the path of "putting us outside" by getting the new ISP link—but instead of having it installed in our closet, they had it installed in their closet. Once the external fiber came in at their location they needed a way to get it to our location and just dumped it onto the existing VLAN. And, yes, I think the isolation could have been done entirely at their end, but my political capital has a negative balance right now (partly from having said so).
My challenge is to set up the NetGate so it takes 172.27.0.0/16 and routes it to 35.x.x.x—all on the same VLAN. Any advice on that? Plugging both WAN and LAN interfaces to the same VLAN seems to be causing problems. The current one is the LAN address doesn't respond to ping for the first ten seconds or so.
-
There are multiple ways to skin this cat really..
You could just plug this cable from them into your pfsense wan port.. Give it the 35 address.. Then create a vip on this interface for the company 172 network
Then come up with some other network 172.28.x/mask you want.. How many devices do you have? Would a /24 or /23 be enough?
This would be pfsense lan.. Now if your devices behind pfsense want to talk to the company 172.27 network you can just nat to the vip. If they want to talk to anything else, ie the internet then they would nat to your 35 address.
Once you're up and running and they take the company network off that wire.. just remove your vip and your outbound nat to that vip. Now everything will just go to the internet
This would really be a big bang sort of move - all your devices would have to move to this new network to work.. There would also be a way to slowly migrate over to your new network using your switch if it can do vlans.. The problem with no vlan for isolation is you can't really just turn up a dhcp on pfsense if its lan is connected in any way to the old corp network.. Without prob causing some issues.
There are for sure multiple ways to get transitioned over..
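The routing and NAT behaviour johnpoz lays out above (WAN holding the 35 address plus a 172.27 VIP, a new 172.28/24 LAN, outbound NAT to the VIP for company traffic and to the WAN address for everything else), together with viragomann's earlier point that a ping sourced from the LAN address still leaves via WAN and is NATed, modelled as an added Python example that is not part of this thread or of pfSense itself. The 35.0.0.0/29 block, the 172.27.1.2 VIP and 172.28.0.0/24 are constructed placeholders for the networks discussed.

```python
import ipaddress

# Constructed placeholders for the thread's networks (the real 35.x.x.x/29
# block is not given, so 35.0.0.0/29 stands in for it).
WAN_ADDR = ipaddress.ip_interface("35.0.0.2/29")       # pfSense WAN, ISP block
ISP_GATEWAY = ipaddress.ip_address("35.0.0.1")         # ISP gateway in that /29
COMPANY_VIP = ipaddress.ip_interface("172.27.1.2/16")  # Virtual IP on WAN
LAN_ADDR = ipaddress.ip_interface("172.28.0.1/24")     # new pfSense LAN

# Routing table as the FreeBSD kernel under pfSense would see it:
# (prefix, egress interface, next hop or None when the destination is on-link).
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "WAN", ISP_GATEWAY),
    (WAN_ADDR.network, "WAN", None),
    (COMPANY_VIP.network, "WAN", None),   # the VIP makes 172.27/16 on-link via WAN
    (LAN_ADDR.network, "LAN", None),
]

# Outbound NAT rules, first match wins: (source net, destination net, translate to).
NAT_RULES = [
    (LAN_ADDR.network, COMPANY_VIP.network, COMPANY_VIP.ip),           # corp -> VIP
    (LAN_ADDR.network, ipaddress.ip_network("0.0.0.0/0"), WAN_ADDR.ip),  # rest -> WAN
]

def route_lookup(dst, routes=ROUTES):
    """Longest-prefix match; returns (interface, next_hop)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, iface, gw in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, gw)
    return (best[1], best[2]) if best else (None, None)

def outbound_nat(src, dst, rules=NAT_RULES):
    """First matching outbound NAT rule decides the translated source address."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, translate in rules:
        if src in src_net and dst in dst_net:
            return translate
    return None

def forward(src, dst, routes=ROUTES, rules=NAT_RULES):
    """Egress interface, next hop and post-NAT source for one packet."""
    iface, gw = route_lookup(dst, routes)
    nat = outbound_nat(src, dst, rules)
    return {"iface": iface, "next_hop": str(gw) if gw else "on-link",
            "src_after_nat": str(nat) if nat else str(src)}

# After the company network leaves the wire: drop the VIP route and its NAT rule.
POST_TRANSITION_ROUTES = [r for r in ROUTES if r[0] != COMPANY_VIP.network]
POST_TRANSITION_NAT = NAT_RULES[1:]
```

Note that a packet sourced from pfSense's own LAN address (172.28.0.1) towards 8.8.8.8 is routed out WAN and translated exactly like a LAN host's, which is why the Diagnostics ping "from LAN" still works without a LAN gateway.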
-
@johnpoz Thanks. I'll start down that road and see how it goes...