Newbie Network Setup
-
Hi,
I'm still a newbie with pfsense and I'd like to ask help from you guys.
Currently this is our setup. Everything is working. Now management decided to put in a firewall so this is our planned setup. Forgive the quality of the images hehe
We installed pfsense and configured the following:
LAN IP - 192.168.1.7
WAN IP - DHCP enabled
In the WAN interface we plugged the connection coming from the router.
In the LAN interface we connected it to our local switch. With that, we were able to access the webGui through 192.168.1.7 and configured the Firewall to permit LAN any.
Now our problem is with the WAN interface. Our pfsense box doesn't have internet connection. Also what should we set in our host IP address for it to pass through pfsense?
We plan on setting up our pfsense box as a firewall only since we already have a router.
Any violent feedback or comment is appreciated. I am still new at this and I'm willing to learn and accept what opinion, suggestion or criticism you'll give me. Thank you so much for the help in advance! :)
-
LAN IP - 192.168.1.7
WAN IP - DHCP enabled
In the WAN interface we plugged the connection coming from the router.
In the LAN interface we connected it to our local switch. With that, we were able to access the webGui through 192.168.1.7 and configured the Firewall to permit LAN any.
Now our problem is with the WAN interface. Our pfsense box doesn't have internet connection. Also what should we set in our host IP address for it to pass through pfsense?
Since you have enabled DHCP on WAN (I presume you mean the IP address of the WAN interface is to be assigned by DHCP rather than you want a DHCP server operating on the WAN interface) the IP address should be supplied by the CISCO. Is it correctly configured to do that?
Is the physical link between the CISCO and pfSense up and running? If not, you might need a cross over cable between those two boxes.
We plan on setting up our pfsense box as a firewall only since we already have a router.
Unless there is something you haven't told us, I can't see the value in retaining the CISCO - it just adds complexity (two boxes to configure and manage instead of one). pfSense is a perfectly good router AND firewall.
I presume in the existing setup, the CISCO acts as a DHCP server for the desktops. I'd have pfSense act as DHCP server for the Desktop clients. Normally the clients will get their default gateway when their address is assigned by DHCP.
-
If, as suggested above, your cisco is your LAN's dhcp server, your desktops will not get a lease through your pfsense box.
Are your desktops configured to use the pfsense as their gateway?
I agree with above… ditch the cisco.
-
Thanks for the help guys! Appreciate it.
Since you have enabled DHCP on WAN (I presume you mean the IP address of the WAN interface is to be assigned by DHCP rather than you want a DHCP server operating on the WAN interface) the IP address should be supplied by the CISCO. Is it correctly configured to do that?
Yes you are right regarding the DHCP part on WAN and yes our cisco 2800 router has been configured correctly to do that. Would it be better if I just assign the WAN port with a static address?
Is the physical link between the CISCO and pfSense up and running? If not, you might need a cross over cable between those two boxes.
No not yet. I will try your suggestion and give you a feedback asap.
Unless there is something you haven't told us, I can't see the value in retaining the CISCO - it just adds complexity (two boxes to configure and manage instead of one). pfSense is a perfectly good router AND firewall.
Aside from the fact that the company is trying to find a way to save its investment with the cisco 2800 series, as you all know they don't come cheap, then no, I have told you everything that you need to know about the router. :D
I presume in the existing setup, the CISCO acts as a DHCP server for the desktops. I'd have pfSense act as DHCP server for the Desktop clients. Normally the clients will get their default gateway when their address is assigned by DHCP.
Say if I were to ditch our cisco router then just use the pfsense box. Should I assign a public ip given by our ISP to the WAN interface on the pfsense box and enable DHCP on the LAN interface to make things work? Sorry for the hassle but I would really like to test everything you guys said and unfortunately for me our internet connection/router is used almost 24/7 and the only time I can actually test the pfsense setup and remove the router is on a Sunday. Hope you understand guys… My company is in the BPO business so please bear with me ;)
Thank you so much!
-
Ok, so as it stands, the 'LAN' side of your Cisco Router is in the range 192.168.1.xxx, the same as the LAN side of the pfSense.
To keep the cisco router in place, you need to configure a different subnet between the Cisco and pfSense box, such as 10.10.1.xxx. Then set up DHCP on the LAN side of the pfSense, ensuring that it is pointing to the pfSense LAN IP for the client gateway.
How happy are you with reconfiguring a cisco router?
Taking the cisco router out of the equation…
If the modem is set up in bridged mode (and not as a router), you could plug it into the WAN side of pfSense, set the WAN interface to DHCP and the IP assigned by your ISP will appear on the WAN of the pfSense. Again set up DHCP on LAN interface accordingly.
-
How happy are you with reconfiguring a cisco router?
Not too happy but what you suggested is doable but then again everything has to be tested first before I can give an accurate feedback on this.
Taking the cisco router out of the equation…
If the modem is set up in bridged mode (and not as a router), you could plug it into the WAN side of pfSense, set the WAN interface to DHCP and the IP assigned by your ISP will appear on the WAN of the pfSense. Again set up DHCP on LAN interface accordingly.
Great suggestion! The hosts' gateway in our network is 192.168.1.1 so that should be assigned to pfsense LAN IP right? Correct me if I'm wrong but basically you're suggesting that I enable DHCP server on pfsense LAN side and configure all the hosts in our network to point to pfsense as gateway and make it act as an Internet Gateway/Firewall on our network. Right?
Thank you for your help Gob! :D
-
Yes, that's correct.
For simplicity in testing, configure pfSense as above and then swap the two cables from the Cisco router into the pfSense box. Easy to swap back then if you break something ;-)
-
Here's the result of our testing.
I ditched the cisco router and plugged in the modem to the WAN interface with DHCP enabled. Second, assigned LAN interface to 192.168.1.1 and connected it to the switch. I was able to access pfsense through the webGUI but I didn't have internet connection. I tried bridging the two interfaces to see if it works but it still doesn't have internet connection. I already assigned the proper DNS for our ISP accordingly but it still didn't work. Is there something wrong with the Firewall Rule or something? Thanks!
Here is what it says in the Log on pfsense. Hope this helps!
Time If Source Destination Proto
May 9 15:12:07 WAN 206.169.171.56 192.168.1.2 ICMP
May 9 15:12:08 WAN 206.169.171.56 192.168.1.3 ICMP
May 9 15:12:08 WAN 206.169.171.56 192.168.1.4 ICMP
May 9 15:12:08 WAN 115.39.59.224:1197 121.96.47.111:445 TCP:S
May 9 15:12:11 WAN 69.94.226.146 192.168.1.2 ICMP
May 9 15:12:12 WAN 87.116.230.131:1042 121.96.47.120:445 TCP:S
May 9 15:12:12 WAN 69.94.226.146 192.168.1.3 ICMP
May 9 15:12:12 WAN 69.94.226.146 192.168.1.4 ICMP
May 9 15:12:15 WAN 87.116.230.131:1042 121.96.47.120:445 TCP:S
May 9 15:12:17 WAN 17.149.36.102:5223 192.168.1.2:51262 TCP:P
May 9 15:12:18 WAN 206.169.171.56 192.168.1.2 ICMP
May 9 15:12:19 WAN 206.169.171.56 192.168.1.3 ICMP
May 9 15:12:19 WAN 206.169.171.56 192.168.1.4 ICMP
May 9 15:12:22 WAN 69.94.226.146 192.168.1.2 ICMP
May 9 15:12:23 WAN 69.94.226.146 192.168.1.3 ICMP
May 9 15:12:23 WAN 69.94.226.146 192.168.1.4 ICMP
May 9 15:12:28 LAN 192.168.1.250:3528 192.168.1.4:22 TCP:A
May 9 15:12:29 WAN 206.169.171.56 192.168.1.2 ICMP
-
My gut feeling is that the modem may actually be set up as a router, possibly without dhcp. Have you tried plugging a workstation/laptop straight into the modem? Do you get an ip address allocated? Can you access internet?
You could check the wan configuration on the cisco and replicate that on pfsense.
-
I have the same speculation as well since when I checked the WAN Interface status, it doesn't have any IP, subnet mask or gateway assigned to it but the connection and DNS is up. I will have to try it again tomorrow.
I also checked the cisco configuration and found out that there are two Public IP address assigned to the WAN interface of the cisco router.
Here is what it looked like.
Fa0/1 (WAN)
ip address 121.96.xx.xxx 255.255.255.224 secondary
121.96.xx.xxx 255.255.255.252
ip nat included
I tried setting up the WAN int of pfsense to static IP but what I don't get is what to put in the Gateway portion after the Static IP.
Any help would be appreciated. :)
-
Look on the cisco for the route statements. The gateway should be listed there.
As for the second IP, you probably don't need that as they have it. You may be able to get by using that as a Virtual IP and not directly assigned.
-
Okay jimp! I'll try that later and I'll give you a feedback asap!
Thanks buddy!! ;)
-
Holy Smokes! It worked!!!
Gob was right with our modem. It was acting as a router with no dhcp enabled so I followed jimp's advice and everything is working now!
Thanks so much guys for all the help!!!
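
One way to triage the firewall log posted earlier in this thread, added here as an example and not part of any poster's message: it flags entries that arrived on WAN but are addressed to the LAN subnet, and connection attempts from outside. The /24 mask, the category names and the helper functions are assumptions of this example.

```python
import ipaddress
import re
from collections import Counter

# LAN subnet used in the thread; the /24 mask is an assumption of this example.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")

# Header plus five lines taken from the firewall log posted in the thread.
SAMPLE_LOG = """\
Time If Source Destination Proto
May 9 15:12:07 WAN 206.169.171.56 192.168.1.2 ICMP
May 9 15:12:08 WAN 115.39.59.224:1197 121.96.47.111:445 TCP:S
May 9 15:12:12 WAN 87.116.230.131:1042 121.96.47.120:445 TCP:S
May 9 15:12:17 WAN 17.149.36.102:5223 192.168.1.2:51262 TCP:P
May 9 15:12:28 LAN 192.168.1.250:3528 192.168.1.4:22 TCP:A
"""

LINE_RE = re.compile(r"^\w{3}\s+\d+\s+[\d:]+\s+(\w+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def split_endpoint(endpoint):
    """Split 'ip' or 'ip:port' (IPv4 only) into (address, port or None)."""
    host, _, port = endpoint.partition(":")
    return ipaddress.ip_address(host), int(port) if port else None

def parse(log):
    """Yield one dict per entry; the header and unparsable lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        iface, src, dst, proto = m.groups()
        (src_ip, _), (dst_ip, dport) = split_endpoint(src), split_endpoint(dst)
        yield {"if": iface, "src": src_ip, "dst": dst_ip,
               "dport": dport, "proto": proto}

def classify(entry):
    """Hypothetical triage categories for one logged packet."""
    if entry["if"] == "WAN" and entry["dst"] in LAN_NET:
        return "lan-address-on-wan"  # LAN addressing is visible on the WAN wire
    if entry["if"] == "WAN" and entry["proto"] == "TCP:S" and entry["dst"].is_global:
        return "inbound-syn"         # connection attempt from outside
    return "other"

def summarize(log):
    """Return (Counter of categories, sorted ports hit by inbound SYNs)."""
    entries = list(parse(log))
    cats = Counter(classify(e) for e in entries)
    ports = sorted({e["dport"] for e in entries if classify(e) == "inbound-syn"})
    return cats, ports
```

Calling `summarize()` on a full export of the log gives the per-category counts and the list of ports that outside hosts tried to open.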