Cisco > PFsense > Switches
-
I am more comfortable with pfSense than Cisco; that's why I understand that it is better to replace the Cisco with pfSense, and that's what I am aiming for now.
I am not a Cisco guy; I only know some basic configurations. I just want to know this setup, for me to present it to my boss as an alternative.
He prefers to use Cisco because we have been using it for years, and he doesn't want to throw it away for good.
-
What is the Cisco device?
-
Hello johnpoz,
I am using a Cisco 1841 router. Looking forward to your reply. Thank you.
-
Zero reason to keep that 1841 in the path unless it is terminating T1s or something.
-
Yeah, I understand. But hopefully, someone can help me to configure it along with pfSense. :'(
-
What is there to configure?? Just double NAT your setup and away you go.. Really it's like 2 minutes and you're done.. Prob want to put the pfSense WAN IP in the DMZ host or whatever so you don't have to forward ports inbound on both. But if it's a corp setup, it's rare there are inbound port forwards, etc.
Why do you want to keep DHCP on the router, and what routing?? Your NAT to the public internet? Do you have more than 1 public IP? Do you have services behind that need to be accessed by the public internet?
There is like zero reason to keep a 1841 when you have pfSense, unless as mentioned you're terminating some type of connection that you cannot do on pfSense. The 1841 has been EOL for quite some time, and pretty sure OCT of this year is END of HW support even.. Why would you be keeping it??
-
Thanks, Johnpoz.
Where should I set up the DMZ? On the Cisco or on the pfSense?
What I mean about routing is the assigning of IP addresses. I want the DHCP on the Cisco router so everything will be handled by the Cisco.
As of now, I am working on the 1841 router, but once I can successfully integrate the pfSense captive portal on the Cisco network, this would be applied to other Cisco routers as well.
We are providing internet to our clients, and we have plenty of networks operating in other areas which have been working for several years.
We want to use the pfSense captive portal in providing hotspots to some of our clients.
-
Well, you can set up DHCP relay on the pfSense. But again those 1841s are EOL.. Your plan should be removing them, not continued use of them. Or replace them with current Cisco models.
-
Yes, we should replace it with current Cisco models.
Btw, it seems that the DHCP relay is not working.. I enabled the DHCP relay on the LAN interface and my destination server is 172.16.1.1
I can get the IP address and connect to the internet, when directly connecting to the Cisco.
I can ping cisco router from pfsense and vice versa.
Below is my Cisco configurations:
Router(config)#ip routing
Router(config)#config-register 0x2102
Router(config)#interface FastEthernet0/0
Router(config-if)#description Outside World
Router(config-if)#ip address 23.42.53.24 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#interface FastEthernet0/1
Router(config-if)#description Internal LAN
Router(config-if)#ip address 172.16.1.1 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#ip route 0.0.0.0 0.0.0.0 23.42.53.1
Router(config)#end
Router# configure terminal
Router(config)# service dhcp
Router(config)# ip dhcp pool TEST-Pool
Router(dhcp-config)# network 172.16.1.0 255.255.255.0
Router(dhcp-config)# default-router 172.16.1.1
Router(dhcp-config)# dns-server 172.16.100.50 172.16.100.51
Router(dhcp-config)# domain-name test.mydomain.com
Router(dhcp-config)# exit
Router(config)# ip dhcp excluded-address 172.16.1.1
Router(config)# access-list 15 permit 172.16.1.0 0.0.0.255
Router(dhcp-config)# exit
-
It doesn't work that way dude.. You can have your DHCP server hand out an IP for the network you're coming from.. But you cannot put the WAN network on clients behind pfSense.
cisco --- 172.16.1/24 --- pfsense --- 192.168.0/24 --- pc
So you can set up multiple scopes/pools for the Cisco to hand out say 192.168.0.x, but if you hand the PC a 172.16 address, no, it's not going to work.
Let's go over this again.. Your 1841s are EOL, you want to start using pfSense.. Why would you not just use pfSense where your 1841s are? Control everything with pfSense. What feature ties you to Cisco?? Makes no sense to put pfSense behind your 1841.. Just replace the 1841s.
-
Thanks for the inputs, Johnpoz.
We have Cisco ASR1001 and Cisco ASR1002 in the field, and I am using the 1841 for testing purposes.
As much as possible, we will be keeping these devices on the networks and are planning to purchase an SG-4860 pfSense for the captive portal services.
If it's not possible to use DHCP relay on pfSense, do you have any other recommendations on how to integrate pfSense into our network other than replacing the Cisco router with pfSense?
Thanks again.
-
It is possible to use relay on pfSense.. Your DHCP server just has to set up the pools to provide the correct address space..
So you're going to purchase an SG-4860 just for captive portal? And still maintain your Cisco cost as well? Sure seems a pointless waste of money to me.. And complexity for no reason.
-
Thanks for your time johnpoz!
Yes, I understand that having pfSense and Cisco together is not a good idea. But for now, please help me integrate pfSense with the Cisco router.
With my Cisco configuration, what do I need to add/change for the DHCP relay to work?
Router(config)#ip routing
Router(config)#config-register 0x2102
Router(config)#interface FastEthernet0/0
Router(config-if)#description Outside World
Router(config-if)#ip address 23.42.53.24 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#interface FastEthernet0/1
Router(config-if)#description Internal LAN
Router(config-if)#ip address 172.16.1.1 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#ip route 0.0.0.0 0.0.0.0 23.42.53.1
Router(config)#end
Router# configure terminal
Router(config)# service dhcp
Router(config)# ip dhcp pool TEST-Pool
Router(dhcp-config)# network 172.16.1.0 255.255.255.0
Router(dhcp-config)# default-router 172.16.1.1
Router(dhcp-config)# dns-server 172.16.100.50 172.16.100.51
Router(dhcp-config)# domain-name test.mydomain.com
Router(dhcp-config)# exit
Router(config)# ip dhcp excluded-address 172.16.1.1
Router(config)# access-list 15 permit 172.16.1.0 0.0.0.255
Router(dhcp-config)# exit
-
You would have to create another pool for your dhcp server on your cisco.
http://www.cisco.com/c/en/us/td/docs/ios/12_2/ip/configuration/guide/fipr_c/1cfdhcp.html
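
Why the relay fails with only TEST-Pool, and why a second pool fixes it, shown as an added example (not from any poster in this thread, and a model of pool selection rather than Cisco IOS code). The pool name PFSENSE-LAN and the pfSense LAN address 192.168.0.1 are assumptions; the packets are constructed, not captured.

```python
import ipaddress
import struct

# BOOTP/DHCP fixed header (RFC 2131): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128) = 236 bytes
BOOTP_HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")

CISCO_LAN_IF = "172.16.1.1"                      # FastEthernet0/1 on the page
PAGE_POOLS = {"TEST-Pool": "172.16.1.0/24"}      # the only pool in the posted config
# Assumption: extra pool (hypothetical name) covering the network behind pfSense
FIXED_POOLS = {**PAGE_POOLS, "PFSENSE-LAN": "192.168.0.0/24"}


def build_discover(giaddr="0.0.0.0", hops=0):
    """Constructed DHCPDISCOVER fixed header; a relay fills in giaddr and hops."""
    zero = bytes(4)
    mac = bytes.fromhex("020000000001").ljust(16, b"\0")
    return BOOTP_HEADER.pack(1, 1, 6, hops, 0x1234ABCD, 0, 0, zero, zero, zero,
                             ipaddress.IPv4Address(giaddr).packed,
                             mac, bytes(64), bytes(128))


def giaddr_of(packet):
    """Extract the relay agent address (giaddr) from the fixed header."""
    if len(packet) < BOOTP_HEADER.size:
        raise ValueError("truncated BOOTP header")
    fields = BOOTP_HEADER.unpack(packet[:BOOTP_HEADER.size])
    return ipaddress.IPv4Address(fields[10])


def select_pool(packet, receiving_if, pools):
    """Return the name of the pool a server would allocate from, or None."""
    giaddr = giaddr_of(packet)
    # Relayed request: subnet is chosen by giaddr; otherwise by the arrival interface
    key = giaddr if int(giaddr) != 0 else ipaddress.IPv4Address(receiving_if)
    for name, network in pools.items():
        if key in ipaddress.ip_network(network):
            return name
    return None


if __name__ == "__main__":
    direct = build_discover()                               # PC plugged into the Cisco
    relayed = build_discover(giaddr="192.168.0.1", hops=1)  # PC behind pfSense relay
    print("direct, page config :", select_pool(direct, CISCO_LAN_IF, PAGE_POOLS))
    print("relayed, page config:", select_pool(relayed, CISCO_LAN_IF, PAGE_POOLS))
    print("relayed, second pool:", select_pool(relayed, CISCO_LAN_IF, FIXED_POOLS))
```

Per RFC 2131 the server sends its reply to the giaddr, so the Cisco also needs a route back to 192.168.0.0/24 via pfSense's address on 172.16.1.0/24.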