PfSense to replace cisco router, sonicwall firewall, and wireless NAT router?
-
Hi,
I currently have a commercial connection with my ISP providing a pool of 6 public IP addresses.
It's currently configured like this:
Cable Modem
    |
Cisco 2500 Series Router
    |
Sonicwall Firewall
    |
Ethernet Switch
    |                     |
Public IP'd servers    Dlink Wireless NAT Router (with public IP on the WAN side)
                           |
                       Ethernet Switch
                           |
                       Workstation PC's (with private IP's 192.x.x.x)

Can pfSense replace this entire rat's nest of aging equipment? I would need, technically, I guess 3 interfaces...
Interface 1: WAN on ISP's network
Interface 2: LAN (still public IP's but routed to the WAN IP) Would pfSense do this routing??? I'm counting on the cisco 2500 series for this right now. There would be 3 servers with public IP's connected here
Interface 3: NAT'd LAN with DHCP assigning 192.x.x.x addresses. Anything plugged into this interface (through a switch) would get assigned an IP and NAT through. (I have 10 workstations in the house...)
I would also like to put a wireless card in the system, and have it act as a WAP and DHCP, NAT anything connected here (bridged with interface 3?)
I would need to have firewall rules to permit anything on interface 3 to have full access to interface 2, and certain ports (for services) to be permitted from interface 1 to servers connected on interface 2. I would also like to do some port forwarding so I can redirect say RDP on the WAN side to a NAT'd IP on interface 3.
My current setup works just fine, but the cisco and sonicwall are both old and I'm just waiting for the day they croak. I already have a server running vmware with plenty of NIC's and I was thinking it would be sweet to replace all that old hardware with a vm running something like pfSense, monowall, smoothwall, etc. I really like what I've seen of pfSense so far.
Can pfSense do all this? My understanding of routing is fairly limited. My cisco config is as follows:
Current configuration:
!
version 11.2
!
hostname xxxxxxxx
!
enable password xxxxxxxxxxxxxxxx
!
ip subnet-zero
no ip source-route
ip name-server xxxxxxxxxxx
!
interface Ethernet0
description xxxxxxxxxxxxxxxx
ip address xxxxxxxxxxxxx 255.255.255.224
no ip directed-broadcast
!
interface Ethernet1
description xxxxxxxxxxxxxxxx
ip address xxxxxxxxxxxxx 255.255.255.248
no ip directed-broadcast
!
interface Serial0
no ip address
shutdown
!
interface Serial1
no ip address
shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 xxxxxxxxxxxx

Thanks for reading,
-Rich
-
Yes pfSense can do this.
Does your ISP route these 6 IP's to the public IP of your WAN?
--> Is the WAN-IP in a different subnet than your public IP's for your servers?
-
> Yes pfSense can do this.
> Does your ISP route these 6 IP's to the public IP of your WAN?
> --> Is the WAN-IP in a different subnet than your public IP's for your servers?

Yes, per my understanding of what my ISP does, they route the 6 to the public IP of my router. Admittedly I'm not 100% sure on this as it's been years since I originally set it up.
My cisco router has 2 IP's and they are on different subnets. One of these IP's is on the same subnet as the servers. The other is not. I realized I obscured too much in the router config, and I'll paste it in again, with less obscured.
Current configuration:
!
version 11.2
!
hostname xxxxxxxxxxxxxxxxx
!
enable password xxxxxxxxxxxxxxxx
!
ip subnet-zero
no ip source-route
ip name-server xxx.xxx.xxx.xxx
!
interface Ethernet0
description xxxxxxxxxxxxxxxxxxxxxxxxxx
ip address xxx.229.80.xxx 255.255.255.224
no ip directed-broadcast
!
interface Ethernet1
description xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
ip address xxx.229.0.xxx 255.255.255.248
no ip directed-broadcast
!
interface Serial0
no ip address
shutdown
!
interface Serial1
no ip address
shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 xxx.229.80.xxx
-
Then I don't see any problems at all.
You might want to read this: http://forum.pfsense.org/index.php/topic,7001.0.html
because you will have to enable "advanced outbound NAT" for your routed public subnet.
-
> Then I don't see any problems at all.
> You might want to read this: http://forum.pfsense.org/index.php/topic,7001.0.html
> because you will have to enable "advanced outbound NAT" for your routed public subnet.

Anything I should know about running pfSense under VMware Server? I'm about ready to at least try pulling the trigger on this since it sounds doable.
Can you give me an overview of how I'd configure the routing in pfSense to get started?
Thanks soo much for all your help. 2 hours ago I was unsure what direction I wanted to go, but now I'm 100% sure I want to go with pfSense. The user contrib and activity on the forums here is exceptional (I've been reading through posts) :)
-Rich
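As an added example (not from this thread and not the pfSense project's own output), here is the three-interface design from the first post written out as a hand-written pf ruleset of the kind pfSense generates from its GUI settings. The interface names, the 203.0.113.0/29 and 192.168.1.0/24 networks, the RDP host address and the service ports are all assumed placeholders. The point it illustrates is the one the reply above makes: only the private LAN is translated, while the ISP-routed /29 is deliberately left out of the outbound NAT rule.

```pf
# Added example: hand-written pf ruleset sketching the three-interface layout
# discussed in this thread. pfSense builds its own rules from the web GUI, so
# this shows what those GUI settings amount to, not pfSense's actual rules.
# All interface names and addresses below are assumed placeholders.

wan_if  = "em0"                  # Interface 1: ISP side, carries the WAN IP
pub_if  = "em1"                  # Interface 2: ISP-routed public /29 for the servers
priv_if = "em2"                  # Interface 3: private, NAT'd workstation LAN

pub_net  = "203.0.113.0/29"      # placeholder for the routed /29 (6 usable addresses)
priv_net = "192.168.1.0/24"      # placeholder private LAN handed out by DHCP
rdp_host = "192.168.1.50"        # placeholder workstation reached via port forward

tcp_services = "{ 80, 443, 25 }" # assumed example ports exposed on the public servers

set skip on lo0

# Outbound NAT: ONLY the private LAN is rewritten to the WAN address.
# The public /29 must not appear in any nat rule: the ISP routes it to the
# WAN IP, so the servers' real addresses leave unchanged. This is what the
# "advanced outbound NAT" setting mentioned in the thread achieves in the GUI.
nat on $wan_if from $priv_net to any -> ($wan_if)

# Port forward: RDP arriving on the WAN address goes to one private workstation.
rdr on $wan_if proto tcp from any to ($wan_if) port 3389 -> $rdp_host port 3389

# Default deny on every interface; everything below is an explicit exception.
block all

# Interface 3 (private LAN): full access to the public servers and the Internet.
pass in on $priv_if from $priv_net to any keep state

# Interface 2 (public servers): the servers may initiate outbound connections.
pass in on $pub_if from $pub_net to any keep state

# Interface 1 (WAN): only the listed service ports may reach the public servers.
pass in on $wan_if proto tcp from any to $pub_net port $tcp_services keep state

# Let the port-forwarded RDP session in after rdr has rewritten the destination.
pass in on $wan_if proto tcp from any to $rdp_host port 3389 keep state

# Replies and forwarded packets leave via the state created by the pass-in rules.
pass out all keep state
```

Two things to check before building this for real: the ISP must actually route the /29 to the WAN address (the question asked earlier in the thread), and one of the six usable addresses in that /29 is consumed by pfSense's own address on interface 2, which becomes the servers' default gateway, leaving five for servers.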
-
I don't know much about running pfSense in VMware.
Try reading on the virtualisation forum:
http://forum.pfsense.org/index.php/board,37.0.html
But my general impression is: real hardware > virtual hardware.
The ALIX http://pcengines.ch/alix.htm might just be what you're looking for since it has a pretty low power consumption and enough power for most applications… as long as you don't want to route ~100 Mbit.
Here are some sizing numbers: http://www.pfsense.org/index.php?option=com_content&task=view&id=52&Itemid=49

To get started follow the link I posted above.
I put together there where the tutorials and docs are.

You could try the liveCD on an old computer you might have lying around without installing pfSense to get a feeling for it.
It's pretty much self-explaining.
-
It looks like I may run into some issues with trying to get wireless to work under vmware as well...
My main goals here are to have a solution more serviceable/replaceable than the current 3 devices, lower power consumption, and not spending any money :)
I have plenty of old hardware lying around so I guess the next step is determining how much juice an old PC draws in comparison to the cisco, sonicwall, and dlink together.
-Rich
-
Probably more.
Unless it's a Laptop ;)
Disable the display, replace the HDD with a CF card, plug in a PCMCIA NIC and you should have a ~20-30 W router.
-
Maybe, maybe not... I know the cisco and the sonicwall are drawing a fair amount... the cisco is ancient and power-hungry :)
I have a fluke clamp meter so I'll plug em all into the same strip and see how many amps they're drawing and compare to a single-core low-spec pc. I'd be willing to accept a small increase in amperage for the peace of mind that if there's a hardware failure it can be repaired/replaced. The current cisco and sonicwall are essentially unserviceable and costly to replace.
-Rich
-
Hey guys,
Just wanted to let you know I did end up building a box:
http://forum.pfsense.org/index.php/topic,12270.0.html
and finally got it working:
http://forum.pfsense.org/index.php/topic,12286.0.html
The box is now in production, and replaced the cisco router, sonicwall firewall, and dlink NAT router successfully. Plain and simple, pfSense rocks!
-Rich