SG-1000 install and IP address range
-
Hi,
I have a new SG-1000 firewall for home which I'm keen to start using but would appreciate a little help. According to the Setup Guide the SG-1000 needs to use 192.168.1.1, which is currently my Gateway address on the router, DHCP is on and the range is 192.168.1.2 to 254. I have only one PC wired into the router and then a bunch of wireless devices.
What would people suggest changing the Gateway address and IP range to? (I know it's a bit of a simple question, but I've got to start somewhere!).
Thanks, in advance.
-
The SG-1000 is a router itself. Why aren't you replacing your existing router with the SG-1000?
-
Ah, excuse me - I think where I put router, I meant modem.
From the Setup Guide:
"The basic firewall configuration begins with connecting the pfSense appliance to the Internet. Neither the modem nor the pfSense appliance should be powered up at this time.
Establishing a connection to the Internet Service Provider (ISP) starts with connecting one end of an ethernet cable to the WAN port (shown in the I/O Ports section) of the pfSense appliance.
"The default LAN subnet on the firewall is 192.168.1.0/24. The same subnet cannot be used on both WAN and LAN, so if the subnet on the WAN side of the firewall is also 192.168.1.0/24, disconnect the WAN interface until the LAN interface has been renumbered to a different subnet.
"The opposite end of the same ethernet cable should be inserted in to the LAN port of the ISP-supplied modem. The modem provided by the ISP might have multiple LAN ports. If so, they are usually numbered. For the purpose of this installation, please select port 1.
"Connect one end of the second ethernet cable to the LAN port (shown in the I/O Ports section) of the pfSense appliance. Connect the other end to the network connection on the computer. In order to access the web configurator, the PC network interface must be set to use DHCP, or have a static IP set in the 192.168.1.x subnet with a subnet mask of 255.255.255.0. Do not use 192.168.1.1, as this is the address of the firewall, and will cause an IP conflict."
Doesn't this all mean that I need to renumber the LAN subnet?
Thanks again.
-
It would be much better if you could flip your modem to bridge mode where it acts as a simple conduit from the Internet to whatever is behind it. I assume this is one of those all-in-one units that has the modem, a switch and a Wifi AP built-in?
"Doesn't this all mean that I need to renumber the LAN subnet?"
Yes. pfSense LAN will have to be a different subnet. Try 192.168.2.1. Really, it can be anything in private IP space as long as it doesn't overlap with your pfSense WAN (192.168.1.0/24).
-
Thanks very much KOM, it is an all-in-one unit, but that's part of the bigger picture of replacing bits as I work things out.
Cheers.
-
A better solution would have a simple modem in bridge mode, the SG-1000 acting as real WAN/LAN firewall, a switch on the LAN port, and a wifi AP plus any hardwired PCs plugged into the switch. Right now you have what's called a double-NAT configuration, as the traffic has to be translated twice each way. This usually isn't a problem for normal Internet use, but you will have a tremendous hassle if you need to forward some ports to allow any servers to be accessed from the Internet.
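Added example, not part of the original thread: a Python check of the two points raised in the replies above, namely that the pfSense LAN must not overlap the WAN subnet, and that a private (or carrier-grade NAT) WAN address means the firewall sits behind another NAT. The function names and the sample WAN address are assumptions made for illustration.

```python
import ipaddress

# RFC 1918 private ranges, plus RFC 6598 carrier-grade NAT space.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def check_lan(wan_if, lan_if):
    """Return a list of problems with a proposed LAN interface address.

    Both arguments are interface addresses in CIDR form, e.g. "192.168.2.1/24".
    """
    wan = ipaddress.ip_interface(wan_if)
    lan = ipaddress.ip_interface(lan_if)
    problems = []
    if lan.network.overlaps(wan.network):
        problems.append(f"LAN {lan.network} overlaps WAN {wan.network}")
    if not any(lan.network.subnet_of(p) for p in RFC1918):
        problems.append(f"LAN {lan.network} is not in private IP space")
    if lan.ip in (lan.network.network_address, lan.network.broadcast_address):
        problems.append(f"{lan.ip} is not a usable host address in {lan.network}")
    return problems


def behind_upstream_nat(wan_if):
    """True when the WAN address is private or CGNAT: an upstream device is doing NAT."""
    ip = ipaddress.ip_interface(wan_if).ip
    return ip in CGNAT or any(ip in p for p in RFC1918)


def suggest_lan(wan_if, prefix=24):
    """Gateway address in the first 192.168.x.0 subnet that does not overlap the WAN."""
    wan = ipaddress.ip_interface(wan_if).network
    for net in ipaddress.ip_network("192.168.0.0/16").subnets(new_prefix=prefix):
        if not net.overlaps(wan):
            return f"{net.network_address + 1}/{prefix}"
    raise ValueError("no free subnet in 192.168.0.0/16")


if __name__ == "__main__":
    wan = "192.168.1.2/24"  # constructed: WAN lease handed out by the all-in-one unit
    print(check_lan(wan, "192.168.1.1/24"))  # pfSense default LAN: overlaps the WAN
    print(check_lan(wan, "192.168.2.1/24"))  # renumbered LAN from the thread: no problems
    print(behind_upstream_nat(wan), suggest_lan(wan))
```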
-
Hi KOM, many thanks again for the advice.
So maybe a Draytek 130 modem into the SG-1000, then a switch (for the wired stuff) and a Ubiquiti wireless AP?
Any recommendations on the switch?
Many thanks.
-
How many switchports do you need?
The Cisco Small Business stuff, like SG300-10, -20 or -28, is considered capable and price worthy in here.
I wouldn't use a PoE switch to power a single AccessPoint but use a PoE injector instead.
A cheaper switch that might fit is TP-Link TL-SG3210.
Personally I'd stay away from everything with a Netgear sticker on it.