SG-3100 As Perimeter Firewall and VPN Appliance



  • We have a simple SMB-SOHO network setup and it's been working great for years. It is as follows:
    ISP(modem in bridge mode)(lan) --> (wan)Cisco SMB router(lan) --> (lan)switch(lan) --> WAP+devices

    The Cisco router was serving as the firewall and VPN appliance. However, it has limitations that we have outgrown. Thus, I'd like to keep the network setup as follows because of all the VLAN setups, DHCP, the VoIP behind it, ACLs, etc., but add in the SG-3100 we just bought as a perimeter firewall and VPN appliance. So would it look like this?

    ISP(modem in bridge mode)(lan) --> (wan)SG-3100(lan) --> (wan)Cisco SMB router(lan) --> (lan)switch(lan) --> WAP+devices

    Or like this?

    ISP(modem in bridge mode)(lan) --> (wan)SG-3100(lan) --> (lan)Cisco SMB router(lan) --> (lan)switch(lan) --> WAP+devices

    Note I'm not sure if I need to connect the WAN port or LAN port of the Cisco router to the LAN port of the SG-3100.
    Also, I'm not sure how to configure the SG-3100 pfSense settings to avoid double-NAT'ing. I just want it to serve as the VPN appliance into the internal network, but also act as the external firewall.

    I am new to pfSense and have been reading the documentation, but figure someone has already figured this out.

    Thank you.



  • Well, you definitely want the SG-3100 connected to the LAN side of the Cisco device. Beyond that, I cannot say what would work best. What model of Cisco SMB do you have? Is the switch a manageable device?



  • The Cisco is the RV320. The switch is managed, yes.



  • More than one way, I suppose.

    If you want to keep the Cisco, just go with your 2nd plan. May need to configure a trunk/uplink port on the Cisco for the SG-3100.

    If you want to get rid of the Cisco, you'd have to directly connect the switch to the SG-3100 and configure all the VLANs there.

    Perhaps some other folks can chime in with their experiences and/or recommendations.