Access to WAN-Side switch from LAN-side devices through the firewall

  • Hi, any advice on configuring access to a WAN-side switch from LAN-side devices through the firewall for a Multi-WAN on a stick setup would be much appreciated!!!

    Here's what's got me stumped:

    Today I have a Multi-WAN on a stick configuration working perfectly with a managed switch, but the WAN traffic is on the same switch that carries the LAN traffic.

    This works fine, and I have configured the switch to isolate the WAN VLANs from the LAN VLANs such that all communication between WAN and LAN is required to pass through the pfSense firewall/router. Each WAN provider is also on its own VLAN, with a single trunk running to the pfSense WAN port, so the traffic among the WANs should also be isolated from one another.

    However, I don't like the risk of having the WAN and LAN networks on the same switch. If the switch somehow gets reset to default configuration, the WAN and LAN will have unlimited access to each other, and anytime the LAN-side switch is rebooted, pfSense loses connectivity to all the WANs.

    Since I already have this setup, I can move the Multi-WAN configuration part to a separate switch, but the configuration step that has me stumped is how to communicate with the WAN-side switch from the LAN through the firewall. The setup I have today has the LAN-side switch fundamentally connected to the LAN, which makes it configurable via the management VLAN from LAN-side devices.

    If I configure the WAN-side switch to have a separate VLAN for management, and then connect the management port via an Ethernet cord into my LAN-side switch, then I effectively still have the setup I have today, with the same risks, except that the WAN won't drop when I reboot the original LAN-side switch.

    The problem that I am not able to get my mind around is that to access the WAN-side switch, the switch itself has to have an IP address and a gateway. My LAN-side switches get their IP addresses and gateway via DHCP from pfSense.

    I was thinking to solve this, that I could assign the WAN-side switch a static IP address in the RFC1918 (non-public) range that has a different subnet from any of my LAN subnets, and then configure the firewall rules to allow me to access that specific IP address through the firewall. I do this type of configuration today to access one of my WAN configuration pages, since that is an LTE WAN provider, and the service provider uses Carrier-grade NAT to assign an RFC1918 WAN address.

    This setup works fine to access that LTE WAN web configuration page via the LAN > pfSense, but the LTE WAN modem/router also provides a gateway address that I use to access that page.

    The problem that I obviously don't know enough to solve is:
    The contemplated WAN-side switch that I will use is currently only configured as a switch, so I'm not sure how I would access the switch at all once I set the configuration for the Multi-WAN VLANs. If I assign the WAN-side switch a static IP address, it is still missing a gateway.

    Does anyone have any advice on how to set up this WAN-side switch so I can manage it via a device on the LAN through pfSense, without connecting that WAN-side switch to the LAN-side switches?

    Do I need a WAN-side switch that has some built-in routing capability so that the switch itself provides a gateway and IP or something, and if so would something like a Netgear GS108Tv3 have this capability?

    Thanks in advance for any help, I would really appreciate it!!
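As an added example (not part of the post above, and not pfSense's or Netgear's own code), here is a small Python script that checks the addressing plan the poster sketches: a dedicated management VLAN on the WAN-side switch, a static RFC1918 address on that switch in a subnet that does not overlap any LAN subnet, the pfSense interface address on that VLAN as the switch's gateway, and LAN-side firewall rules that only pass traffic to that one address on the management ports. The subnets, addresses, port list and the assumption that pfSense owns an interface on the management VLAN are all constructed for the example; `MgmtPlan`, `check_plan`, `switch_next_hop` and `lan_pass_rules` are hypothetical names.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List

# The three RFC1918 blocks; used instead of ipaddress.is_private, which also
# covers documentation and other special-purpose ranges.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class MgmtPlan:
    """Addressing plan for reaching a WAN-side switch's management VLAN through pfSense.

    Assumption (hypothetical): pfSense carries the management VLAN on a tagged
    interface and owns gateway_ip on it. All values are constructed for this example.
    """
    lan_subnets: List[str]          # LAN subnets that must stay separate from management
    mgmt_subnet: str                # dedicated management VLAN subnet
    gateway_ip: str                 # pfSense address on the management VLAN
    switch_ip: str                  # static address configured on the switch
    mgmt_ports: List[int] = field(default_factory=lambda: [22, 443])  # SSH / HTTPS


def check_plan(plan: MgmtPlan) -> List[str]:
    """Return a list of problems; an empty list means the plan is internally consistent."""
    problems: List[str] = []
    mgmt = ipaddress.ip_network(plan.mgmt_subnet, strict=True)
    gw = ipaddress.ip_address(plan.gateway_ip)
    sw = ipaddress.ip_address(plan.switch_ip)

    if not any(mgmt.subnet_of(block) for block in RFC1918):
        problems.append(f"{mgmt} is not inside an RFC1918 range")
    for s in plan.lan_subnets:
        lan = ipaddress.ip_network(s, strict=True)
        if mgmt.overlaps(lan):
            problems.append(f"management subnet {mgmt} overlaps LAN subnet {lan}")
    # The switch needs a gateway only to reply to hosts outside its own subnet,
    # and that gateway must be on-link, i.e. an address inside the management subnet.
    if gw not in mgmt:
        problems.append(f"gateway {gw} is not inside {mgmt}; the switch cannot reach it")
    if sw not in mgmt:
        problems.append(f"switch address {sw} is not inside {mgmt}")
    elif sw in (mgmt.network_address, mgmt.broadcast_address):
        problems.append(f"switch address {sw} is the network or broadcast address")
    if gw == sw:
        problems.append("gateway and switch address collide")
    return problems


def switch_next_hop(plan: MgmtPlan, destination: str) -> str:
    """Where the switch sends a packet: directly if the destination is on its own
    subnet, otherwise to its gateway (pfSense), which is why a management station
    on the LAN can only be reached when the switch has a gateway configured."""
    mgmt = ipaddress.ip_network(plan.mgmt_subnet, strict=True)
    dst = ipaddress.ip_address(destination)
    return str(dst) if dst in mgmt else plan.gateway_ip


def lan_pass_rules(plan: MgmtPlan) -> List[Dict[str, object]]:
    """Minimal LAN-interface pass rules: each LAN subnet may reach only the switch's
    management address on the management ports. Everything else toward the
    management VLAN is left to the default deny."""
    return [
        {"interface": "LAN", "action": "pass", "proto": "tcp",
         "src": lan, "dst": plan.switch_ip, "dport": port}
        for lan in plan.lan_subnets
        for port in plan.mgmt_ports
    ]


if __name__ == "__main__":
    # Constructed plan: two LAN subnets, a /29 management VLAN for the switch.
    plan = MgmtPlan(
        lan_subnets=["192.168.1.0/24", "192.168.10.0/24"],
        mgmt_subnet="10.250.250.0/29",
        gateway_ip="10.250.250.1",
        switch_ip="10.250.250.2",
    )
    for problem in check_plan(plan) or ["plan is consistent"]:
        print(problem)
    print("reply to 192.168.1.50 goes via", switch_next_hop(plan, "192.168.1.50"))
    for rule in lan_pass_rules(plan):
        print(rule)
```

The script does not talk to pfSense or the switch; it only makes the reasoning explicit: the switch's static address and its gateway must share the management subnet, that subnet must be distinct from every LAN subnet so pfSense can route between them, and the LAN-side rules should name the single switch address and ports rather than the whole management VLAN.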
