want to add netgate sg1100 to network that already has a router

General pfSense Questions
  • J
    jojothehumanmonkey
    last edited by Mar 10, 2020, 9:11 PM

    Hello,
    At one location, I have a pfSense running on a computer with dual network cards.

    At another location, I already have a Watchguard that is working fine.
    At this location I want to add an SG1100 and I am not sure how to go about it.
    I have one unused public IP address which I can assign to the SG1100.
    I want to make sure that the SG1100 does not conflict with that Watchguard.
    For the LAN port on the SG1100, I want to know what services and features I should disable.
    For sure, I will disable the DHCP server.

    Thanks much,
    Dave

    • S
      stephenw10 Netgate Administrator
      last edited by Mar 11, 2020, 2:15 AM

      How exactly are you planning to connect the two routers here? How is the Watchguard currently connected?

      What role will the SG-1100 play when it's installed?

      Steve

      • J
        jojothehumanmonkey
        last edited by Mar 11, 2020, 3:05 PM

        Hi Steve,
        Basically, at home I have an old Dell computer with a dual-WAN PCI card.
        I want to learn more about pfSense, so I plan to install that SG1100 at my office.
        I want to connect the two pfSense boxes for VPN only.

        At my office, current setup:
        I have 5 static public IP addresses from Verizon FiOS.
        I already have 4 other routers, each using 1 IP address.

        The output of the FiOS box is plugged into an 8-port network switch.

        Each router is plugged into that switch.

        1. Cheap Linksys used as the router for the VoIP phones, connected to LAN, DHCP disabled
        2. Cheap Asus router for guest WiFi, no connection to LAN
        3. Fortigate router for site-to-site VPN to another office location, connected to LAN, DHCP disabled
        4. Watchguard, main router for the office, connected to LAN, does DHCP.

        So the SG1100 would be the fifth router.

        I would disable DHCP on the LAN.
        Not sure what else I would need to disable?

        Thanks much,
        David

        • S
          stephenw10 Netgate Administrator
          last edited by Mar 11, 2020, 10:36 PM

          DHCP is probably the only thing you need to disable. I would also disable IPv6 entirely if you're not using it.

          Multiple routers connected to the same internal subnet like that are almost guaranteed to hit some asymmetric routing issues. You will need to NAT the traffic leaving the SG-1100 LAN from the VPN to avoid that, for example.
          https://docs.netgate.com/pfsense/en/latest/firewall/troubleshooting-blocked-log-entries-due-to-asymmetric-routing.html

          Steve

          • J
            jojothehumanmonkey
            last edited by Mar 12, 2020, 6:35 PM

            Thanks again,

            Actually you read my mind.

            Each of the four existing routers uses a different subnet, so there is no IP address overlap.

            But I was going to ask about two routers 'sharing' a subnet.
            Something like this:
            Router 1 = 192.168.1.1-127 for office employees. I cannot remove this Watchguard; for now I am stuck with it.
            SG1100 = 192.168.1.128-254, to be used for VPN users.

            So I will read the link you shared.

            Thanks again,
            David

            • S
              stephenw10 Netgate Administrator
              last edited by Mar 12, 2020, 9:51 PM

              Yeah, you can't really do that.

              One solution here would be to put the SG-1100 on a different subnet on a different interface on the Watchguard.

              That way all clients in LAN trying to reach it (or coming from it) will send their traffic to the Watchguard as their default gateway and it will route the traffic to the SG-1100. The traffic takes the same route in both directions, there is no asymmetry. Effectively that is creating a transport subnet for the SG-1100 (and any other router) to reside on. As long as you only have routers and no hosts in the transport subnet you will probably be OK.

              Steve
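A small routing simulation, added here as an illustration and not code from the thread or from Netgate, that reproduces the two situations Steve describes: the SG-1100 sharing the LAN with the Watchguard (the reply never comes back through the SG-1100 unless its LAN outbound NAT is on), and the SG-1100 on a transport subnet behind a second Watchguard interface with a static route for the VPN network. All node names and addresses are assumptions chosen for the example.

```python
import ipaddress

# Constructed topology (assumed addresses, not from the thread): office LAN 192.168.1.0/24 with
# the Watchguard as default gateway, the SG-1100 as a second router, and a host 10.20.0.5 on the
# far side of the SG-1100's VPN. Routes are (prefix, next hop); "direct" means on-link delivery.
ADDRS = {"host": "192.168.1.50", "watchguard": "192.168.1.1", "sg1100": "192.168.1.2",
         "remote": "10.20.0.5", "internet": "203.0.113.1"}
LAN, VPN, TRANSPORT = "192.168.1.0/24", "10.20.0.0/24", "192.168.2.0/24"

def lookup(routes, dst):
    """Longest-prefix match; returns a node name, "direct", or None when there is no route."""
    best = None
    for prefix, nh in routes:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None

def trace(tables, src, dst):
    """Follow each node's own routing decision from src until the node owning dst is reached."""
    path, node = [src], src
    while ADDRS[node] != dst:
        nh = lookup(tables.get(node, []), dst)
        if nh == "direct":  # on-link: deliver to whichever node owns dst
            nh = next((n for n, a in ADDRS.items() if a == dst), None)
        if nh is None:
            return path + ["DROP"]
        node = nh
        path.append(node)
    return path

# Flat layout: SG-1100 shares the LAN with the Watchguard and only it knows the VPN network.
FLAT = {"host": [(LAN, "direct"), ("0.0.0.0/0", "watchguard")],
        "watchguard": [(LAN, "direct"), ("0.0.0.0/0", "internet")],
        "sg1100": [(LAN, "direct"), (VPN, "remote"), ("0.0.0.0/0", "internet")],
        "remote": [(VPN, "direct"), (LAN, "sg1100")]}
# Transport-subnet layout: SG-1100 behind a second Watchguard interface, Watchguard has a VPN route.
TRANSIT = {"host": FLAT["host"],
           "watchguard": [(LAN, "direct"), (TRANSPORT, "direct"), (VPN, "sg1100"), ("0.0.0.0/0", "internet")],
           "sg1100": [(TRANSPORT, "direct"), (VPN, "remote"), ("0.0.0.0/0", "watchguard")],
           "remote": FLAT["remote"]}

def round_trip(tables, nat_on_sg1100=False):
    """Path VPN host -> LAN host, the reply path, and whether the reply retraces the forward path."""
    fwd = trace(tables, "remote", ADDRS["host"])
    if nat_on_sg1100:  # outbound NAT on the SG-1100 LAN: the host replies to the SG-1100's LAN address
        rep = trace(tables, "host", ADDRS["sg1100"]) + trace(tables, "sg1100", ADDRS["remote"])[1:]
    else:
        rep = trace(tables, "host", ADDRS["remote"])
    return fwd, rep, rep == fwd[::-1]
```

In the flat layout the reply from the LAN host follows its default gateway to the Watchguard and never reaches the SG-1100, whose state table therefore never sees the return traffic; NAT or the transport subnet make both directions take the same route.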
