want to add netgate sg1100 to network that already has a router



  • hello,
    at one location, i have a pfsense running on a computer with dual network cards.

    at another location, i already have a watchguard that is working fine.
    at this location i want to add a sg1100 and i am not sure how to go about it.
    i have one unused public ip address which i can assign to the sg1100.
    i want to make sure that the sg1100 does not conflict with that watchguard.
    for the lan port on the sg1100, i want to know what services and features i should disable.
    for sure, i will disable dhcp server.

    thanks much,
    dave


  • Netgate Administrator

    How exactly are you planning to connect the two routers here? How is the Watchguard currently connected?

    What role will the SG-1100 play when it's installed?

    Steve



  • hi steve,
    basically, at home i have an old dell computer, with a dual-wan pci card.
    i want to learn more about pfsense, so i plan to install that sg1100 at my office
    i want to connect the two pfsense for vpn only

    at my office, current setup
    i have 5 static public ip addresses from verizon fios.
    i already have 4 other routers, each using 1 ip address.

    the output of the fios box is plugged into a 8 port network switch.

    each router is plugged into that switch.

    1. cheap linksys used as the router for the voip phones, connected to lan, dhcp disabled
    2. cheap asus router for guest wifi, no connection to lan
    3. fortigate router for site-to-site vpn to another office location, connected to lan, dhcp disabled
    4. watchguard, main router for the office, connected to lan, does dhcp.

    so the sg1100 would be the fifth router.

    i would disable dhcp on the lan.
    not sure what else i would need to disable?

    thanks much,
    david


  • Netgate Administrator

    DHCP is probably the only thing you need to disable. I would also disable IPv6 entirely if you're not using it.

    Multiple routers connected to the same internal subnet like that is almost guaranteed to hit some asymmetric routing issues. You will need to NAT the traffic leaving the SG-1100 LAN from the VPN to avoid that, for example.
    https://docs.netgate.com/pfsense/en/latest/firewall/troubleshooting-blocked-log-entries-due-to-asymmetric-routing.html

    Steve



  • thanks again,

    actually you read my mind,

    each of the four existing routers uses a different subnet, so there is no ip address overlap.

    but i was going to ask about two routers to 'share' a subnet.
    something like this:
    router 1 = 192.168.1.1-127 for office employees. i cannot remove this watchguard, for now i am stuck with it.
    sg1100 = 192.168.1.128-254 - to be used for vpn users.

    so i will read the link you shared.

    thanks again,
    david


  • Netgate Administrator

    Yeah, you can't really do that.

    One solution here would be to put the SG-1100 on a different subnet on a different interface on the Watchguard.

    That way all clients in LAN trying to reach it (or coming from it) will send their traffic to the Watchguard as their default gateway and it will route the traffic to the SG-1100. The traffic takes the same route in both directions, so there is no asymmetry. Effectively that is creating a transport subnet for the SG-1100 (and any other router) to reside on. As long as you only have routers and no hosts in the transport subnet you will probably be OK.

    Steve
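The following is an added illustration, not code from this thread or from Netgate: a toy routing and stateful-firewall simulation of the two layouts Steve describes. It traces a VPN client's packet to an office PC and the PC's reply, once with both routers on the shared 192.168.1.0/24 LAN (with and without outbound NAT on the SG-1100, as suggested in the earlier post), and once with the SG-1100 on a separate transport subnet behind a second Watchguard interface. All addresses, node names and the assumption that the Watchguard is a stateful firewall holding a static route for the VPN subnet via the SG-1100 are constructed for the example.

```python
"""Toy routing/firewall simulation of the two layouts discussed in this thread.

Scenario A: SG-1100 and Watchguard share the 192.168.1.0/24 LAN; hosts use the
Watchguard as default gateway.  Scenario B: SG-1100 sits on a transport subnet
behind a second Watchguard interface.  All addresses are constructed examples."""
import ipaddress as ipa


class Node:
    def __init__(self, name, ips, routes, stateful=False, nat_out=None):
        self.name = name
        self.ips = {ipa.ip_address(i) for i in ips}
        # (network, next hop or None when directly connected); longest prefix wins
        self.routes = [(ipa.ip_network(n), ipa.ip_address(g) if g else None)
                       for n, g in routes]
        self.stateful = stateful        # stateful firewall: a reply needs a matching state
        # (source network to masquerade, address to rewrite the source to)
        self.nat_out = (ipa.ip_network(nat_out[0]), ipa.ip_address(nat_out[1])) if nat_out else None
        self.states = set()             # (src, dst) flows seen in the forward direction
        self.nat_table = {}             # (translated src, dst) -> original src

    def lookup(self, dst):
        matches = [(net, gw) for net, gw in self.routes if dst in net]
        return max(matches, key=lambda r: r[0].prefixlen) if matches else None


class Network:
    def __init__(self, nodes):
        self.nodes = {n.name: n for n in nodes}
        self.owner = {ip: n.name for n in nodes for ip in n.ips}

    def send(self, src, dst, reply=False, max_hops=8):
        """Forward one packet hop by hop.  Returns (path, status, src as seen at dst)."""
        src, dst = ipa.ip_address(src), ipa.ip_address(dst)
        cur = self.nodes[self.owner[src]]
        path = [cur.name]
        for _ in range(max_hops):
            if dst in cur.ips and (dst, src) in cur.nat_table:
                dst = cur.nat_table[(dst, src)]      # undo outbound NAT for a reply
            if dst in cur.ips:
                return path, "delivered", src
            if len(path) > 1:                        # transit router: firewall, then NAT
                if cur.stateful:
                    if reply and (dst, src) not in cur.states:
                        return path, f"dropped: no state on {cur.name}", src
                    cur.states.add((src, dst))
                if cur.nat_out and src in cur.nat_out[0]:
                    cur.nat_table[(cur.nat_out[1], dst)] = src
                    src = cur.nat_out[1]
            route = cur.lookup(dst)
            if route is None:
                return path, f"dropped: no route on {cur.name}", src
            cur = self.nodes[self.owner[route[1] or dst]]
            path.append(cur.name)
        return path, "dropped: hop limit", src


CLIENT, PC = "10.8.0.10", "192.168.1.50"   # constructed VPN client and office PC


def shared_lan(nat_on_sg):
    """Scenario A: both routers on 192.168.1.0/24; the PC's default gateway is the Watchguard."""
    return Network([
        Node("vpn-client", [CLIENT], [("0.0.0.0/0", "10.8.0.1")]),
        Node("sg1100", ["10.8.0.1", "192.168.1.2"],
             [("10.8.0.0/24", None), ("192.168.1.0/24", None)], stateful=True,
             nat_out=("10.8.0.0/24", "192.168.1.2") if nat_on_sg else None),
        Node("watchguard", ["192.168.1.1"],
             [("192.168.1.0/24", None), ("10.8.0.0/24", "192.168.1.2")], stateful=True),
        Node("pc", [PC], [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.1")]),
    ])


def transport_subnet():
    """Scenario B: SG-1100 on 192.168.200.0/24 behind a second Watchguard interface."""
    return Network([
        Node("vpn-client", [CLIENT], [("0.0.0.0/0", "10.8.0.1")]),
        Node("sg1100", ["10.8.0.1", "192.168.200.2"],
             [("10.8.0.0/24", None), ("192.168.200.0/24", None),
              ("192.168.1.0/24", "192.168.200.1")], stateful=True),
        Node("watchguard", ["192.168.1.1", "192.168.200.1"],
             [("192.168.1.0/24", None), ("192.168.200.0/24", None),
              ("10.8.0.0/24", "192.168.200.2")], stateful=True),
        Node("pc", [PC], [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.1")]),
    ])


def round_trip(net):
    """VPN client -> PC, then the PC's reply.  Symmetric means the reply retraces the path."""
    fwd, _, seen_src = net.send(CLIENT, PC)
    rev, rstatus, _ = net.send(PC, str(seen_src), reply=True)
    return {"forward": fwd, "reply": rev, "reply_status": rstatus,
            "symmetric": rev == fwd[::-1]}


if __name__ == "__main__":
    for label, net in [("A: shared LAN, no NAT", shared_lan(False)),
                       ("A: shared LAN, outbound NAT on SG-1100", shared_lan(True)),
                       ("B: transport subnet", transport_subnet())]:
        print(label, round_trip(net))
```

In scenario A without NAT the reply leaves the PC towards its default gateway, the Watchguard, which never saw the forward packet and drops it for lack of state; that is the blocked-reply symptom the linked troubleshooting page covers. Outbound NAT on the SG-1100 makes the PC answer the SG-1100's own LAN address, so the reply never touches the Watchguard, and the transport subnet makes both directions cross both routers in the same order.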

