pfSense LAN no WAN
I am new to pfSense and wanted to see if any pfSense and networking experts out there might have any good advice. I am managing a network that I didn't build. It's a little odd in that there are multiple buildings (same LAN) and our internet does not come in to the same building that our router lives in (rough diagram attached). Although not ideal, there was a decent reason (mostly cost savings) for why it was done this way. Our internet comes through a provider and we are on the same network as them; they just gave us 16 bits to carve our own network out of. Currently switches and router are all Cisco products. The handoff from our provider goes into a switch that just wraps that connection in a VLAN and it goes back to our centralized location where we have a Nexus switch/router to route the traffic.
My boss bought a very nice Netgate device with pfSense because he wanted a more traditional firewall in place to guard incoming and outgoing traffic to our internet provider. The initial thought was just to drop it between our equipment and the internet provider's connection and use it to monitor traffic passing through, similar to a web filter. The more I read about pfSense, though, it didn't seem like that was the best way to make use of it. It seems it would work better moving all the interface VLANs we created on the Nexus switch over to pfSense and using that as our router/firewall. If anyone has strong feelings about this concept please let me know.
Going off of that idea, I have been attempting to re-create our router setup on the pfSense machine while it sits on my desk. I have re-created the VLANs and routing rules.
My big questions are about how to make the physical connections. In my mind the simplest way to do this is to make all of the VLANs available on the LAN port, rack the pfSense right next to our current router, then remove the interface VLANs and routing rules from the Cisco device (with a good backup ready, of course), and then simply patch the LAN port of the pfSense box into the Nexus switch. In my mind, with the default gateways now living on pfSense, it should be able to take over routing.
I haven't made a switchover like this before, so I was just hoping people with more experience would be willing to comment on whether I am thinking about this correctly or have this all wrong. If I am going about this wrong I'd love to know before I pull the plug on the current setup.
Thanks for anyone willing to share.
So a bit confused by your drawing.. So your internet is a VLAN into the router there in the center.. So that is a hairpin? You have just 1 10g fiber connection?
So the 2 sites on the top, if they want to get to the internet they have to share the 1 physical connection to the router, and then hairpin back over that same connection to get to the internet?
"make all of the vlans available on the lan port,"
Again - so you want to take how many connections that are 10g, and put them into 1 LAN port?
Thanks so much for taking the time to reply. My apologies for the confusion. Definitely a lot like a hairpin, although I am not sure if this would technically be considered a hairpin. NAT happens back at the internet provider as we are on the same physical LAN. We don't NAT at all within "our" network.
Sadly, though, with our physical limitations you are correct that the two locations at the top share a connection back to the internal router. That is the same connection that is shared for the rest of the buildings to get back out to the internet provider. When it was installed this way it was determined better to have the router at the most centrally located place, where it directly connects to the most buildings, even though that's not where the internet is coming to us (it is where the old internet connection came in).
When I say routing, we don't actually do much routing. We have a gateway of last resort going to the internal IP provided to us by the internet provider on their equipment. There are some other local things that we route, but they are mostly insignificant.
The setup has been in place for a while and luckily, bandwidth-wise, we are in pretty good shape. Although I am well aware of all the problems that come with the fiber runs the way they are, the problem is getting the money to fix it. We have some redundancy with AirFibers if needed, although not at full capacity.
With this I am more interested in the prospect of replacing the VLAN configs that are on the Nexus switch and moving them to the pfSense box. The connections are already all coming back to the Nexus switch (technically two, with HSRP). While I don't love it, that part I can't change at the moment. So if they are already physically coming back to the Nexus, can I remove the VLAN configs on the Nexus and plug the Nexus into pfSense so long as the VLANs are all on the LAN port of the pfSense? We plan on actually having two running CARP for some redundancy. From what I was reading it just seems like I get much more functionality from the pfSense firewall if it is managing my VLANs.
Thanks for your time.
"I am not sure if this would technically be considered a hairpin."
Doesn't matter where NAT happens, what matters is you traveling over the same physical path twice.. That is by definition a hairpin.. You're going back out the same physical interface you came in on.. You're a router on a stick.
Why would you send traffic from those 2 locations down to your center router just to go to the internet? Makes no sense at all.. Only reason traffic should come down that path is to go to one of the other locations.
@johnpoz That makes sense to me. I believe the reason given to me for the current setup was that it made more sense for all the other buildings not to have to make two jumps to get to the router. When the internet provider was changed it was cheaper to get the new uplink to a different building than the centralized one. At the same time a new building was built, so they just ran fiber to where the new internet connection was going.
So I am guessing what you're telling me is when I go to install pfSense I should just do it right where our provider's connection comes in.
Yeah that is normally where you install your edge router - at the edge ;) If you also want to use it as internal or core router that is fine too, etc. You can have more than 1 router in a network...
Unless you're really worried about complicated firewall rules between your locations/networks, routing of traffic can just be done on your L3 switches..
If you're looking to replace hardware in your setup - this is the perfect time to evaluate that overall design, and whether it makes sense... Maybe it made sense when it was done, or maybe shortcuts were taken at the time... Or maybe the guy doing it at the time didn't have a freaking clue... But trying to maintain some setup, just because that is the way it was set up before you, is not a good plan..
Look at the details of the network, what talks to what, how much bandwidth is available and or used, etc. What hardware you have to work with.. Or what budget you have to replace, uplift aging hardware, etc.
What I can see from just your original drawing - it does not seem optimal at all.. Now maybe you drew it wrong, maybe you left out details and it works differently than it looks? But my gut reaction to that drawing is it's borked..
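To make the hairpin point from this thread concrete, here is an added example (not from the original posters) that models a building topology approximating the rough diagram, computes the path internet-bound traffic takes for a given default-gateway placement, and flags any physical link the same flow crosses twice. The building names, link layout and the assumption that the provider handoff lands in the "uplink" building are all constructed for the example.

```python
"""Count physical-link traversals for internet-bound traffic under two
gateway placements: the center Nexus (current) vs. the uplink building
(edge). Topology is a constructed approximation of the thread's diagram."""
from collections import Counter, deque

# Constructed physical links between buildings. "uplink" is where the
# provider handoff lands; "center" is where the Nexus router sits.
LINKS = {
    frozenset({"siteA", "uplink"}),   # the two "top" sites aggregate
    frozenset({"siteB", "uplink"}),   # at the uplink building
    frozenset({"uplink", "center"}),  # single shared run to the center
    frozenset({"center", "siteC"}),
    frozenset({"center", "siteD"}),
}
PROVIDER_HANDOFF = "uplink"  # assumption: where traffic leaves the LAN


def shortest_path(src, dst):
    """BFS over physical links; returns the node list from src to dst."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for link in LINKS:
            if node in link:
                (nxt,) = link - {node}
                if nxt not in prev:
                    prev[nxt] = node
                    queue.append(nxt)
    if dst not in prev:
        raise ValueError(f"no physical path {src} -> {dst}")
    path = []
    while dst is not None:
        path.append(dst)
        dst = prev[dst]
    return path[::-1]


def internet_path(site, gateway):
    """L2 traffic must first reach the only L3 hop (the default gateway),
    then the gateway forwards it toward the provider handoff."""
    to_gw = shortest_path(site, gateway)
    return to_gw + shortest_path(gateway, PROVIDER_HANDOFF)[1:]


def hairpinned_links(site, gateway):
    """Physical links the same flow crosses more than once (the hairpin)."""
    hops = Counter(frozenset({a, b}) for a, b in zip(
        internet_path(site, gateway), internet_path(site, gateway)[1:]))
    return {tuple(sorted(link)) for link, n in hops.items() if n > 1}
```

With the gateway on the center Nexus, traffic from siteA crosses the uplink-center run out and back; with the firewall placed at the uplink building, no link is crossed twice.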