Netgate Discussion Forum
    Switching from Sonicwall NSA 4600 to a pfsense box

      pjaneiro

      Hello, we will be switching from a SonicWALL NSA 4600 to a pfSense box. We don't have many NAT policies and access rules, but trying to figure out how to apply what I have from the SonicWALL to pfSense is more complicated than I thought. Is there a table or config tool somewhere, or even someone on here who has experience in doing this? There are about 30 NAT policies and 30 access rules on my existing SonicWALL that need converting.

        DaddyGo

        @pjaneiro said in Switching from Sonicwall NSA 4600 to a pfsense box:

        we will be switching from a SonicWALL NSA 4600 to a pfsense box

        Hi,

        Nope, 😉

        If you are looking for a migration tool, such a thing does not exist.
        NAT rules mean the same thing everywhere, you only configure them in a different interface, hardware, SW, etc., but they have the same meaning...

        +++edit:

        I would read this:
        https://github.com/jaredhendrickson13/pfsense-api

        Cats bury it so they can't see it!
        (You know what I mean if you have a cat)

          pjaneiro @DaddyGo

          @daddygo

          this is how sonicwall sets up their NAT policies

          f8f89e5e-e0d8-47f7-b0a9-e5ac0cdf029c-image.png

          dcb765a9-8b8c-4452-a467-9778cabafbd6-image.png

          as you can see the NAT policies portion on pfSense is a lot simpler and easier to use

          So yeah, when I'm trying to decipher what from sonicwall goes where on the pfsense, it gets garbled in my head

            DaddyGo @pjaneiro

            @pjaneiro said in Switching from Sonicwall NSA 4600 to a pfsense box:

            as you can see the NAT policies portion on pfSense is a lot simpler and easier to use

            You evoked memories in me (with the picture) 😉

            Yup, that's why I forgot the Sonicwall, a long time ago.
            this is similar to configuring Cisco SMB fool FW and NAT

            I can say that this will be manual work...
            but I say the good news too, is pfSense is a very friendly "animal"

            Once you are done with the config you will enjoy it..

            Forget the APIs, this is not a walkable path, I can already see.

              pjaneiro @DaddyGo

              @daddygo Hmm, not sure if I understand your post here. My post is about needing help trying to decipher what portions of the SonicWall NAT rules are relevant to pfSense.

                DaddyGo @pjaneiro

                @pjaneiro said in Switching from Sonicwall NSA 4600 to a pfsense box:

                what portions of the sonicwall nat rules are relevant to pfSense

                Okay, ALL because NAT rules don't depend on what device you're applying to

                if you need them you need to set them up

                  pjaneiro

                  Bump Bump, just checking to see if anyone here has experience in this and has actual insight

                    DaddyGo @pjaneiro

                    @pjaneiro said in Switching from Sonicwall NSA 4600 to a pfsense box:

                    anyone here has experience in this and has actual insight

                    nothing serious happened

                    Everyone wants to get the job done easily, okay. 😉
                    In this case, you need to do it manually, sorry.

                    NAT is NAT, wherever it is set up...
                    (so anyone who deals with firewalls or routing must have an insight into this)

                    I would do, -examine and collect the predefined NAT rules of the stupid Sonicwall one by one.
                    I would then create it in "edible" form in pfSense.

                    There is no better way and I know there will be a lot of work.

                    I am with you in spirit, if you need help when you activate them (NAT rules) with pfSense, you can find us here.

                      pjaneiro @DaddyGo

                      @daddygo

                      Not wanting to get the job done for me or easily, I'm asking for help in transcoding what means what

                      like you wrote -

                      I would do, -examine and collect the predefined NAT rules of the stupid Sonicwall one by one.
                      I would then create it in "edible" form in pfSense.

                      This is what I am trying to do, but on the pfSense half the crap on the SonicWall is not there:
                      source original - source translated / destination original - destination translated

                      If I look on the pfSense, if I try to match those rules, nothing works, so if there is a table somewhere where there are comparable rules that have been translated from a SonicWall to a pfSense, that would be awesome and I'll be able to do the rest.

                        SteveITS @pjaneiro

                        Here's an example for HTTPS:
                        e5d00209-5462-4633-b840-48f3bb821833-image.png
                        By default pfSense creates a firewall rule allowing the traffic ("Filter rule association" at the bottom of the page).

                        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                        Upvote 👍 helpful posts!

                          DaddyGo

                          @pjaneiro said in Switching from Sonicwall NSA 4600 to a pfsense box:

                          nothing works, so if there is a table somewhere where there are comparable rules that have been translated

                          Hi,

                          No one can do more for you than that, everyone learned pfSense from this book 😉
                          https://docs.netgate.com/pfsense/en/latest/nat/index.html

                          Of the Youtube stuff, I only recommend him:
                          https://www.youtube.com/watch?v=eb1pTs7XamA

                          of course:
                          https://www.youtube.com/channel/UC3Cq2kjCWM8odzoIzftS04A/videos

                          There is no explicit migration tool or instructions from Sonicwall to pfSense, or I have never met one...

                            pjaneiro @SteveITS

                            @steveits I'm looking at what you highlighted

                            And this is where I get really confused. All my rules and port forwarding are done

                            so my issue is what goes where here when I look at one set of my sonicwall rules for one of my services

                            c59aa36b-8d9e-49db-a966-462228f04e98-image.png

                            this is where I do not quite grasp where what goes where

                            53743357-775a-4e03-830c-16314a1eef57-image.png

                            Since I do not transform my services (ports) I don't need to worry about that

                            And I also know that the rule that starts with firewalled subnets is the loopback rule, but that also confused the heck outta me. Is a loopback rule necessary for pfSense?

                              SteveITS @pjaneiro

                              Are you trying for inbound NAT redirection (RouterWAN:443 -> WebServerLAN:443) or outbound NAT? Those are very different and your screen cap is for outbound. Outbound makes the outgoing packet use a different IP address, useful for instance if one has 1:1 NAT mapping and the outbound connection should use that IP not the default IP.

                                pjaneiro @SteveITS

                                @steveits

                                Basically I have about 40 WAN IP addresses. Let's say someone from the outside is hitting one of my public servers at 2.2.2.2: pfSense should know that when WAN IP 2.2.2.2 receives a packet it should be redirected to internal private IP 10.1.1.1, and when private IP 10.1.1.1 answers back, the outside world should see that 2.2.2.2 is answering and not my firewall that has an IP of 2.2.2.7

                                Am I writing this OK or did I screw the pooch in my explanation?

                                  SteveITS @pjaneiro

                                  You're OK. So inbound would likely be 1:1 NAT then.

                                  Our setup is old, but for Outbound probably either Hybrid or Manual with a manual entry for each server:

                                  Source: 10.1.1.1/32
                                  Destination: any (the Internet)
                                  NAT Address: 2.2.2.2

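Added example, not part of any post in this thread and not Netgate or SonicWall code: a small Python sketch of the manual mapping discussed above, sorting SonicWall NAT policy rows (source original/translated, destination original/translated) into the pfSense NAT page where each would be re-created. It assumes address objects have already been resolved to IPs; the field names, the `row` helper and the sample rows are hypothetical and constructed from the addresses used in the thread.

```python
import ipaddress

# SonicWall shows "Original" for a field that is not translated and "Any" for a wildcard.
WILDCARDS = {"any", "original", ""}

def specific(value):
    """True when a policy field names a concrete address or service."""
    return value.strip().lower() not in WILDCARDS

def classify(policy):
    """Map one SonicWall NAT policy row to (pfSense NAT section, settings)."""
    src, dst = policy["src_orig"], policy["dst_orig"]
    if specific(policy["dst_xlat"]):
        if src.strip().lower() == "firewalled subnets":
            # Loopback policy: internal clients reaching the server by its public IP.
            return "loopback", {"public": dst, "internal": policy["dst_xlat"]}
        if specific(policy["svc_orig"]):
            # Only one service is redirected: Firewall > NAT > Port Forward.
            return "port_forward", {"destination": dst, "port": policy["svc_orig"],
                                    "redirect_target": policy["dst_xlat"]}
        # Every port is redirected: Firewall > NAT > 1:1.
        return "one_to_one", {"external": dst, "internal": policy["dst_xlat"]}
    if specific(policy["src_xlat"]):
        # Source rewritten on the way out: Firewall > NAT > Outbound (Hybrid or Manual).
        return "outbound", {"source": str(ipaddress.ip_network(src)),
                            "destination": "any", "nat_address": policy["src_xlat"]}
    return "no_nat", {}

def row(src_orig, src_xlat, dst_orig, dst_xlat, svc_orig="Any"):
    """Hypothetical helper: build one policy row from the SonicWall columns."""
    return dict(src_orig=src_orig, src_xlat=src_xlat, dst_orig=dst_orig,
                dst_xlat=dst_xlat, svc_orig=svc_orig)

# Constructed sample rows using the addresses from the thread (2.2.2.2 <-> 10.1.1.1).
SAMPLE = [
    row("Any", "Original", "2.2.2.2", "10.1.1.1"),
    row("10.1.1.1", "2.2.2.2", "Any", "Original"),
    row("Firewalled Subnets", "2.2.2.2", "2.2.2.2", "10.1.1.1"),
    row("Any", "Original", "2.2.2.3", "10.1.1.2", "HTTPS"),
]

def plan(policies):
    """Group classified policies by the pfSense section they belong in."""
    sections = {}
    for policy in policies:
        kind, settings = classify(policy)
        sections.setdefault(kind, []).append(settings)
    return sections

if __name__ == "__main__":
    for kind, entries in plan(SAMPLE).items():
        for entry in entries:
            print(f"{kind:13} {entry}")
```

Unlike a port forward with its filter rule association, a pfSense 1:1 NAT entry does not create a WAN firewall rule, so each one still needs an explicit pass rule limited to the required ports, with the internal address as destination. Rows that land in the loopback group correspond to pfSense NAT reflection or split DNS rather than to a separate NAT rule.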
                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.