Netgate Discussion Forum

    Need help on adding a firewall to the network

    • kiokoman (LAYER 8)

      [Image: Network (1).jpg]

      I need to add a firewall between the MPLS and our network.
      The problem is that I cannot change the MPLS IP without calling our ISP; also, I may need to go back. LAN and WAN would have the same subnet.
      Can the problem be solved without changing the MPLS IP?

      ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
      Please do not use chat/PM to ask for help
      Don't forget to Upvote with the 👍 button for any post you find to be helpful.

      • johnpoz (LAYER 8, Global Moderator) @kiokoman

        @kiokoman So the firewall in your drawing is pfSense? And you host-route on all these devices in the 192.168.8 network to talk to 8.1 (MPLS router) vs pfSense at 8.7 to get to the internet, or to other local networks?

        You could always add a transparent firewall on this 8 network.. But a better solution would be to get the MPLS network changed to something you just use for a transit network to pfSense.

        Maybe say 172.16.8.0/29 or even /30 would work..

        Now you wouldn't need any host routes on these devices pointing to 8.1 for these 192.168.1xx networks. And you could still leave 192.168.8/24 on all your devices.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • kiokoman (LAYER 8) @johnpoz

          @johnpoz
          Yes, there are 2 pfSense firewalls (HA); the static routes are configured inside pfSense. That route leads to another DC of a customer (we go to the internet via 8.7 (CARP), we go to another local network via 8.1). We need to access them but they should not access our network, so we need to put another pfSense firewall between the MPLS and our network. We need to call the ISP to change that IP, so I was thinking about what could be done. My first assignment in the new job was to configure HA and OpenVPN with 2FA 😁


          • johnpoz (LAYER 8, Global Moderator) @kiokoman

            @kiokoman said in Need help on adding a firewall to the network:

            the static routes are configured inside pfsense

            Well, that screams asymmetrical to me... If your clients are talking to pfSense on 8.7, and it sends traffic to 8.1 to get to one of those 100 networks, the return traffic wouldn't go back to pfSense; it would just go back to whatever 8.x IP..

            That is bad..


            • kiokoman (LAYER 8) @johnpoz

              @johnpoz
              Indeed it is.
              I'm here to fix this.
              My intention is to change the IP on that MPLS, move it to the pfSense WAN and remove those static routes.


              • johnpoz (LAYER 8, Global Moderator) @kiokoman

                Well, you could move the MPLS connection to a WAN on pfSense, sure, but that would still need routing.. You could do something dynamic vs static.. But that can add complexity, so unless you're using it for monitoring of the path to change routing, or networks come and go all the time.. A handful of static routes is the easier solution.

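As an added example that is not from the thread or from pfSense: a small Python model of the two designs discussed above (the current flat 192.168.8.0/24 with a static route on pfSense, and the 172.16.8.0/29 transit network johnpoz suggests), tracing request and reply paths with longest-prefix lookup to show why the first is asymmetric and the second is not. The host, remote-site and transit host addresses are assumptions.

```python
import ipaddress
# Constructed model of the thread's topology: 192.168.8.7 (pfSense CARP VIP),
# 192.168.8.1 (MPLS router) and 172.16.8.0/29 come from the posts; the host,
# remote-site and transit host addresses are assumed for illustration.

def longest_match(table, dst):
    """table: list of (prefix, next_hop); next_hop None means directly connected."""
    dst = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), nh) for p, nh in table if dst in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else "unreachable"

def trace(devices, owner, src, dst, max_hops=8):
    """List the devices a packet crosses from src to dst, hop by hop."""
    path = [owner[src]]
    for _ in range(max_hops):
        nh = longest_match(devices[path[-1]], dst)
        if nh == "unreachable":
            return path + ["drop"]
        if nh is None:                       # dst is on a connected network
            return path + [owner[dst]]
        path.append(owner[nh])               # forward to the next-hop router
    return path + ["loop"]

def is_symmetric(devices, owner, a, b):
    """True when the reply crosses the same devices as the request, in reverse."""
    return trace(devices, owner, a, b) == trace(devices, owner, b, a)[::-1]

HOST, PF, MPLS, REMOTE = "host", "pfsense", "mpls", "remote"
# Current design: everything on 192.168.8.0/24, pfSense holds a static route
# for the customer network via the MPLS router that sits on the same LAN.
current = {
    HOST:   [("192.168.8.0/24", None), ("0.0.0.0/0", "192.168.8.7")],
    PF:     [("192.168.8.0/24", None), ("192.168.100.0/24", "192.168.8.1")],
    MPLS:   [("192.168.8.0/24", None), ("192.168.100.0/24", None)],
    REMOTE: [("192.168.100.0/24", None), ("0.0.0.0/0", "192.168.100.1")],
}
current_owner = {"192.168.8.50": HOST, "192.168.8.7": PF, "192.168.8.1": MPLS,
                 "192.168.100.1": MPLS, "192.168.100.10": REMOTE}

# Proposed design: the MPLS router moves onto a 172.16.8.0/29 transit link on a
# pfSense WAN, so 192.168.8.0/24 is reachable from the MPLS side only via pfSense.
proposed = {
    HOST:   [("192.168.8.0/24", None), ("0.0.0.0/0", "192.168.8.7")],
    PF:     [("192.168.8.0/24", None), ("172.16.8.0/29", None),
             ("192.168.100.0/24", "172.16.8.1")],
    MPLS:   [("172.16.8.0/29", None), ("192.168.100.0/24", None),
             ("192.168.8.0/24", "172.16.8.2")],
    REMOTE: [("192.168.100.0/24", None), ("0.0.0.0/0", "192.168.100.1")],
}
proposed_owner = {"192.168.8.50": HOST, "192.168.8.7": PF, "172.16.8.2": PF,
                  "172.16.8.1": MPLS, "192.168.100.1": MPLS, "192.168.100.10": REMOTE}
```

In the current design trace(current, current_owner, "192.168.8.50", "192.168.100.10") gives ['host', 'pfsense', 'mpls', 'remote'] while the reverse gives ['remote', 'mpls', 'host']: the reply never touches pfSense, so its state table sees only half of each connection, which is why a stateful firewall on such a path either drops replies or is simply bypassed.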

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.