• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Configuring Netgate W/ Dedicated Switch

Scheduled Pinned Locked Moved L2/Switching/VLANs
8 Posts 2 Posters 1.1k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • C
    chalabi2
    last edited by Aug 13, 2022, 4:57 AM

    Configuring Netgate 6100 to supply firewall to dedicated switch.

    Warning Networking Newb

    Recently received my Netgate 6100 and deployed it at a data center. Before ordering the design I had in my head was rather simple. Our fiber connection from the data center would plug into the netgate, from the netgate to the dlink switch and from the switch to our servers. The Dlink would serve as a simple firewall. Before you say "Why not just use IPtables.", idk it just seemed like id rather block connections from the top then for every server.

    Currently our connections are as follows:

    Fiber -> NETGATE 6100 via SFP in WAN 1 (1G)
    
    NETGATE 6100 -> DLINK (WAN 4 converted to LAN -- SFP+)
    

    We have an IP range from our data center

    CIDR .128/28
    Gateway .129
    IP's .130 - .142
    

    Heres a crappy image

    PFSENSE6100.png

    Things I've tried :

    Converting WAN 4 to a LAN port and connecting to the switch but then I get overlapping errors when trying to assign an different IP and same gateway to both ports.

    Do we need to configure a transparent bridge? Is it possible the whole SFP ingress to SFP+ egress situation we have going is causing an issue?

    Any tips are much appreciated, please excuse our lack of networking knowledge and apologies in advanced if this is the incorrect forum subject.

    S 1 Reply Last reply Aug 13, 2022, 10:42 PM Reply Quote 0
    • S
      SteveITS Galactic Empire @chalabi2
      last edited by Aug 13, 2022, 10:42 PM

      @chalabi2 What do you mean use the switch as a firewall??

      Is the intent to use your IPs on the LAN side of the pfSense? The "normal" way this is done is to have the data center allocate you a WAN IP in a different subnet (can be a /29 if you want to use CARP/HA). Then they route the /28 to the WAN IP. pfSense "knows" to forward those packets to the LAN network. You can then create whatever firewall rules you want to protect the LAN IPs.

      If they will only provide one subnet then that usually means using NAT, perhaps 1:1 NAT. Or one can use a bridge.

      Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
      When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
      Upvote 👍 helpful posts!

      C 1 Reply Last reply Aug 13, 2022, 10:53 PM Reply Quote 0
      • C
        chalabi2 @SteveITS
        last edited by Aug 13, 2022, 10:53 PM

        @steveits Thanks for the reply steve, I meant use the netgate as a firewall.

        Or one can use a bridge.

        I was reading about transparent firewalls/bridges. Seemed like that is the approach that would best suit what we are looking to accomplish. Ive yet to try it but was confused as to why the 6100 doesnt just route the connection without doing all this. Shouldnt it be as simple as connecting fiber to wan of netgate, out of another wan port(converted to lan only calling it wan because its one of the sfp ports) of the netgate to the dlink switch then assigning IPs on the server level.

        S 2 Replies Last reply Aug 14, 2022, 12:38 AM Reply Quote 0
        • S
          SteveITS Galactic Empire @chalabi2
          last edited by Aug 14, 2022, 12:38 AM

          @chalabi2 A router needs to know where to route the packet. If an IP (subnet) is on both WAN and LAN then it gets confused. (To simplify). A bridge tells the router to not route.

          Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
          When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
          Upvote 👍 helpful posts!

          C 1 Reply Last reply Aug 14, 2022, 4:35 AM Reply Quote 0
          • S
            SteveITS Galactic Empire @chalabi2
            last edited by Aug 14, 2022, 12:40 AM

            @chalabi2 routing doc:
            https://docs.netgate.com/pfsense/en/latest/recipes/route-public-ip-addresses.html

            Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
            When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
            Upvote 👍 helpful posts!

            1 Reply Last reply Reply Quote 0
            • C
              chalabi2 @SteveITS
              last edited by Aug 14, 2022, 4:35 AM

              @steveits I think im getting close to understanding, so if i dont want Netgate to do any routing I can create a bridge for the WAN & the LAN and just do the port/ip blocking on pfsense firewall while allowing the switch to distribute internet connection via ethernet to my servers? That way I would be utilizing the data centers router and would just have to configure gateway/ip on the Netgate, Dlink Switch & all my servers in the order?

              Again, apologies if theres any redundant questions in here and i have a feeling actually trying to configure the transparent bridge would be beneficial to my understanding.

              S 1 Reply Last reply Aug 14, 2022, 2:16 PM Reply Quote 0
              • S
                SteveITS Galactic Empire @chalabi2
                last edited by Aug 14, 2022, 2:16 PM

                @chalabi2 Yes in that case a bridge is necessary. I’ve never had to use one though.
                https://docs.netgate.com/pfsense/en/latest/bridges/index.html

                Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                Upvote 👍 helpful posts!

                C 1 Reply Last reply Aug 14, 2022, 7:01 PM Reply Quote 0
                • C
                  chalabi2 @SteveITS
                  last edited by Aug 14, 2022, 7:01 PM

                  @steveits Thanks for the help Steve! Bridge worked :)

                  1 Reply Last reply Reply Quote 0
                  8 out of 8
                  • First post
                    8/8
                    Last post
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                    This community forum collects and processes your personal information.
                    consent.not_received