Where Should Firewall Be Placed?
-
I am an instructor for Cisco NetAcademy and am trying to incorporate a PFSense Firewall into my lab.
I am not sure where it should go in the network. I have some theories but I want to know if the following configuration would work?
The questions I have are:
- What is an example of an IP address that is suitable for the outward facing port of the PFSense firewall?
- What is an example of an IP address that is suitable for the port on the Class Edge Router that faces the firewall?
- What should the gateway address of devices on the Classroom Lab network be set to?
I do not intend to have the firewall handle anything but filtering and tracking. No NAT. NAT is handled by the edge router between the classroom network and the school network.
-
@fbgluck Are you really an instructor??
-
@jarhead --- Yes.... (Not sure why you asked.)
-
@fbgluck To be honest, do you not think you're asking the most basic networking questions imaginable??
Not sure who you are an instructor for but I took many Cisco courses from a few different vendors and the instructors were unbelievably knowledgeable.
Is this really not stuff you already know? To tell you the truth, this sounds more like a student who doesn't know the answers and is fishing for help.
-
@jarhead said in Where Should Firewall Be Placed?:
@fbgluck To be honest, do you not think you're asking the most basic networking questions imaginable??
Not sure who you are an instructor for but I took many Cisco courses from a few different vendors and the instructors were unbelievably knowledgeable.
Is this really not stuff you already know? To tell you the truth, this sounds more like a student who doesn't know the answers and is fishing for help.
Ya know, Jarhead, one reason I have enjoyed being in this business for over 40 years is that (most) people on forums are really willing to help when someone asks a question -- usually just straight up, honest helpful advice. Guess that's not the case here.
I didn't ask because I was looking for criticism of what I know or don't know -- I asked because after spending about 30 hours trying to get this configuration to work, I thought I would ask for advice from other professionals. Guess I missed the target here.
Are there any kind professionals who would help out and give me their opinion on whether I am on the right track, or am I missing some core understanding about how pfSense works?
-
@fbgluck said in Where Should Firewall Be Placed?:
@jarhead said in Where Should Firewall Be Placed?:
@fbgluck To be honest, do you not think you're asking the most basic networking questions imaginable??
Not sure who you are an instructor for but I took many Cisco courses from a few different vendors and the instructors were unbelievably knowledgeable.
Is this really not stuff you already know? To tell you the truth, this sounds more like a student who doesn't know the answers and is fishing for help.
Ya know, Jarhead, one reason I have enjoyed being in this business for over 40 years is that (most) people on forums are really willing to help when someone asks a question -- usually just straight up, honest helpful advice. Guess that's not the case here.
I didn't ask because I was looking for criticism of what I know or don't know -- I asked because after spending about 30 hours trying to get this configuration to work, I thought I would ask for advice from other professionals. Guess I missed the target here.
Are there any kind professionals who would help out and give me their opinion on whether I am on the right track, or am I missing some core understanding about how pfSense works?
Listen, I don't mean to hurt your feelings but you're actually making it worse.
40 years of networking?? And you can't answer those 3 questions?
I was figuring I was from a different generation than you and "times have changed" etc.
And kinda felt sorry for "today's students" but 40 years?? C'mon, let's try this out.
What do you think the subnet between the two routers should be?
You have to have an idea if you've been instructing this stuff for 40 years.
Take a shot.
-
@fbgluck A network that connects 2 routers would be a transit network. So what IP range to be used would be up to whoever manages the overall network.
If the downstream network is managed by someone else, and there is no overall person that has access to the complete network, then the owners/admins of the upstream network/router should provide you with the transit IPs to be used. This could be something as small as a /30 or, if there might be other routers on the same transit, maybe a /29 or /28 even.
But I am kind of with @Jarhead here, maybe it came off the wrong way. But this does seem like a basic networking 101 sort of question.
As to
1&2) this would be something that does not overlap with the network(s) on the other side of the edge router in your drawing or on the LAN side of pfSense. So something other than 10.9/16 or 192.168.0/24; it is common to use, say, the 172.16/12 RFC 1918 block if you are using 10 and 192.168 networks. So an example of this transit network might be 172.16.0.0/30. The upstream is normally the lower IP in the range, so the edge router would be, say, .1 and the pfSense WAN would be .2. That the upstream be the lower IP is not a written-in-stone sort of rule; it could be the last IP in the range. But normally it's the first IP in the range used for the transit. Also, use of small networks for transit is not a rule or anything either; it could be a /24 for example. You would just want to make sure that the transit networks you use in your network do not overlap with other networks that are routed.
3) this is pretty clear: on your drawing you show 192.168.0.252, so this would be the gateway of devices on the 192.168.0/24 network then.
edit: To your last comment, yeah, pfSense doesn't have to NAT for sure. NAT would only have to be done upstream in the network where the RFC 1918 space might need to get to a public range, etc. Even if you NATted at pfSense, you would still need an upstream NAT if these devices on your classroom network have need to get off the school network and go to, say, the internet, etc.
-
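The transit-network advice in the answer above (pick a range that overlaps nothing already routed, upstream router on the first usable IP, pfSense WAN on the next, classroom gateway = pfSense's LAN address) as a small check you can run against a proposed plan. This is an added example, not code from the thread or from pfSense; the routed networks 10.9/16 and 192.168.0/24 and the candidate 172.16.0.0/30 are the values from the thread, and the function names are my own.

```python
from ipaddress import ip_interface, ip_network

# Networks already routed in the lab, as drawn in the thread: the school side
# (10.9/16) and the classroom LAN (192.168.0/24) behind pfSense.
ROUTED = [ip_network("10.9.0.0/16"), ip_network("192.168.0.0/24")]


def overlaps_routed(candidate: str, routed=ROUTED) -> list:
    """Return the routed networks (as strings) the candidate transit collides with."""
    net = ip_network(candidate, strict=True)
    return [str(r) for r in routed if net.overlaps(r)]


def plan_transit(candidate: str, routed=ROUTED, upstream_first: bool = True) -> dict:
    """Assign the two router addresses on a transit network.

    upstream_first=True follows the convention in the answer: the edge router
    (upstream) takes the first usable IP and the pfSense WAN the next one.
    Raises ValueError if the transit overlaps a routed network or is too small.
    """
    net = ip_network(candidate, strict=True)
    clash = overlaps_routed(candidate, routed)
    if clash:
        raise ValueError(f"{net} overlaps routed network(s): {clash}")
    hosts = list(net.hosts())
    if len(hosts) < 2:
        raise ValueError(f"{net} has fewer than two usable addresses")
    edge, wan = (hosts[0], hosts[1]) if upstream_first else (hosts[-1], hosts[-2])
    return {
        "transit": str(net),
        "edge_router_ip": f"{edge}/{net.prefixlen}",
        "pfsense_wan_ip": f"{wan}/{net.prefixlen}",
        # pfSense's default route on WAN points at the edge router; no NAT needed here.
        "pfsense_wan_gateway": str(edge),
    }


def lan_gateway(lan: str, pfsense_lan_ip: str) -> str:
    """Classroom hosts use pfSense's LAN address as gateway; verify it sits in the LAN."""
    iface = ip_interface(pfsense_lan_ip)
    if iface.network != ip_network(lan):
        raise ValueError(f"{pfsense_lan_ip} is not inside {lan}")
    return str(iface.ip)


if __name__ == "__main__":
    print(plan_transit("172.16.0.0/30"))
    print("classroom gateway:", lan_gateway("192.168.0.0/24", "192.168.0.252/24"))
    print("bad transit clashes with:", overlaps_routed("192.168.0.0/30"))
```

Note that the upstream side still has to route 192.168.0.0/24 towards the pfSense WAN address (or NAT it at the edge, as the thread says), otherwise return traffic from the school network never reaches the classroom.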