Advice on configuration (Switching from Sonicwall - keep current network setup if possible)
-
Hello everyone,
I am very new to pfSense and we recently decided to switch from Sonicwall as the license costs were just too much. I'm not a network expert at all and inherited the administration of the network and other stuff from someone else, so forgive my inexperience.
Essentially I need to replace two Sonicwalls with two boxes with pfSense (Netgate 6100). Current Sonicwalls operate in HA mode.
I have attached a diagram of current setup.
I would like to keep the current setup of the network as much as possible so as to have minimal reconfiguration of other devices and therefore down time.
I would appreciate any help in understanding whether keeping the current setup is at all possible, mainly how ADSL modem, core switch and firewalls are connected, or how to get as close to it as possible or obtain the same result. If yes, any tips on configuration and if not, any advice on the best alternative configuration would be greatly appreciated.
I have read a lot and tried a lot before posting, so I have a pretty good understanding of pfSense but my networking knowledge is limited to basic/medium stuff so yeah, since this will go into production soon, I hope to get some advice from people who know way more than me.
Thanks in advance for any help.
-
The biggest issue you're likely to have there is the WAN connection when running as an HA pair in pfSense.
CARP in pfSense requires at least 3 IPs for each HA interface and it looks like you have a public IP in a /30 there. Hard to say for sure but I'm assuming those are public IPs? See: https://docs.netgate.com/pfsense/en/latest/highavailability/index.html#ip-address-requirements-for-carp
Additionally PPP type interfaces are not supported in HA so you would need a different approach there if it's PPPoE.
Steve
-
Indeed we only have 2 public IPs.
One is assigned to the HP2920 switch (X.X.X.33) and the other to the Sonicwall (X.X.X.34). We can ask for one more, hoping they'll give it to us, but if not I was thinking of changing this configuration and using private addresses on the 2 pfSense boxes for the WAN.
Not ideal from what I gathered, but we won't have much of a choice. Apologies for not making this clear.
-
Hmm, you actually have a public IP on the core switch upstream of the firewalls?
I had assumed the .33 address would be the ISP gateway and the switch was just passing that VLAN.
What is the .149 address shown on the modem? Just to access the modem? Is that a public IP?
You can use a private subnet on the WAN interfaces. You would be NATing somewhere else though, in the 'modem'?
It's possible to use a single public IP in an HA setup but it's not a supported configuration. In such a setup the secondary node cannot access the internet to fetch updates etc. without failing over to it. There are people running that successfully though.
-
Yeah it is a weird setup which I inherited and never went down the road of changing it as it worked fine.
The .149 is the IP of the modem within the ISP's network. It's not a public IP.
The switch routes internet traffic to that via the .150 address in the same subnet. At least this is what I've been told.
One thing to note is that the modem is supplied by the ISP and we have no control over it. We cannot access it to change configuration or anything else.
About NAT I'm a bit lost. I don't know much about it and don't know how/where it should be configured.
The public IPs we don't really use for anything except VPN and with pfSense we plan on using Tailscale. Initially I believe they wanted to have a DMZ (eg: web site, exchange server, etc.) but this was never implemented and such things are cloud based.
In the past days I've tried to create a lab setup to simulate things and I got it to work like this:
- Ubiquiti USG router with the .149 address simulating the ADSL modem in the diagram
- HP 2920 switch with .150 address and routing internet traffic to .149, VLAN 102
- HP 2920 switch with 10.10.4.1 address in VLAN 103 on 2 ports
- pfSense Primary with WAN IP 10.10.4.2 and gateway 10.10.4.1
- pfSense Secondary with WAN IP 10.10.4.3 and gateway 10.10.4.1
- WAN CARP IP 10.10.4.4
- Static route in USG to route 10.10.4.0 to .150 address
Both pfSense can access the internet in this way but that's where I stopped and came to the forum to make sure I'm in the right direction. Also, since I had to add the static route to the USG and we cannot do that on the ISP's modem, I guess this setup won't work.
We also have a 4G router which we want to use as backup internet in case ADSL goes down.
No public IP on that. With Sonicwall it's all pretty simple and works perfectly fine.
Running a single public IP and forcing the secondary pfSense to take over to get updates etc. is not something I would like to have unless there's no other choice.
-
Hmm, so the .149-.150 is also a public subnet? In that case I guess they are routing the /30 to you via that. That is an odd setup. That's the sort of thing I might expect if the ISP also owned the switch but that's not the case here?
I suspect .149 is actually the ISP gateway, not on the modem device itself?
Yeah, in your test setup the USG is NATing that private subnet. In your actual setup that would have to be the switch or the ISP 'modem'. I'm not sure that's possible.
-
Since pfSense allows a CARP VIP to be on a different subnet from the physical interfaces, can't I just use this:
- 1st public IP on the switch as in the diagram (ISP will route to it)
- 2nd public IP as the WAN CARP VIP
- Private WAN IPs on the pfSense boxes (same subnet)
- Manually created default gateway route
This would essentially replicate the same setup we have with Sonicwalls.
The only doubt I have is what happens with the backup wan in this case.
-
So I've tested my last idea in the lab and it seems to be working.
This is what I did:
- ISP Modem simulated by USG (.149/30) <-> HP Switch (.150/30)
- HP Switch .33/30 (1st public IP) <-> pfSense .34/30 (2nd public IP). Set this as CARP WAN VIP
- pfSense WAN 10.10.4.2/24 with Gateway .33/30
- pfSense Outbound NAT: 'This firewall' * * * NAT Address .34/30
Static routes:
- HP Switch: everything to the internet is routed via .149/30
- USG: Routing public IPs network via .150 (which is the HP switch IP)
In production the static route on the USG is not needed as the ISP already routes the public IPs via .149 (their ADSL modem).
We'll see if it actually works when I test it on-site.
-
Yes, you can do that. As I said that's what you have to do if you have only a single public IP.
The drawback there is that whichever node is in backup will not be able to reach the internet. Unless something upstream is NATing the private subnet and I don't think anything is in your case.
Steve
-
You're indeed correct. And my bad for not understanding this is what you meant earlier.
To fix the drawback you mentioned, I tried creating a tagged VLAN (same ports) on the HP switch which is used only by the two firewalls to access the internet whenever they are in 'backup/secondary' mode, since they can't use shared public CARP VIP IP for that.
All other VLANs are outbound natted via the main WAN CARP VIP, and firewalls can use this second path to the internet.
Seems to work. Do you see any issue with it?
BTW thanks a lot for your kind assistance and time.
-
I'm unclear exactly how you have set that up. It would require some special rules to NAT traffic from the backup via the master to the public IP without breaking it in the other direction.
-
Yeah, I thought it worked but as you correctly suspected, it doesn't. Upstream device NATting would solve the issue, but yeah, I don't have that option.
Well, I guess that for now we'll go for the option where backup firewall cannot access the internet and force the switch when I need to make updates.
It's a pity pfSense doesn't handle HA like Sonicwall, which makes it super simple. Then again Sonicwall is way more expensive, and perhaps for good reasons.
We'll deal with this inconvenience.
Thanks again for your help.
-
There are workarounds to allow it but the config becomes increasingly complex!
Like add the primary as a gateway on the secondary and use that as a failover group.