New build: migrating from Sonicwall
-
I'm migrating from a Sonicwall TZ400 that was gifted to me after a corporate acquisition and to be fair, it has been reliable. However, with kids that are becoming increasingly computer savvy I found that the Content Filtering features from Sonicwall are overtly expensive for a household and decided to try pfSense on my friend's recommendation. After committing to the process, I built myself a rackmount system comprised of obsolete parts to run it. Parts rundown (totally overkill, I'm sure, but these were all free and collecting dust):
- iStarUSA D-300 3U rackmount chassis
- Supermicro X8STE mobo
- 24GB ECC RAM
- Intel Xeon X5690 CPU (6-core, 12 HW threads) @ 3.47GHz
- Dual NICs on the mobo, natively
- 60GB SSD
The system is up and running pfSense 2.7.0 currently. One of my major hurdles at the moment is trying to get the system stood up in a sandbox while keeping the TZ400 in "production." I can wade my way through SonicOS 6.5.x, but certainly not an expert. I currently have an Arris SB8200 cable modem feeding an interface on the TZ400 and have configured 2 other interfaces for the LAN and WLAN, each on different networks. I have several free interfaces remaining on the TZ400 and I am hoping there is a way to mirror the WAN connection from the modem so I can "feed" pfSense in the same way. I've investigated Wire Mode, Tap Mode, Port Mirroring and DMZ setup, but not quite arrived where I need to be (with some internet connectivity on the pfSense appliance). Any help with that would be appreciated!
My network isn't very complicated - some address objects and rules, mostly MAC and IP range based. I am looking forward to implementing VLANs to segregate traffic from devices in varying contexts - not something I ever set up in SonicOS. Anyway, that's my 1st post!
-
Using DMZ mode for the interface pfSense is connected to would probably be easiest. You would end up with dual NAT for devices behind pfSense but that probably won't be an issue.
If you have multiple public IPs you could try to bridge one of them to pfSense directly somehow.
Steve
-
@stephenw10
Only one public IP, AFAIK. Simple Comcast Xfinity cable modem service with roughly 200 Mbps down, 12.5 up. I actually tried setting up the DMZ and failed. I've currently got it connected to one of the wired interfaces on a Unifi Edgeswitch at the moment and have come to terms with a cut over that will take down the network for a day or less. I created new VLANs for my servers, workstations, cameras, IOT devices, HVAC and general wireless clients. I then suddenly realized that I might not have a way to assign wireless clients to a specific VLAN without MAC-based VLAN assignment. As my cameras, IOT devices, HVAC and all other wireless clients will be connected to an Amplifi HD mesh network running in bridge mode, pfSense would have to implement MAC-based VLAN assignment to get them into the right VLANs.
Currently, on the TZ400, I have MAC based address objects for wireless devices and have created address groups for cameras, HVAC, etc. This allows me to assign group specific IP ranges. While not segregated using VLANs, it achieves the same end result. Not sure I can replicate this with pfSense, but that is likely just my lack of knowledge with the system perhaps.
-
MAC based VLAN assignment would be done at the switch or access point not the router/firewall. By the time traffic arrives at pfSense it would already be tagged.
-
jimp moved this topic from Problems Installing or Upgrading pfSense Software on
-
@stephenw10
Thanks for clarifying this. It looks like I will probably need to upgrade my switch from an Edgeswitch 18X to a USW-Pro-48-PoE that I have collecting dust in my office. I believe the larger switch allows for MAC-based filtering... might still be a little while yet before switching to pfSense in that case.
-
I have a 4-port Intel NIC arriving next week and it dawned on me that perhaps I could gain some performance and make the overall configuration simpler by using it to segregate networks. I currently have only 2 networks, however: one for servers and workstations and another for all of the wireless stuff (IOT, cameras, HVAC, etc.). My existing Edgeswitch X does have VLAN tagging facilities, just not MAC address based tagging capability. All I want to do is the following:
- Certainly segregate the servers & workstations from anything wireless.
- Have exceptions to this rule for specific devices (currently implemented based on MAC and IP ranges).
I've become very hung up on the wireless client segregation. Since the wireless clients are a smorgasbord of contexts (IOT, cameras, HVAC, etc.) and my WAP (Amplifi HD in bridged mode) does not have any way to segregate traffic itself, I was thinking that VLAN tagging could achieve that. The Amplifi system is a single port connection to the core switch, so there's no way to segregate the contexts on different physical interfaces. I think VLAN tagging is the only way to do this, but I feel like I might be overcomplicating things and am not an expert in networking either.
-
You could just use multiple SSIDs on different VLANs to separate the wireless clients. That's what most people do. If the AP has that function.
-
It looks like the Amplifi HD does support VLAN tagging, but only if it's running in its normal router mode. Since I'm currently running a Sonicwall router (to be replaced with pfSense), my understanding is that I need to run Amplifi in its bridged mode, so no tagging by the system itself.
I do see that it can still set up additional SSIDs, including one specifically for an IoT network which creates a 192.168.251.x subnet for isolation. It seems that would work for all the wireless clients, but as far as VLAN tagging is concerned, one of my other network appliances would have to do that. I was thinking perhaps one of my Unifi switches may be able to do that? One switch is an Edgeswitch X, which I'm fairly certain would not be able to do that, but I believe the larger 48-port (enterprise grade) unit runs a completely different firmware and can be configured using Unifi Network Controller... it may be able to do some more advanced configuration with regards to VLAN tagging of attached devices. Not sure, though.
-
Hmm aren't those Ubiquiti devices? I'm surprised they can't do multiple SSIDs bridged to different VLANs, pretty sure most of their other devices do.
-
My switches are Ubiquiti devices and so is the Amplifi HD mesh network system. The switches are enterprise grade, but the Amplifi system is not. So, I guess it's possible that the switches may be able to do some tagging based on SSID, but I don't know. Might be a question worth posing on the UI community forum.
-
That would need to be done at the AP. Nothing beyond that sees the SSID.
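The two replies above ("By the time traffic arrives at pfSense it would already be tagged" and "Nothing beyond that sees the SSID") come down to what is actually inside an Ethernet frame on the trunk port. The following Python is an added example written for this thread, not code from the original posts or from pfSense: it builds and decodes 802.1Q-tagged frames so you can see that the only segmentation information the firewall receives is the 12-bit VLAN ID inserted upstream by the AP or switch. The VLAN IDs, segment names, MAC addresses and the MAC exception list are constructed for illustration and stand in for the poster's per-device address groups.

```python
import struct

# Constructed VLAN plan for the scenario in the thread (assumed IDs, not from the posts).
# The AP maps each SSID to one of these VLAN IDs; the switch carries them tagged.
VLAN_SEGMENTS = {
    10: "servers-workstations",
    20: "cameras",
    30: "iot",
    40: "hvac",
    50: "guest-wireless",
}

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


def build_frame(dst: str, src: str, payload: bytes, vid=None, pcp=0, ethertype=0x0800) -> bytes:
    """Assemble a minimal Ethernet frame, optionally with a single 802.1Q tag."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)          # PCP (3 bits) | DEI (1 bit, 0) | VID (12 bits)
        hdr += struct.pack("!HHH", TPID_8021Q, tci, ethertype)
    else:
        hdr += struct.pack("!H", ethertype)
    return hdr + payload


def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet header and, if present, the 802.1Q tag.

    This is everything a router on a trunk port can see: MACs, an optional VLAN ID
    chosen upstream, and the payload EtherType. There is no field for the SSID the
    client joined, which is why SSID-based separation has to happen at the AP.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid, pcp, offset = None, None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, inner_type = struct.unpack("!HH", frame[14:18])
        pcp = tci >> 13
        vid = tci & 0x0FFF
        ethertype, offset = inner_type, 18
    return {
        "dst": dst.hex(":"),
        "src": src.hex(":"),
        "vlan": vid,
        "pcp": pcp,
        "ethertype": ethertype,
        "payload": frame[offset:],
    }


def segment_for(frame: bytes) -> str:
    """Name the network segment a frame belongs to, purely from its VLAN tag."""
    vid = parse_frame(frame)["vlan"]
    if vid is None:
        return "untagged-native"
    return VLAN_SEGMENTS.get(vid, f"unknown-vlan-{vid}")


# Constructed exception list (assumed): wireless devices permitted to reach the server
# segment even though they arrive on a wireless VLAN, mirroring the poster's MAC-based
# address groups. A MAC is trivially changed by the client, so treat this as a
# convenience control, not an authentication boundary.
CROSS_SEGMENT_EXCEPTIONS = {"02:00:00:00:00:02"}


def permitted_into_servers(frame: bytes) -> bool:
    """Allow traffic into the server segment from its own VLAN or from listed MACs."""
    info = parse_frame(frame)
    if segment_for(frame) == "servers-workstations":
        return True
    return info["src"] in CROSS_SEGMENT_EXCEPTIONS


if __name__ == "__main__":
    ipv4_stub = b"\x45" + b"\x00" * 19  # constructed placeholder payload
    for vid in (None, 10, 20, 999):
        f = build_frame("02:00:00:00:00:01", "02:00:00:00:00:03", ipv4_stub, vid=vid, pcp=5)
        print(vid, segment_for(f), parse_frame(f)["ethertype"], permitted_into_servers(f))
```

Running it prints one line per sample frame: the untagged frame lands on the native VLAN, VID 10 and 20 map to their named segments, and an unexpected VID is reported rather than silently dropped, which is the behaviour you want on a trunk where the AP or switch configuration may not match the firewall's VLAN list.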