Installing a Netgate 1100 pfSense+ Security Gateway to an office network
-
@sanjdbn said in Installing a Netgate 1100 pfSense+ Security Gateway to an office network:
one cable from WAN on the 1100 going to the WAN port on the LTE router
WAN goes "towards Internet"...surprised an LTE router has a WAN port? Unless it can also connect "not over LTE"? Anyway, don't use that port.
Since it's LTE you're presumably not replacing that router. The pfSense would therefore go between it and your network, so pfSense WAN connects to LTE LAN. Note either your LTE router LAN subnet needs to change or your office subnet needs to change since no router can have the same subnet on both sides of the router...it won't know where to send packets. You will have double NAT but it should work to connect out.
-
If you insert the 1100 between the LTE router and the switch when the LTE router was previously handling DHCP then it will break that. Everything on the network will start using pfSense for DHCP with the default subnet, 192.168.1.0/24.
What subnet are you using currently?
Are your VoIP phones using a VLAN? They probably are and that will be a different subnet.
-
Hi Steve,
Thanks for getting back to me, and I'm sorry for my late reply. I've got a few more questions about the setup process. Should I still plug the pfSense's LAN cable into the network switch? Also, I noticed that the 1100 Netgate uses the 192.168.1.1 subnet. Is it right for me to think that I should change the LTE router's subnet to something else to prevent any issues? E.g.: 192.168.2.0/24
Can you just let me know if this plan sounds good?
Once I'm done on the cable and subnet changes, I'm also a bit unsure about how to set up the Netgate device. I just clicked through the setup without really understanding it. Should I turn off the DHCP because the LTE router is handling IP addresses? I'm not sure what to enter for manual settings either. What I mainly want to do is block certain websites and have some general reports.
I'm sorry if I'm not fully grasping all of this; Netgate and firewalls are pretty new to me. I really appreciate your patience and help.
Thanks,
Sanjay
-
Hello,
I'm sorry for the late response. I appreciate your reply.
There's a bit of an issue: the LTE router uses the 192.168.1.0/24 subnet, and the pfSense Netgate is also on 192.168.1.1, which seems to be causing a conflict. Also, I have a hunch that the phone company might have set up the MikroTik to use a different subnet.
I have to get the Netgate set up by tomorrow, so I'm feeling a bit anxious. I could really use some guidance on the setup process once I log into the GUI. I'm not fully grasping this yet, as I'm new to both pfSense and firewalls. Thank you for your patience.
Regards,
Sanjay
-
Yes, you will need to change either the LTE LAN or the 1100 LAN to some other subnet. You can't have the same subnet on the 1100 WAN and LAN.
You should also make sure it's not using the same subnet as a VoIP VLAN if that exists. Check the switch and MikroTik router.
Steve
-
Thank you. I am going to do this. May I ask, what will be the most simple way to set up via the GUI? There are a lot of options there that require data to be filled in and I did get puzzled. Am I correct in saying that this setup will now route traffic through the 1100, so do I need to switch off DHCP on the LTE router? Or leave that on and make changes on the 1100?
Thank you for your patience.
-
@sanjdbn I thought you were using the LTE for Internet? If so it would need to connect to pfSense not the office network. Daisy chained. It would need DHCP on unless you configure a static IP on pfSense WAN.
Netgate support/TAC has a “zero to ping” free support for getting people going on new purchases, that might be appropriate.
-
Yup, leave DHCP enabled on the LTE router so the pfSense WAN can pull a lease from it. Just make sure to change the subnet so there's no conflict.
And (just to be clear) I expect there to be a VoIP VLAN configured on the switch and MikroTik router and you should check to see what subnet that is using.
-
So should the setup on the Netgate 1100 also stay on the default DHCP? I will make sure to change the subnet on the LTE, keep the DHCP on and also look at the MikroTik IP details so there is no conflict with the VoIP.
Thank you so much for all your help. I really appreciate it and I truly value your advice. I also will contact Netgate if I have further issues when I’m setting up tomorrow.
-
The 1100 LAN should still have DHCP enabled, yes. That is what will serve as DHCP server to devices in the internal network.
-
Thank you so much.
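
The subnet check discussed in this thread (LTE router LAN vs. 1100 LAN vs. any VoIP VLAN), as an added example that is not part of any post above. The segment names and the VoIP VLAN subnet are constructed for illustration; the 192.168.1.0/24 and 192.168.2.0/24 values are the ones mentioned in the thread.

```python
import ipaddress
from itertools import combinations

def find_conflicts(segments):
    """Return sorted (name_a, name_b) pairs whose subnets overlap.

    segments maps a label to a CIDR string; host addresses such as
    192.168.1.1/24 are accepted and reduced to their network.
    """
    nets = {n: ipaddress.ip_network(c, strict=False) for n, c in segments.items()}
    return sorted((a, b) for a, b in combinations(sorted(nets), 2)
                  if nets[a].overlaps(nets[b]))

def suggest_free_subnet(segments, exclude, pool="192.168.0.0/16", prefix=24):
    """First /prefix inside pool that overlaps no segment except `exclude`."""
    used = [ipaddress.ip_network(c, strict=False)
            for n, c in segments.items() if n != exclude]
    for candidate in ipaddress.ip_network(pool).subnets(new_prefix=prefix):
        if not any(candidate.overlaps(u) for u in used):
            return str(candidate)
    return None  # pool exhausted

# Constructed sample data. "lte_lan" is the network the pfSense WAN sits in,
# "pfsense_lan" is the 1100's default LAN, "voip_vlan" is a made-up value
# standing in for whatever the switch/MikroTik actually uses.
AS_DELIVERED = {
    "lte_lan": "192.168.1.0/24",
    "pfsense_lan": "192.168.1.1/24",
    "voip_vlan": "192.168.10.0/24",
}
PLANNED = dict(AS_DELIVERED, lte_lan="192.168.2.0/24")

if __name__ == "__main__":
    for label, plan in (("as delivered", AS_DELIVERED), ("planned", PLANNED)):
        conflicts = find_conflicts(plan)
        print(f"{label}: {'OK' if not conflicts else conflicts}")
    print("free subnet for LTE LAN:", suggest_free_subnet(AS_DELIVERED, "lte_lan"))
```

Replace the `voip_vlan` value with the subnet actually found on the switch and MikroTik before relying on the result.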