Best way to replace an existing router



  • I have an old Cisco PIX router that I want to replace with a pfSense box I am building from an Asus MOBO and a couple of NICs. The network is in use by our development team and there are a lot of forwarded ports (40 or so) to various test services. I haven't used pfSense before so I am not familiar with how to use it to set up a router, but I suspect the usual way is to plug in the WAN and LAN cables and use the user interface. My question is: would it be possible to set it up offline and then just plug in the correct networks so I can keep the downtime of the fully configured network to just a few minutes?

    By offline I mean: could I set up the port forwarding tables with the user interface without being connected to the public and private networks?



  • I did something like this two years ago - although I had no access to the hardware beforehand.
    Basically I set up a VM with the same number of network interfaces and started configuration there. Doing this in a VM is simple and enables you to easily connect together a network and test things in a safe environment. It's critically important to get all the information needed about the firewall rules etc. in place in order to enable a smooth transition.

    As you have access to the hardware I suggest you start tinkering with the pfSense interface, try different things and then switch it out in order to replace the old one.
    It's no problem to configure rules etc. without the "live" networks on it. As long as the interfaces are configured everything can be set up.

    Of course you still need some kind of private network in order to access pfSense  :D



  • Thanks,

    I'll give it a try - and report back.



  • I replaced an aging MS ISA server with pfSense at one location and just built it up under a different WAN & LAN IP address.  I would change my workstation's gateway to point to the pfSense LAN for testing.  When it was ready, I unplugged the ISA server and changed the pfSense WAN/LAN IPs to the ISA's old WAN/LAN IPs and everything was good from there.



  • I totally agree with filnko: setting up a VM environment helps with the initial setup - you might even be able to try the config in a VM first, before swapping out too much hardware.

    Having the setup virtualised also helps if you keep that virtual offline system in case something needs to change, or be upgraded.

    Be careful though - you need to make sure you understand the virtual environment as it is another layer of complexity.

    For example, I was trying to test a CARP setup and cloned a pfSense VM to make the secondary device - after a lot of headaches, I found that the cloned VM was too much of a clone - even the MAC addresses were the same!  :o

    OK, that had a simple fix (regenerate the MAC addresses), but you see what I mean…

    I'm also not aware of a Cisco --> pfSense conversion script either, so you're going to have to play around with some settings if you've used any of the fancier configuration settings on the PIX ;)
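
Added example, not part of the thread: with no conversion script available, one way to confirm before cutover that the 40 or so forwards were carried over is to diff the PIX `static` lines against the `<nat>` rules of an exported pfSense config.xml. The sample configs, addresses and function names are constructed for illustration, and the parser assumes numeric ports and single-port TCP/UDP forwards.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample data (not from the thread): two PIX port-forward lines
# and a pfSense config.xml fragment that lacks one of them and adds another.
PIX_CONFIG = """\
static (inside,outside) tcp interface 8080 192.168.1.10 80 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 2222 192.168.1.20 22 netmask 255.255.255.255 0 0
"""
PFSENSE_XML = """\
<pfsense><nat>
  <rule>
    <interface>wan</interface><protocol>tcp</protocol>
    <destination><network>wanip</network><port>8080</port></destination>
    <target>192.168.1.10</target><local-port>80</local-port>
  </rule>
  <rule>
    <interface>wan</interface><protocol>tcp</protocol>
    <destination><network>wanip</network><port>3389</port></destination>
    <target>192.168.1.30</target><local-port>3389</local-port>
  </rule>
</nat></pfsense>
"""

# static (real_if,mapped_if) proto {interface|mapped_ip} mapped_port real_ip real_port ...
STATIC_RE = re.compile(
    r"^static \(\w+,\w+\) (tcp|udp) (?:interface|\S+) (\S+) (\S+) (\S+)", re.M)

def pix_forwards(text):
    """Return {(proto, external_port, internal_ip, internal_port)} from PIX 'static' lines."""
    return set(STATIC_RE.findall(text))

def pfsense_forwards(xml_text):
    """Return the same tuples from the <nat><rule> entries of a pfSense config.xml."""
    return {(r.findtext("protocol", ""), r.findtext("destination/port", ""),
             r.findtext("target", ""), r.findtext("local-port", ""))
            for r in ET.fromstring(xml_text).findall("./nat/rule")}

def diff_forwards(pix_text, xml_text):
    """Forwards missing on pfSense, and forwards pfSense exposes that the PIX did not."""
    old, new = pix_forwards(pix_text), pfsense_forwards(xml_text)
    return sorted(old - new), sorted(new - old)

if __name__ == "__main__":
    missing, extra = diff_forwards(PIX_CONFIG, PFSENSE_XML)
    print("missing on pfSense:", missing)
    print("exposed on pfSense but not on the PIX:", extra)
```

The second list matters as much as the first: a forward that exists only on the new box is a service newly exposed to the WAN.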



  • Having a problem.

    The setup:
    This is what I did. Installed pfSense on an ESXi05.1 server. I have been running ESXi since 4.* versions and have about a dozen VMs mostly running every flavor of Windows and a couple of *nix machines, now including FreeBSD running pfSense. I was able to get it installed to the point where I could configure it with the web interface. I used an open IP address on our LAN, turned off DHCP (the old router is doing that for now), and did not connect the WAN side NIC because the old router is still in use. I set up all the port forwarding rules and this weekend wanted to switch over. Our company has a static IP with the ISP. Using the currently installed router I did a tracert and found our gateway; I already know the static IP. In the interfaces setup I configured the WAN using this information, including the mask, which I got by exploring the settings on the old PIX router.

    The result: I pull the WAN cable from the old router, plug it into the open NIC on the ESXi box and I can't get to the internet. I can't ping any IP addresses on the other side of the router, like the ISP's gateway for instance. I have double checked the NIC setup in vSphere and it looks OK; the LAN NIC is working fine since I can manage the pfSense web page. In case you were wondering: I am testing from a workstation that has a static IP address on the LAN so I didn't need a new IP from the pfSense DHCP - which is currently disabled. Also I remembered to change the gateway on my workstation NIC - at least for now. Still no joy.

    Also, after I plugged in the WAN cable I checked in the vSphere interface to make sure the NIC was connected - the cable is showing as connected but… the vSphere networking interface could not detect an IP address or range of IP addresses - this may be the issue - don't know for sure what to do about it.

    Just to see if it might be an issue, I spoofed the MAC address of the old router in pfSense on the WAN setup page - this did not help.

    Any ideas where to start?



  • I think I have an idea of what is happening.

    I configured a windows os on the same esxi hypervisor that pfsense  is on so it will use the same nic that I want to use for the pfsense WAN. I plugged the wan cable into this nic. I then configured the nic in windows with the known static ip, mask, and gateway. I got an error saying the static ip was already in use on this network. So… I am going to call the isp in the morning - don't want to deal with it right now with weekend support personnel.



  • What type of NIC did you pick for your WAN and LAN in ESXi?  E1000 or one of the VMX NICs?  Are there any other VMs on that same virtual switch your pfSense vNIC is plugged into?



  • e1000

    only after I set up my test with the XP VM. Before that pfSense was the only VM using the NIC.

    I think my brain is shutting down. I didn't shut down the pfsense vm so it would have been using the static IP when I tested with the xp vm. Will have to test that tomorrow correctly.



  • Yes, even if you remove the cable, having both VMs on the same switch with the same IP address will create a conflict.  I was looking to see if both VMs could ping each other if they're on the same vSwitch.  That would help localize the problem.



  • I hooked a pc running windows 2003 directly to the WAN cable coming from our ISP. I set the NIC to the static ip assigned to and working with the old router, also set the mask and gateway as configured on the old/current router. I pulled the LAN cable from the old router too.

    I didn't get any network action at all other than the system acknowledging that the cable was connected. Couldn't ping the gateway. At this point I can't fault the NIC setup on the VM and I am going to call the ISP. Since I am loaded up with other stuff that may have to wait a while.

    Oh yes and I shut down the pfsense vm. When I configured the NIC on the pc I didn't get any errors.



  • Called the ISP - it's a marriage problem - the ISP needs to reset their end because the static IP is married to the old router. Did I mention it is a 10 year old Cisco PIX?



  • So it is now online - this connection is set up by the pfSense VM. I preset all the forwarding rules while the router was not connected to the internet but was connected on the LAN side to an open IP address. To put it online I removed the LAN and WAN connections from the old router, plugged the WAN line into the unused but configured interface, turned on DHCP, and moved the LAN gateway from the open IP address I used to do the configuration to the same IP as the old router's gateway.