Reflashed WatchGuard XTM 500 series/beginnings of a homelab

  • At work we're retiring several WatchGuard firewalls, so I've acquired one of these bad boys.

    Before I start creating a VM domain I'd like to get some basic network infrastructure in place. What I'd like is a class A IP range (10.x.x.x) sandboxed from my home network (NAT?) with no access except for internet/the firewall acting as the gateway.

    It would be great if someone would explain to me the configuration steps required.

  • Netgate Administrator

    That's quite a big ask! ;) Probably best to break that down into smaller steps. A diagram of what you're trying to achieve always helps also.
    That's an XTM5 you have there by the way, not an X500 which was a much older platform.


  • Quite right. I knew that already, just got the title wrong. Corrected.

    Good idea on the diagram. I'll draw one up tonight or tomorrow.

  • Hope that makes sense. Happy to answer any questions.

  • Netgate Administrator

    Ok, you can do that. You will have a double NAT situation though, both the home router and the pfSense firewall are NATing, which is usually best avoided. It will be fine for almost everything in a test situation though.

    So you will need to change the default IP settings since pfSense uses for its LAN by default, which conflicts with your existing network. I suggest you connect a client machine to the pfSense LAN port to configure that before you connect it to the home router to avoid routing issues.

    Then you need to add firewall rules to prevent devices in the homelab network accessing the subnet. By default the LAN 'allow any' rule will allow that. Put a rule in above that blocking traffic with destination That will still allow access to the pfSense LAN interface for DNS and NTP etc and access to external destinations.

    You will not have access to the Homelab network from the subnet. I don't know if you need that.

    A better setup would be to replace the home router with the pfSense firewall and then have both and (do you need that large a subnet?) subnets configured as internal networks directly. That would mean having some type of modem to connect to your upstream WAN.
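    The rule-ordering point in the reply above (a block rule placed above the default LAN 'allow any' rule, which still leaves the pfSense LAN address reachable for DNS and NTP) can be checked with a small first-match evaluator. This is an added example, not code from the thread or from pfSense; the subnets and the pfSense LAN address are constructed placeholders, since the thread does not give the real values.

```python
import ipaddress
from dataclasses import dataclass

# Constructed placeholders (not from the thread): the homelab range behind
# pfSense, the home LAN it must not reach, and pfSense's own LAN address.
HOMELAB_NET = ipaddress.ip_network("10.0.0.0/8")
HOME_NET = ipaddress.ip_network("192.168.0.0/24")
PFSENSE_LAN_IP = ipaddress.ip_address("10.0.0.1")
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    action: str                   # "pass" or "block"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    descr: str

    def matches(self, src, dst):
        return src in self.src and dst in self.dst


def evaluate(rules, src, dst):
    """Top-down, first matching rule wins; no match falls to default deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(src, dst):
            return rule.action, rule.descr
    return "block", "default deny"


def lan_rules(block_first):
    """Build the LAN rule set with the block rule above or below 'allow any'."""
    block = Rule("block", HOMELAB_NET, HOME_NET, "Block homelab -> home LAN")
    allow = Rule("pass", HOMELAB_NET, ANY, "Default allow LAN to any")
    return [block, allow] if block_first else [allow, block]


def check_ordering():
    """Return the verdicts a homelab host gets under both rule orders."""
    good, bad = lan_rules(True), lan_rules(False)
    host = "10.1.2.3"
    return {
        # Correct order: home LAN blocked, internet and pfSense itself allowed.
        "good_home": evaluate(good, host, "192.168.0.10")[0],
        "good_internet": evaluate(good, host, "8.8.8.8")[0],
        "good_pfsense": evaluate(good, host, str(PFSENSE_LAN_IP))[0],
        # Wrong order: 'allow any' matches first and the block never fires.
        "bad_home": evaluate(bad, host, "192.168.0.10")[0],
    }


if __name__ == "__main__":
    for name, verdict in check_ordering().items():
        print(f"{name}: {verdict}")
```

    The evaluator only models the LAN interface rule set; traffic the home router sees after NAT is a separate matter, as the double-NAT remark above notes.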


  • Hi Steve

    Thanks for the detailed reply. I'm going to work on this tonight in a VM (the WG is too loud for the current room it's in) and I'll let you know how far I get.

    Thanks again.
