cdub808 last edited by
I recently started working as the sole IT person at a small company affiliated with a large University. I was hired primarily to maintain backups and offer help desk support, but I've learned that the IT infrastructure here is a security nightmare. We are on the University network, but they've basically just VLANed us off with a block of public IP addresses and no security. All our network devices have public IP addresses and no firewall. Scary.
Anyway, I quickly purchased a SG-4860 pfSense appliance but need help installing it. Our company is spread out over several buildings in close proximity to each other. Each building has a switch that connects to a router in the mail room. The tricky part is that because we're on the University network, I do not have access to the router or switches. I can request configuration changes, but have no direct access.
I'm kind of under-qualified to be handling network security and my boss knows this, so there's no real expectations, but I know some basics and have the go-ahead to secure it the best I can. I have some noob questions though.
1. Is it ok if I just hook up the appliance between the router and the switch that connects to all the other switches? e.g. Router –> pfSense Firewall --> Switch --> rest of network.
2. I plan on switching everyone from public IPs to private addressing. Does it matter that the switches have public IP addresses? Will I have to request a configuration change for the switches? The University insists that they still have access to them.
3. The firewall is expected to arrive this week. I have experience maintaining a Cisco ASA 5505 from my previous job, but no experience with pfSense. Where is the best place for me to start learning how to configure this thing when it arrives?
So all of your devices are on same vlan and your switches are interconnected with 1 upstream connection to this router in the mail room, or do all the switches go directly to the uni router?
If you only have one uplink to their router, you could just ask to have this block they gave you routed to you via a /30 or /31 transit network, then all their switches could maintain their same IP and you would just have pfsense as firewall between their network and the yours. You could then allow them access to the IPs the switches are on and all your devices could maintain their public IPs you would just allow traffic at pfsense.
Or you could nat off your network yes, you could then change all your switches to your private network and port forward to them via a public IP you put on pfsense wan. Since you had a whole block to use.. You could the same switches IP and just forward to the new private IPs of the switches.
The routed network is the cleanest option if you ask me.
Your other option - which I don't like but would be to setup pfsense in transparent mode and bridge. I would not recommend this option, but this is another way for you to leave all the ip addressing the same on your devices and their switches while still giving you a firewall between their network and yours.
As to learning pfsense – just connect pfsense to one of your switch ports. Put another switch behind it connected to pfsense lan interfacde and play with putting some devices behind pfsense. This would be a mini version of option 2.