pfSense in Front of a Sonicwall - Need Help

By allen001
in Smart Home, Network & Security

 Share

Recommended Posts

Rookie

allen001

Posted
Posted
I am new to networking, although I have a Sonicwall firewall, their tech suspport mostly helped me set that up long time ago.
 
I installed Ubuntu Desktop 12.04 64bit with VMware and Installed pfSense 2.1 64bit inside of it.
 
Having a difficult time figuring out how to set it up though, the 2 NIC cards and the WAN/LAN settings in pfSense.
 
I wanted to use pfSense for GEO-IP Blocking / Snort(IPS/ids) / squid-dansguardian / antivirus.
 
I wanted to use sonicwall TZ 210 for NAT/ rules, since its already setup for it.
 
From what I have read, I would need to set up pfSense in Transparent Mode ??
 
I am guesing I would need to disable NAT in the pfSense firewall?
 
A setup like this: Comcast Business SMC Modem > pfSense Box > Sonicwall -  with the pfSense box having a static ip for GUI login
 
 
 
The Comcast SMC modem settings:
1-to1 NAT > Disable all
Disable firewall for true static ip subnet only
Disable Gateway smart packet detection
 
The static ip block is: 171.7.45.246/29
The WAN Internet IP Address is: 171.7.45.246
The SMC modem has an assigned static ip, and I have 5 others for use, One is assigned to the Sonicwall: 171.7.45.245
 
 
The Sonicwall x1 WAN ip address is: 171.7.45.245
Subnet Mask: 255.255.255.248
 
Would like the pfSense box to have static ip of: 171.7.45.244 so I can access the GUI from there.
 
Not sure what to set the two VMware Network Adapter Settings(WAN and LAN)? Bridged, NAT, Host-only ? or what ip's to assign them.
 
Setting up the LAN/WAN interface ip's in pfSense: 
 
Config the ipv4 address WAN interface for DHCP? y/n
Enter the new WAN ipv4 address:
Enter the new WAN ipv4 subnet bit count:
Enter the new WAN ipv4 gateway address:
 
Just to say, the sonicwall TZ 210 will have no paid security services on it, but I still want to keep it in there.
 
 
 
Please Help

 

 

Grand Master

+BudMan MVC

Posted
  • MVC
Posted

"y services on it, but I still want to keep it in there."

Why - completely and utterly pointless to double nat. Why would you think you need pfsense even if in transparent mode with sonicwall there.. Pick One and move forward you don't need both.

"I wanted to use pfSense for GEO-IP Blocking / Snort(IPS/ids) / squid-dansguardian / antivirus."

So your going to do all this fancy stuff, but a couple port forwards/NATs are beyond your scope? How many services do you have running behind sonicwall now? That you have Nats setup. Do you serve your own email, web, what? What Nats do you have in place currently? It should be all of click click to get those working on pfsense.

"nstalled pfSense 2.1 64bit inside of it."

Why 64bit? Does your VM have more than 4GB of ram given to it? Wby do you think your router needs more than 4GB if it does? Are you going to be running squid and such for hundreds of users?

If you want to use pfsense - great, love the product. If you want to run it as VM, great I do the same thing lots of advantages this way. But it is pointless to double nat, it is pointless to use 64bit unless your over 4GB of ram, and actually have a need for that much ram? If you read the pfsense forums, I assure you the 64bit version has way more issues with it than the 32bit ;)

So I would suggest you pull sonicwall out, or just don't use pfsense at all. And if you want to go with it then unless you have a great reason for that much ram on a VM, I would go 32bit..

  • fusi0n and sc302
  • Like 2
Rookie

allen001

Posted
  • Author
Posted

One of the main reasons I wanted pfsense was for the country ip blocking.  The sonicwall only has geo-ip blocking for paid services.  I do not want to sit at a keyboard and enter in 100 thousand ip ranges to block and have to update them regularly.  pfsense has a country ip blocking package.  

 

I said I was new to networking.  Why 64bit.. Why 4gb ram for VM..  That's just the way I configured it and I had enough ram for it.

 

Why can't I set it up like I explained and disable nat within pfsense? then there would be no double nat.

 

This is the only free thing I could come up with.  I am not going to use some peerblock or software junk on every computer I have and have to still enter an endless amount of ip ranges.

 

Is there a way to configure it using both pfsense and sonicwall?

Grand Master

+BudMan MVC

Posted
  • MVC
Posted

I use the pfblocker package in pfsense as well - it is very simple, click and pick the countries you dont want, etc.

Yes you can setup pfsense as transparent firewall - but WHY?? If you are tired of paying for sonicwall features, then dump it. There is just no point in running 2, there just is not. Be it you don't nat on one of them or not.

I would suggest you go to the pfsense forums for help on setting it up transparent. I am there quite a bit, and prob will help you set it up.. But it is the wrong direction.

Pfsense is great product, and used in enterprises all the time. And you wanting to go with it is great, but why are you trying to hold on to sonicwall -- for a couple of nats? That is just nuts!

Rookie

allen001

Posted
  • Author
Posted

I would like to use both.  Not everybody wants the same thing, nor does everybody agree with the same thing, nor does something somebody wants have to make sense to everybody else.  Everybody is different and wants what they want. Thats just people.  I want to be different and make no sense at all  :)

Grand Master

episode

Posted
Posted

Why - completely and utterly pointless to double nat. Why would you think you need pfsense even if in transparent mode with sonicwall there.. Pick One and move forward you don't need both.

 

Triple NAT really. The SMC modem/router from Comcast does one too.

 

My other piece of advice is to make sure you reboot the SMC after you make any changes. Sometimes they don't 'take' until a reboot on those things. They are real pieces of ######.

Grand Master

+BudMan MVC

Posted
  • MVC
Posted

^ good point. He says his netblock is

"The static ip block is: 171.7.45.246/29"

Which is just wrong from the getgo.. That is not a valid subnet boundary so clearly that is a host address. Which would fall in the block 171.7.45.240/29 which I doubt is his actual address block anyway.. Since that is owned by

3BB Broadband Internet service provider in Thailand

So he says his sonicwall wan has .245? So is the smc have the 246 address? On its wan or lan inteface? Sounds like he already has a convoluted mess and is just trying to make it more of a mess.

Didn't notice this before

" VMware Network Adapter Settings(WAN and LAN)? Bridged, NAT, Host-only"

So your wanting to run your pfsense on workstation or player? Is this a production setup? You have business connection and sonicwall that is not cheap.

I am all for being different and freedom to express yourself.. You can do that at burning man every year ;) This is a Network!! Not an art project made of trash ;)

I am more than willing to help you setup a network to the best of my ability so that it is stable, easy to understand and troubleshoot and works!! But I just don't have any desire to help someone make a mess for the sake of personal expression. But have fun!

BTW you want to run squid on a transparent bridge? Uhhh -- are you wanting squid be implicit or transparent as well? Or you going to point it at the bridge address from behind a NAT that your sonicwall is doing? Going to make it hard to filter or set policy based on ip, since your behind a nat, etc.

The point of a network is to work and be stable and perform that best it can while providing the features you require, not be a convoluted nightmare to keep up, troubleshoot or repair when there are issues...

Grand Master

+BudMan MVC

Posted
  • MVC
Posted

Scum?? Really? Sorry you feel that way, your concept of rude seems to be as far fetched as your idea of how to correctly setup a network.

Have fun and good luck..

"I did post on the pfsense forums but nobody responded in 5 days so I went here."

I am on the pfsense forums pretty much every single day, what section did you put your post in. I don't recall any sort of thread like this over there. I will take a look to see how it was worded, you do understand this is a holiday week and people are most likely busy with family and such.

edit:

Ok found your thread

http://forum.pfsense.org/index.php/topic,69613.0.html

Its in the general question for starters, why would you have not put it installation help or Virtualization?

Its badly worded, and sounds like a bunch of rambling nonsense to be honest. From reading that thread, it does seem clear your over your head.. I would really suggest you rethink what your wanting to accomplish here.

This topic is now closed to further replies.
 Share
Go to topic listing

  • Posts

    • Microsoft confirms Windows 11 26H2 to finally get one of the most requested features

      By hellowalkman · Posted

      Microsoft confirms Windows 11 26H2 to finally get one of the most requested features by Sayan Sen This past week Microsoft officially confirmed Windows 11 version 26H2 with the latest build, 26300.8697, for testing in the experimental Insider channel. The company also published more details about it mainly directed towards IT admins and system admins. Essentially version 26H2 will be delivered via an enablement package (eKB) over Windows 11 25H2. If you are wondering about some of the upcoming features in the next Windows version, one of them is certainly very interesting as Microsoft has confirmed it is finally bringing one of the most overwhelmingly requested features ever. March Rogers, the Partner Director of Design at Microsoft, recently highlighted some of the Search improvements that the company is testing, and during the interaction with users on X where he posted it, Rogers also confirmed that the company is working on disabling web search results inside Search. This is something which many users find quite annoying as Windows would often serve them links to Bing which it feels could be more helpful rather than bringing up the actual object or app the user may be searching for on their PC. Finally though the company is prioritizing local file search over the web. However the feature could not be disabled for many users as not all new features are immediately rolled out to everyone. Image via phantomofearth (X) Windows enthusiast phantomofearth who likes to dig deep into new builds uncovered the IDs you will need to enable these features. Using the following feature IDs the new Search-related features landing in Windows 11 26H2 can be used. Follow the steps below to enable the new Search experience on Windows 11 build 26300.8697: Download ViveTool from GitHub and unpack the files in a convenient and easy-to-find folder. Press Win + X and select Terminal (Admin). Switch Windows Terminal to the Command Prompt profile with the Ctrl + Shift + 2 shortcut or by clicking the arrow-down button at the top of the window. Navigate to the folder containing the ViveTool files with the CD command. For example, if you have placed ViveTool in C:\Vive, type CD C:\Vive. Type vivetool /enable /id: and press Enter. Restart your computer. If you change your mind and want to restore, repeat the steps above and replace /enable with /disable in the commands on steps 5 and 6. Delightedly and perhaps also expectedly, once you disable web search and other such bloat, the Windows 11 Search is said to get snappier as remarked by another Windows enthusiast Xeno.
    • A 13 billion year old secret about our Universe's origin was revealed

      By Michael Scrip · Posted

      Makes me think of Family Guy - "Carl Sagan's Cosmos... edited for Rednecks" 🤣 https://www.youtube.com/watch?v=Ljt5iESYA7k&t=2s
    • Microsoft PC Manager 3.21.7.0 (Offline Installer)

      By Copernic · Posted

      Microsoft PC Manager 3.21.7.0 (Offline Installer) by Razvan Serea With Microsoft PC Manager, users can easily perform basic computer maintenance and enhance the speed of their devices with just one click. This app offers a range of features, including disk cleanup, startup app management, virus scanning, Windows Update checks, process monitoring, and storage management. Microsoft PC Manager key features: Storage Manager- easily uninstall infrequently used apps, manage large files, perform a cleanup, and set up Storage Sense to automatically clear temporary files. Health Checkup feature -scans for potential problems, viruses, and startup programs to turn off. It helps you identify unnecessary items to remove, optimizing your system's performance. Pop-up Management - block pop-up windows from appearing in apps. Windows Update - scans your system for any pending updates. Startup Apps - enable or disable startup apps on your PC, allowing you to optimize your system's startup performance. Browser Protection - rest assured that harmful programs cannot alter your default browser. Also enables you to change your default browser. Process Management - allows you to conveniently terminate any active process, ensuring optimal system performance and resource utilization. Anti-virus protection - Fully integrated with Windows Security. Safeguard your PC anytime. Quick Steps: Download Microsoft PC Manager Offline Installer (APPX/MSIX) with Adguard Adguard serves as a third-party online service, offering a user-friendly method for directly downloading appx, appxbundle, and msixbundle files from the Microsoft Store. Official download links will be generated for both the app's various versions and its dependency packages. How to download Microsoft PC Manager Offline Installer (APPX/MSIX) 1. Initially, you must find the app URL within the Microsoft Store. Access the Microsoft Store via your browser and search for "Microsoft PC Manager". Once located, copy the app URL, which includes the product ID, either from the address bar or from the provided link below. https://apps.microsoft.com/detail/9PM860492SZD 2. Now paste the app URL into the designated area, then click the check mark button to produce a direct download link. 3. To download, right-click the relevant link and select “Save link as…” from your browser's menu. Occasionally, Microsoft Edge may flag the download as insecure. In such cases, consider utilizing alternative browsers such as Google Chrome or Firefox to successfully complete the download. Microsoft PC Manager is a completely free tool optimized exclusively for use on Windows 10 (19042.0 and above) and Windows 11. Download: Microsoft PC Manager 3.21.7.0 | from Microsoft Store View: Microsoft PC Manager Home Page | Screenshot Get alerted to all of our Software updates on Twitter at @NeowinSoftware
    • Microsoft Paint used to be my favorite Windows app as a kid, and it's still pretty good

      By [deXter] · Posted

      jspaint is a lot better, if you like the classic mspaint experience and hate the new bloated Paint.
    • Amazon takes hundreds of dollars off its Kindle readers ahead Prime Day

      By TarasBuria · Posted

      Amazon takes hundreds of dollars off its Kindle readers ahead Prime Day by Taras Buria Ahead of its Prime Day, Amazon brought its Kindle readers to all-time low prices, allowing you to save on various bundles across the entire lineup, from the most affordable Kindle to the flagship Scribe and its color-enabled variant. Kindle Essentials Bundle - $108.97 | 33% off This 6-inch Kindle is a portable reader with a front light, a brighter E-Ink display, and up to 6 weeks on a single charge. The bundle includes a protective case and a charger, so that you have everything you need for comfortable reading. Kindle Paperwhite Bundle - $154.98 | 45% off Kindle Colorsoft Bundle - $169.98 | 48% off The latest Paperwite is a 7-inch reader that features significantly faster page-turning, wireless charging, an ambient light sensor, 32GB of storage, and up to 12 weeks on a single charge. Right now, the bundle with a sling bag makes the Paperwhite 25% cheaper than the non-bundle variant. The same bundle is available for the Colorsoft version with a colorful E-Ink display. Kindle Scribe 32GB Bundle - $444.97 | 27% off Kindle Scribe Colorsoft 64GB Bundle - $574.97 | 27% off The Scribe is the biggest, flagship Kindle. It has an 11-inch texturized display with a stylus support, with a big emphasis on the note-taking experience. The built-in notebook has AI-assisted features for search, refinements, summarization, and more. The Scribe comes with 32GB of storage, and the bundle gets you a case, a stylus, and a protective case. Like with the Paperwhite, there is a Colorsoft version, which is also available with a massive discount. Note: These deals are available to Prime members only. If you do not have Prime, you can sign up using one of the links below. Good to know This Amazon deal is U.S. specific, and not available in other regions unless specified. We only use first-party seller links (at the time of article publishing); ensure that you purchase from a first-party seller link only. Check out Today's Deals on Amazon | or our recent tech deals. Become a Prime member (for Students or SNAP) via Neowin Get Prime Access - Prime for half price (for qualifying Medicaid, EBT, SNAP) Subscribe to Prime Video, Audible Plus, Music Unlimited or Kindle Unlimited via Neowin As an Amazon Associate, we earn from qualifying purchases.

  • Recent Achievements

    • Dedicated
      Almohandis earned a badge
      Dedicated
    • Dedicated
      JuvenileDelinquent earned a badge
      Dedicated
    • First Post
      DrWankel earned a badge
      First Post
    • Reacting Well
      DrWankel earned a badge
      Reacting Well
    • Week One Done
      Supreme Spray LV earned a badge
      Week One Done

  • Popular Contributors

    1. 1
      +primortal
      504
    2. 2
      +Edouard
      174
    3. 3
      PsYcHoKiLLa
      84
    4. 4
      Steven P.
      76
    5. 5
      Michael Scrip
      76
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!