Re: [pfSense] Change WAN interface

2016-10-14 Thread Luc Paulin
I think that I just figured it out... Yeah it was at that page I was looking
at but didn't understand the difference between interface and network
port, I found this a bit confusing.

--
 !
   ( o o )
 --oOO(_)OOo--
   Luc Paulin
   email: paulinster(at)gmail.com
   Skype: paulinster


2016-10-14 14:18 GMT-04:00 Steve Yates <st...@teamits.com>:

> Interfaces/(assign) page should have drop downs to pick the interface.
>
> --
>
> Steve Yates
> ITS, Inc.
>
> -----Original Message-----
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Luc Paulin
> Sent: Friday, October 14, 2016 1:16 PM
> To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
> Subject: [pfSense] Change WAN interface
>
> How can I assign the WAN interface to another interface ...
> Let's say I initially assign WAN to bge0, but then I need to move WAN to
> bge3. How can this be done? Looks like we can't delete the assigned WAN
> interface.
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
>


[pfSense] Change WAN interface

2016-10-14 Thread Luc Paulin
How can I assign the WAN interface to another interface ...
Let's say I initially assign WAN to bge0, but then I need to move WAN to bge3.
How can this be done? Looks like we can't delete the assigned WAN interface.

Am I missing something?

  -Luc

--
 !
   ( o o )
 --oOO(_)OOo--
   Luc Paulin
   email: paulinster(at)gmail.com
   Skype: paulinster


Re: [pfSense] Change WAN interface

2016-10-14 Thread Steve Yates
Interfaces/(assign) page should have drop downs to pick the interface.

--

Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Luc Paulin
Sent: Friday, October 14, 2016 1:16 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] Change WAN interface

How can I assign the WAN interface to another interface ...
Let's say I initially assign WAN to bge0, but then I need to move WAN to bge3. How
can this be done? Looks like we can't delete the assigned WAN interface.


Re: [pfSense] Change WAN interface address to new subnet

2014-08-08 Thread Adam Williams
Hey Adam! Thanks for getting back!

I was able to complete the move in under 60 seconds. Since the address
I wanted to move was only for outbound requests, and those requests
were stimulated by inbound requests on the other subnet, dropping SYN
packets (ignoring connection requests) for a minute gave me the time I
needed to move the WAN interface IP address. The upstream switches
responsible for my uplink were happy enough to update their ARP tables
pretty quickly when the addresses were moved to another port, and
things just worked, as some might say.

I'll keep in mind your comments about making the second pfSense
firewall work as slave to F2.

There are many things I learned working on this, and I confess it
would have been nice to have an expert available to avoid any choices
that were complicating the process. That said, I suspect I would not
have learned so much as I did.

On Thu, Aug 7, 2014 at 10:50 PM, Adam Thompson athom...@athompso.net wrote:
 On 14-08-06 02:42 PM, Adam Williams wrote:

 You've made two contradictory statements here:
 1) you want to know how to *change* a WAN interface, but
 2) We're moving it over from another firewall...

 I've got two firewalls, F1 and F2, facing the public internet, each
 hosting different public subnets, N1 and N2. There are computers
 behind them which are dual homed - connected to both firewalls. I want
 to make F2 host both N1 and N2, decommissioning F1. Then I'll
 decommission N2. Since I want to decommission N2, I thought I should
 make the WAN interface of F2 configured for N1.


 Ouch... I'm sure I could create a more difficult setup to work with, but it
 would take some time and effort to do so!

 Why do you need to do things one step at a time?  Again, that contradicts
 #2, above.

 I want to configure 87.54.0.34 (N1) on F2 before having the IP
 addresses moved from F1, because of the acceptable downtime of...
 about 60 seconds. Hopefully my following answers will clarify how I
 think this can be done.

 asdf

 You also mention VRRP - pfSense doesn't do VRRP, it does CARP.  Is the VRRP
 from the old firewall?

 It may be the uplink switches are making these VRRP advertisements. I
 realize I do not understand perfectly how the protocol is implemented,
 and assumed there was a relationship with CARP, though it's clear
 enough now that they are different tech solving similar problems. I
 suppose I need to read up on VRRP to understand why my F2 WAN address
 (50.31.0.14) is the SRC address of these advertisements.


 If F2 is a pfSense firewall, then you have some much larger problem to solve
 before you worry about switching over to new firewalls.


 Once I have the configuration I want, I will be adding another pfSense
 firewall as a sync slave of F2.


 I would strongly recommend starting with HA, not adding a HA peer later.
 Adding HA later is much more likely to cause downtime; adding it right away
 means you'll catch all the problems immediately, (hopefully) before you put
 the new firewall into production.


 The switches our old VLANs operated on are being replaced. There were
 new VLANs created on the new switches, and the computers were made to
 be dual homed for a time so I could work through getting all the
 services running over the new switch VLANs/subnets. F2 is the firewall
 of the new switch VLANs/subnets. Now that the computers behind the
 firewalls are communicating over the new switches through F2, I'm
 ready to move the IP addresses of F1 over, as I've mentioned. The ONLY
 reason we need the old WAN on F2 at all is because outbound
 connections to third parties must come from addresses in the old WAN.
 That is happening today because the computers are still routing
 Internet-bound connections through F1.


 Don't bother changing WAN, add a new interface (WAN2, let's say...) and
 configure it with the appropriate IP address and gateway(s), etc.
 If I understand correctly, you're going to wind up with a dual-WAN setup,
 right?


 F1 must hold the N1 address until the last moment, since the computers
 are still routing Internet-bound connections through F1, and I do not
 believe I have the option of having F1 and F2 on the same uplink both
 claiming the N1 address.


 That's correct; they'll be fighting over the IP address (unless they are a
 CARP pair, which doesn't sound likely).


 If I am able to put F2 in a position where it's nearly completely
 configured to host N1, such that I can have N1 moved to F2, change
 outbound NAT on F2 to use the address of N1, use N1 as the default
 gateway of F2, and immediately change the routing of the computers
 behind the firewall so that they make Internet-bound connections
 through F2, I'll be happy. If I have to move N1 to F2 before I can
 configure F2 this way, downtime will be longer.


 Ugh.  You have set yourself a complex task; I would have simply
 preconfigured a new firewall (F2) exactly the same as the existing firewall
 (F1), and taken a 2-minute outage to swap firewalls.

 You're 

Re: [pfSense] Change WAN interface address to new subnet

2014-08-07 Thread Adam Thompson

On 14-08-06 02:42 PM, Adam Williams wrote:

You've made two contradictory statements here:
1) you want to know how to *change* a WAN interface, but
2) We're moving it over from another firewall...

I've got two firewalls, F1 and F2, facing the public internet, each
hosting different public subnets, N1 and N2. There are computers
behind them which are dual homed - connected to both firewalls. I want
to make F2 host both N1 and N2, decommissioning F1. Then I'll
decommission N2. Since I want to decommission N2, I thought I should
make the WAN interface of F2 configured for N1.


Ouch... I'm sure I could create a more difficult setup to work with, but 
it would take some time and effort to do so!



Why do you need to do things one step at a time?  Again, that contradicts
#2, above.

I want to configure 87.54.0.34 (N1) on F2 before having the IP
addresses moved from F1, because of the acceptable downtime of...
about 60 seconds. Hopefully my following answers will clarify how I
think this can be done.

asdf

You also mention VRRP - pfSense doesn't do VRRP, it does CARP.  Is the VRRP
from the old firewall?

It may be the uplink switches are making these VRRP advertisements. I
realize I do not understand perfectly how the protocol is implemented,
and assumed there was a relationship with CARP, though it's clear
enough now that they are different tech solving similar problems. I
suppose I need to read up on VRRP to understand why my F2 WAN address
(50.31.0.14) is the SRC address of these advertisements.


If F2 is a pfSense firewall, then you have some much larger problem to 
solve before you worry about switching over to new firewalls.



Once I have the configuration I want, I will be adding another pfSense
firewall as a sync slave of F2.


I would strongly recommend starting with HA, not adding a HA peer 
later.  Adding HA later is much more likely to cause downtime; adding it 
right away means you'll catch all the problems immediately, (hopefully) 
before you put the new firewall into production.



The switches our old VLANs operated on are being replaced. There were
new VLANs created on the new switches, and the computers were made to
be dual homed for a time so I could work through getting all the
services running over the new switch VLANs/subnets. F2 is the firewall
of the new switch VLANs/subnets. Now that the computers behind the
firewalls are communicating over the new switches through F2, I'm
ready to move the IP addresses of F1 over, as I've mentioned. The ONLY
reason we need the old WAN on F2 at all is because outbound
connections to third parties must come from addresses in the old WAN.
That is happening today because the computers are still routing
Internet-bound connections through F1.


Don't bother changing WAN, add a new interface (WAN2, let's say...) and 
configure it with the appropriate IP address and gateway(s), etc.
If I understand correctly, you're going to wind up with a dual-WAN 
setup, right?



F1 must hold the N1 address until the last moment, since the computers
are still routing Internet-bound connections through F1, and I do not
believe I have the option of having F1 and F2 on the same uplink both
claiming the N1 address.


That's correct; they'll be fighting over the IP address (unless they are 
a CARP pair, which doesn't sound likely).



If I am able to put F2 in a position where it's nearly completely
configured to host N1, such that I can have N1 moved to F2, change
outbound NAT on F2 to use the address of N1, use N1 as the default
gateway of F2, and immediately change the routing of the computers
behind the firewall so that they make Internet-bound connections
through F2, I'll be happy. If I have to move N1 to F2 before I can
configure F2 this way, downtime will be longer.


Ugh.  You have set yourself a complex task; I would have simply 
preconfigured a new firewall (F2) exactly the same as the existing 
firewall (F1), and taken a 2-minute outage to swap firewalls.


You're almost sure to have more than 60 seconds of downtime anyway, 
since ARP data typically has a 5-minute lifetime.  If you can cause the 
new firewall to proactively overwrite each local host's ARP cache (e.g. 
by pinging each host from the firewall) then you can probably get that 
down quite a bit.


--
-Adam Thompson
 athom...@athompso.net

___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list


[pfSense] Change WAN interface address to new subnet

2014-08-06 Thread Adam Williams
Hello!

I need to change the WAN interface address to one that is on another
subnet. I need to end up getting off the 50.31.0.0 network altogether,
ultimately, but need to do so one step at a time. However, I'm
concerned that I don't quite understand the implications of changing
the WAN primary IP address. I would very much appreciate any guidance
you might offer.

Suppose the following current configuration of IP addresses on the WAN
interface:

  WAN 50.31.0.14
  GW 50.31.0.1
  ALIAS 50.31.0.25
  CARP 50.31.0.71

* Gateway is monitored using SRC 50.31.0.14 ICMP
* DNS forwarding is configured, so SRC 50.31.0.14 UDP
* VRRP packets are SRC 50.31.0.14 TCP
* Clients are connecting to 50.31.0.71 (the CARP address)
* Outbound connections are masqueraded as 50.31.0.71 (the CARP address)

I want to begin the migration by changing the WAN interface address
to, say, 87.54.0.34. Here is what I imagine the configuration needs to
become:

  WAN 87.54.0.34
  GW2 87.54.0.29
  GW (default) 50.31.0.1
  ALIAS 50.31.0.25
  CARP 50.31.0.71

My first question would be, will this work? More specifically, what
will be the SRC IP address of the a) gateway monitoring, b) DNS, and
c) VRRP traffic?

The gateway monitoring traffic would have to choose the ALIAS address
for GW, and the WAN address for GW2; the routes to those subnets would
be used (a direct link). It seems the DNS traffic would end up with
SRC 87.54.0.34; the default gateway is not on the same subnet and
would therefore drop the packets. Would VRRP traffic for 50.31.0.71
choose the ALIAS address, since it's the only one on the subnet of the
CARP address?

However, perhaps complicating things, we do not yet have the subnet of
the new WAN IP address routing over our uplink. We're moving it over
from another firewall and want to preconfigure this firewall as much
as possible to host the new subnet, so that we might minimize downtime
for connections to 87.54.0.34. Therefore, we cannot yet receive
packets at 87.54.0.34; the gateway 87.54.0.29 is unreachable.

Will this plan work at all, or is the role of the WAN address so
critically important that we really cannot preconfigure it for a new
subnet like this?

Please let me know if this is not clear enough to help.

Thank you!
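Added example, not part of the original post and not pfSense code: a subnet-membership check over the two address plans in the question above, showing which configured address puts each gateway on-link. The /24 prefix lengths and all function names are assumptions (the thread gives no netmasks), and the check does not model pfSense's own source-address selection.

```python
import ipaddress

PREFIX = 24  # assumption: the thread gives addresses but never the netmasks


def addr(label, ip, prefix=PREFIX):
    """Pair a label from the post (WAN, ALIAS, CARP) with an interface address."""
    return label, ipaddress.ip_interface(f"{ip}/{prefix}")


# Address plans copied from the post; the first entry is the primary WAN address.
CURRENT = {
    "addresses": [addr("WAN", "50.31.0.14"), addr("ALIAS", "50.31.0.25"),
                  addr("CARP", "50.31.0.71")],
    "gateways": {"GW": "50.31.0.1"},
    "default": "GW",
}
PLANNED = {
    "addresses": [addr("WAN", "87.54.0.34"), addr("ALIAS", "50.31.0.25"),
                  addr("CARP", "50.31.0.71")],
    "gateways": {"GW2": "87.54.0.29", "GW": "50.31.0.1"},
    "default": "GW",
}


def onlink_report(plan):
    """Map each gateway name to the local addresses whose subnet contains it."""
    report = {}
    for name, gw in plan["gateways"].items():
        gw_ip = ipaddress.ip_address(gw)
        report[name] = [label for label, ifc in plan["addresses"]
                        if gw_ip in ifc.network]
    return report


def problems(plan):
    """List gateways that are not on-link, or on-link only via a secondary address."""
    primary = plan["addresses"][0][0]
    issues = []
    for name, labels in onlink_report(plan).items():
        if not labels:
            issues.append(f"{name}: not on-link from any configured address")
        elif name == plan["default"] and primary not in labels:
            issues.append(f"{name}: default gateway on-link only via "
                          f"{'/'.join(labels)}, not primary {primary}")
    return issues


def without(plan, *labels):
    """Copy of a plan with the given addresses removed (e.g. 50.31.0.x dropped)."""
    kept = [a for a in plan["addresses"] if a[0] not in labels]
    return {**plan, "addresses": kept}


if __name__ == "__main__":
    for title, plan in (("current", CURRENT), ("planned", PLANNED),
                        ("planned, 50.31.0.x addresses removed",
                         without(PLANNED, "ALIAS", "CARP"))):
        print(title, onlink_report(plan), problems(plan) or "ok")
```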


Re: [pfSense] Change WAN interface address to new subnet

2014-08-06 Thread Adam Thompson

You've made two contradictory statements here:
1) you want to know how to *change* a WAN interface, but
2) We're moving it over from another firewall...

Which is it?
Why do you need to do things one step at a time?  Again, that 
contradicts #2, above.

Also, how much downtime is acceptable?
You also mention VRRP - pfSense doesn't do VRRP, it does CARP.  Is the 
VRRP from the old firewall?  Are you in fact setting up redundant 
firewalls, or are you just using CARP as a convenient way to establish 
additional IP addresses?
If you're moving to a new firewall, why do you have it connected 
directly to the old WAN at all?


Right now, it sounds like you're worrying about trivial items (e.g. 
source IP addresses) without having a good big-picture grasp on the 
process first.  Who cares what source IP address gateway-monitoring ICMP 
packets or DNS packets come from?  I assume anything originating from 
the firewall will by default use the primary interface IP, but I don't 
know for sure - that stuff Just Works regardless of which IP address 
it originates from.


I'll stop here for now until you've addressed the contradiction.

-Adam



On 14-08-06 10:29 AM, Adam Williams wrote:

Hello!

I need to change the WAN interface address to one that is on another
subnet. I need to end up getting off the 50.31.0.0 network altogether,
ultimately, but need to do so one step at a time. However, I'm
concerned that I don't quite understand the implications of changing
the WAN primary IP address. I would very much appreciate any guidance
you might offer.

Suppose the following current configuration of IP addresses on the WAN
interface:

   WAN 50.31.0.14
   GW 50.31.0.1
   ALIAS 50.31.0.25
   CARP 50.31.0.71

* Gateway is monitored using SRC 50.31.0.14 ICMP
* DNS forwarding is configured, so SRC 50.31.0.14 UDP
* VRRP packets are SRC 50.31.0.14 TCP
* Clients are connecting to 50.31.0.71 (the CARP address)
* Outbound connections are masqueraded as 50.31.0.71 (the CARP address)

I want to begin the migration by changing the WAN interface address
to, say, 87.54.0.34. Here is what I imagine the configuration needs to
become:

   WAN 87.54.0.34
   GW2 87.54.0.29
   GW (default) 50.31.0.1
   ALIAS 50.31.0.25
   CARP 50.31.0.71

My first question would be, will this work? More specifically, what
will be the SRC IP address of the a) gateway monitoring, b) DNS, and
c) VRRP traffic?

The gateway monitoring traffic would have to choose the ALIAS address
for GW, and the WAN address for GW2; the routes to those subnets would
be used (a direct link). It seems the DNS traffic would end up with
SRC 87.54.0.34; the default gateway is not on the same subnet and
would therefore drop the packets. Would VRRP traffic for 50.31.0.71
choose the ALIAS address, since it's the only one on the subnet of the
CARP address?

However, perhaps complicating things, we do not yet have the subnet of
the new WAN IP address routing over our uplink. We're moving it over
from another firewall and want to preconfigure this firewall as much
as possible to host the new subnet, so that we might minimize downtime
for connections to 87.54.0.34. Therefore, we cannot yet receive
packets at 87.54.0.34; the gateway 87.54.0.29 is unreachable.

Will this plan work at all, or is the role of the WAN address so
critically important that we really cannot preconfigure it for a new
subnet like this?

Please let me know if this is not clear enough to help.

Thank you!



--
-Adam Thompson
 athom...@athompso.net
 Cell: +1 204 291-7950
 Fax: +1 204 489-6515



Re: [pfSense] Change WAN interface address to new subnet

2014-08-06 Thread Adam Williams
Adam, thank you for your time and questions.

On Wed, Aug 6, 2014 at 12:04 PM, Adam Thompson athom...@athompso.net wrote:

 You've made two contradictory statements here:
 1) you want to know how to *change* a WAN interface, but
 2) We're moving it over from another firewall...

I've got two firewalls, F1 and F2, facing the public internet, each
hosting different public subnets, N1 and N2. There are computers
behind them which are dual homed - connected to both firewalls. I want
to make F2 host both N1 and N2, decommissioning F1. Then I'll
decommission N2. Since I want to decommission N2, I thought I should
make the WAN interface of F2 configured for N1.

 Why do you need to do things one step at a time?  Again, that contradicts
 #2, above.

I want to configure 87.54.0.34 (N1) on F2 before having the IP
addresses moved from F1, because of the acceptable downtime of...

 Also, how much downtime is acceptable?

about 60 seconds. Hopefully my following answers will clarify how I
think this can be done.

 You also mention VRRP - pfSense doesn't do VRRP, it does CARP.  Is the VRRP
 from the old firewall?

It may be the uplink switches are making these VRRP advertisements. I
realize I do not understand perfectly how the protocol is implemented,
and assumed there was a relationship with CARP, though it's clear
enough now that they are different tech solving similar problems. I
suppose I need to read up on VRRP to understand why my F2 WAN address
(50.31.0.14) is the SRC address of these advertisements.

 Are you in fact setting up redundant firewalls, or
 are you just using CARP as a convenient way to establish additional IP
 addresses?

Once I have the configuration I want, I will be adding another pfSense
firewall as a sync slave of F2.

 If you're moving to a new firewall, why do you have it connected directly to
 the old WAN at all?

The switches our old VLANs operated on are being replaced. There were
new VLANs created on the new switches, and the computers were made to
be dual homed for a time so I could work through getting all the
services running over the new switch VLANs/subnets. F2 is the firewall
of the new switch VLANs/subnets. Now that the computers behind the
firewalls are communicating over the new switches through F2, I'm
ready to move the IP addresses of F1 over, as I've mentioned. The ONLY
reason we need the old WAN on F2 at all is because outbound
connections to third parties must come from addresses in the old WAN.
That is happening today because the computers are still routing
Internet-bound connections through F1.

Does this clarify things?

 Right now, it sounds like you're worrying about trivial items (e.g. source
 IP addresses) without having a good big-picture grasp on the process first.
 Who cares what source IP address gateway-monitoring ICMP packets or DNS
 packets come from?

I really don't care at all, except that I thought this information
would be useful to demonstrate that the SRC address is currently the
primary address (source address selection). When the primary address
of the WAN interface becomes an IP address which is not known to the
default gateway of F2, I have no reason to think that packets now
having the N1 address will go anywhere. F2 cannot yet reach the
gateway of N1.

F1 must hold the N1 address until the last moment, since the computers
are still routing Internet-bound connections through F1, and I do not
believe I have the option of having F1 and F2 on the same uplink both
claiming the N1 address.

 I assume anything originating from the firewall will by
 default use the primary interface IP, but I don't know for sure - that stuff
 Just Works regardless of which IP address it originates from.

I would assume the same thing, and I even think we can say this is the
case based on the SRC IP address of the aforementioned packets. Again,
if the WAN primary address is one not on the subnet of the default
gateway, I believe it will be dropped; the gateway of N1 is not yet
reachable.

If I am able to put F2 in a position where it's nearly completely
configured to host N1, such that I can have N1 moved to F2, change
outbound NAT on F2 to use the address of N1, use N1 as the default
gateway of F2, and immediately change the routing of the computers
behind the firewall so that they make Internet-bound connections
through F2, I'll be happy. If I have to move N1 to F2 before I can
configure F2 this way, downtime will be longer.

 I'll stop here for now until you've addressed the contradiction.

 -Adam

Again, thank you for your time and for asking for clarification!

Adam Williams