RESET Forums (homeservershow.com)
Virtualized firewall within existing network

kylejwx

Hello, I'm looking to add a router/firewall (probably pfSense) to my home network. I'd like to have a bit more control of my home network, but mostly I want to learn about firewalls, routing, and VLANs for running my school's network.


I've already created a Hyper-V virtual machine that I plan to install pfSense on. My first concern is how this will work, since my home network is already set up with a cable modem and an ASUS RT-AC87R wireless router. Could I break anything by just installing pfSense? I think the default IP for pfSense is 192.168.1.1, which is the same as my ASUS router. Could that be a conflict?

I suppose I could run the ASUS in bridge mode, but if I did that and something went wrong with pfSense, then I'd break my home network. My wife works from home, so I'd need a backup plan.

Or is there a way to run both the ASUS and pfSense?

ShadowPeo

In short, yes: unless you are using VLANs you cannot have the same IP on the same network. It will cause issues, and even bigger issues considering they are routers. Do not get me wrong, there are ways to do this with load balancing and the like, but as it sounds like you are just starting out, I would not be going into that.

Depending on what you want to try to do, Hyper-V can handle VLANs easily enough if your hardware can, or you can use a virtual switch and a virtualized desktop client on that switch to do the configuration (it's easy in Hyper-V to change VLANs after the fact). You can then specify different networks on the pfSense (or router, but I would go with pfSense and leave the existing ones in place, changing the router to bridge mode after the fact and putting it on the input when pfSense is running correctly).

You can remotely access the Hyper-V desktop client easily enough by putting in a second NIC card; just make sure to statically assign the IP on your existing network and not put in a gateway.

kylejwx

Thanks ShadowPeo. I guess I'm not really understanding all of this. What are my options if I want to leave my existing ASUS router in place and just use pfSense in an isolated environment?

Can I install pfSense and make it run a 10.0.0.1 network that is separate from the rest of my devices?

Or should I just make all the network adapters on my Hyper-V virtual machine private so it can't even talk to my physical network? But then how would I get Internet to it?

oj88

You can leave the cable modem and your existing router alone.

pfSense would typically have a WAN (external) and a LAN (internal) interface at the minimum. Assuming you've properly set up the pfSense VM and exposed the above-mentioned two interfaces to the host's physical NIC ports, all you have to do is connect the pfSense WAN to your existing wired home network (Asus LAN port). pfSense should be able to pick up an IP address from your existing router and treat it as WAN.

From within the pfSense CLI console, you should be able to validate that it's getting a WAN IP address. The next thing to do is to change the LAN IP address to something else, like 192.168.2.1/24, and turn on the DHCP server. You can then put an isolated switch (a managed switch if you want to practice VLANs) behind pfSense's LAN interface, put a PC on there, and you should be able to access pfSense's web console.

That's it!

You've just created an isolated network on 192.168.2.0/24 and your family members on your home network (192.168.1.0/24) didn't even feel anything.

You'll be doing dual-NAT for sure, but as this is just a test environment, it shouldn't matter much. Do note that if you need port-forwarding, it will require more work and involves doing it on both your Asus and pfSense firewalls. Just cross that bridge when you get there.

Good luck!

nrf

If you are trying to be careful during startup, you can initially have the two virtual NICs connected to virtualization LANs, and use the console to assign the NICs and set their IP settings. Then you can unleash them on the outside in the desired configuration. Enjoy!

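As an added example (not code from this thread, nor from pfSense or Microsoft), here is the Hyper-V side of the two-NIC setup oj88 describes, staged the way nrf suggests: both adapters start on a private switch, so pfSense's default 192.168.1.1 LAN address never touches the ASUS segment, and only after the console setup are they moved onto the real switches. The VM name "pfSense", the physical adapter name "Ethernet" and the switch names are my assumptions.

```powershell
# Added example: provision a two-NIC pfSense VM in Hyper-V (run elevated on the host).
# All names below are assumptions; adjust them to your host.
$VmName  = 'pfSense'       # assumed VM name (already created, OS not yet booted)
$PhysNic = 'Ethernet'      # assumed physical adapter plugged into an ASUS LAN port
$WanSw   = 'vSw-WAN'       # external switch: pfSense WAN takes a DHCP lease from the ASUS (192.168.1.0/24)
$LanSw   = 'vSw-LAB'       # private switch: the isolated 192.168.2.0/24 lab segment (VMs only)
$StageSw = 'vSw-Staging'   # private switch used only during first boot (nrf's suggestion)

# 1. Switches. -AllowManagementOS keeps the host's own IP on the ASUS network,
#    so the host (and the family's Internet) is untouched if pfSense misbehaves.
New-VMSwitch -Name $WanSw   -NetAdapterName $PhysNic -AllowManagementOS $true
New-VMSwitch -Name $LanSw   -SwitchType Private
New-VMSwitch -Name $StageSw -SwitchType Private
# For a physical lab switch behind pfSense (oj88's layout) bind a second physical
# NIC instead: New-VMSwitch -Name $LanSw -NetAdapterName 'Ethernet 2' -AllowManagementOS $false

# 2. Exactly two adapters, named so the pfSense console interface assignment is
#    unambiguous (match by MAC address shown in Get-VMNetworkAdapter).
Get-VMNetworkAdapter -VMName $VmName | Remove-VMNetworkAdapter
Add-VMNetworkAdapter -VMName $VmName -Name 'WAN' -SwitchName $StageSw
Add-VMNetworkAdapter -VMName $VmName -Name 'LAN' -SwitchName $StageSw
Get-VMNetworkAdapter -VMName $VmName | Select-Object Name, SwitchName, MacAddress

# 3. First boot on the isolated staging switch: assign interfaces, set LAN to
#    192.168.2.1/24 and enable DHCP from the console. Nothing reaches the ASUS yet.
Start-VM -Name $VmName
Read-Host 'Finish the pfSense console setup (LAN = 192.168.2.1/24, DHCP on), then press Enter'

# 4. Now expose WAN to the home network and LAN to the lab segment. WAN gets a
#    192.168.1.x lease from the ASUS; the lab sits behind a second NAT layer.
Connect-VMNetworkAdapter -VMName $VmName -Name 'WAN' -SwitchName $WanSw
Connect-VMNetworkAdapter -VMName $VmName -Name 'LAN' -SwitchName $LanSw

# 5. Optional VLAN practice: tag the LAN adapter; lab VMs on $LanSw must use the
#    same VLAN ID, or connect through a pfSense VLAN sub-interface on a trunk.
Set-VMNetworkAdapterVlan -VMName $VmName -VMNetworkAdapterName 'LAN' -Access -VlanId 20

# 6. Sanity check after pfSense is up: WAN should show a 192.168.1.x address and
#    LAN 192.168.2.1; if both are 192.168.1.x, the LAN change in step 3 did not stick.
Get-VMNetworkAdapter -VMName $VmName | Select-Object Name, SwitchName, IPAddresses
```

Any VM you attach to vSw-LAB will only ever see pfSense's LAN side, which is the isolation the thread is after; the ASUS continues to serve 192.168.1.0/24 exactly as before.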
