ISP > Switch > firewall aka wan breakout?

Notice: Page may contain affiliate links for which we may earn a small commission through services like Amazon Affiliates or Skimlinks.

sadpanda

New Member
Jan 19, 2022
11
0
1
ISP provides one IP address / single port on modem. Adding a switch upstream of firewall seems handy for testing ISP connection, playing around without disturbing main network etc From my searching this is common practice (failover/two ISP/HA) but I'm not finding any guides and I'm curious how it works.

Basic 5 port switch seems common but I think it has to be more than just vlan aware.
Obviously lock down management vlan/port (say vlan 10, port 5, could add IP/other restrictions)
ISP modem on port 1
Switch in DHCP mode so it gets IP/Gateway from modem (ie 174.xxx.xxx.90/174.xxx.xxx.xxx.1) and modem stays happy seeing only one MAC

.... Then what ????

firewall/router A on port 2
firewall/router B on port 3
Ports 1-3 PVID and untagged on vlan 20?

It seems at this point there has to be some sort of NAT or routing configured right? I'm playing with netgear GS108T for reference.


Thanks!
 

vangoose

Active Member
May 21, 2019
326
104
43
Canada
Use fw as dhcp client to get IP, then you can do all the normal stuff in fw.

If you have 2 isps, you can connect each modem to one fw port, you don't really need switch here. If you want to use switch, either a seperate unmanaged switch or port based l2 vlan.
 

aero

Active Member
Apr 27, 2016
346
86
28
54
The typical purpose of fronting the ISP connections with a switch is so you can have redundancy with high-availability firewalls. Don't need any vlans, can be unmanaged switches. Each firewall of the HA pair will have a connection to each ISP in this scenario.

see this crude diagram

edit: If you don't have dual firewalls, I don't see any real reason to have a switch in front.
 

Attachments

oneplane

Well-Known Member
Jul 23, 2021
845
484
63
If your ISP only allows for 1 connection as described in your post, none of this works. This is because unless you have some fort of etables facility you'd have to rewrite the MAC address regardless of what you are using as a DHCP client, at which point the switch is of no added value because a firewall does the same thing.

If you want to 'hot swap' firewalls or something like that, it is much easier to just enter an interface MAC override that is the same on all firewalls so the ISP only sees the 'same' MAC. Some (most) residential ISPs have DHCP limits where you may not actually get your IP re-issued until the lease expires (so it just ignores your requests, even if it comes from the 'correct' MAC address).

Normally you'd not solve this using DHCP and some MAC address emulation but using BGP and/or OSPF, which is not something most ISPs will do, especially not residential and SMB ISPs.

If you want to have 'redundant' firewalls with a residential/consumer-level ISP your best bet is a relay bypass and then two firewalls with a HA sync connection between the two so they share IP state tables and DHCP client data etc.
 

sadpanda

New Member
Jan 19, 2022
11
0
1
Thanks for replies. I too did some more digging - more or less what you all have said.

https://www.reddit.com/r/PFSENSE/comments/y33ke1 Multi-WAN on a Stick

Mirroring works by copying packets but I think its a one way street. If not, outgoing data originating from the main port and mirror will appear the same but how a devices/routers handle incoming data may be an issue? I'm guessing normal drop firewall rules would work but there would be collision/confusion if same end point/port was initiated by both main/mirror.

However, this raises a bigger question: My dual stack ISP is handing me /56 block IPv6, the router gets a /64 and a public IPv4 address (though I'm sure both are at least somewhat dynamic). Obviously only one IPv4 address can be assigned but whats stopping the ISP from handing out multiple IPv6 addresses in that block if connected via dumb switch? Correct me if I'm wrong but my understanding is that in the 'normal' IPv6 enabled router situation, IPv4 gets NATd by router but IPv6 DHCP requests get punted up to ISP unless you segment it/run your own DHCP.
 

oneplane

Well-Known Member
Jul 23, 2021
845
484
63
Thanks for replies. I too did some more digging - more or less what you all have said.

https://www.reddit.com/r/PFSENSE/comments/y33ke1 Multi-WAN on a Stick

Mirroring works by copying packets but I think its a one way street. If not, outgoing data originating from the main port and mirror will appear the same but how a devices/routers handle incoming data may be an issue? I'm guessing normal drop firewall rules would work but there would be collision/confusion if same end point/port was initiated by both main/mirror.

However, this raises a bigger question: My dual stack ISP is handing me /56 block IPv6, the router gets a /64 and a public IPv4 address (though I'm sure both are at least somewhat dynamic). Obviously only one IPv4 address can be assigned but whats stopping the ISP from handing out multiple IPv6 addresses in that block if connected via dumb switch? Correct me if I'm wrong but my understanding is that in the 'normal' IPv6 enabled router situation, IPv4 gets NATd by router but IPv6 DHCP requests get punted up to ISP unless you segment it/run your own DHCP.
The ISP probably gives you an IPv6 prefix, and a daemon on your gateway/firewall has to take care of distributing the addresses, so that's not something the ISP does for you (unless they decided to run DHCPv6 for all those hackers out there :D )
 

sadpanda

New Member
Jan 19, 2022
11
0
1
The ISP probably gives you an IPv6 prefix, and a daemon on your gateway/firewall has to take care of distributing the addresses, so that's not something the ISP does for you (unless they decided to run DHCPv6 for all those hackers out there :D )
Just read more about prefix delegation which led to reading about prefix changes by ISP causing pain... I've got a better grasp on whats going on now. Thanks!