Building a Replacement Firewall

[spetrillo]

Hello all,

I have built a new firewall and would like to be able to run it side by side with my current firewall. Right now the new firewall only has the LAN interface activated, at 192.168.1.2/24. My current firewall's LAN interface is 192.168.1.1/24. From the current firewall's LAN interface I can ping the new firewall but when I try to connect to the new firewall from another subnet it does not allow me. Is there something I need to do on the current firewall to allow it to route to the new firewall?

Thanks,
Steve

[bartjsmit]

Hi Steve, does the new firewall have a route to 'another subnet'? 

Bart...

[spetrillo]

It probably does not but I would think ARP would take care of that. The current firewall should be able to tell me that the new firewall is located on its LAN interface?

[allebone]

Thats incorrect. You would need the current firewall to have an interface in the new firewalls subnet so it can route to it and on behalf of clients. The new firewall would need a route adding where the old subnet is routed to the interface ip of the lan interface ip you added on the old firewall that is in this new subnet. So 2 things to do to make this work.

[spetrillo]

Hold on...

As mentioned the current firewall has its LAN interface(non VLAN) as 192.168.1.1/24. The new firewall has its LAN interface(non VLAN) as 192.168.1.2/24. From the current firewall I go to Intefaces/Diagnostics/Ping and I setup the ping from the LAN interface. It responds...see attached.

So the current firewall can find the new firewall...so shouldn't this information be in the ARP table of the current firewall, for all to find?

[allebone]

I see. In this case can you clarify what you mean by ‘connect to the firewall from another subnet’ ?

Ie have you added a route on that firewall to know what gateway to use for this other subnet or not?

[spetrillo]

So my personal PC is on the 192.168.0.0/24 subnet and I want to be able to connect to the new firewall, so I can configure it in real time, with the current one up. The goal is to swap them once fully configured.

Does the new firewall need an upstream gateway added, to the current firewall? Is that what I am missing?

[allebone]

It needs a route adding to be told how to get to the 192.168.0.0 network or alternatively an interface added to that network so it has an actual interface with an ip in the network. On the old firewall I assume it had an interface in both subnets. So either use the old firewall as a gateway for this specific route (system - routes- config) or setup the new firewall in a similar way.