Using Cisco IP Services switch + Checkpoint firewall in place of home gateway?

[mct75]

Hi everyone. I have a home lab with a Cisco 3560G and just got a CheckPoint 2200 to play with. I was wondering if these two devices could be combined to replace the typical home gateway router. The 3560G can do routing, but not NAT, however the CheckPoint can do NAT so I was hoping to leverage that more so than its firewall capabilities.

I have a DOCSIS modem with a DHCP assigned address that would need to be assigned to the untrusted interface of the checkpoint. Modem will go to checkpoint, checkpoint to 3560G, all devices to 3560G.

Is this even possible/worth it? I figure the best way to get experience will be to "manage" a "production" network at my house instead of pinging devices in a lab setup.

 

[sfx2000]

Put the CheckPoint on front as the WAN Gateway...

The 3560G is an L3 managed switch, and would work nice behind the Checkpoint...

 

[mct75]

That was the plan but apparently Checkpoints require an expensive license to run! That's what I get for buying hardware off eBay...

Now I'm trying to set up pfSense on my ESXi lab, but it only has a single NIC and pfSense does not like my VLANs. I think I am off in the deep end here.

 

[sfx2000]

Most of the Checkpoint FW's are Intel based, and many can run pfSense...

https://gooroo.io/GoorooTHINK/Artic...ckPoint-Firewall-Appliance/23563#.WKdT-hiZOgw

Might be worth checking out.

https://forum.pfsense.org/index.php?topic=124485.0

The alternate approach would be to contact Checkpoint's sales dept and see what the license would be on a small seat license - convincing them it's for a lab install for investigation and learning...

 

[mct75]

Installing pfSense on the Checkpoint was the ticket. Thanks! I would have never guessed that was even possible.

Now, my configuration is: DOCSIS modem -> Checkpoint running pfSense -> Cisco 3560g -> clients. The network has a "flat" topology which is way less cool than have routing between VLANs and the cable modem plugged into a switchport, but this config actually works.

 

[sfx2000]

Cool!

The network has a "flat" topology which is way less cool than have routing between VLANs and the cable modem plugged into a switchport, but this config actually works.

Simple is better

 

[sfx2000]

Couple of tuning tips with the Checkpoint 2200...

Go to Advanced Setup, scroll down to Power Savings - enable PowerD, and then set things to HiAdaptive - this will let the Atom D525 dynamically clock as needed...

Then do the Intel NIC license check agreement... add the following to your /boot/loader.conf.local

legal.intel_ipw.license_ack=1
legal.intel_iwi.license_ack=1​

this helps out quite a bit...

 

[mct75]

Cool, thanks! I follow on the SpeedStep governor, but as far as the license agreement, does this unlock some features?

I did notice that some of the hardware acceleration is not enabled.

 

[sfx2000]

Cool, thanks! I follow on the SpeedStep governor, but as far as the license agreement, does this unlock some features?

I did notice that some of the hardware acceleration is not enabled.

The HW accel stuff - don't worry, it's old-school stuff... set like below

The license agreement doesn't enable any additional features - but it does remove a restriction under the hood (not pfSense, but BSD in gen)

 

[mct75]

Cool! I sort of dived into pfSense once I noticed that my checkpoint was basically a brick with the stock software. There's a lot of options in there to tweak, but the "plug and play" nature is much appreciated. I'm sure I'll have lots of little tweaks to make.

 

[sfx2000]

Cool! I sort of dived into pfSense once I noticed that my checkpoint was basically a brick with the stock software. There's a lot of options in there to tweak, but the "plug and play" nature is much appreciated. I'm sure I'll have lots of little tweaks to make.

Lot of tips here...

https://www.snbforums.com/threads/confessions-of-a-pfsense-newbie.5379/