This article applies to the Smoothwall Filter & Firewall On-Prem solution in either Hardware or VM form.
A Primer on External Connections
Where the Smoothwall Filter & Firewall is deployed as a perimeter firewall, you may occasionally need to edit or alter the external-facing interface(s) due to network changes, such as migrating to a new ISP connection. Making the switch on the Smoothwall Firewall is in itself quite straightforward and requires just a little configuration.
The following examples presume any ISP router upstream of the Smoothwall is in a 'bridge/modem' mode and passing the public IP directly to the Smoothwall Firewall. The procedure is largely the same for any upstream router that is providing a NAT service or is otherwise in its 'router' mode.
Note: The Smoothwall does not support /31 IPv4 addressing. A /30 subnet or greater is required.
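The following pre-check is an added example, not Smoothwall code. It tests the IP, subnet mask, and gateway supplied by an ISP against the /30-or-larger requirement above, and goes slightly further by confirming the gateway is a usable host address in the same subnet. The function name is hypothetical and the sample values are constructed from documentation address ranges.

```python
import ipaddress


def check_external_addressing(ip, netmask, gateway):
    """Return a list of problems with ISP-supplied values; empty means usable."""
    try:
        iface = ipaddress.IPv4Interface(f"{ip}/{netmask}")
        gw = ipaddress.IPv4Address(gateway)
    except ValueError as exc:  # also covers bad netmasks and bad octets
        return [f"unparseable value: {exc}"]

    net = iface.network
    if net.prefixlen > 30:
        # The article states /31 is unsupported and a /30 or larger is required.
        return [f"/{net.prefixlen} is smaller than /30 and will not be accepted"]

    problems = []
    reserved = (net.network_address, net.broadcast_address)
    if iface.ip in reserved:
        problems.append(f"{iface.ip} is the network or broadcast address of {net}")
    if gw not in net:
        problems.append(f"gateway {gw} is outside {net}")
    elif gw in reserved:
        problems.append(f"gateway {gw} is the network or broadcast address of {net}")
    elif gw == iface.ip:
        problems.append("gateway and interface IP are the same address")
    return problems


if __name__ == "__main__":
    # Constructed sample values (RFC 5737 documentation ranges), not real ISP data.
    samples = [
        ("203.0.113.2", "255.255.255.252", "203.0.113.1"),   # valid /30
        ("203.0.113.2", "255.255.255.254", "203.0.113.3"),   # /31, unsupported
        ("198.51.100.10", "255.255.255.248", "198.51.100.1"),  # gateway off-subnet
    ]
    for ip, mask, gw in samples:
        issues = check_external_addressing(ip, mask, gw)
        print(ip, mask, gw, "->", issues or "OK")
```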
Reconfigure an existing interface
If you wish to reconfigure an existing External interface, you will need to remove traces of the existing IP addressing from the Smoothwall's networking configuration. For more detail on deleting interfaces or the IP addresses on them, please see Deleting an Interface/IP Address.
- In the Networking menu, go through the following pages and remove any reference to old ISP IP addresses or the Interface they exist on:
  - DNS
  - Link Load Balancing
  - SourceNAT & LLB Rules
  - Port Forwards
  - Firewall Rules
  - Smoothwall Access
  - Services > Intrusion Systems > IDS (if present).
- Go to Network > Configuration > Interfaces, and select the interface.
- Remove the old IP addresses. If the Smoothwall refuses to remove an IP address and returns an error, there is likely a networking policy that still references that IP. If all policies have been double-checked, reboot the appliance to clear any cached data.
- Once the old IPs are removed, add in the new ones. Click the blue IP Addresses tooltip to drop the IP table and select Add new IP address from the right of the table. In the following menu add the IP, subnet mask, and gateway address provided by the ISP.
NOTE: If you intend to set up multiple External interfaces for Link Load Balancing, be sure to set the expected bandwidth for the link in the field provided below the Gateway field.
- You will need to reconfigure any Firewall Rules, Port Forwards, Smoothwall Access Rules, and the SourceNAT & LLB Rules with the new IP information.
Configure an unused Interface
Where you have unused interfaces you need only change an interface role to 'External' and add the IP addresses and Gateway Address provided by your ISP. Then a quick switch of the Source NAT settings will get you back online.
- Navigate to Network > Configuration > Interfaces and select a new interface to use.
- Hover over that interface listing, click the Edit button and, in the following menu, select Use as: External. Save this change.
- Once the page has reloaded, click the blue IP Addresses tooltip to drop the IP table and select Add new IP address from the right of the table. In the following menu add the IP, subnet mask, and gateway address provided by the ISP.
NOTE: If you intend to set up multiple External interfaces for Link Load Balancing, be sure to set the expected bandwidth for the link in the field provided below the Gateway field.
- Repeat step 3 if you have been given multiple IP addresses.
- Navigate to Network > Configuration > SourceNAT & LLB Rules and under the Local Traffic heading set the Guardian and Default LLB to one of the new IP addresses. These options determine which IP address proxied web requests from the Guardian WebFilter and other non-filter traffic are sent out on.
- If there are any custom rules below for specific devices or services that use old IP addresses, amend them accordingly.
Configure PPPoE Interfaces
PPPoE connections require one additional, initial step, and that is to create a PPPoE Interface.
- Navigate to Network > Configuration > Interfaces and select Add New Interface.
- From the configuration menu, name the new Interface, select PPPoE as the Type and fill in the Username, Password, and Confirm Password fields with the details provided by your ISP. Be sure to enable Connection Monitoring.
- Proceed with IP and SourceNAT Configuration as above.