Smoothwall Filter & Firewall: Adding or Altering External Connections

This article applies to the Smoothwall Filter & Firewall On-Prem solution in either Hardware or VM form.

A Primer on External Connections.

Where the Smoothwall Filter & Firewall is deployed as a parameter firewall, on occasion you may be required to edit or alter the external facing interfaces(s) due to network changes, such as migrating to a new ISP connection. Making the switch on the Smoothwall Firewall is in itself quite straight-forward and requires just a little configuration.

The following examples presume any ISP router upstream of the Smoothwall is in a 'bridge/modem' mode and passing the public IP directly to the Smoothwall Firewall. The procedure is largely the same for any upstream router that is providing a NAT service or is otherwise in its 'router' mode. 

Note: At the time of writing, the Smoothwall does not support /31 IPv4 addressing. A /30 subnet or greater is required.

Case 1: I Have Spare interfaces.

Where you have unused interfaces you need only change an interface role to 'External' and add the IP addresses and Gateway Address provided by your ISP. Then a quick switch of the Source NAT settings will get you back online. 

  1. Navigate to Network > Configuration > Interfaces and select a new interface to use. 
  2. Click the Edit button when hovering over that interface listing and in the following menu and select Use as: External. Save this change. 
  3. Once the page has reloaded, click the blue IP Addresses tooltip to drop the IP table and select Add new IP address from the right of the table. In the following menu add the IP, subnet mask, and gateway address provided by the ISP. 
  4. Repeat step 3 if you have been given multiple IP addresses. 
  5. Navigate to Network > Configuration > SourceNAT & LLB Rules and under the Local Traffic heading set the Guardian and Default LLB to one of the new IP addresses. These options denote which IP address proxied web requests from the Guardian WebFilter and other non-filter traffic is sent out on. 
  6. If there are any custom rules below for specific devices or services that use old IP addresses, amend them accordingly. 

 Case 2: I Have No Spare Interfaces.

If you have used up all the available interfaces on the Smoothwall, you will need to re-configure the current External interface, which requires a bit of housekeeping. 

  1. In the Networking menu, go through the following pages and remove any reference to old ISP IP addresses or the Interface they exist on:
    • DNS
    • Link Load Balancing
    • SourceNAT & LLB Rules
    • Port Forwards
    • Firewall Rules
    • Smoothwall Access
  2. Under Network > Configuration > Interfaces, you may now begin removing the old ISP IP addresses - if the Smoothwall refuses to remove an IP address and errors, there is likely a networking policy that still exists with that IP specified. If all policies have been double-checked, reboot the appliance to clear any cached data.
  3. Once the old IP's are removed, add in the new ones as detailed in Case 1 Step 3. 
  4. You will need to reconfigure any Firewall Rules, Port Forwards, Smoothwall Access Rules, and the SourceNAT & LLB Rules with the new IP information. 

Case 3: PPPoE Interfaces.

PPPoE connections requires one additional, initial step, and that is to create a PPPoE Interface. 

  1. Navigate to Network > Configuration > Interfaces and select Add New Interface
  2. From the configuration menu, name the new Interface, select PPPoE from as the Type and fill in the Username, Password, and Confirm Password field with the details provided by your ISP. Be sure to enable Connection Monitoring.
  3. Proceed with IP and SourceNAT Configuration as above.