Network Assumptions
For this tutorial we are going to assume the following:
- Physical Layout
  - We have 3 buildings
  - Building 1 (1 switch) - building-1a
    - ports 1-10 - staff access
    - ports 11-15 - guest access
    - ports 16-17 - wireless access points
    - ports 18-19 - connect to building-2a
    - ports 20-21 - unused
    - ports 22-23 - connect to building-3a
    - ports 24 -
  - Building 2 (1 switch) - building-2a
    - ports 1-10 - staff access
    - ports 11-15 - guest access
    - ports 16-17 - wireless access points
    - ports 18-19 - connect to building-1a
    - ports 20-21 - connect to building-3a
    - ports 22-24 - unused (currently)
  - Building 3 (1 switch) - building-3a
    - ports 1-10 - staff access
    - ports 11-15 - guest access
    - ports 16-19 - wireless access points
    - ports 20-21 - connect to building-2a
    - ports 22-23 - connect to building-1a
    - ports 24 - connect to fw-3
- VLAN Configuration
  - Default (1)
  - STAFF (10)
  - VOICE (20)
  - GUEST (99)
- Subnet Configuration
  - building1
    - STAFF - 10.10.0.0/24
      - Gateway: 10.10.0.1
      - DHCP Range: 10.10.0.50 - 10.10.0.254
    - VOICE - 10.20.0.0/24
      - Gateway: 10.20.0.1
      - DHCP Range: 10.20.0.50 - 10.20.0.254
    - GUEST - 10.99.0.0/24
      - Gateway: 10.99.0.1
      - DHCP Range: 10.99.0.2 - 10.99.0.254
  - building2
    - STAFF - 10.10.20.0/24
      - Gateway: 10.10.20.1
      - DHCP Range: 10.10.20.50 - 10.10.20.254
    - VOICE - 10.20.20.0/24
      - Gateway: 10.20.20.1
      - DHCP Range: 10.20.20.50 - 10.20.20.254
    - GUEST - 10.99.20.0/24
      - Gateway: 10.99.20.1
      - DHCP Range: 10.99.20.2 - 10.99.20.254
  - building3
    - STAFF - 10.10.30.0/24
      - Gateway: 10.10.30.1
      - DHCP Range: 10.10.30.50 - 10.10.30.254
    - VOICE - 10.20.30.0/24
      - Gateway: 10.20.30.1
      - DHCP Range: 10.20.30.50 - 10.20.30.254
    - GUEST - 10.99.30.0/24
      - Gateway: 10.99.30.1
      - DHCP Range: 10.99.30.2 - 10.99.30.254
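Before building the topology it is worth checking the plan mechanically. The script below is an added example, not part of the original tutorial: it transcribes the subnet table above, checks that every gateway lies inside its subnet and outside its DHCP range and that no two subnets (including the 10.0.0.0/24 management network the switches and pfSense use later) overlap, and renders the per-VLAN EXOS block that the later sections repeat for each building from the same data, so the nine copies cannot drift apart. It assumes the 208.67.x resolvers the tutorial uses.

```python
import ipaddress

# Address plan transcribed from the tutorial: (building, vlan, tag, subnet, gateway, dhcp_first, dhcp_last)
PLAN = [
    ("building1", "STAFF", 10, "10.10.0.0/24", "10.10.0.1", "10.10.0.50", "10.10.0.254"),
    ("building1", "VOICE", 20, "10.20.0.0/24", "10.20.0.1", "10.20.0.50", "10.20.0.254"),
    ("building1", "GUEST", 99, "10.99.0.0/24", "10.99.0.1", "10.99.0.2", "10.99.0.254"),
    ("building2", "STAFF", 10, "10.10.20.0/24", "10.10.20.1", "10.10.20.50", "10.10.20.254"),
    ("building2", "VOICE", 20, "10.20.20.0/24", "10.20.20.1", "10.20.20.50", "10.20.20.254"),
    ("building2", "GUEST", 99, "10.99.20.0/24", "10.99.20.1", "10.99.20.2", "10.99.20.254"),
    ("building3", "STAFF", 10, "10.10.30.0/24", "10.10.30.1", "10.10.30.50", "10.10.30.254"),
    ("building3", "VOICE", 20, "10.20.30.0/24", "10.20.30.1", "10.20.30.50", "10.20.30.254"),
    ("building3", "GUEST", 99, "10.99.30.0/24", "10.99.30.1", "10.99.30.2", "10.99.30.254"),
]
MGMT = ipaddress.ip_network("10.0.0.0/24")  # Default VLAN 1 / pfSense LAN
DNS = ("208.67.222.222", "208.67.220.220")  # resolvers used in the tutorial

def check_plan(plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    nets = [(MGMT, "management")]  # every VLAN subnet must also avoid this one
    for b, v, _tag, subnet, gw, lo, hi in plan:
        net = ipaddress.ip_network(subnet)
        gw, lo, hi = map(ipaddress.ip_address, (gw, lo, hi))
        if gw not in net:
            problems.append(f"{b}/{v}: gateway {gw} outside {net}")
        if not (lo in net and hi in net and lo <= hi):
            problems.append(f"{b}/{v}: DHCP range {lo}-{hi} not inside {net}")
        if lo <= gw <= hi:
            problems.append(f"{b}/{v}: gateway {gw} inside DHCP range")
        for other, label in nets:  # pairwise overlap with every subnet seen so far
            if net.overlaps(other):
                problems.append(f"{b}/{v}: {net} overlaps {label} {other}")
        nets.append((net, f"{b}/{v}"))
    return problems

def render_exos(vlan, tag, subnet, gw, lo, hi, ports):
    """Render the per-VLAN EXOS block the tutorial repeats for each building."""
    prefix = ipaddress.ip_network(subnet).prefixlen
    return [
        f"configure vlan {vlan} ipaddress {gw}/{prefix}",
        f"enable dhcp ports {ports} vlan {vlan}",
        f"configure vlan {vlan} dhcp-address-range {lo} - {hi}",
        f"configure vlan {vlan} dhcp-options default-gateway {gw}",
        f"configure vlan {vlan} dhcp-options dns-server primary {DNS[0]}",
        f"configure vlan {vlan} dhcp-options dns-server secondary {DNS[1]}",
        f"enable ipforwarding vlan {tag}",
        f"configure ospf add {vlan} area 0.0.0.0 link-type broadcast",
    ]
```

`check_plan(PLAN)` returns an empty list for the table above; `render_exos(*PLAN[6][1:], ports="1-10")` produces the building 3 STAFF block shown later in the tutorial.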
Build Physical Network Layout
Use the configurations above to build the physical layout in GNS3 or EVE-NG. The Watchguard has been configured with 8 ports and each switch has been configured with 25 ports (the maximum allowed, which takes into account the MGMT interface).
Configure pfSense (or other firewall)
This is not an in-depth configuration of pfSense; there are plenty of good examples out there.
Create Default Network
In this example we are going to use port 0 as the WAN, which will be DHCP, and port 1 will be our LAN on subnet 10.0.0.254/24.
Create Address Aliases
- StaffNetwork with the subnets
- VoiceNetwork with the subnets
- GuestNetwork with the subnets
Create Port Aliases
- 80, 443, 53 (Guest)
Hybrid Outbound NAT
- Add aliases with Outbound NAT rules
Firewall
- Allow the staff network to access the LAN address of pfSense
- Configure firewall rules to allow outbound traffic for the StaffNetwork (all traffic) and GuestNetwork (TCP/UDP of the port alias)
Install FRR
Use the package manager to install FRR. During the setup you must create the area first, then the interface, then set your OSPF and Global settings to enabled; also make sure the following are checked:
- Redistribute Default
- Always Redistribute
Configure the Routers
Let's start with building 3 because it's where the internet is connected.
Building 3
Configure VLANS
Let's first start by naming our switch:
Code:
configure snmp sysName building-3a
Code:
create vlan STAFF tag 10 description "STAFF NETWORK"
create vlan VOICE tag 20 description "VOICE NETWORK"
create vlan GUEST tag 99 description "GUEST NETWORK"
Let's start by configuring the AP ports:
Code:
configure vlan 1 add ports 16-19 untagged
configure vlan 10 add ports 16-19 tagged
configure vlan 99 add ports 16-19 tagged
Now the staff and guest access ports:
Code:
configure vlan 10 add ports 1-10 untagged
configure vlan 99 add ports 11-15 untagged
configure vlan 20 add ports 1-19 tagged
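The port-to-VLAN map above is small enough to check by hand, but the same pattern is repeated in every building, so here is an added audit script (not part of the original post) that parses the membership commands above and lists ports that are untagged in GUEST while also being tagged in STAFF or VOICE. A port in that state accepts tagged frames into the trusted VLAN from whatever is plugged into the guest port; for building-3a it reports ports 11-15, because `configure vlan 20 add ports 1-19 tagged` covers the guest access ports as well, so check that this is what you intend.

```python
import re
from collections import defaultdict

VLAN_NAMES = {"1": "Default", "10": "STAFF", "20": "VOICE", "99": "GUEST"}
TRUSTED = ("STAFF", "VOICE")

# Port membership commands exactly as given above for building-3a
BUILDING_3A = """
configure vlan 1 add ports 16-19 untagged
configure vlan 10 add ports 16-19 tagged
configure vlan 99 add ports 16-19 tagged
configure vlan 10 add ports 1-10 untagged
configure vlan 99 add ports 11-15 untagged
configure vlan 20 add ports 1-19 tagged
"""
CMD = re.compile(r"configure vlan (\S+) add ports (\S+) (tagged|untagged)")

def expand_ports(spec):
    """'1-10,16-17' -> [1, ..., 10, 16, 17] (EXOS port-list syntax used on the page)."""
    ports = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.extend(range(int(lo), int(hi or lo) + 1))
    return ports

def port_map(config):
    """Map each port number to its {vlan_name: 'tagged' | 'untagged'} memberships."""
    members = defaultdict(dict)
    for vlan, spec, mode in CMD.findall(config):
        name = VLAN_NAMES.get(vlan, vlan)
        for port in expand_ports(spec):
            members[port][name] = mode
    return dict(members)

def guest_ports_reaching_trusted(config):
    """Ports whose untagged VLAN is GUEST but which are also tagged in STAFF or VOICE.

    Such a port accepts 802.1Q-tagged frames into the trusted VLAN from the guest
    side, so the result should be empty unless the port is meant to be a trunk."""
    findings = {}
    for port, vlans in sorted(port_map(config).items()):
        if vlans.get("GUEST") == "untagged":
            leaks = [v for v in TRUSTED if vlans.get(v) == "tagged"]
            if leaks:
                findings[port] = leaks
    return findings
```

Run `guest_ports_reaching_trusted(BUILDING_3A)` to get `{11: ['VOICE'], ..., 15: ['VOICE']}`; paste in the building-1a or building-2a commands to audit those switches the same way.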
Save the configuration:
Code:
save
then hit Enter, press "Y" and hit Enter again.
Configure Default VLAN and start the OSPF config
Let's add our IP address to our management VLAN 1 and enable ipforwarding.
Code:
configure vlan 1 ipaddress 10.0.0.30/24
enable ipforwarding vlan 1
Then set the router ID and enable OSPF on the Default VLAN:
Code:
configure ospf routerid 10.0.0.30
configure ospf add vlan Default area 0.0.0.0 link-type broadcast
enable ospf
If you did everything correctly, running
show ospf neighbor
should show something similar to the output below:
Code:
Neighbor ID Pri State ... Address
10.0.0.254 1 FULL /BDR 10.0.0.254
...
Total number of neighbors: 1 (All neighbors in Full state)
and show iproute should show something like:
Code:
Ori Destination Gateway Mtr ...
#o2 Default Route 10.0.0.254 10 ...
#d 10.0.0.0/24 10.0.0.10 1 ...
#o2 192.168.1.0/24 10.0.0.254 20 ...
However, if you power on a VM connected to any switch at this point you still won't have network access, because we don't have any DHCP configured yet.
So let's configure the staff network with DHCP and add it to our OSPF area:
Code:
configure vlan STAFF ipaddress 10.10.30.1/24
enable dhcp ports 1-10 vlan STAFF
configure vlan STAFF dhcp-address-range 10.10.30.50 - 10.10.30.254
configure vlan STAFF dhcp-options default-gateway 10.10.30.1
configure vlan STAFF dhcp-options dns-server primary 208.67.222.222
configure vlan STAFF dhcp-options dns-server secondary 208.67.220.220
enable ipforwarding vlan 10
configure ospf add STAFF area 0.0.0.0 link-type broadcast
Let's go ahead and do the same for the voice and guest networks:
Code:
configure vlan VOICE ipaddress 10.20.30.1/24
enable dhcp ports 1-19 vlan VOICE
configure vlan VOICE dhcp-address-range 10.20.30.50 - 10.20.30.254
configure vlan VOICE dhcp-options default-gateway 10.20.30.1
configure vlan VOICE dhcp-options dns-server primary 208.67.222.222
configure vlan VOICE dhcp-options dns-server secondary 208.67.220.220
enable ipforwarding vlan 20
configure ospf add VOICE area 0.0.0.0 link-type broadcast
configure vlan GUEST ipaddress 10.99.30.1/24
enable dhcp ports 11-15 vlan GUEST
configure vlan GUEST dhcp-address-range 10.99.30.2 - 10.99.30.254
configure vlan GUEST dhcp-options default-gateway 10.99.30.1
configure vlan GUEST dhcp-options dns-server primary 208.67.222.222
configure vlan GUEST dhcp-options dns-server secondary 208.67.220.220
enable ipforwarding vlan 99
configure ospf add GUEST area 0.0.0.0 link-type broadcast
Now let's move over to building 1 and get it configured.
Building 1
Again, we're going to name the switch and create our VLANs:
Code:
configure snmp sysName building-1a
create vlan STAFF tag 10 description "STAFF NETWORK"
create vlan VOICE tag 20 description "VOICE NETWORK"
create vlan GUEST tag 99 description "GUEST NETWORK"
Let's start by configuring the AP ports:
Code:
configure vlan 1 add ports 16-17 untagged
configure vlan 10 add ports 16-17 tagged
configure vlan 99 add ports 16-17 tagged
Now the staff and guest access ports:
Code:
configure vlan 10 add ports 1-10 untagged
configure vlan 99 add ports 11-15 untagged
configure vlan 20 add ports 1-17 tagged
Now we're going to configure our management IP address and OSPF:
Code:
configure vlan 1 ipaddress 10.0.0.10/24
enable ipforwarding vlan 1
configure ospf routerid 10.0.0.10
configure ospf add vlan Default area 0.0.0.0 link-type broadcast
enable ospf
STAFF
Code:
configure vlan STAFF ipaddress 10.10.0.1/24
enable dhcp ports 1-10,16-17 vlan STAFF
configure vlan STAFF dhcp-address-range 10.10.0.50 - 10.10.0.254
configure vlan STAFF dhcp-options default-gateway 10.10.0.1
configure vlan STAFF dhcp-options dns-server primary 208.67.222.222
configure vlan STAFF dhcp-options dns-server secondary 208.67.220.220
enable ipforwarding vlan 10
configure ospf add STAFF area 0.0.0.0 link-type broadcast
VOICE
Code:
configure vlan VOICE ipaddress 10.20.0.1/24
enable dhcp ports 1-17 vlan VOICE
configure vlan VOICE dhcp-address-range 10.20.0.50 - 10.20.0.254
configure vlan VOICE dhcp-options default-gateway 10.20.0.1
configure vlan VOICE dhcp-options dns-server primary 208.67.222.222
configure vlan VOICE dhcp-options dns-server secondary 208.67.220.220
enable ipforwarding vlan 20
configure ospf add VOICE area 0.0.0.0 link-type broadcast
GUEST
Code:
configure vlan GUEST ipaddress 10.99.0.1/24
enable dhcp ports 11-17 vlan GUEST
configure vlan GUEST dhcp-address-range 10.99.0.2 - 10.99.0.254
configure vlan GUEST dhcp-options default-gateway 10.99.0.1
configure vlan GUEST dhcp-options dns-server primary 208.67.222.222
configure vlan GUEST dhcp-options dns-server secondary 208.67.220.220
enable ipforwarding vlan 99
configure ospf add GUEST area 0.0.0.0 link-type broadcast
Building 2
Switch building-2a
Again, we're going to name the switch and create our VLANs:
Code:
configure snmp sysName building-2a
create vlan STAFF tag 10 description "STAFF NETWORK"
create vlan VOICE tag 20 description "VOICE NETWORK"
create vlan GUEST tag 99 description "GUEST NETWORK"
Let's start by configuring the AP ports:
Code:
configure vlan 1 add ports 16-17 untagged
configure vlan 10 add ports 16-17 tagged
configure vlan 99 add ports 16-17 tagged
Now the staff and guest access ports:
Code:
configure vlan 10 add ports 1-10 untagged
configure vlan 99 add ports 11-15 untagged
configure vlan 20 add ports 1-17 tagged
Now we're going to configure our management IP address and OSPF:
Code:
configure vlan 1 ipaddress 10.0.0.20/24
enable ipforwarding vlan 1
configure ospf routerid 10.0.0.20
configure ospf add vlan Default area 0.0.0.0 link-type broadcast
enable ospf
STAFF
Code:
configure vlan STAFF ipaddress 10.10.20.1/24
enable dhcp ports 1-10,16-17 vlan STAFF
configure vlan STAFF dhcp-address-range 10.10.20.50 - 10.10.20.254
configure vlan STAFF dhcp-options default-gateway 10.10.20.1
configure vlan STAFF dhcp-options dns-server primary 208.67.222.222
configure vlan STAFF dhcp-options dns-server secondary 208.67.220.220
enable ipforwarding vlan 10
configure ospf add STAFF area 0.0.0.0 link-type broadcast
VOICE
Code:
configure vlan VOICE ipaddress 10.20.20.1/24
enable dhcp ports 1-17 vlan VOICE
configure vlan VOICE dhcp-address-range 10.20.20.50 - 10.20.20.254
configure vlan VOICE dhcp-options default-gateway 10.20.20.1
configure vlan VOICE dhcp-options dns-server primary 208.67.222.222
configure vlan VOICE dhcp-options dns-server secondary 208.67.220.220
enable ipforwarding vlan 20
configure ospf add VOICE area 0.0.0.0 link-type broadcast
GUEST
Code:
configure vlan GUEST ipaddress 10.99.20.1/24
enable dhcp ports 11-15 vlan GUEST
configure vlan GUEST dhcp-address-range 10.99.20.2 - 10.99.20.254
configure vlan GUEST dhcp-options default-gateway 10.99.20.1
configure vlan GUEST dhcp-options dns-server primary 208.67.222.222
configure vlan GUEST dhcp-options dns-server secondary 208.67.220.220
enable ipforwarding vlan 99
configure ospf add GUEST area 0.0.0.0 link-type broadcast