Router setup for weirdos like me
-
@fireix I'm totally confused.
You used to have Fortigate, then you switched to pfSense and now you need a second backup site to host the same public-facing services from another location? NAT is the last of your worries in any case.
-
@fireix said in Router setup for weirdos like me:
Ask my host on backup-site for a dedicated /29 transport network
Yes that is by far the simplest (and best) solution if you can get it. And you really should be able to in a data center. Just have them route the /24 to you and you can use that directly on the LAN. No NAT required.
Steve
-
@fireix said in Router setup for weirdos like me:
I always have to "fight" different router and firewall vendors and can't use such a simple setup out of the box. Why is this?
Because you have an interface subnet, not a proper transport network with the subnet routed to you there.
-
@netblues said in Router setup for weirdos like me:
@fireix I'm totally confused.
You used to have Fortigate, then you switched to pfSense and now you need a second backup site to host the same public-facing services from another location? NAT is the last of your worries in any case.
Sorry to confuse you :) No, it is not the exact same services, it has a different purpose - but it is similar in setup to what I have been doing for years (similar in the way that I mostly have public servers and not private IP space). I have an OK setup today, but I would like an easier solution for this new site since I need to set up this site from scratch. I would like to simplify it compared to the Fortinet/pfSense solution I have been running so far.
-
@stephenw10 said in Router setup for weirdos like me:
@fireix said in Router setup for weirdos like me:
Ask my host on backup-site for a dedicated /29 transport network
Yes that is by far the simplest (and best) solution if you can get it. And you really should be able to in a data center. Just have them route the /24 to you and you can use that directly on the LAN. No NAT required.
Steve
Yeah, that's what I basically have now: they publish the IP to the two network ports they have made available. So I can plug that cable into a switch and live well. But I do want a firewall (filter on IP address and ports). In most cases, they seem to want me to have a different network on each side (except "transparent" Fortigate appliances - and even pfSense when configured with a bridge and by disabling NAT, just a bit more complicated for me).
-
@fireix Why do you think you can’t have firewall rules? Allow from any to LANIP:443 etc.
Routers need different networks on interfaces so they know where to route. :) Bridges don’t route.
-
@fireix said in Router setup for weirdos like me:
they publish the IP to the two network ports they have made available.
That's not the same as routing it to you via a transport subnet/IP which is what you should be asking for.
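To make the two points above concrete (a router needs a distinct network on each interface, and a /24 routed to you over a transport /29 is not the same as the /24 being the interface subnet), here is a small Python model. It is an added example, not code from this thread or from pfSense; all addresses are RFC 5737 documentation ranges, and the interface names, the host's default-route next hop and the two sample firewall rules are assumptions made for the illustration.

```python
"""Toy model of the two setups discussed in the thread (added example, constructed data).

Setup A, "transport network": the host routes 203.0.113.0/24 to the firewall's
address on a dedicated /29 link, and the firewall uses the /24 directly on its LAN.
Setup B, "interface subnet": the host just puts the /24 on the wire the firewall's
WAN port is plugged into, so the firewall cannot route it, only bridge it.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Set

TRANSPORT = ip_network("198.51.100.0/29")    # host side .1, firewall WAN .2 (assumed)
PUBLIC_LAN = ip_network("203.0.113.0/24")     # the /24 of public servers behind the firewall
FW_TRANSPORT_IP = ip_address("198.51.100.2")


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    iface: str
    next_hop: Optional[IPv4Address] = None    # None means directly connected subnet


# Setup A, as seen by the host's upstream router: the /24 is reached via the firewall.
HOST_ROUTER_TABLE: List[Route] = [
    Route(TRANSPORT, "to-customer"),
    Route(PUBLIC_LAN, "to-customer", FW_TRANSPORT_IP),
    Route(ip_network("0.0.0.0/0"), "core", ip_address("198.51.100.254")),  # hypothetical
]

# Setup A, as seen by the firewall: the /24 lives on LAN, everything else goes upstream.
FIREWALL_TABLE: List[Route] = [
    Route(TRANSPORT, "wan"),
    Route(PUBLIC_LAN, "lan"),
    Route(ip_network("0.0.0.0/0"), "wan", ip_address("198.51.100.1")),
]

# Setup B: the same /24 on both sides of the box. Two equally specific routes,
# so a router has no way to pick an egress interface; this is why it must bridge.
INTERFACE_SUBNET_TABLE: List[Route] = [Route(PUBLIC_LAN, "wan"), Route(PUBLIC_LAN, "lan")]


def lookup(table: List[Route], dst: str) -> Route:
    """Longest-prefix match: the most specific route wins."""
    addr = ip_address(dst)
    matches = [r for r in table if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen)


def egress_candidates(table: List[Route], dst: str) -> Set[str]:
    """All interfaces tied for the most specific match; more than one is ambiguous."""
    addr = ip_address(dst)
    best = max(r.prefix.prefixlen for r in table if addr in r.prefix)
    return {r.iface for r in table if addr in r.prefix and r.prefix.prefixlen == best}


@dataclass(frozen=True)
class Rule:
    action: str             # "pass" or "block"
    proto: str              # "tcp", "udp" or "any"
    dst: IPv4Network
    dport: Optional[int]    # None means any port


# "Allow from any to LANIP:443 etc." with everything else dropped (assumed sample rules).
RULES: List[Rule] = [
    Rule("pass", "tcp", ip_network("203.0.113.10/32"), 443),
    Rule("pass", "udp", ip_network("203.0.113.53/32"), 53),
]


def filter_packet(proto: str, dst: str, dport: int, rules: List[Rule] = RULES) -> str:
    """First matching rule wins; no match means default block."""
    addr = ip_address(dst)
    for r in rules:
        if r.proto in ("any", proto) and addr in r.dst and r.dport in (None, dport):
            return r.action
    return "block"


if __name__ == "__main__":
    print("host router -> 203.0.113.10 via", lookup(HOST_ROUTER_TABLE, "203.0.113.10").next_hop)
    print("firewall    -> 203.0.113.10 on", lookup(FIREWALL_TABLE, "203.0.113.10").iface)
    print("interface-subnet candidates:", egress_candidates(INTERFACE_SUBNET_TABLE, "203.0.113.10"))
    print("tcp/443 to .10:", filter_packet("tcp", "203.0.113.10", 443))
    print("tcp/22  to .10:", filter_packet("tcp", "203.0.113.10", 22))
```

The routing half shows the reason behind Steve's advice: with the transport /29 the host's router has an unambiguous next hop for the /24 and the firewall can treat the /24 as a plain LAN with no NAT, whereas putting the same /24 on both interfaces leaves two equally good routes. The filter half is the same rule set regardless of whether the box routes or bridges; what changes is only where the packet is matched.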
-
@stephenw10 said in Router setup for weirdos like me:
@fireix said in Router setup for weirdos like me:
they publish the IP to the two network ports they have made available.
That's not the same as routing it to you via a transport subnet/IP which is what you should be asking for.
Ok, so you mean that it is the best solution? It is what I have at my original place. Just wondered if there is a way to do it without asking for more IP ranges. And why do only devices like Fortigate provide this kind of mode... Seems like Sophos also has it documented. I have this limited separation need, would love to just put the device into the WAN->LAN and have it behave as a fw instead of having to do hacks and tricks ;) Just power on, choose the firewall rules on IP and tcp/udp ports and run. Right now, I have tried for hours to put a UniFi USGX Pro into a line just to add some protection, but instead I'm having to learn so much. It is always a detail I miss, like sometimes hidden NAT rules are added - or special things needed for each different vendor.
-
@fireix said in Router setup for weirdos like me:
Ok, so you mean that it is the best solution?
That's what I would choose over anything else if it's available.
You absolutely can configure pfSense as a transparent firewall if you need to; it just requires some care. There is no 'transparent mode' button. It's easy to lock yourself out of the firewall if you don't have a separate management interface.
Steve
-
@stephenw10 said in Router setup for weirdos like me:
@fireix said in Router setup for weirdos like me:
Ok, so you mean that it is the best solution?
That's what I would choose over anything else if it's available.
You absolutely can configure pfSense as a transparent firewall if you need to; it just requires some care. There is no 'transparent mode' button. It's easy to lock yourself out of the firewall if you don't have a separate management interface.
Steve
Having a separate IPMI network comes in handy in those situations :)
For not-that-technical users, I would think it would be a very welcome thing to have an easy method to enable a transparent fw. But having tons of public webservers is maybe not what the average user does.
Thanks for your help and advice :)