cyberstudent with basic questions about interface configurations
-
@cyberstudentnewbie said in cyberstudent with basic questions about interface configurations:
What happens if I enable the OPT1 interface, set the IPv4 configuration type to "none", and plug into it a Ubiquiti EdgeRouter X with a network already attached to it? Will it act as a straight-through from my modem?
No. It will do nothing at all if you just set it to 'none' and do not bridge it.
Is your 'modem' actually a router? Is the pfSense WAN receiving a public IP address from the ISP directly or a private IP address from the 'modem'?
If pfSense is receiving a public IP from the ISP it's likely you would need to add the OPT interface as a new subnet and route to it because the ISP probably won't give you more than one IP address.
If it's coming from the modem then that restriction won't exist so you could bridge OPT to WAN. Generally it's better to avoid bridges if you can. But as a learning exercise it could be useful.
20.20.17.10 is a public IP address that you should not use internally like that. You should choose a subnet from one of the private IP address ranges available.
https://docs.netgate.com/pfsense/en/latest/network/addresses.html
Steve
-
@stephenw10
The modem is just a plain old cable modem. I wanted to learn component to component.
I think the WAN is receiving a public address from the modem, as my public address is listed on the pfSense console next to "WAN". This pic is of my VM, but where it says 10.0.2.15 it has my public IP address. See pic.
So in order to "bridge OPT1 to WAN", what setting do I put in the IPv4 configuration?
-
@cyberstudentnewbie
Sorry, I got it reversed...
I am getting it directly from the ISP, which means I would need to create a new subnet and route to it.
So that means I just set up a static IP address for the OPT and set that address in my Ubiquiti EdgeRouter X as my gateway? -
Yes, exactly. Just create a new subnet for the OPT interface and use that for the Ubiquiti gateway.
Note there are no firewall rules added automatically on a new interface so you have to add appropriate rules yourself before you will see any connectivity.
-
@stephenw10
thanks for the help!
When you say connectivity... do you mean internet connectivity? -
I mean any connectivity. There will be no pass rules on the OPT interface by default so all traffic coming into it will be dropped.
-
You probably want rules something like:
That would still allow hosts on OPT1 to access the firewall itself (webgui, ssh, ntp, dns etc) so you might want to also block or reject that.
-
@stephenw10
Oh great.. okay, I'll try to figure out how to write rules...
So two more questions to confirm....
On the Ubiquiti router, can I keep DHCP enabled on it since it will be a different broadcast subnet?
Is the config in the picture below correct for OPT1?
And do I use the gateway IP 168.45.19.20 for the Ubiquiti, or the static IP 192.168.50.20? -
You should not have a gateway set on the pfSense OPT1 interface. You would normally only ever set a gateway on WAN interfaces.
The Ubiquiti should use the pfSense OPT1 interface IP address as its gateway, so 192.168.50.20. -
@stephenw10
Thank you for the rules!!!
Haven't written any yet ever...
Firewall class next semester.
Thanks!
Awesome.. I'll fix it and try it out! -
Ah, also you'll need to uncheck 'Block private networks' there. All traffic entering OPT1 will come from a private subnet. That's also a setting you'd only use on a WAN.
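The two points made above, that a new OPT interface has no pass rules so everything is dropped until you add some, that a "reject to This Firewall" rule must sit before the "pass to any" rule, and that "Block private networks" would drop all of OPT1's RFC1918 traffic before any rule is consulted, are easier to see with a small first-match evaluator. This is an added illustration, not code from pfSense or from anyone in the thread; it models pfSense's interface rules (which are first-match, like pf "quick" rules) on constructed packets, and it assumes the thread's OPT1 subnet 192.168.50.0/24 with the interface address 192.168.50.20 standing in for the "This Firewall (self)" alias.

```python
import ipaddress

# Values taken from the thread: OPT1 subnet and the pfSense OPT1 interface address.
OPT1_NET = ipaddress.ip_network("192.168.50.0/24")
# Assumption: only the OPT1 address stands in for pfSense's "This Firewall (self)" alias,
# which on a real box covers every interface address of the firewall.
FIREWALL_ADDRS = {ipaddress.ip_address("192.168.50.20")}

# RFC 1918 ranges, which is what pfSense's "Block private networks" option drops on ingress.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Rule shape: (action, source network or None for any, destination, destination port or None for any).
# Destination is "self" (the firewall alias), "any", or an ip_network.
# Order matters: the reject must come before the broad pass, as in the rules suggested above.
OPT1_RULES = [
    ("reject", OPT1_NET, "self", None),   # keep OPT1 hosts off the webgui/ssh/dns/ntp of pfSense
    ("pass", OPT1_NET, "any", None),      # everything else from the OPT1 subnet may leave
]


def evaluate(src, dst, dport, rules=OPT1_RULES, block_private=False):
    """Return the verdict for one inbound packet on OPT1.

    Interface-level 'Block private networks' is checked first, then rules top to bottom
    with first match winning; with no match the packet hits pfSense's implicit default deny.
    """
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)

    if block_private and any(src in net for net in PRIVATE_NETS):
        return "block (Block private networks)"

    for action, rule_src, rule_dst, rule_port in rules:
        if rule_src is not None and src not in rule_src:
            continue
        if rule_dst == "self":
            if dst not in FIREWALL_ADDRS:
                continue
        elif rule_dst != "any" and dst not in rule_dst:
            continue
        if rule_port is not None and dport != rule_port:
            continue
        return action

    return "block (default deny)"


if __name__ == "__main__":
    # Constructed sample packets from a host behind the Ubiquiti (192.168.50.100).
    print(evaluate("192.168.50.100", "192.168.50.20", 443))   # reject: webgui on the firewall
    print(evaluate("192.168.50.100", "8.8.8.8", 53))          # pass: out to the internet
    print(evaluate("10.0.0.5", "8.8.8.8", 53))                # block (default deny): not the OPT1 subnet
    print(evaluate("192.168.50.100", "8.8.8.8", 53, block_private=True))  # dropped before rules run
    print(evaluate("192.168.50.100", "192.168.50.20", 443, rules=[]))     # no rules at all: default deny
```

Swapping the two rules in OPT1_RULES makes the "pass to any" match first and the reject never fires, which is the ordering mistake the follow-up post warns about; leaving "Block private networks" on drops every OPT1 packet regardless of the rules, since the whole subnet is RFC1918.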
-
-
The server or the client?
The Ubiquiti would still need to run a DHCP server for the client devices behind it. The pfSense DHCP server is not in the same layer 2 segment, so it would not see any requests from those clients.
The Ubiquiti WAN can be configured statically, so no DHCP client needs to be run there.
-
@stephenw10
Okay, I'll give it a shot...
A thousand thanks.. -
When I was doing my AA in cyber security, our professor fully covered pfSense, plus Palo Alto. Have you done your firewall class yet? I would recommend you take that class next semester.
-
@JonathanLee
Oh that's great to hear! I just registered for it.
Maybe my limited experience so far with pfSense and my experimenting will make it a little easier for me to understand.
I pray my professor will be capable of answering specific questions, as my current ones are not. I like researching things on my own, but why can't they answer simple questions that I ask? If they knew the answers they would happily explain, as the professors I had a couple of semesters ago did. It doesn't help that they have their doctorates in education instead of computer science. :( -
If you have somewhere "60" minutes left: Sending digital information over a wire.
When you finish watching the 13 episodes, let it sink in for a while. Then, when needed, get back to each of them (this is called the learning phase).
In the nineties, last century, knowing all that would have brought you close to a "network engineering degree". These days it's just "network basics", but as it is used by one of the world's most widely used infrastructures, known as the Internet, it should be made mandatory knowledge - IMHO. After all, all it takes is just a couple of hours .....
Edit: if you can follow the Eater guy, look at his other videos: he made a fully working "micro" (maxi ?!) processor using just off-the-shelf old school TTL chips (each less than a $). You can even make your own! "Look, Mam, I execute my own micro code!"
Now you have enough knowledge to start to understand what's going on in an Intel i9 core. And yes, things are as easy as he showed it. -
@cyberstudentnewbie The class I took covered many different topics. We covered different vendor firewalls, and we also covered base Linux topics like iptables all the way to Windows Server firewall settings, as well as pfSense all the way to Palo Alto major releases. Our school had student versions that Palo Alto had for us. After that we used pen testing software within the ethical hacking class to break into the equipment (I took both classes at the same time). Those classes will really help you get your foundational knowledge built. Afterwards I purchased an official pfSense firewall just to learn more with; it is a puzzle. I am sure you know not many firewall tools are available for cyber security students to learn and work with like this. pfSense fits that need as it's open source, and it comes with an enterprise class web cache proxy if you really want to push yourself. Again, its proxy configuration is really complex; it's no joke with the need for certificate use and everything that needs to be configured for it to work. I purchased my official Netgate appliance while taking the ethical hacking class so I could really learn with it. We even used pfSense in the finals; the instructor had it all set up for us to configure with. I was really happy that I got a grant that paid for my 2100-MAX; I thought it's what's needed for me to advance my knowledge. Keep in mind, because it is open source, I am still learning stuff with it. I am a computer science student, so I am now playing with the code on it. I cannot wait until I get my C+ class done; I have only learned Python, Java and assembly code so far. I really need to take that C+ class so I can really get into the code for it. The tools really advance the direction of cyber security.
When I was younger, back in the 2000s taking classes, Cisco MARS and Cisco PIX products were the major players in cyber security. Again, not many tools were available to study with; you could never take an appliance home to research and study with unless you had thousands and thousands of dollars. So Netgate really fits the need today; it was my cyber security go-to tool.
This community also is so helpful if you get stuck.
I recommend you start off with ports and access control lists on it, and afterwards start learning about packages as you gain more knowledge. TCP/UDP ports, IP classes and addresses with access control lists were what firewalls were back in the 2000s. We didn't even have a GUI back then, just Cisco's global config mode command line.
Don't give up, and do not be afraid to use office hours. The professors want to help you; they are paid to help you, so use the office hours they set aside when you get stuck.
-
Awesome, and great info from both of you guys. I'll definitely be checking out the Eater guy, looks very cool.
I'm saving up for an official Netgate appliance as we speak. I already have an older appliance which seems to work great with pfSense, but I have been hesitant to really play with it as of yet. I'm used to the configurations on the Ubiquiti and TP-Links; it's just a little harder to get used to pfSense, but I'm definitely all about learning it, specifically because it has all the capabilities to run the separate packages. I'm especially interested in the HIDS tools I can run with it.
But first I have to learn the basics. I'm really confused on using secondary routers and secondary firewalls for setting up a web server in a DMZ zone (or separate from the internal network).
Okay, here are a couple of totally basic questions for you guys.
1.) The serial port option to connect the appliance to a device (which it seems is not used too often, I think at least in home lab setups): is that a cable that will connect to an old computer with a serial input? Does it just run the web browser GUI? Just another way to connect to it, like with an Ethernet cable?
2.) In my original post, I was instructed to create another subnet on OPT1 and route my Ubiquiti to it by setting the gateway on the Ubiquiti secondary router. Is that second LAN I create on OPT1 considered a VLAN, and is it separate and isolated from the network coming off my LAN output port? I'm just confused on the difference between a VLAN and a subnet.
3.) Is it pointless to purchase an 1100 instead of a 2100 to really maximize the software capabilities?
-
@cyberstudentnewbie said in cyberstudent with basic questions about interface configurations:
1.) The serial port option to connect the appliance to a device (which it seems is not used too often, I think at least in home lab setups): is that a cable that will connect to an old computer with a serial input? Does it just run the web browser GUI? Just another way to connect to it, like with an Ethernet cable?
The only way to run a browser over a serial cable is if PPP is run over it. This sort of thing is covered in the CCNA about things like frame relay or T1 lines, where you have to use PPP.