    Two pfsense for shaper and squid at the same time? how?

Traffic Shaping
34 Posts 3 Posters 17.5k Views
hoba

Only the box that faces the subnet with the clients directly can do the DHCP server (unless you configure DHCP relay, but that makes things just unnecessarily difficult). pfSense1 should act as DHCP server for the LAN clients. The subnet between pfSense1 and pfSense2 should be configured statically, as you have to add the route back from pfSense2 to pfSense1 as you shut down NAT at pfSense1.

srs

OK Hoba, and adding that static route on pfSense2 means this:

interface: LAN
Destination network: 10.0.0.0/8
Gateway: 10.0.0.2 (WAN of pfSense1)

Is that right?

If I can use pfSense1 (shaper) to collect network data with ntop, instead of using pfSense2 (to distribute disk space between the two boxes), can I do that? Am I wrong, or will the traffic pass through two boxes so that I can collect network statistics from both?

Placing the DHCP server on pfSense1 means that my network clients' gateway will be pfSense1 instead of pfSense2? Then pfSense1 routes the packets to pfSense2, which sends them to the net. Would that be it?

Thanks a lot again!

hoba

You should use something else for the subnet between pfSense1 and pfSense2 or you will have an address conflict. Use something that is not used anywhere, like 172.16.1.1 / .2 for example. Besides that, your route would be correct. Traffic stats can be collected on both nodes and should be nearly identical. As you shut down NAT at pfSense1 you will see the original clients at pfSense2 as well.

srs

So it is correct that my LAN gateway will be pfSense1 now?

Can I use 172.1.1.1/30 even though it is a public address (this gives me 2 hosts, exactly what I need)?

About the address conflict, I thought it would be fine, because I'm using unused IPs on all the LAN and WAN NICs...

Thanks again.

hoba

You can't have 10.0.0.0/8 on the LAN and have IPs of that network on your "transfer net" between the pfSenses as well. That is a conflict. 172.16.x.x are private IPs. Use some of that range or some 192.168.x.x network, just something that you do not use anywhere on the LAN or maybe on remote VPN subnets.

Example:

pfSense1:
LAN 10.0.0.1/8 (do you really need such a big network?)
WAN 172.16.0.1/24
Firewall>NAT, outbound: enable manual outbound NAT and delete the autocreated rules.

pfSense2:
LAN 172.16.0.2/24
WAN 200.x.x.x
System>Static routes: Interface LAN, 10.0.0.0/8 (LAN subnet of pfSense1) via gateway 172.16.0.1 (WAN IP of pfSense1)

srs
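Hoba's addressing plan above, worked through as an added Python example (this is not code from the thread or from pfSense): it checks the LAN and the transfer net for overlap, answers the earlier question of whether a candidate transfer net is actually RFC 1918 space, and does the longest-prefix lookup that pfSense2's routing table performs for a reply going back to a 10.x client. The 203.0.113.254 upstream gateway is an assumed stand-in for the thread's elided 200.x.x.x WAN.

```python
import ipaddress


def find_overlaps(named_nets):
    """Return the pairs of labels whose networks overlap (address conflicts).

    named_nets maps a label to a CIDR string; host bits are tolerated so
    "10.0.0.1/8" style entries from the thread work unchanged.
    """
    items = [(name, ipaddress.ip_network(cidr, strict=False))
             for name, cidr in named_nets.items()]
    conflicts = []
    for i, (name_a, net_a) in enumerate(items):
        for name_b, net_b in items[i + 1:]:
            if net_a.overlaps(net_b):
                conflicts.append((name_a, name_b))
    return conflicts


def is_rfc1918(cidr):
    """True if the whole network lies inside a private (RFC 1918) range."""
    return ipaddress.ip_network(cidr, strict=False).is_private


def lookup(routes, dst):
    """Longest-prefix match over (network, gateway_or_None, interface) tuples.

    Returns (gateway, interface); a gateway of None means directly connected.
    """
    dst = ipaddress.ip_address(dst)
    best = None
    for cidr, gateway, iface in routes:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, iface)
    return None if best is None else (best[1], best[2])


# Plan from the thread: pfSense1 LAN 10.0.0.1/8, transfer net 172.16.0.0/24.
PLAN = {"pfSense1 LAN": "10.0.0.1/8", "transfer net": "172.16.0.0/24"}
# The earlier proposal put the transfer net (and its gateway) inside the LAN range.
BAD_PLAN = {"pfSense1 LAN": "10.0.0.1/8", "transfer net": "10.0.0.0/30"}

# pfSense2's routing table under the plan. The upstream gateway address is an
# assumed stand-in for the 200.x.x.x WAN in the thread.
PFSENSE2_ROUTES = [
    ("172.16.0.0/24", None, "lan"),          # connected: the transfer net
    ("10.0.0.0/8", "172.16.0.1", "lan"),     # static route back via pfSense1's WAN IP
    ("0.0.0.0/0", "203.0.113.254", "wan"),   # default route towards the ISP
]

if __name__ == "__main__":
    print("conflicts in plan:", find_overlaps(PLAN))
    print("conflicts in bad plan:", find_overlaps(BAD_PLAN))
    print("172.1.1.0/30 private?", is_rfc1918("172.1.1.0/30"))
    print("reply to 10.0.3.7 leaves pfSense2 via:", lookup(PFSENSE2_ROUTES, "10.0.3.7"))
```

The overlap check is the part worth keeping around: a static route whose gateway sits inside its own destination network, as in the first proposal, is exactly the conflict hoba describes, and `ip_network.overlaps()` catches it before any packet is sent.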

I really do not need such a big network ;)

Currently I'm separating this network into different subnets for departments, labs, as 10.1.x, 10.2.x, only to try to 'organize' things.

Well, and as I asked, if DHCP will be running on pfSense1, then my LAN's gateway will be 10.0.0.1 (pfSense1)? Right?

Thanks again!

hoba

                  Correct.

srs

I installed the 2nd pfSense box, made a crossover cable, configured it as said before, and at least I can surf the net, RSS; but I have not tested the shaper yet; I'll do those tests tomorrow morning.

But one strange thing that I've noticed is that I cannot log on to MSN anymore; traffic shaping on both pfSenses is enabled with low priority for MSN (enabled on both, but since I use Squid on one, the shaper on that pfSense does not act), but we never had any problem logging into MSN or any other kind of messenger... any idea?

Thanks

hoba

Are you by any chance using the imspector package?

srs

No, I'm not using it; I discovered now (other users discovered ;D) that Gmail isn't working (I think that is some problem with HTTPS), and other services that require special ports opened; do I have to do any other kind of config in NAT or the firewall?

I also cannot access simple sites such as http://mail.yahoo.com/ or www.hotmail.com, which aren't in any blacklist or ACL.

Thanks

hoba

Can you make sure DNS is working correctly? Maybe some hosts are not resolved properly?

srs

I configured the second pfSense with the same DNS servers I used in the first one; I have found something: when I disable the transparent proxy, everything (the sites that are working) stops working; I think the problem with the sites that are not working is that they have some part in HTTPS and can't contact this, or it can't return to the client... it seems that only the proxy is accessing the internet; when I turn it off everything stops... what do you think?

Thanks

hoba

One thing that comes to mind is that you have to do some more magic at the pfSense that is facing the internet (pfSense2):

Firewall>NAT, outbound:
Enable manual outbound NAT. It will create a rule for you automatically. Edit that rule and change the source from "network" to "any". Otherwise it won't NAT the traffic for clients that are not in the LAN of pfSense2.

Firewall>Rules, LAN tab:
Edit the default LAN to any rule. Make it read source "any" too, instead of "LAN subnet". We are not NATting, so the clients from the network behind pfSense1 are not allowed yet.

That's why only things that go through the proxy work currently, but not ports or protocols that don't use it. Guess that should get it working.

srs

Hoba, it seems everything is OK, as you said ;D ;D ;D ;D

I will make tests with the other applications, but it seems fine;

One more question: in the default configuration, does pfSense have ports closed or opened? Let's say I want to access some Oracle DB on the internet (200.x.x.x); must I open the Oracle ports in pfSense so that I can use some Oracle-based app, or will these ports be open in pfSense until I close them?

Thanks a lot!

hoba

The default configuration is LAN to WAN everything allowed (the default LAN to any rule) and WAN to LAN everything is blocked silently. Basically everything that is not explicitly allowed at any interface is blocked. There is an invisible block-all rule at the bottom of the firewall screen.

GruensFroeschli

@hoba:

The default configuration is LAN subnet to WAN everything allowed (the default LAN to any rule) and WAN to LAN everything is blocked silently. Basically everything that is not explicitly allowed at any interface is blocked. There is an invisible block-all rule at the bottom of the firewall screen.

ftfy

If you have a subnet behind another router behind pfSense, it won't be able to get out by default.
--> The default rule has to be changed from "source: LAN subnet" to "source: any"

                                    We do what we must, because we can.

                                    Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

hoba
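Hoba's fix for pfSense2 and GruensFroeschli's correction of the default rule describe the same failure mode, so here is one added Python model of it (this is my code, not the thread's and not pfSense's). It evaluates a pfSense-style rule set with first-match semantics and the invisible block-all at the end, then applies an outbound NAT rule, and shows why a client from the 10.0.0.0/8 network behind pfSense1 is dropped by the stock "LAN subnet" rule, why changing only the firewall rule lets it out with an unroutable private source, and why both the rule and the NAT source have to be "any". States, ports and protocols are deliberately left out; the 203.0.113.1 WAN address is an assumed stand-in for the thread's 200.x.x.x.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple, Union

ANY = "any"  # the GUI's "any" source, as opposed to a specific network


@dataclass(frozen=True)
class Rule:
    iface: str                                   # interface the packet arrives on
    src: Union[ipaddress.IPv4Network, str]       # a network or ANY
    action: str                                  # "pass" or "block"


@dataclass(frozen=True)
class NatRule:
    src: Union[ipaddress.IPv4Network, str]       # a network or ANY
    translate_to: ipaddress.IPv4Address          # address to rewrite the source to


@dataclass(frozen=True)
class Packet:
    iface: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


def _src_matches(selector, pkt):
    return selector == ANY or pkt.src in selector


def evaluate(rules, pkt):
    """First matching rule wins; nothing matched means the hidden block-all."""
    for rule in rules:
        if rule.iface == pkt.iface and _src_matches(rule.src, pkt):
            return rule.action
    return "block"


def outbound_nat(nat_rules, pkt):
    """Return the source address the packet leaves with (unchanged if no rule matches)."""
    for rule in nat_rules:
        if _src_matches(rule.src, pkt):
            return rule.translate_to
    return pkt.src


def forward(rules, nat_rules, pkt):
    """Filter first, then translate; returns (verdict, outgoing source or None)."""
    if evaluate(rules, pkt) != "pass":
        return ("block", None)
    return ("pass", outbound_nat(nat_rules, pkt))


# pfSense2 as configured in the thread; WAN address is an assumed stand-in.
LAN_SUBNET = ipaddress.ip_network("172.16.0.0/24")
WAN_IP = ipaddress.ip_address("203.0.113.1")

DEFAULT_RULES = [Rule("lan", LAN_SUBNET, "pass")]   # stock "LAN subnet to any"
FIXED_RULES = [Rule("lan", ANY, "pass")]            # source changed to "any"
DEFAULT_NAT = [NatRule(LAN_SUBNET, WAN_IP)]         # autocreated manual outbound rule
FIXED_NAT = [NatRule(ANY, WAN_IP)]                  # source changed to "any"

# Constructed sample packets: a client behind pfSense1, pfSense1 itself, and
# an unsolicited probe arriving on WAN.
CLIENT = Packet("lan", ipaddress.ip_address("10.0.3.7"), ipaddress.ip_address("198.51.100.10"))
TRANSFER_HOST = Packet("lan", ipaddress.ip_address("172.16.0.1"), ipaddress.ip_address("198.51.100.10"))
WAN_PROBE = Packet("wan", ipaddress.ip_address("198.51.100.10"), WAN_IP)

if __name__ == "__main__":
    print("stock rules, client:", forward(DEFAULT_RULES, DEFAULT_NAT, CLIENT))
    print("rule fixed only, client:", forward(FIXED_RULES, DEFAULT_NAT, CLIENT))
    print("rule and NAT fixed, client:", forward(FIXED_RULES, FIXED_NAT, CLIENT))
    print("stock rules, pfSense1 itself:", forward(DEFAULT_RULES, DEFAULT_NAT, TRANSFER_HOST))
    print("inbound probe on WAN:", forward(FIXED_RULES, FIXED_NAT, WAN_PROBE))
```

The middle case is the one that bites in practice: with the rule widened but the NAT source still "LAN subnet", the packet is passed with its 10.0.3.7 source intact, goes out the WAN, and the reply has nowhere to come back to. Traffic that went through Squid worked all along because the proxy opened its own connection from pfSense2, which never traverses the LAN rule set at all.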

                                      @hoba:

One thing that comes to mind is that you have to do some more magic at the pfSense that is facing the internet (pfSense2):

Firewall>NAT, outbound:
Enable manual outbound NAT. It will create a rule for you automatically. Edit that rule and change the source from "network" to "any". Otherwise it won't NAT the traffic for clients that are not in the LAN of pfSense2.

Firewall>Rules, LAN tab:
Edit the default LAN to any rule. Make it read source "any" too, instead of "LAN subnet". We are not NATting, so the clients from the network behind pfSense1 are not allowed yet.

That's why only things that go through the proxy work currently, but not ports or protocols that don't use it. Guess that should get it working.

Yep, that was something that I initially forgot to tell him ::)

srs

Well guys, now everything is working fine! Thanks for your help. The next step is installing some cool software, such as ntop and Snort, to monitor the network and help make it secure and prevent security risks. Can this software be installed in either box, or would it make any difference?

Thanks

hoba

                                          I would install it at the pfSense facing the internet.

srs

I'm learning a lot of new things :), and need to solve some questions:

About VLANs: I've been reading about them and think that it would be useful for me to separate my info labs (meant for students) from the rest of the LAN, is that right? Now come the questions: as I've seen in the forum, each VLAN needs an exclusive NIC to be assigned to. Adding two NICs, for example, to my pfSense facing the LAN, could I configure these two VLANs even though the LAN has only one physical layer, I mean, all working in switches that are connected to each other? This also means that those two VLAN cables would be in the same switch.

Let's say that the answer is yes, and I can configure the VLANs for the labs (10.0.3.0) and all the rest (10.0.0.0); I would add the respective MACs to the VLAN, is that it?

In my case, the pfSense that is facing the LAN is my shaping box; can shaping work with VLANs?

Would RRD generate graphs for the new VLANs?

Would this work?

Thanks one more time!
