Noob needs assistance vL2TP Passthrough | Interface/VLAN rules | DMZ | etc.

General pfSense Questions, 9 Posts, 4 Posters, 3.5k Views

verbal

      Just revamped my home network from the ground up and decided to use pfSense instead of the Airport Extreme I was using. I have 64 bit pfSense installed on a Jetway booksize system. I just received the daughtercard that gives me 3 more NICs. Here's my config right now..

      WAN - em0
      LAN - em1
      VLAN10 - em1
      EMPTY - em2, em3, em4

      I currently have an Airport Extreme in bridge mode for my wireless access point setup on the LAN. Works great. Now that I have the extra NICs, I wanted to put the Airport on it's own interface on the pfSense box. I created a WIFI interface on em2 (10.17.80.1), firewall rules that allow WIFI, LAN, and VLAN10 to talk to each other, and setup DHCP server to pass out IPs. I get a WIFI IP and can talk to anything internally, but no internet access. Nothing resolves in DNS. DHCP is passing over the WIFI interface gateway IP (10.17.80.1) but it's not resolving anything. I created a rule that would pass all traffic to the WAN interface but that didn't resolve the issue. Any ideas what I'm missing?

      Next– I connect to my work VPN from time to time. Tried earlier today but L2TP traffic isn't being passed through pfSense, so it can never connect. Been Googling for a resolution for a couple hours now but I haven't found anything that has worked. I found some things mentioning to turn off automatic NAT creation and setting it to manual, but that just sounds like it would break the network until I manually entered whatever NAT rules I need. Maybe I'm misunderstanding. Anyone know how to allow L2TP to passthrough? Need it badly!

      Next-- I want to create a DMZ VLAN. I have an AT&T Microcell that I've read works better outside of any firewall, and I wouldn't mind having a couple ports on my managed switch setup as DMZ if it's ever needed. Would be interesting if I could setup some wireless IP addresses that would be DMZ'd that I could easily use if needed. I've read a few tutorials on how to setup a DMZ in pfSense, but my problem is that each article is different. None of them are really setup exactly the same. I'd just want the correct, best practice way of setting up a DMZ area or VLAN.

      Last-- are there any threads that teach the best practices of using pfSense? I'm a huge noob when it comes to this. I understand a lot of the basic setup and principles of networking, but executing them in pfSense is another story. I'd like to learn about what tweaks and changes all the pfSense veterans do on a brand new installation. Things to get pfSense working as best as it can and how to setup firewall rules the wrong way and the right way.

      I'm sure most of this has been covered in the forums, but as I searched I either found incomplete, very old, or conflicting information. Any help on with these questions is appreciated!

      Thanks for reading.

webdawg

        Welcome to pfSense.

Look at your original WAN interface and note that it has a rule taking all traffic to the default gateway. You need to add this type of rule to your newly created interface that you are using for your Airport. Why did you want to put your Airport on a sep network but then make the sep networks talk?

pfSense needs to know what to do with the traffic coming in. That is, it needs to know that you want it to route the traffic to the default interface.

I do not have experience with that type of VPN. Usually when you set NAT to manual, pfSense creates manual NAT rules that you can edit. http://www.tomshardware.com/forum/8844-43-what-router-doing-enable-l2tp-pass may help, and https://en.wikipedia.org/wiki/Layer_2_Tunneling_Protocol. I know if it was me I would be looking at the firewall logs to see if it is blocking something. Does the server try and establish a connection back?

A DMZ is just like any other network. It's just that it cannot connect to the rest of the networks and you cannot connect to it from those networks. You just forward/allow what you want to the boxes on the network. Or just internet out. "Would be interesting if I could setup some wireless IP addresses that would be DMZ'd" what?

I use the forum and the wiki, but pfSense can be confusing. http://forum.pfsense.org/index.php?topic=28541.0 , http://www.amazon.com/s/ref=nb_sb_noss?url=search-alias%3Dstripbooks&field-keywords=pfsense , This is for an old version of pfSense: http://www.tdeig.ch/Manuel_pfSense.pdf

wallabybob

          @verbal:

          I get a WIFI IP and can talk to anything internally, but no internet access. Nothing resolves in DNS.

          What response do you get if you ping 8.8.8.8?

          What are you expecting to use as DNS? Have you enabled DNS forwarder on pfSense? What does your client think is the IP address of the name server?

verbal

            @webdawg:

Look at your original WAN interface and note that it has a rule taking all traffic to the default gateway. You need to add this type of rule to your newly created interface that you are using for your Airport. Why did you want to put your Airport on a sep network but then make the sep networks talk?

pfSense needs to know what to do with the traffic coming in. That is, it needs to know that you want it to route the traffic to the default interface.

            My WAN interface only has two rules– block private networks and block bogon networks. My LAN interface has two also-- anti-lockout rule and 'default allow LAN to any rule.' I'm assuming you're referring to the 'default allow LAN to any rule.' That's the only one that could be passing WAN traffic.

I do not have experience with that type of VPN. Usually when you set NAT to manual, pfSense creates manual NAT rules that you can edit. http://www.tomshardware.com/forum/8844-43-what-router-doing-enable-l2tp-pass may help, and https://en.wikipedia.org/wiki/Layer_2_Tunneling_Protocol. I know if it was me I would be looking at the firewall logs to see if it is blocking something. Does the server try and establish a connection back?

            My work VPN uses the L2TP protocol and my firewall isn't letting it go through. I'll have to check the logs to see if there is more info. Pretty sure I just need to allow the traffic to passthrough but I have no idea what the right way is.

A DMZ is just like any other network. It's just that it cannot connect to the rest of the networks and you cannot connect to it from those networks. You just forward/allow what you want to the boxes on the network. Or just internet out. "Would be interesting if I could setup some wireless IP addresses that would be DMZ'd" what?

I use the forum and the wiki, but pfSense can be confusing. http://forum.pfsense.org/index.php?topic=28541.0 , http://www.amazon.com/s/ref=nb_sb_noss?url=search-alias%3Dstripbooks&field-keywords=pfsense , This is for an old version of pfSense: http://www.tdeig.ch/Manuel_pfSense.pdf

            I just want to create a DMZ network for some devices I have. It would be cool if I'm able to put some wireless clients in the DMZ easily if it's ever needed for whatever reason.

            @wallabybob:

            @verbal:

            I get a WIFI IP and can talk to anything internally, but no internet access. Nothing resolves in DNS.

            What response do you get if you ping 8.8.8.8?

            What are you expecting to use as DNS? Have you enabled DNS forwarder on pfSense? What does your client think is the IP address of the name server?

WAN is set up as DHCP since Comcast changes my IP address sometimes. It's using my ISP's DNS and it works fine for me.

            WIFI VLAN was going to be 10.17.80.1. WIFI clients were getting 10.17.80.1 for the gateway and DNS.

verbal

              http://www.digitalphotomac.com/PFsense/DMZ/

              Regarding the DMZ part of my question, I found this on setting up a DMZ interface and rules and it makes the most sense out of all the how to's I've found. Except one part…

              Next, we'll need to create a new rule to allow all traffic from the DMZ to the internet:

              Action: select Pass
              Disabled: leave unchecked
              Interface: select DMZ
              Protocol: select any
              Source: select DMZ subnet
              Destination: click the not box and select LAN Subnet in the Type: field
              Gateway: set to default
              Description: type a description for your rule. Then save.

              Here is a screenshot of mine:

              Figure c. Allow from DMZ to WAN

              This rule is to allow traffic from the DMZ to go to the WAN (Internet). Shouldn't the destination be set to the WAN subnet? Setting the destination as NOT LAN would allow any DMZ traffic to go to the WAN subnet but also any other subnets you might have and only restrict traffic to the LAN subnet. Setting the destination as the WAN subnet would only allow DMZ traffic to go to the Internet and block it from any internal networks. Is there something I'm missing?

wallabybob

                @verbal:

                @wallabybob:

                @verbal:

                I get a WIFI IP and can talk to anything internally, but no internet access. Nothing resolves in DNS.

                What response do you get if you ping 8.8.8.8?

                What are you expecting to use as DNS? Have you enabled DNS forwarder on pfSense? What does your client think is the IP address of the name server?

WAN is set up as DHCP since Comcast changes my IP address sometimes. It's using my ISP's DNS and it works fine for me.

                WIFI VLAN was going to be 10.17.80.1. WIFI clients were getting 10.17.80.1 for the gateway and DNS.

                Maybe I missed something. I don't think you answered the two questions:

                • What response do you get if you ping 8.8.8.8?

                • Have you enabled DNS forwarder on pfSense?

phil.davis

                  This rule is to allow traffic from the DMZ to go to the WAN (Internet). Shouldn't the destination be set to the WAN subnet? Setting the destination as NOT LAN would allow any DMZ traffic to go to the WAN subnet but also any other subnets you might have and only restrict traffic to the LAN subnet. Setting the destination as the WAN subnet would only allow DMZ traffic to go to the Internet and block it from any internal networks. Is there something I'm missing?

                  Just in answer to this query, the traffic from DMZ needs to be allowed to anywhere outside in internet-land, that is "Destination all except LAN Subnet".
                  If your WAN is a real public IP from your ISP, then you want to allow packets from DMZ to addresses in your WAN subnet, just in case that WAN subnet happens to also have something else on it (at your ISP, at your neighbour's house, in the neighbour's DMZ…?) that is going to connect to/from your DMZ machines (yes, this is unlikely in most scenarios).
                  If your WAN is a private subnet that then leads to your real internet modem/router/gateway then your DMZ probably doesn't need to talk to it directly. In that case WAN could be included in the "not" rule.
                  And yes, if you have other LANs on your pfSense, then they need to be included in the "not" of this rule. To do that, make an alias that is a list of your LAN networks (LAN1, LAN2, LAN3... subnet numbers). Then use the alias in the "destination not" part of the rule.


verbal

                    @wallabybob:

                    Maybe I missed something. I don't think you answered the two questions:

                    • What response do you get if you ping 8.8.8.8?

                    • Have you enabled DNS forwarder on pfSense?

                    I didn't try pinging Google's DNS.
                    DNS forwarder is enabled in pfSense. If it wasn't I wouldn't get DNS resolution on any of the interfaces.

                    @phil.davis:

                    This rule is to allow traffic from the DMZ to go to the WAN (Internet). Shouldn't the destination be set to the WAN subnet? Setting the destination as NOT LAN would allow any DMZ traffic to go to the WAN subnet but also any other subnets you might have and only restrict traffic to the LAN subnet. Setting the destination as the WAN subnet would only allow DMZ traffic to go to the Internet and block it from any internal networks. Is there something I'm missing?

                    Just in answer to this query, the traffic from DMZ needs to be allowed to anywhere outside in internet-land, that is "Destination all except LAN Subnet".
                    If your WAN is a real public IP from your ISP, then you want to allow packets from DMZ to addresses in your WAN subnet, just in case that WAN subnet happens to also have something else on it (at your ISP, at your neighbour's house, in the neighbour's DMZ…?) that is going to connect to/from your DMZ machines (yes, this is unlikely in most scenarios).
                    If your WAN is a private subnet that then leads to your real internet modem/router/gateway then your DMZ probably doesn't need to talk to it directly. In that case WAN could be included in the "not" rule.
                    And yes, if you have other LANs on your pfSense, then they need to be included in the "not" of this rule. To do that, make an alias that is a list of your LAN networks (LAN1, LAN2, LAN3... subnet numbers). Then use the alias in the "destination not" part of the rule.

                    That's why I'm confused about his setup– why make the rule a NOT command and specify an internal subnet when a rule allowing traffic to the WAN only makes more sense? Also, the rule wouldn't have to be modified later if you add more networks/pfSense interfaces. Just seems like it makes more sense, which is why I'm wondering what I'm missing with his way.

                    The WAN on my pfSense is directly plugged into my cable modem, which receives a DHCP public IP from Comcast.

wallabybob

                      @verbal:

                      That's why I'm confused about his setup– why make the rule a NOT command and specify an internal subnet when a rule allowing traffic to the WAN only makes more sense?

                      The WAN on my pfSense is directly plugged into my cable modem, which receives a DHCP public IP from Comcast.

Your WAN subnet is only a small portion of the public internet (check your current public IP address AND network mask). If you want to allow traffic to the internet you can't do so by allowing traffic to your WAN subnet only. Allowing traffic to NOT LAN subnet is a convenient way of allowing traffic to ALL public IP addresses (AND lots of private IP addresses which you don't currently use).

                      Last time I looked at pfSense firewall rules I don't recall seeing an option to specify "ALL public IP addresses" so you either have to make up an alias for "all public IP addresses" or adopt some cunning such as define an alias for private IP addresses and use "NOT private IP addresses" when you mean "public IP addresses". But that is probably a "more advanced" topic than is suitable for the current discussion.
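To make the point of phil.davis's and wallabybob's replies concrete, here is an added example (not from the thread or from pfSense itself) that models the three candidate destinations for the "allow DMZ out" rule and checks which destination addresses each would pass. The LAN and WAN subnets, and the 10.17.80.0/24 WIFI segment standing in for "another internal network", are constructed values.

```python
# Added example: evaluate three ways of writing the DMZ egress rule's destination.
# Subnets below are constructed for illustration (WAN uses a documentation range).
import ipaddress

LAN_SUBNET = ipaddress.ip_network("192.168.1.0/24")    # assumed LAN
WIFI_SUBNET = ipaddress.ip_network("10.17.80.0/24")    # WIFI segment from the thread
WAN_SUBNET = ipaddress.ip_network("203.0.113.0/24")    # assumed ISP-facing WAN subnet

# Alias playing the role of wallabybob's "private IP addresses" alias (RFC 1918).
PRIVATE_ALIAS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def dest_wan_subnet(dst: str) -> bool:
    """Rule destination = WAN subnet (the original poster's proposal)."""
    return ipaddress.ip_address(dst) in WAN_SUBNET


def dest_not_lan(dst: str) -> bool:
    """Rule destination = NOT LAN subnet (the tutorial's rule)."""
    return ipaddress.ip_address(dst) not in LAN_SUBNET


def dest_not_private(dst: str) -> bool:
    """Rule destination = NOT <private-networks alias>: passes only public space."""
    addr = ipaddress.ip_address(dst)
    return not any(addr in net for net in PRIVATE_ALIAS)


def evaluate(dst: str) -> dict:
    """Return which of the three rule variants would pass traffic to dst."""
    return {
        "WAN subnet": dest_wan_subnet(dst),
        "NOT LAN": dest_not_lan(dst),
        "NOT private alias": dest_not_private(dst),
    }


if __name__ == "__main__":
    # A public resolver, a host on the WAN subnet, a LAN host, and a WIFI host.
    for target in ("8.8.8.8", "203.0.113.77", "192.168.1.10", "10.17.80.5"):
        print(target, evaluate(target))
```

The run shows the trade-off discussed above: "WAN subnet" never reaches 8.8.8.8, "NOT LAN" reaches the internet but also leaks into the WIFI segment, and the RFC 1918 alias passes only public addresses without needing an update when another internal interface is added.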

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.