Newbie question
-
Hi to all community contributors & experts :)
I am pretty confused regarding firewalls, and I hope someone can help me clarify my actual needs.
I have 3 servers, all running as web servers with global IP addresses (100.15.15.X, 100.15.15.Y, 100.15.15.Z).
My current setup is
Gateway (100.15.15.A)
Layer 2 Switch
Web servers (100.15.15.X, 100.15.15.Y, 100.15.15.Z)
If I want to have a firewall, where is the recommended place to put it, and what kind of threats am I protecting against?
-
If your upstream gateway and your web servers are all in the same subnet, then you would need a transparent/bridged setup. It's a bit more complicated in some ways than a traditional routed or NAT setup, but protects the same from a firewall perspective. There are other posts/discussions/documents here on the forum that cover setting that up.
It's recommended to have a firewall at the edge of your network, between your ISP and anything else that you run (that isn't another firewall). There are numerous ways to design a secure network so it's difficult to generalize that too much. How complex and where the firewall(s) go in your network depends on how your systems are designed.
The kind of threats that a firewall can prevent are covered elsewhere around the web in vast detail. Far too much to go into here. It also depends on what packages/add-ons you have configured.
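To make the "transparent/bridged setup" mentioned above concrete, here is a pf ruleset for the topology in the question. This is an added example and not something posted in the thread or shipped by pfSense; it assumes a FreeBSD/pf box with two NICs (em0 towards the gateway 100.15.15.A, em1 towards the layer 2 switch) joined in bridge0, with net.link.bridge.pfil_member=1 and net.link.bridge.pfil_bridge=0 so traffic is filtered once on the member interfaces. The web server addresses 100.15.15.10-12 stand in for X, Y and Z, and the management network 203.0.113.0/24 is hypothetical.

```pf
# Added example (not from the thread): transparent bridge filter in front of
# three web servers that keep their public IPs. The firewall has no address
# on em0/em1 and does no NAT or routing; it only filters frames that cross
# the bridge. ARP is not IP and is not filtered by pf, so the gateway and the
# servers can still resolve each other across the bridge.
wan = "em0"   # member facing the gateway 100.15.15.A (assumed)
lan = "em1"   # member facing the switch and the servers (assumed)

# Stand-ins for 100.15.15.X/Y/Z; replace with the real host addresses.
table <web> const { 100.15.15.10, 100.15.15.11, 100.15.15.12 }
# Hypothetical management network allowed to reach SSH.
table <admin> const { 203.0.113.0/24 }

set skip on lo0
set block-policy drop

# Default deny on every interface; everything below is an exception.
block log all

# Filter only on the outside member. Frames on the inside member are
# passed as-is so each connection is tracked once, not twice.
pass quick on $lan all

# Public services: HTTP/HTTPS to the web servers only.
pass in quick on $wan proto tcp from any to <web> port { 80, 443 } \
    flags S/SA keep state

# Administrative access: SSH only from the management network.
pass in quick on $wan proto tcp from <admin> to <web> port 22 \
    flags S/SA keep state

# Let the servers initiate outbound connections (DNS, updates) and
# receive the replies through the same state entry.
pass out quick on $wan from <web> to any keep state

# Enough ICMP for path MTU discovery and basic troubleshooting.
pass in quick on $wan inet proto icmp from any to <web> \
    icmp-type { echoreq, unreach } keep state
```

Load it with `pfctl -nf /etc/pf.conf` first (syntax check only), then `pfctl -f /etc/pf.conf`, and watch `tcpdump -n -e -ttt -i pflog0` while testing from outside: a blocked connection to a port other than 80/443 should appear there, and `pfctl -ss` should show one state per accepted connection. If both pfil_member and pfil_bridge are left enabled, every packet is evaluated twice (once on the member, once on bridge0), which is the usual cause of "it works without the firewall, breaks with it" in bridged deployments.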
-
I have a similar setup to yours. I am trying to implement pfsense as "transparent" but have not been successful. Here's what I have done.
- Set up the WAN link with the public /30 provided by the ISP; the next-hop router ("ISP"), let's call it 200.1.0.97, and the WAN IP is .98
- Set up the LAN link as 172.16.0.1/24
- Created VLANs with ID 10, 20, 30
- Disabled Packet Filtering
- Disabled outbound NAT (manual mode) since I want to use my public IPs (I set up each VLAN within pfSense with its IPs for that VLAN; let's call them 200.10.20.128/29)
However, a client on 200.10.20.128/29 is able to ping its own gateway 200.10.20.129 and has IP 200.10.20.130, which should be publicly accessible if packet filtering is disabled.
Problem is: 200.10.20.130 is
- unable to ping the external WAN IP 200.1.0.97
- unable to ping external DNS 8.8.8.8 (Google DNS) (this is expected since step 1 fails, but I just wanted you to know I am testing this)
- able to ping its gateway 200.10.20.129
- unable to get anything forwarded
It seems like pfSense works nicely with VLANs but doesn't know where or how to route my VLAN. Any help? Packet filtering is disabled and so is NAT. I don't want (for now) to use NAT for these hosts; they will be in the DMZ… I also would love to stay away from port forwarding and 1:1 NAT until I can get basic network routing working, which seems to be failing since I can't ping the WAN or external sites.
-
@Gio:
I am trying to implement pfsense as "transparent" but have not been successful.
Have you configured a default gateway on the client?
Have you configured a default gateway in pfSense?
You seem to have posted pretty much the same problem report in at least two topics. In which topic do you want to continue the conversation?
-
@Gio:
I am trying to implement pfsense as "transparent" but have not been successful.
Have you configured a default gateway on the client?
Have you configured a default gateway in pfSense?
You seem to have posted pretty much the same problem report in at least two topics. In which topic do you want to continue the conversation?
To answer your questions:
Let's assume the client VLAN is 200.10.20.128/29, with gateway IP 200.10.20.129 (accessible from client IP 200.10.20.130).
The default gateway in pfSense is also set up; it shows up under Gateways, and "Routes" shows the default 0.0.0.0 using the WAN next hop.
Let's continue the conversation in this thread http://forum.pfsense.org/index.php/topic,60980.0.html