Netgate Discussion Forum

Public VLAN routing via pfSense with limited FW rules for selected VLANs?

Gio:

      @podilarius:

I don't think bridging would be the best option here. Do you have multiple /29 external address ranges? Once you set up each VLAN and add its default rule, you will also need to check NAT to make sure that, if you are using manual outbound NAT, your new subnet is included. Once that is set up, you can set up 1:1 or port forward NAT. If your goal is to use one /29 for each subnet, you will need to switch to MON so that you can set each subnet to a different address.

      Thanks podilarius

      We have a full public /24 routed to us by our ISP. Then from there we break down network segments and we need 4 VLANs that will be /29 from the parent /24 which will be completely public.

      From what you stated, you are suggesting the following for completely "pass-thru" access:

      1. Create VLAN in pf and assign interface to LAN (LAN port is trunk enabled and vlan tagging is enabled)
      2. Create rule to pass source * to destination * "any to any"
3. Disable automatic NAT and use manual outbound NAT (do I delete all rules that are created automatically? pf added /29 rules in there; any example rules I should manually create?)
4. Set up port forwarding? (I was trying to allow all traffic to these public IPs to pass through; shouldn't the "any to any" * source * destination rule I created in step 2 take care of this?)

I got confused when you said this: "If your goal is to use 1 /29 for each subnet, you will need to switch to MON so that you can set each subnet to a different address." What is "MON"? I can't seem to find a definition of what it is, and Google seems to think I refer to "Monday" and all results are from the pfSense mailing list.

      Many thanks...

dotdash:

        MON=Manual Outbound NAT. He's just saying if you want traffic from each vlan to use different public IPs outbound, you have to do that manually.

Gio:

          @dotdash:

          MON=Manual Outbound NAT. He's just saying if you want traffic from each vlan to use different public IPs outbound, you have to do that manually.

          Got it! Thanks. I will try tonight again

Also, I own the pfSense Definitive Guide book (for old 1.2.3) and on page 148 it says that the FTP proxy will be needed even for 1:1 NAT to public IPs. Is this statement still accurate, or should pfSense just pass traffic for the destination public /29 to the right VLAN without any intervention or FTP proxy, based on the IP destination header? Trying to understand the logic of the FTP proxy (it makes sense if pf is doing the outbound NAT, but since public IPs are used outbound I don't see why the FTP proxy is still needed on the WAN interface?)

podilarius:

FTP proxy should probably not be used. I am not using it for my FTP server. But I guess it really depends on the FTP server that you are using. Mine is vsftpd and I have just configured the NAT address and a small port range for passive FTP.

Gio:

              What I have tried so far:

• Disabling Packet Filtering (so that I can find out if it's a routing issue or FW)
• Enabled Manual NAT (deleted all automatically created routes)
  – Windows host under VLAN won't get a response from its gateway after that

It looks like pfSense is not forwarding IP packets? (If it's only a router with a default gateway set, shouldn't it allow IP forwarding??)

Thanks in advance. I can't get these hosts to be completely accessible from the internet (even with Packet filtering disabled). Any quick and dirty guides to set up pfSense as a router only with VLANs? I could use that to set up a basic router, then move on to packet filtering.

Gio:

                I wonder if the reason why I can't get 1:1 outbound NAT to work is because I haven't clicked this checkbox in System > Advanced

                Automatically create outbound NAT rules which assist inbound NAT rules that direct traffic back out to the same subnet it originated from.
                Currently only applies to 1:1 NAT rules. Required for full functionality of NAT Reflection for 1:1 NAT.

dotdash:

Reflection is for bouncing the public IP back to the private IP. E.g., if I'm at 192.168.1.100 and the webserver for www.company.com is at 192.168.1.50, but I'm trying to go to the public IP, it will bounce the traffic back to 192.168.1.50.
                  Your goal is to take the /24 and break off four /29's, assigning each to a separate vlan, then use public IPs on the machines?

Gio:

                    @dotdash:

                    Your goal is to take the /24 and break off four /29's, assigning each to a separate vlan, then use public IPs on the machines?

                    This is exactly what I am trying to achieve.

I am also unsure if I should turn off the "LAN" interface since I am doing VLANs for everything. Not sure if this is one of the reasons I'm having trouble achieving what I want. LAN is set up as 172.16.0.1/24, the DHCP server is on, and all untagged traffic (other ports on the switch) can get an IP from the DHCP scope. VLANs are working as expected, though I use static IPs on the VLANs, no DHCP, FYI.

Gio:

Let me give you guys some more information about the setup. I will use random public IPs as examples to get the idea across, but it is the same subnet and IP, just masking the first 3 octets of my range.

                      WAN IP

                      • Gateway IP (default route) 199.10.20.97
                      • WAN IP config set to static with IP 199.10.20.98 255.255.255.252

                      LAN IP em0

                      • Static IP 172.16.0.1 /24
                      • DHCP server is running on this

                      VLAN10 (off em0)

                      • Static IP 200.44.32.129 - gateway 200.44.32.129 - netmask 255.255.255.248 (/29)

                      VLAN10 client

                      • Windows server 2003 - static IP 200.44.32.130 - gateway 200.44.32.129 netmask 255.255.255.248

wallabybob:

                        I was redirected to this topic from http://forum.pfsense.org/index.php/topic,61013.msg328872.html

Actual ping responses are far more informative than "cannot ping". So I don't have to go hunting through other topics on the same problem, please provide the output of these pfSense shell commands:

```
/etc/rc.banner
ifconfig -a
netstat -r -n
ping -c 5 199.10.20.97    # wan gateway
ping -c 5 8.8.8.8
```

And please provide the output of the following ping commands (after any necessary IP address correction) run on the VLAN10 client:

```
ping 200.44.32.129
ping 199.10.20.98
ping 199.10.20.97
ping 8.8.8.8
```
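The routing-table output wallabybob asks for above is only useful if you can read it against the ping targets. The following is an added example (not code from the thread or from pfSense) that parses FreeBSD-style `netstat -r -n` output and does a longest-prefix lookup for each target, plus a check that the VLAN10 client's gateway lies inside its own /29. The routing table is a constructed sample modelled on the addresses Gio posted, not output from his box.

```python
import ipaddress

# Constructed sample in FreeBSD "netstat -r -n" layout, modelled on Gio's
# addresses (WAN 199.10.20.98/30, LAN 172.16.0.1/24, VLAN10 200.44.32.129/29).
NETSTAT_OUTPUT = """\
Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            199.10.20.97       UGS         0    41230    em1
172.16.0.0/24      link#1             U           0     3310    em0
199.10.20.96/30    link#2             U           0      980    em1
200.44.32.128/29   link#3             U           0       52    em0_vlan10
200.44.32.129      link#3             UHS         0        0    lo0
"""

def parse_routes(text):
    """Return (network, gateway, netif) tuples from netstat -r -n output."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] == "Destination":
            continue  # skips the section title, blank lines and the header row
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        # Host routes carry no prefix length; strict=False tolerates host bits.
        routes.append((ipaddress.ip_network(dest, strict=False), parts[1], parts[5]))
    return routes

def lookup(routes, dst):
    """Longest-prefix match: which interface and next hop would carry dst?"""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, netif in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, netif)
    if best is None:
        return None
    net, gw, netif = best
    # "link#N" means directly connected: the destination is its own next hop.
    nexthop = dst if gw.startswith("link#") else gw
    return {"netif": netif, "nexthop": nexthop, "prefix": str(net)}

def client_config_ok(client_ip, gateway_ip, netmask):
    """The client's gateway must sit inside the client's own subnet."""
    subnet = ipaddress.ip_network(f"{client_ip}/{netmask}", strict=False)
    return ipaddress.ip_address(gateway_ip) in subnet

if __name__ == "__main__":
    table = parse_routes(NETSTAT_OUTPUT)
    for target in ("200.44.32.130", "199.10.20.97", "8.8.8.8"):
        print(target, lookup(table, target))
```

If a target resolves to the expected interface here but the real ping still fails, the problem is outside the pfSense routing table (ARP on the VLAN, the upstream route for the /24, or the client's own configuration).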
Gio:

                          Screenshot pack 1

[eight screenshots attached]

Gio:

                            Screenshot pack 2.

Please see my settings. As you can see, packet filtering is on, the gateway appears to be set up properly and the routes appear to be there. The problem is that without any kind of filtering my VLAN with my public /29 should be able to freely have full network access inbound and outbound, and this is not working.

[screenshots attached]

wallabybob:

If you haven't rebooted the pfSense box since you disabled the firewall, I suggest you do so. It has been my experience that some major changes seemed to need a reboot to correctly take effect.

The configuration information you posted looks OK. How about the ping output I requested? I want to see what is reported by ping at each stage: nearest pfSense interface, pfSense WAN interface, upstream gateway, Google DNS.

podilarius:

                                I noticed that you have the FW off, so no rules are going to apply anyway. This means no NAT, FW, nothing, only routing. Since that is the case, it would seem that you probably have a basic routing problem. Can machines on your VLAN ping the WAN ip of pfSense, then, can they ping the WAN Gateway?
