Help me fill in the dots - Advanced Home Network with FQDN via DynDNS
-
Ok I will try and keep this brief. I've attached a diagram of the equipment I have at my disposal and want to set up the network properly.
I want to be able to access the FQDN from within my LAN(s). I am a little bit in the dark as to how to utilize the OPT1 and OPT2 of the pfsense SG2440 box.
I'd like some insight into connecting it all together with proper firewall (simple but effective, that is) settings. Not sure this would fall in the realm of official pfSense support, of which I have 2 incidents to spend :D
My FQDN sites are Oracle VirtualBoxes, however one of them should not be accessible from the internet but serve data to the web server. Now I have had this working just fine before I added the SG2440 box but didn't like the pfSense VirtualBox being chained behind the Linksys box which was where the SG2440 is now.
Suggestions and pointers to any literature resources are welcome. I have the pfSense book, but it doesn't really cover tutorial-style setups.
Thanks in advance
-
Well, if you're going to want to run multiple segments (I see 192.168.1, 10.1.10 and 192.168.3, with 192.168.2 also mentioned), you're going to need a switch that supports VLANs, or multiple switches.
You could leverage the switch ports on your old wifi router for 1 of the segments and your other switch for another one of them, etc.
So the different networks you want to have would be on the different interfaces of pfSense.
So let's say LAN would be 192.168.1.0/24,
OPT1 would be 10.1.10.0/24,
and OPT2 would be 192.168.3.0/24. If you want to use 192.168.2.0/24 as well, then you would need to do that via VLAN or get another NIC on pfSense.
I can draw this out for you if you need.
-
Drawing it out would be nice. I am just wondering though if I need the VirtualBox version of pfSense now, I guess it just adds too much complexity.
The 192.168.2.0 is not necessary; it seems macOS automatically gives my wifi card that IP if I set it up to share the internet connection. I'll probably just turn the wifi off on that machine since it is rather redundant and quite possibly overkill. But the important thing is to get my Ubuntu FQDN web server facing the internet, accepting incoming traffic.
Thanks for the reply
Oh and that is why I didn't connect the X marks :D hoping someone would show me an option.
-
I didn't notice that you want to run pfSense in virtual as well as hardware - that is kind of overkill.
Here is a simple breakdown. Again, you need switch ports to connect to the different networks.
To use your wireless router as just an AP and switch ports, disable its DHCP server and connect it to pfSense via a LAN port; then you can connect other devices to the other LAN ports and they will be on that segment.
pfSense will provide DNS and DHCP for your network, so all clients can resolve all other clients via DNS. As to your server being available to the public - that is a simple port forward to the IP your web server is on.
-
Yes much more simplified and easier to set up the firewall rules too.
However, my thought on using a VirtualBox pfSense was that the main pfSense would send all ports open to it and that the VirtualBox one would manage the web server stuff.
Thanks for your information.
-
Why?? And why would you send ALL ports to another firewall, when you already have a firewall that could send just the ports you want?
-
You are right, it is illogical. So I have moved off of that idea.
However, I am trying to figure out how OPT1 and OPT2 can reach the internet; right now I am stuck on that.
I have 2 NICs, en3 and en5, assigned from the Mac mini to OPT1 and OPT2; when I turn off the main NIC en0 on LAN, internet access is lost.
I'm trying out the firewall options for OPT1 and OPT2 in order for them to provide internet access.
Seems if I duplicate the LAN default rules it works, but I'm not sure if this is the correct method. Currently I'm connected via wifi from my workstation to the Mac mini wifi, which is sharing the internet connection through en3, which is connected to OPT1.
Of course the wifi connection is temporary. Just using it to test connections without having to get up off my bum and move wires around :D
-
Yeah, you need to have rules - there is nothing wrong with a default any/any if that is what you want to allow. You can be as open or as restrictive as you want. But you have to have something, or the default deny blocks everything.
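The two points made in this thread, that a port forward is what exposes the web server (the reply above about "a simple port forward") and that an interface with no rules passes nothing because of the implicit default deny (the reply just above), can be illustrated with a small first-match rule evaluator. This is an added example, not configuration from the thread or from pfSense itself; the interface names, the 203.0.113.5 WAN address, the 192.168.3.10 / 192.168.3.20 VM addresses and every rule below are constructed for illustration. It models pfSense's behaviour of evaluating rules on the interface where traffic enters, applying the port forward before the WAN rule set, and blocking anything no rule matches.

```python
"""Toy model of pfSense-style rule evaluation: first matching rule wins and
anything unmatched falls through to the implicit default deny.
All addresses, interface names and rules are constructed for this example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str                    # "pass" or "block"
    src: str = "0.0.0.0/0"         # source network, default any
    dst: str = "0.0.0.0/0"         # destination network, default any
    dport: Optional[int] = None    # None = any destination port
    proto: Optional[str] = None    # None = any protocol

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport)
                and (self.proto is None or self.proto == pkt.proto))


def evaluate(rules: list[Rule], pkt: Packet) -> str:
    """First match decides; no match at all is the default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "block"


# Constructed segment plan following the thread's suggestion: LAN, OPT1, OPT2 as DMZ.
LAN = "192.168.1.0/24"
OPT1 = "10.1.10.0/24"
DMZ = "192.168.3.0/24"
WEB_VM = "192.168.3.10"   # constructed: internet-facing web server VM in the DMZ
DB_VM = "192.168.3.20"    # constructed: backend VM that must not be reachable from the internet
WAN_IP = "203.0.113.5"    # constructed documentation address standing in for the public IP

# Rules live on the interface where the traffic ENTERS the firewall.
RULES = {
    "OPT1_fresh": [],                       # newly enabled interface, no rules: nothing gets out
    "OPT1": [Rule("pass", src=OPT1)],       # the "duplicate the LAN default rule" fix: allow any from the segment
    "DMZ": [
        Rule("block", src=DMZ, dst=LAN),    # DMZ hosts may not reach the LAN...
        Rule("block", src=DMZ, dst=OPT1),   # ...or the other internal segment
        Rule("pass", src=DMZ),              # everything else, i.e. the internet, is allowed
    ],
    "WAN": [
        # The filter rule that pairs with the port forward: destination is the
        # post-NAT internal address, because NAT is applied before filtering.
        Rule("pass", dst=WEB_VM, dport=443, proto="tcp"),
    ],
}


def port_forward(pkt: Packet) -> Packet:
    """The NAT half of the port forward: WAN_IP:443/tcp is rewritten to the web VM."""
    if pkt.dst == WAN_IP and pkt.dport == 443 and pkt.proto == "tcp":
        return Packet(pkt.src, WEB_VM, pkt.dport, pkt.proto)
    return pkt


def inbound_from_internet(pkt: Packet) -> str:
    """Inbound WAN traffic: port forward first, then the WAN rule set."""
    return evaluate(RULES["WAN"], port_forward(pkt))


if __name__ == "__main__":
    checks = [
        ("OPT1 with no rules, host to internet", evaluate(RULES["OPT1_fresh"], Packet("10.1.10.5", "198.51.100.9", 443))),
        ("OPT1 with allow-any rule, host to internet", evaluate(RULES["OPT1"], Packet("10.1.10.5", "198.51.100.9", 443))),
        ("web VM to LAN file share", evaluate(RULES["DMZ"], Packet(WEB_VM, "192.168.1.50", 445))),
        ("web VM to internet", evaluate(RULES["DMZ"], Packet(WEB_VM, "198.51.100.9", 80))),
        ("internet to WAN_IP:443 (forwarded)", inbound_from_internet(Packet("198.51.100.7", WAN_IP, 443))),
        ("internet to WAN_IP:22 (no forward)", inbound_from_internet(Packet("198.51.100.7", WAN_IP, 22))),
        ("internet to DB VM directly", inbound_from_internet(Packet("198.51.100.7", DB_VM, 3306))),
    ]
    for label, verdict in checks:
        print(f"{label:45s} -> {verdict}")
```

The web VM and the DB VM sit on the same DMZ segment, so their traffic to each other never crosses pfSense and no rule is needed for it; the DB VM stays unreachable from the internet simply because nothing forwards to it and the WAN rule only passes traffic to the web VM.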
-
Yep. Agreed. Something for me to experiment with now and create a proper DMZ.