    PFSense & DMZ

    Category: Problems Installing or Upgrading pfSense Software
    13 Posts, 5 Posters, 3.5k Views
    • Derelict (LAYER 8, Netgate)

      Why a /8 on W/L?  I'd use something random like 172.29.240.0/24
      Why a /16 on DMZ?  I'd use something random like 172.29.241.0/24
      Why a /32 on LAN?  That's a nonsensical netmask.  Something like 172.29.242.0/24 ?

      Note that you can then refer to the entire site using 172.29.240.0/22

      Your rules look like a reasonable place to start.  Also block access to This Firewall on your restricted networks.

      Add some port forwards to Email and VPN and probably set a gateway to your VPN server and a static route to your tunnel and client IP addresses.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      • hyperdallas

        Why a /8 on W/L?  I'd use something random like 172.29.240.0/24
        Why a /16 on DMZ?  I'd use something random like 172.29.241.0/24
        Why a /32 on LAN?  That's a nonsensical netmask.  Something like 172.29.242.0/24 ?

        I wanted the WLAN, DMZ and LAN to have separate networks so I could identify the traffic easier. The WL has a /24, the DMZ has a /24 and the LAN has a /24.

        block access to This Firewall on your restricted networks.

        Thanks, that's been done.

        Add some port forwards to Email and VPN

        thanks, done.

        set a gateway to your VPN server and a static route to your tunnel and client IP addresses.

        How?

        • doktornotor (Banned)

          @hyperdallas:

          Why a /8 on W/L?  I'd use something random like 172.29.240.0/24
          Why a /16 on DMZ?  I'd use something random like 172.29.241.0/24
          Why a /32 on LAN?  That's a nonsensical netmask.  Something like 172.29.242.0/24 ?

          I wanted the WLAN, DMZ and LAN to have separate networks so I could identify the traffic easier. The WL has a /24, the DMZ has a /16 and the LAN has a /24.

          Uuuuuuuuuh… Networking 101 desperately needed?!  :o

          • hyperdallas

            Uuuuuuuuuh… Networking 101 desperately needed?!  :o

            Thanks for the help!  The original diagram I screwed up with typos…  'twas late!

            • Derelict (LAYER 8, Netgate)

              On pfSense in System > Routing > Gateways Tab you create a gateway, give it a name (VPN_SERVER) and the IP address 172.16.0.8.  Then on the Routes tab you create routes for all the networks pfSense doesn't know about (tunnel networks, Client networks, remote networks) with that gateway set.

              Why a /16 on DMZ?  Are you going to have more than 252 IP addresses on it?

              The bigger (and more common) your private subnets the more likely you will have collisions when you try to VPN.

              Your LAN is 192.168.1.0/24.  You're at a coffee shop trying to VPN in.  Their LAN is also 192.168.1.0/24. Your network is now broken through nobody's fault but your own.

              • hyperdallas
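Derelict's two points above, that the three /24s summarise to 172.29.240.0/22 and that a VPN client behind a coffee-shop 192.168.1.0/24 collides with an identically numbered home LAN, can both be checked with the Python standard library. The script below is an added example, not code from the thread or from pfSense: the site subnets are the ones Derelict suggests, the /8 and /16 "before" addresses are hypothetical (the thread gives only the masks), and the remote networks are constructed.

```python
import ipaddress

# Constructed values taken from Derelict's suggestion: one /24 per internal
# network, all drawn from the same /22 so the whole site can be summarised.
SITE_SUBNETS = {
    "WL":  ipaddress.ip_network("172.29.240.0/24"),
    "DMZ": ipaddress.ip_network("172.29.241.0/24"),
    "LAN": ipaddress.ip_network("172.29.242.0/24"),
}
SITE_SUMMARY = ipaddress.ip_network("172.29.240.0/22")

# Hypothetical "before" addressing with the wide masks the thread complains
# about. The thread only gives the prefix lengths; these addresses are made up.
WIDE_SUBNETS = {
    "WL":  ipaddress.ip_network("10.0.0.0/8"),
    "DMZ": ipaddress.ip_network("192.168.0.0/16"),
    "LAN": ipaddress.ip_network("172.16.1.0/24"),
}

# Constructed remote networks a VPN client might sit behind. 192.168.1.0/24 is
# the coffee-shop example from the thread; the others are common defaults.
REMOTE_NETWORKS = [
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("192.168.0.0/24"),
    ipaddress.ip_network("10.0.0.0/24"),
]


def smallest_summary(nets):
    """Shortest single prefix that contains every network in nets."""
    first = nets[0]
    for plen in range(first.prefixlen, -1, -1):
        candidate = first.supernet(new_prefix=plen)
        if all(n.subnet_of(candidate) for n in nets):
            return candidate


def unused_in_summary(nets, summary):
    """Blocks inside summary that none of nets occupy (room to grow)."""
    free = [summary]
    for n in nets:
        remaining = []
        for piece in free:
            if n.subnet_of(piece):
                # address_exclude yields the parts of piece not covered by n
                remaining.extend(piece.address_exclude(n))
            elif not piece.subnet_of(n):
                remaining.append(piece)
        free = remaining
    return sorted(free)


def vpn_collisions(site, remotes):
    """(site network name, remote network) pairs whose ranges overlap.
    A client on such a remote network routes that site subnet locally, so
    the tunnel can never reach it: Derelict's coffee-shop failure mode."""
    return [(name, remote)
            for name, net in site.items()
            for remote in remotes
            if net.overlaps(remote)]


if __name__ == "__main__":
    nets = list(SITE_SUBNETS.values())
    print("site summary:", smallest_summary(nets))
    print("unused inside summary:", unused_in_summary(nets, SITE_SUMMARY))
    print("collisions, random /24s:", vpn_collisions(SITE_SUBNETS, REMOTE_NETWORKS))
    print("collisions, wide masks:", vpn_collisions(WIDE_SUBNETS, REMOTE_NETWORKS))
```

With the suggested addressing the summary comes out as 172.29.240.0/22, 172.29.243.0/24 is left free for a fourth segment, and none of the remote networks overlap anything. The wide-mask version overlaps three of them, which is the point Derelict is making: the larger and more common the private range, the more remote sites a road-warrior client will be unable to reach.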

                @Derelict:

                On pfSense in System > Routing > Gateways Tab you create a gateway, give it a name (VPN_SERVER) and the IP address 172.16.0.8.  Then on the Routes tab you create routes for all the networks pfSense doesn't know about (tunnel networks, Client networks, remote networks) with that gateway set.

                Cheers buddy, I'll give that a shot.

                @Derelict:

                The bigger (and more common) your private subnets the more likely you will have collisions when you try to VPN. Your LAN is 192.168.1.0/24.  You're at a coffee shop trying to VPN in.  Their LAN is also 192.168.1.0/24. Your network is now broken through nobody's fault but your own.

                Good point…  But I will never VPN in from a network using the same private subnets. My phone carrier uses a different range, as does my work, as does my wife's work, which are the majority of where I would need to access it and is subsequently why I chose to use the private ranges I did. Yes, it is a valid point, I accept that and can see the difficulty if it happened. Cheers

                • Derelict (LAYER 8, Netgate)

                  Oh well.  I tried.

                  • hyperdallas

                    @Derelict:

                    Oh well.  I tried.

                    And I appreciate you doing so… Genuine advice vs asshattery is hard to find nowadays!

                    • KOM

                      Sometimes the real trick is getting people to take the good advice you are giving them.

                      • johnpoz (LAYER 8, Global Moderator)

                        Derelict, where are you seeing these /8, /16 and /32 masks?  I don't see that anywhere in the OP pics or comments.

                        What jumped out at me was his deny rules on WL saying cannot go to DMZ and LAN, but source is WAN net?

                        And not actually seeing the icon for the rule, just his comments, so who knows if they are allow or block or reject.  And those rules are all pointless, putting a source of WAN net on the WL interface.

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                        • Derelict (LAYER 8, Netgate)

                          @johnpoz:

                          Derelict, where are you seeing these /8, /16 and /32 masks?  I don't see that anywhere in the OP pics or comments.

                          What jumped out at me was his deny rules on WL saying cannot go to DMZ and LAN, but source is WAN net?

                          And not actually seeing the icon for the rule, just his comments, so who knows if they are allow or block or reject.  And those rules are all pointless, putting a source of WAN net on the WL interface.

                          It was in the original image which has now been updated.  I'm sure there are plenty of things to change.  I deal with these starting at the bottom.  Until people understand this https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting it's all pretty pointless.

                          • hyperdallas
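johnpoz's point about block rules whose source is "WAN net" sitting on the WL tab, and Derelict's earlier advice to block access to This Firewall from the restricted networks, both come down to how pfSense evaluates interface rules: a tab applies to traffic entering that interface, rules are read top to bottom, the first match wins, and anything unmatched hits the implicit default deny. The model below is an added example, not code from the thread or from pfSense. The interface addresses, the wireless client address, and the pass-any rule assumed to sit under the posted block rules are all constructed (the thread does not show the real rule set).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing for the four interfaces; not the poster's real config.
NETS = {
    "WAN net": ipaddress.ip_network("203.0.113.0/24"),
    "WL net":  ipaddress.ip_network("172.29.240.0/24"),
    "DMZ net": ipaddress.ip_network("172.29.241.0/24"),
    "LAN net": ipaddress.ip_network("172.29.242.0/24"),
}
# pfSense's "This Firewall" alias: every address the firewall itself holds.
THIS_FIREWALL = {ipaddress.ip_address(a) for a in
                 ("203.0.113.2", "172.29.240.1", "172.29.241.1", "172.29.242.1")}


@dataclass
class Rule:
    action: str                     # "pass", "block" or "reject"
    src: str                        # "any", an interface net name, or "This Firewall"
    dst: str
    dst_port: Optional[int] = None  # None means any port
    note: str = ""


def _addr_matches(selector, addr):
    if selector == "any":
        return True
    if selector == "This Firewall":
        return addr in THIS_FIREWALL
    return addr in NETS[selector]


def evaluate(rules, src_ip, dst_ip, dst_port=None):
    """Rules on an interface tab apply to traffic entering that interface and
    are evaluated top-down, first match wins. With no match, pfSense's implicit
    default deny blocks the packet."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (_addr_matches(r.src, s) and _addr_matches(r.dst, d)
                and (r.dst_port is None or r.dst_port == dst_port)):
            return r.action, r.note
    return "block", "implicit default deny"


WL_HOST = "172.29.240.50"   # constructed wireless client

# The WL tab as johnpoz read it: block rules with source "WAN net". A pass-any
# rule underneath is assumed here; the thread does not show it.
WL_RULES_AS_POSTED = [
    Rule("block", "WAN net", "DMZ net", note="source never matches on WL"),
    Rule("block", "WAN net", "LAN net", note="source never matches on WL"),
    Rule("pass", "any", "any", note="allow WL out"),
]

# Corrected WL tab: source is the WL network itself, the firewall's own
# addresses are blocked except for DNS, and only then is the rest allowed out.
WL_RULES_FIXED = [
    Rule("pass", "WL net", "This Firewall", dst_port=53, note="DNS to firewall"),
    Rule("block", "WL net", "This Firewall", note="no GUI/SSH from WL"),
    Rule("block", "WL net", "DMZ net"),
    Rule("block", "WL net", "LAN net"),
    Rule("pass", "WL net", "any", note="allow WL out"),
]


def wl_host_allowed(rules, dst_ip, dst_port=None):
    """True when a packet from the wireless client to dst is passed."""
    return evaluate(rules, WL_HOST, dst_ip, dst_port)[0] == "pass"


if __name__ == "__main__":
    for name, rules in (("as posted", WL_RULES_AS_POSTED), ("fixed", WL_RULES_FIXED)):
        print(name, "-> LAN host:", wl_host_allowed(rules, "172.29.242.10"))
        print(name, "-> firewall GUI:", wl_host_allowed(rules, "172.29.240.1", 443))
        print(name, "-> firewall DNS:", wl_host_allowed(rules, "172.29.240.1", 53))
```

Run it and the "as posted" set passes the wireless client straight through to the LAN host and to the firewall's web GUI, because no packet arriving on WL ever carries a WAN-net source, so the block rules are dead weight and the pass-any rule decides everything. The corrected set blocks both while still answering DNS. On a real box pfSense adds its own hidden pass rules for DHCP on any interface where its DHCP server is enabled, so the This Firewall block does not break address assignment, but DNS to the firewall does need the explicit pass rule above the block as shown.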

                            @johnpoz:

                            Derelict, where are you seeing these /8, /16 and /32 masks?  I don't see that anywhere in the OP pics or comments.

                            I updated them when I realized I made the typo.

                            @johnpoz:

                            What jumped out at me was his deny rules on WL saying cannot go to DMZ and LAN, but source is WAN net?

                            Yep, I saw that too and fixed that myself. Facepalm.

                            @johnpoz:

                            And not actually seeing the icon for the rule, just his comments, so who knows if they are allow or block or reject.  And those rules are all pointless, putting a source of WAN net on the WL interface.

                            Agreed.

                            But in the end it's working how I need it, so all is well in the world!

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.