VLAN Questions
-
"I've enabled DHCP on each VLANS however didn't specify the dns on the dhcp"
How exactly would thy find anything then?? They just going to broadcast for names? Might work for something like smb on the local layer 2. But how are they getting to anything on the internet? Are you handing them a proxy via auto discovery (wpad)?
if you handed them external dns, how would they find your local servers it seems your running?
You kind of need dns.. So you have local servers but no local dns?? Pfsense can be your local dns.. Once you enable dhcp on pfsense it would default to handing out its IP on that interface dhcp is running as dns to all dhcp clients. If you need to resolve some fqdn locally just put in a host override.
-
"I've enabled DHCP on each VLANS however didn't specify the dns on the dhcp"
How exactly would thy find anything then?? They just going to broadcast for names? Might work for something like smb on the local layer 2. But how are they getting to anything on the internet? Are you handing them a proxy via auto discovery (wpad)?
if you handed them external dns, how would they find your local servers it seems your running?
You kind of need dns.. So you have local servers but no local dns?? Pfsense can be your local dns.. Once you enable dhcp on pfsense it would default to handing out its IP on that interface dhcp is running as dns to all dhcp clients. If you need to resolve some fqdn locally just put in a host override.
Thank you John,
Yes I've enable the dhcp and left it as default so of sense is providing them gateway and dns as it self on each VLANS. I believe its fine now .
So specify dns or leave it to pfsense to decide is gonna be the same.
About the mobile users , how can we force the openvpn to send the whole traffic over the WAN ?
When we are in China want our users to user internet using our VPN to the office in Holland. Is this even possible with openvpn or we have to create a L2tp tunnel ? -
GFW will probably block whatever you try to do. Probably want to take that up with the Chinese government.
-
GFW will probably block whatever you try to do. Probably want to take that up with the Chinese government.
Last month my colleagues were in China, and everything works fine with the Cisco ASA firewall,
Cisco force the whole traffic over the VPN.
I don't know if this even possible with the openvpn .
I've seen the options on openvpn to send all traffic over the tunnel but don't know if it does it really.
So when I am connected with the VPN to the office, i get the office public ip and not the local. -
Yes, it does it.
Redirect Gateway
Force all client generated traffic through the tunnel.Then re-export your client config.
Cisco ASAs are IPsec, not OpenVPN. Not sure why you're making that comparison. If IPsec was working for you on the ASA, why not use IPsec on pfSense?
-
Yes, it does it.
Redirect Gateway
Force all client generated traffic through the tunnel.Then re-export your client config.
Cisco ASAs are IPsec, not OpenVPN. Not sure why you're making that comparison. If IPsec was working for you on the ASA, why not use IPsec on pfSense?
Thank you, had reconfigured the OPENVPN to send all traffic over the tunnel and everything is working now.
Much appreciate it .The management believes the openvpn is using ssl which makes it secure to use than the IPsec.
Right now I need to restrict the access between one VLAN and the rest of the VLANS.
Is creating a group of interfaces and apply the firewall rules between those two group would be the easy way of managing the stuff ? -
while ipsec has its own issues, not sure I would consider it less secure than openvpn. I am a bit surprised that ipsec works through the 防火长城 (The Great Firewall of China) let me know if the Chinese comes through ;)
It is much easier to spot and stop ipsec traffic then openvpn that can run on any port. If your doing a deep packet inspection you would know its not normal ssl traffic.. But like I said its much easier to block ipsec so it funny that is not blocked..
Blocking traffic between vlans on pfsense is quite simple. I would assume all your vlans are rfc1918 so just make an alias that contains those networks and use a not rule so only if traffic is NOT rfc1918 is it allowed. Of course putting the stuff you want to allow above that rule.
-
while ipsec has its own issues, not sure I would consider it less secure than openvpn. I am a bit surprised that ipsec works through the 防火长城 (The Great Firewall of China) let me know if the Chinese comes through ;)
It is much easier to spot and stop ipsec traffic then openvpn that can run on any port. If your doing a deep packet inspection you would know its not normal ssl traffic.. But like I said its much easier to block ipsec so it funny that is not blocked..
Blocking traffic between vlans on pfsense is quite simple. I would assume all your vlans are rfc1918 so just make an alias that contains those networks and use a not rule so only if traffic is NOT rfc1918 is it allowed. Of course putting the stuff you want to allow above that rule.
The IPsec has always worked from China to Europe. Last month too
I don't know about IPsec to USA or there are some other policies than the one to Europe.
The VLANS are rfc1918 24 bit-block .I will create the rules and report back.
A big thank you sir for your continu support -
if you have questions post up your rules and we can go over them.
-
if you have questions post up your rules and we can go over them.
Thank you so much John,
Our first Pfsense Firewall Hardware is up and running.
