Nateo segun hardware
-
Estimados.
Tengo instalados algunos Firewalls en mi organización usando computadores de escritorio, he detectado un problema con el Nateo que no puedo acceder a traves de la IP publica a la pagina del pfSense de algunas sucursales.
Esta la misma configuración que las otras sucursales, pero a pesar de so es imposible acceder a la pagina Web del servidor. He optado por reinstalar desde cero pero no funciona.
Se solucionó cuando cambie de equipo y con la misma configuración si puedo acceder.
Lo novedoso es que si Nateo a un servidor dentro de la sucursal usando cualquier puerto, este si funciona, pero no funciona si lo redirecciono a la IP interna del servidor.
Pienso que es alguna incompatibilidad de la tarjeta de red o del mainboard del equipo utilizado. Si pueden darme aportes sobre este tema les agradezco, ya que no tengo mas equipos disponibles para usar y es indispensable hacer uso de estos equipos. Gracias
-
Hola
No aconsejan que sea accesible desde Inet, ya sea en la WAN o mediante NAT (rediririgiendo desde la WAN a la LAN) la administración de pfSense (http, https, ssh).
Para administrar en remoto pfSense, se aconseja usar VPN (IPsec, openVPN)
https://doc.pfsense.org/index.php/Remote_firewall_Administration
Several ways exist to remotely administer a pfSense firewall that come with varying levels of recommendation. They all work, but their use may vary for any number of reasons (Client restrictions, corporate policies, etc.)
Use a VPNThe safest way to accomplish the task is to setup a VPN that will allow access to the pfSense firewall and the network it protects. There are several VPN options available in pfSense, such as OpenVPN or IPsec. SSH tunneling to the GUI is also possible. Once a VPN is in place, the GUI may be reached safely by using a local address such as the LAN IP address. The exact details will vary depending on the VPN configuration.
Restricted Firewall AccessIf the WebGUI port must be to the Internet, restrict it by IP address/range as much as possible. Ideally, if there is a static IP address at the location to manage from, allow traffic from that IP or subnet and nowhere else. Aliases are good to use, and they may include fully qualified domain names as well. If the remote management clients have a dynamic DNS address, add it to a management alias.
Use HTTPSHTTPS should always be used to encrypt access to the WebGUI port. Modern browsers may complain about the certificate, but an exception can usually be stored so it will only complain the first time. To use HTTPS then it will be necessary to enable it under System > Advanced, Admin Access tab, using the Protocol option in the webConfigurator section.
Salu2