Encrypted connection between Gateway and "double NAT" pfSense?
-
(first post - have never used pfSense before)
Hi,
My setup is like this:
ISP
|
|
|(wan)
Router#1 (192.168.1.1) - DHCP, wired and wifi
|(lan)
|
(passive coaxial extenders)
|
|(lan)
Router#2 (192.168.1.2) - wired and wifi (same SSID)
|(lan)
|
|
|(wan - static 192.168.1.200)
pfSense
|(lan - static 10.0.0.1)
|
|
|(lan - static 10.0.0.2)
IMPORTANT COMPUTERI want to insulate completely the "IMPORTANT COMPUTER" from all others on the network with pfSense. Yet, it has to be able to access the internet through Router#1.
Both Router#1 and Router#2 run DD-WRT v24-sp2 and under Services-->VPN have Server/Client sections for both PPTP and OpenVPN.I am new to all this. How can I setup pfSense such that all the traffic from the IMPORTANT COMPUTER to Router#1 is encrypted and inaccessible by anyone on the intermediary network. (I am not asking for detailed instructions, just to point me in the right direction and point out gotchas.)
Thanks!
-
A proper setup with segmentation would look like this
WAN / Internet : : DialUp-/PPPoE-/Cable-/whatever-Provider : .-----+-----. | Gateway | (or Router, CableModem, whatever) '-----+-----' | WAN | IP or Protocol | .-----+-----. LAN2 .-------------. | pfSense +----------------+ LAN2-Switch | '-----+-----' 192.168.1.0/24 '-------------' | LAN | 10.0.0.1/24 | .-----+------. | LAN-Switch | '------------'
-Rico
-
Thanks Rico, I knew this, but is does not help me. I do not want to really segment the network.
From the point of view of the network I want pfSense to be just another computer attached to it.
From the point of view of "IMPORTANT COMPUTER" I want pfSense to appear as a router connected to some "ISP" on the other side. This "ISP" should be my Router#1 (DD-WRT) and the traffic between pfSense and Router#1 should be somehow encrypted.
Am I wrong in assuming that pfSense can accomplish that? -
huh?? So you want your connection between pfsense and your ddwrt router to be encrypted? For what Possible reason would that make sense??
What exactly do you think that gets you?
Rico gave you the correct way to setup a network where you want to isolate something from something else. Take your dd-wrt and use it as just an AP for your wireless
-
Please note that Router#2 (192.168.1.2) acts only as an extender - it is still setup on the same net - 192.168.1.x/24
DHCP is turned off and there is nothing connected to its WAN port. -
johnpoz,
If some other computer on the 192.168.1.x/24 net is compromised, I don't want it snooping on the traffic between pfSense and Router#1.
Thanks! -
Dude makes NO sense... Why would you need another router in the mix? WTF is a passive coaxial extender? You have a MOCA network?
-
Yes, that what I meant - MOCA extenders between Router#1 and Router#2.
By passive I meant there is no configuration - just plug and play. -
Think of it as how pfSense is used with VPN Providers - it cuts out the middleman (in this case the ISP) from seeing the traffic.
I want to cut out the rest of my network from seeing the traffic between "IMPORTANT COMPUTER" and the internet.pfSense is pfSense
Router#1 is the VPN providerI will try to muddle through this one, but some help would be appreciated.
Thanks! -
Some client connected to one of your switch ports can't just sniff any network traffic.
That worked back in the old days with anything connected to hub.
But if you can sleep better...setup OpenVPN server on your DD-WRT gateway and setup pfSense as OpenVPN client forcing any traffic through it.
Of course this will have huge nagative performance impact tho.-Rico
-
@petreza said in Encrypted connection between Gateway and "double NAT" pfSense?:
I want to cut out the rest of my network from seeing the traffic between
Why do you think that traffic will be visible? With switches, the only thing you'd see is broadcasts & multicasts. To snoop, you'd need a managed switch, with port mirroring available.
-
If you set it up like rico stated the clients on the other network wouldn't even see broadcast..
-
Thank you all!
With my concern about the big things I ignored the small things - it's not so easy to snoop on a network with modern hardware. I'll see what I'll do.
Thanks again! -
Who exactly would be sniffing on your own freaking network anyway? I mean really?
And lets say they did - what exactly do you think they would see.. Pretty much all traffic these days is encrypted anyway.
-
@johnpoz said in Encrypted connection between Gateway and "double NAT" pfSense?:
Who exactly would be sniffing on your own freaking network anyway? I mean really?
And lets say they did - what exactly do you think they would see.. Pretty much all traffic these days is encrypted anyway.
You are right. I am sorry I asked.
I'll see if I can get a moderator to delete this thread - it's stupid. -
Segmentation is not stupid, but do it the right way. ;-)
-Rico