Netgate Discussion Forum

    pfsense disabling firewall for one specific ip

General pfSense Questions
    25 Posts 4 Posters 4.1k Views
• viragomann

      If you want to keep it behind pfSense why don't you want to go with NAT?
      If the machine should get a public IP and bypass the firewall, why don't you connect it to WAN?

      Do you have multiple public IPs or a public subnet?

• sbwcws

I am using VMware, and my concern is that if I set up a dedicated machine to go on the WAN, it's another piece of hardware I have to worry about; instead I'd just use VMware and set up the VM to bypass the firewall, as I don't like a firewall on VoIP: it will work fine one day and the next day there's some voice issue or some other crap.

• viragomann

          And your pfSense is also a VM or is it dedicated?

• sbwcws

pfSense is a dedicated machine, as I don't like a VM firewall; just my thing.

• KOM

              You're making life difficult for yourself with some of your choices. If you had pfSense virtualized, this would be simple.

              As far as I know, you can enable or disable pf entirely, but not selectively.

• viragomann

So you want to make an internal machine accessible from the internet, bypassing all firewall rules?
Consider that this is a potential security risk.

A bit more secure is to set up a VLAN between pfSense and ESXi and connect that VM exclusively to that VLAN. However, I don't know how to set this up in ESXi. I have already done it on Linux with KVM; that works fine.

• johnpoz LAYER 8 Global Moderator

                  @viragomann said in pfsense disabling firewall for one specific ip:

                  Do you have multiple public IPs or a public subnet?

You have not answered the most important question asked!! If you do not have more than 1 public IP, what you're asking is just not possible.

If you want to expose some box to the internet, then just use 1:1 NAT and there you go - done!

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 24.11

• KOM

                    At this point, we're not even clear on what problem he's really trying to solve. No big picture.

• johnpoz LAYER 8 Global Moderator

I doubt he even knows what he is trying to do - makes no sense.. and is utterly pointless in the big picture, unless some public netblock is routed to you, trying to expose box A to the public internet with a public IP.

Exposing any host in any situation to the public internet is a mistake anyway. At least if "routed" you could still firewall it behind pfSense, etc. With 1:1 NAT you can firewall it as well..

But unless he can explain the reasoning behind this - just put it on an RFC1918 address and port forward the traffic you need = DONE!

• sbwcws @johnpoz

                        @johnpoz I've a block of 50

• KOM

                          OK good. That's a start. Now what are you trying to accomplish that requires what you are describing?

• johnpoz LAYER 8 Global Moderator

You have a block of 50 IPs?? So part of a /26? Seems an ODD number to give someone... And with such an odd number it's not actually routed to you... So you're just attached.

If that is the case then the solution of a switch and putting the box in front of pfSense is your best solution.

                            I would just use the IPs you want out of your 50 as VIPs and do 1:1 NAT to boxes behind that you want all traffic to go to.

• sbwcws @johnpoz

@johnpoz I've multiple public IPs, I just need one local IP which I set up as ONE TO ONE NAT to bypass my firewall. I appreciate all your quick responses but it seems like it's a joke to some people. I am switching from a FortiGate 900D.

• KOM

                                It's not a joke but we can't figure out why you insist on doing it that way, and you refuse to explain what you're trying to do despite several requests.

• johnpoz LAYER 8 Global Moderator

                                  @sbwcws said in pfsense disabling firewall for one specific ip:

                                  ONE TO ONE NAT to bypass my firewall,

Then create an any/any firewall rule - it's that simple.. there will be nothing blocked.. Just NATed.

If you don't want it NATed at all - then connect the device in front of your pfSense and give it your public IP..

But I am with KOM here - you have not provided any info at all on why anyone would want/need to do such a thing. So to be honest it doesn't even pique my interest enough to think through how it could be possible, if at all.. You could always get support direct from Netgate/pfSense - with such a large deployment and moving away from FortiGate sounds like enterprise level shit, have to assume you have a support contract with Netgate ;)

                                  You might be able to do some hackery shit with a bridge, etc. But yeah it would be messy!

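As an added illustration (not part of the thread, and not rules generated by pfSense itself), this is what the two approaches johnpoz describes look like in pf syntax, the packet filter underneath pfSense: the 1:1 NAT plus any/any rule from his last reply, and the RFC1918 address plus port forward from his earlier one. The interface name em0, the addresses 203.0.113.10 and 10.0.0.50, and the SIP/RTP port numbers are assumptions chosen for the example.

```pf
# Added illustration, not from the thread and not pfSense's generated ruleset.
# Hypothetical values: WAN interface em0, public IP 203.0.113.10 taken from
# the /26 block, VoIP VM at 10.0.0.50 behind pfSense.
wan_if    = "em0"
public_ip = "203.0.113.10"
voip_vm   = "10.0.0.50"

# Option A: 1:1 NAT on a WAN VIP plus an any/any pass rule.
# pf applies binat before the filter rules are evaluated, so the pass rule
# matches the internal address. Nothing is blocked; packets are only
# translated. binat is bidirectional: the VM's outbound traffic leaves with
# 203.0.113.10 as its source as well.
binat on $wan_if from $voip_vm to any -> $public_ip
pass in quick on $wan_if inet from any to $voip_vm keep state

# Option B: RFC1918 address plus port forwards for the services the VoIP box
# actually needs (assumed here: SIP on 5060/udp, RTP on 10000-20000/udp).
# Anything not matching an rdr rule falls through to the default deny.
rdr on $wan_if inet proto udp from any to $public_ip port 5060 -> $voip_vm port 5060
rdr on $wan_if inet proto udp from any to $public_ip port 10000:20000 -> $voip_vm
pass in quick on $wan_if inet proto udp from any to $voip_vm port { 5060, 10000:20000 } keep state
```

Either way, verify on the firewall rather than from the GUI: `pfctl -sn` lists the NAT (binat/rdr) rules actually loaded, `pfctl -sr` the filter rules, and `pfctl -ss` the state table, so you can confirm that an inbound call creates state towards 10.0.0.50. With option A the only thing standing between the internet and the VM is pfSense's state tracking, which is what "bypass the firewall" amounts to; with option B the same public IP is used but only the forwarded ports are reachable.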
• sbwcws

                                    Thanks consider this resolved.

• KOM

                                      20 replies later and we still don't know what the original problem was, nor the solution used.

• sbwcws @KOM

                                        @KOM You might need to scroll up..

• sbwcws @johnpoz

                                          @johnpoz said in pfsense disabling firewall for one specific ip:


                                          Thanks

• sbwcws @viragomann

                                            @viragomann said in pfsense disabling firewall for one specific ip:


                                            Thanks

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.