Netgate Discussion Forum
    General Setup Questions

    Problems Installing or Upgrading pfSense Software
AudiAddict

Hello, we have been using a paid firewall solution for several years and as of last week we decided to try the firewalling ourselves.

Since the "out of the box" firewall solutions are pretty expensive, I wanted to find an open-source solution with the same functionality.

After reading several forums and testing various firewalls, pfSense had the most features and was the easiest to use.

Since I don't have a lot of Linux experience, I'm very happy with the web interface.

Anyway, the reason why I'm posting here is that I obviously need to "migrate" our current firewall and its settings to the pfSense.

The old firewall was a GNAT box (anybody know these devices?) and it has the following features and settings which I need to put in the pfSense as well:

Alias settings: these settings can be found in pfSense, but which type do I select to get the same functionality as the above screenshot? Do I need to use separate hosts? Because I wouldn't want to include all network addresses, just one of them in a certain rule.

On our current firewall these are "inbound NAT tunnels". I found the NAT settings on the pfSense, but I do not know which tab to use and how to get the above functionality (see screenshot above). Also you can see the IP103, IP101 aliases being used here. Can I do this with the pfSense?

Do I need a virtual IP?

We block all SMTP (port 25) access for all our clients in the LAN except the Exchange/mail servers. I assume this can be set up under Firewall Rules on the pfSense? Since it has three tabs, do I need to set the rules for each network interface separately?

Last but not least, I can find the interface settings on the websense. But can somebody tell me if the IP setting 10.10.1.1/8 is the right setting for a network with hosts in the 10.10.1.1 range AND the 10.0.0.1 - 10.0.1.150 range?

Also, there is an option to bridge the network with the DMZ. Do I need to do this? Or is it sufficient to create a rule to allow all traffic from LAN -> DMZ?

AudiAddict

Another quick question.

Does the firewall block all connections for all interfaces if there is no pass rule set up?

In other words, do I need to create a pass rule for each port?

For example, I would like to permit our Exchange server to send and receive on port 25. To do this I created:

TCP Source IP (LAN IP) port 25, destination any port 25, gateway *

I added this rule for each interface (DMZ + LAN and WAN).

Is there no general firewall rule option? Or do I need to add each rule for each interface (copy the rule to all the interfaces)?

Sh4

I think you should look at the paid support from http://www.pfsense.com/needsupport, because imho if you don't know what NATing is you should not bother with pfSense in a production environment, even more so when it's your workplace. I would suggest you read the whole documentation combined with Wikipedia so you can feel more familiar with general networking, basic firewall operation and especially CIDR notation, as this is networking 101 stuff.

Also, pfSense is NOT Linux ffs.

pfSense 1.2
24x [DELL PowerEdge 1950 III]
-2x Quad Core Intel Xeon E5420 2.5GHz
-8GB FB 667MHz Memory (4x2GB) Memory RAID 2x4GB
-PERC 6/i RAID Controller
-Intel® PRO 1000PT Dual Port PCIe x4

AudiAddict

I will read the necessary info regarding subnetting, that's not a real issue.

Although I find it kind of disappointing that your reply is so negative, there are plenty of beginners asking questions here and they get a reply.

I've taken the time to take screenshots of our current setup (which I understand); all I'm asking is how to use the pfSense and its menu functions to get the same functionality as on the screenshots.

GruensFroeschli

@AudiAddict:

Alias settings: these settings can be found in pfSense, but which type do I select to get the same functionality as the above screenshot? Do I need to use separate hosts? Because I wouldn't want to include all network addresses, just one of them in a certain rule.

Just look at the alias config page and play around with it.
It's self-explanatory.
A single IP can be displayed as x.x.x.x/32

@AudiAddict:

On our current firewall these are "inbound NAT tunnels". I found the NAT settings on the pfSense, but I do not know which tab to use and how to get the above functionality (see screenshot above). Also you can see the IP103, IP101 aliases being used here. Can I do this with the pfSense?

Do I need a virtual IP?

From what I see: yes, you need VIPs, since you use multiple different public IPs on the WAN.
The NAT rules go on the interface on which you want traffic NATed.

@AudiAddict:

We block all SMTP (port 25) access for all our clients in the LAN except the Exchange/mail servers. I assume this can be set up under Firewall Rules on the pfSense? Since it has three tabs, do I need to set the rules for each network interface separately?

http://forum.pfsense.org/index.php/topic,7001.0.html

@AudiAddict:

Last but not least, I can find the interface settings on the websense. But can somebody tell me if the IP setting 10.10.1.1/8 is the right setting for a network with hosts in the 10.10.1.1 range AND the 10.0.0.1 - 10.0.1.150 range?

You should familiarize yourself with CIDR notation.
A 10.0.0.0/8 subnet is everything from 10.0.0.0 to 10.255.255.255

I suppose you only want the ranges
10.0.0.1 - 10.0.0.255
10.10.1.1 - 10.10.1.255

These are displayed as
10.0.0.0/24
10.10.1.0/24

So I assume you want more than one subnet on one interface.
This is currently not doable via the GUI.
But CMB wrote a nice PDF on how to add (kind of unsupported) alias-type VIPs.
http://doc.pfsense.org/multiple-subnets-one-interface-pfsense.pdf

@AudiAddict:

Also, there is an option to bridge the network with the DMZ. Do I need to do this? Or is it sufficient to create a rule to allow all traffic from LAN -> DMZ?

What exactly do you mean by that?
Which network with what DMZ?

We do what we must, because we can.

Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

Sh4
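The CIDR arithmetic behind the answer above, as an added example (Python, not code from the thread or from pfSense): it works out the range an a.b.c.d/len interface setting actually covers and the smallest single block that contains a given host range, with the mask maths written out by hand. It goes one step beyond the answer: the 10.0.0.1 - 10.0.1.150 range from the question crosses a /24 boundary, so the smallest single block covering all of it is a /23.

```python
# Added example: CIDR arithmetic done by hand, so the mask/prefix maths behind
# the "10.10.1.1/8" question is visible. Not pfSense code.

def ip_to_int(ip: str) -> int:
    """Dotted quad -> 32-bit integer, rejecting malformed input."""
    parts = ip.split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address: {ip!r}")
    a, b, c, d = (int(p) for p in parts)
    return (a << 24) | (b << 16) | (c << 8) | d


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_mask(length: int) -> int:
    """Netmask for a prefix length, e.g. 24 -> 0xFFFFFF00."""
    if not 0 <= length <= 32:
        raise ValueError(f"prefix length out of range: {length}")
    return (0xFFFFFFFF << (32 - length)) & 0xFFFFFFFF


def cidr_bounds(cidr: str) -> tuple:
    """(network, broadcast) for an 'a.b.c.d/len' setting. Host bits of the
    entered address are ignored, which is why 10.10.1.1/8 means 10.0.0.0/8."""
    addr, length = cidr.split("/")
    mask = prefix_mask(int(length))
    net = ip_to_int(addr) & mask
    return int_to_ip(net), int_to_ip(net | (~mask & 0xFFFFFFFF))


def cidr_size(cidr: str) -> int:
    """Number of addresses in the block (network and broadcast included)."""
    return 1 << (32 - int(cidr.split("/")[1]))


def cidr_contains(cidr: str, ip: str) -> bool:
    lo, hi = cidr_bounds(cidr)
    return ip_to_int(lo) <= ip_to_int(ip) <= ip_to_int(hi)


def smallest_covering_block(first: str, last: str) -> str:
    """Smallest single CIDR block containing every address in [first, last]:
    the longest prefix on which both ends of the range agree."""
    lo, hi = ip_to_int(first), ip_to_int(last)
    if lo > hi:
        raise ValueError("range ends reversed")
    for length in range(32, -1, -1):
        mask = prefix_mask(length)
        if (lo & mask) == (hi & mask):
            return f"{int_to_ip(lo & mask)}/{length}"
    raise AssertionError("unreachable: /0 matches every address")


if __name__ == "__main__":
    # The ranges from the question, and the setting the poster proposed.
    wanted = [("10.10.1.1", "10.10.1.255"), ("10.0.0.1", "10.0.1.150")]
    proposed = "10.10.1.1/8"
    print(proposed, "covers", "-".join(cidr_bounds(proposed)),
          f"({cidr_size(proposed):,} addresses)")
    for first, last in wanted:
        print(f"{first} - {last}: smallest block {smallest_covering_block(first, last)}")
```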

@AudiAddict:

I will read the necessary info regarding subnetting, that's not a real issue.

Although I find it kind of disappointing that your reply is so negative, there are plenty of beginners asking questions here and they get a reply.

I've taken the time to take screenshots of our current setup (which I understand); all I'm asking is how to use the pfSense and its menu functions to get the same functionality as on the screenshots.

I'm not being negative, I am just telling you that before trying to do advanced routing in a company environment you should first get information and experience with pf and networking in general. I don't mind helping people with networking in general, but I will not just guide you from A to Z for a production setup that is supposed to be extremely stable and versatile if you don't know yourself what you are doing, because just ask yourself what you will do if it's not working or if it needs maintenance.

Helping people with home projects is not in the same bag as helping people set up company networks and, as stated many times here, with the pf documentation, pfSense wiki, m0n0wall documentation and Wikipedia you should be able to do everything by yourself and actually understand what you are doing.

AudiAddict

I've got everything up and running: DMZ, LAN and WAN.

I've also set up a transparent proxy (awesome stuff! I love the log feature).

The only thing which I haven't got working is:

I have 20 IPs from my provider, 146-166. I've set the firewall to 146 and NAT is working fine for the clients. When checking their external IP they all get .146.

The previous firewall had the option to create NAT tunnels to different internal machines in both the LAN and the DMZ zone.

This feature could be set up in the aliases screen on the old firewall. The alias feature on this firewall is somewhat different.

Am I going in the right direction when I add the 20 external IPs as separate virtual IP -> hosts? And then create the specific NAT rules/mappings for these IPs?

Sh4

I believe you can't do this using an aliased pool but have to do 1:1 NAT with CARP VIPs for each of the hosts; be sure to check the corresponding rules that are added by the NAT.

AudiAddict

Good news: proxy ARP, a virtual IP and a simple NAT rule, and it works like a charm!!

I do have to point out that all my firewall rules are set to allow all traffic from and between each interface.

(This is still in a lab!!) I'm not sure if the above settings will still work if I disallow certain traffic.

Obviously now I have to start slowly closing and locking down the firewall as much as possible.

What's the best method? A block-all rule, and above that create the allow rules for specific ports and protocols only?

Also I'm missing the ability to set a LOCAL DNS server and an external DNS (I have them separate for security/maintenance reasons).

General setup gives me the option to add two. The option below that is only for DHCP WAN; I have a static WAN.

GruensFroeschli

There are 2 solutions to what you want:

You create VIPs and 1:1 NAT each VIP to a server.
Outbound traffic from the 1:1 NATed server will now appear as if from the VIP.
The downside is you cannot use this VIP for something else.

The second solution, and in my opinion the better one, is:
You create normal NAT forwardings from the VIPs to your servers.
After that, enable advanced outbound NAT and you can specify which source should be NATed to what IP.
Like this you can define that servers x, y and z should appear from VIP a and all the rest from VIP b.

You might be interested in reading http://forum.pfsense.org/index.php/topic,7001.0.html about how firewall rules work.

AudiAddict

@GruensFroeschli:

There are 2 solutions to what you want:

You create VIPs and 1:1 NAT each VIP to a server.
Outbound traffic from the 1:1 NATed server will now appear as if from the VIP.
The downside is you cannot use this VIP for something else.

The second solution, and in my opinion the better one, is:
You create normal NAT forwardings from the VIPs to your servers.
After that, enable advanced outbound NAT and you can specify which source should be NATed to what IP.
Like this you can define that servers x, y and z should appear from VIP a and all the rest from VIP b.

I assume you didn't read my post before replying with this info :)

To be safe, what I did now is the following:

Create a virtual IP: 80.x.x.10 (WAN / Single address and Proxy ARP)

Go to NAT and create an ordinary Port Forward from external address (the virtual IP I created above) to the NAT/internal IP.

This works perfectly for two clients which are in the lab with the 3389 port (remote desktop).

Is the above procedure ok? Or would you advise using advanced NAT instead of auto? I assume advanced NAT requires a lot more maintenance?

Or is it more of a security risk to have auto NAT on?

GruensFroeschli

Yes, I just wrote while you posted.

What you did works.
But like this, traffic originating FROM the server will still appear as if from your main WAN.

Advanced outbound NAT is not more or less secure than autogenerated NAT.
It just gives you the possibility to create your own rules.

Sh4

NAT has nothing to do with your network security because the NATed routes are firewalled anyway; only your rules matter. (Could be a good catchphrase for pfSense.)

AudiAddict

@GruensFroeschli:

Yes, I just wrote while you posted.

What you did works.
But like this, traffic originating FROM the server will still appear as if from your main WAN.

Our current firewall solution does the same. I've not had any issues with that really, but certain software did have to connect to our gateway/FW IP and not the specific server to communicate properly (our Zabbix server monitoring package, for example).

Is it possible to have the server not appear to be communicating from the WAN IP but from its own IP? Just for several servers (like our mail?). I would assume it to be better to have our mail server communicate with the outside using its own IP and not the gateway IP.

Would I have to turn on advanced NAT just for these two servers? Others don't really matter.

Sh4

I'm just guessing here as I never needed this before, but I think you can achieve this by tweaking the outbound NAT and the corresponding rules. If not, then another interface is the lazy way.

AudiAddict

@AudiAddict:

Also I'm missing the ability to set a LOCAL DNS server and an external DNS (I have them separate for security/maintenance reasons).

General setup gives me the option to add two. The option below that is only for DHCP WAN; I have a static WAN.

Anybody know if this is possible? Set a different external DNS server for the WAN when a static IP is selected?
See the above quote.

Obviously now I have to start slowly closing and locking down the firewall as much as possible.

What's the best method? A block-all rule, and above that create the allow rules for specific ports and protocols only?

Anybody have any suggestions on the above question?

GruensFroeschli

@AudiAddict:

@AudiAddict:

Also I'm missing the ability to set a LOCAL DNS server and an external DNS (I have them separate for security/maintenance reasons).

General setup gives me the option to add two. The option below that is only for DHCP WAN; I have a static WAN.

Anybody know if this is possible? Set a different external DNS server for the WAN when a static IP is selected?
See the above quote.

I don't really understand what you mean by setting a different DNS server for the WAN when a static IP is selected.
You mean you want to set the DNS server manually when you set a static IP on the WAN?

The option on the general setup page is exactly that.
Static DNS entries for a static WAN IP.

The checkbox below only allows these static entries to be overridden IF your WAN is dynamic.

Obviously now I have to start slowly closing and locking down the firewall as much as possible.

What's the best method? A block-all rule, and above that create the allow rules for specific ports and protocols only?

Anybody have any suggestions on the above question?

http://forum.pfsense.org/index.php/topic,7001.0.html
Read the rules part.

AudiAddict
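The rule-ordering question asked twice above (a block-all rule with the specific allow rules above it) comes down to how pfSense evaluates the rules on an interface tab: top down, first match wins, and a packet that matches nothing is dropped by the implicit default deny. What follows is an added Python model of that evaluation (not pfSense code and not from the thread), applied to the SMTP restriction from the first post; the LAN subnet and mail server address are assumptions. It matches on destination port only, since a client connecting to port 25 uses an ephemeral source port, so a rule keyed on source port 25 would never see that traffic.

```python
# Added example: a toy model of pfSense per-interface rule evaluation
# (top down, first match wins, implicit deny). Not pfSense code.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str             # "pass" or "block"
    proto: str              # "tcp", "udp" or "any"
    src: str                # CIDR or "any"
    dst: str                # CIDR or "any"
    dport: Optional[int]    # destination port, None = any port
    description: str = ""


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def _in_net(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("any", pkt.proto)
            and _in_net(rule.src, pkt.src)
            and _in_net(rule.dst, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule decides; no match at all means the implicit deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.description
    return "block", "implicit default deny (no rule matched)"


# Constructed LAN tab for the thread's scenario. Addresses are assumptions.
LAN_NET = "10.0.0.0/24"
MAIL_SERVER = "10.0.0.25"      # assumed Exchange server address
LAN_RULES = [
    Rule("pass", "tcp", MAIL_SERVER + "/32", "any", 25, "Exchange may send mail"),
    Rule("block", "tcp", LAN_NET, "any", 25, "no other LAN host may speak SMTP"),
    Rule("pass", "any", LAN_NET, "any", None, "everything else from LAN is allowed"),
]

# Same rules with the catch-all pass moved to the top: the SMTP block below it
# can never match, which is why the order is the whole point of the question.
WRONG_ORDER = [LAN_RULES[2], LAN_RULES[0], LAN_RULES[1]]


def workstation_smtp_blocked(rules: List[Rule]) -> bool:
    """True if an ordinary LAN workstation is stopped from reaching port 25."""
    pkt = Packet("tcp", "10.0.0.77", "198.51.100.9", 25)   # constructed sample
    return evaluate(rules, pkt)[0] == "block"


if __name__ == "__main__":
    samples = [
        Packet("tcp", MAIL_SERVER, "198.51.100.9", 25),   # mail server -> SMTP
        Packet("tcp", "10.0.0.77", "198.51.100.9", 25),   # workstation -> SMTP
        Packet("tcp", "10.0.0.77", "198.51.100.9", 443),  # workstation -> HTTPS
        Packet("tcp", "10.0.1.5", "198.51.100.9", 443),   # source outside LAN_NET
    ]
    for pkt in samples:
        print(pkt.src, "->", pkt.dst, pkt.dport, evaluate(LAN_RULES, pkt))
    print("SMTP blocked with correct order:", workstation_smtp_blocked(LAN_RULES))
    print("SMTP blocked with pass-all on top:", workstation_smtp_blocked(WRONG_ORDER))
```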

Our other firewall allows me to configure an internal DNS server for our domain/LAN and a DNS server for the WAN connection.

This way clients (internally) can resolve hostnames and websites through the local DNS server (Active Directory integrated) and all other traffic outside is resolved and set up by our external DNS server (not Active Directory integrated).

If I set the internal DNS server in those DNS boxes, it wouldn't be able to resolve websites anymore, would it? Or would it just use the root hints and settings from our internal server instead?

It would be better to have separate DNS servers for internal and external use, but I'm not sure if this is possible with the pfSense.

Sh4

Just set the DNS in your DHCP settings as usual; you never set the internal DNS on a gateway for your local clients but on the clients themselves.

AudiAddict

Good point. What do you suggest using, the internal DNS server or the WAN DNS server from the ISP (even though it's static)?

Obviously the DNS servers from the WAN don't allow me to edit stuff, so it would be better to use the internal DNS here, I suppose?

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.