Netgate Discussion Forum

    Allowing all ports opened to certain port/vlan

    General pfSense Questions
    9 Posts 3 Posters 872 Views
      leprejohn

      Hello everyone, how are you doing?

      I'm looking at testing pfSense 2.5 and also how VPN performs with an AES-NI CPU installed.

      My current setup goes like this: modem > pfSense physical host > switch > everything else. I'm thinking of building a VM on my Hyper-V server to run a test pfSense VM, so I was wondering if it was possible to have my physical pfSense allow everything to my 2.5 pfSense VM.

      As my modem will only allow one port to be active, at the minute I don't really want to take down my network just for some testing, so I was hoping someone on here may know.

      I was planning on allowing all ports etc. to the pfSense VM, so I can then have that act as a completely different network, so to speak.

      I really hope this makes sense on what I plan to do and achieve.

      Thanks, Leprejohn

        KOM

        You will end up with a double-NAT config which makes it trickier to forward ports in.

        Since you're virtualizing it to test, why not set it up so that pfsense WAN is on your LAN, and its LAN is private? That way, you could configure the VPN and then go in from LAN as if it were WAN.

          leprejohn @KOM

          @KOM said in Allowing all ports opened to certain port/vlan:

          You will end up with a double-NAT config which makes it trickier to forward ports in.

          Since you're virtualizing it to test, why not set it up so that pfsense WAN is on your LAN, and its LAN is private? That way, you could configure the VPN and then go in from LAN as if it were WAN.

          So the way I have it set up is WAN = link to switch (which connects to the physical pfSense box), LAN = private virtual switch to a Windows VM.

          I was thinking that if, for example, I wanted to open, say, the OpenVPN port, I would have to do that on both the physical pfSense host and the pfSense VM, which was something I was looking to avoid, as for me it would take twice as much time/rules to set up.

            KOM

            Yes, that's called double-NAT, since you have two routers in series, each of which is doing network address translation from LAN to WAN. Using my method, you can still test OpenVPN but from LAN into OPT1 (for instance) instead of WAN into LAN.

              leprejohn @KOM

              @KOM said in Allowing all ports opened to certain port/vlan:

              Yes, that's called double-NAT, since you have two routers in series, each of which is doing network address translation from LAN to WAN. Using my method, you can still test OpenVPN but from LAN into OPT1 (for instance) instead of WAN into LAN.

              I thought that would be the case. The issue I have is that my physical host is an i3, so it doesn't have AES-NI, so I'll be unable to test VPN on this.

              Would there be a way to setup HA between the physical host and say the VM so I can take down the physical host and the VM will take over?

                KOM

                That's a lot of work. You're already running 2.4.4. Why not export your config.xml, import it into the 2.5 VM and test it that way? Take your physical pf out of the mix. Create vSwitches for WAN and LAN, plug your modem cable into the NIC you have defined as WAN. Create the pfSense VM with WAN on vSwitch0 and LAN on vSwitch1. Put all LAN VMs on vSwitch1.

                  leprejohn @KOM
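                The layout KOM describes above, written out as a Hyper-V PowerShell script. This is an added example, not code from the thread or from Netgate: the NIC name "Ethernet 2", the VM name pfSense25, the ISO and VHDX paths, and the sizes are all assumptions, and the switch names WAN/LAN stand in for KOM's vSwitch0/vSwitch1. It builds an external switch on the modem-facing NIC with the host's own management adapter kept off it, a private switch for the LAN guests, and a Generation 2 pfSense VM with one adapter on each switch.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): build KOM's two-vSwitch Hyper-V layout and a
# pfSense VM bridging them. Assumed (not from the thread): NIC name, VM name, paths, sizes.

$WanNic  = 'Ethernet 2'                                   # host NIC the modem cable plugs into (assumed name)
$VmName  = 'pfSense25'                                    # assumed VM name
$IsoPath = 'C:\ISO\pfSense-CE-2.5.0-RELEASE-amd64.iso'    # assumed path to the installer ISO
$VhdPath = "C:\VMs\$VmName\$VmName.vhdx"                  # assumed disk location

# WAN (KOM's vSwitch0): external switch bound to the modem-facing NIC.
# -AllowManagementOS $false keeps the Hyper-V host itself off the modem segment,
# so the only thing that ever talks to the modem is the pfSense WAN adapter.
if (-not (Get-VMSwitch -Name 'WAN' -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name 'WAN' -NetAdapterName $WanNic -AllowManagementOS $false | Out-Null
}

# LAN (KOM's vSwitch1): private switch. VM-to-VM only, the host has no adapter on it,
# so every LAN VM's only path out is through the pfSense VM.
if (-not (Get-VMSwitch -Name 'LAN' -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name 'LAN' -SwitchType Private | Out-Null
}

# The firewall VM. First adapter on WAN, second on LAN: FreeBSD enumerates the
# Hyper-V adapters as hn0, hn1 in this order, which keeps the assignment obvious
# at install time.
New-VM -Name $VmName -Generation 2 -MemoryStartupBytes 2GB `
       -NewVHDPath $VhdPath -NewVHDSizeBytes 16GB -SwitchName 'WAN' | Out-Null
Set-VMProcessor -VMName $VmName -Count 2
Set-VMMemory    -VMName $VmName -DynamicMemoryEnabled $false   # firewalls dislike balloon memory
Add-VMNetworkAdapter -VMName $VmName -SwitchName 'LAN'

# Name the adapters after their switch so they are distinguishable later.
Get-VMNetworkAdapter -VMName $VmName | Where-Object SwitchName -eq 'WAN' |
    Rename-VMNetworkAdapter -NewName 'WAN'
Get-VMNetworkAdapter -VMName $VmName | Where-Object SwitchName -eq 'LAN' |
    Rename-VMNetworkAdapter -NewName 'LAN'

# Gen 2 defaults to Secure Boot with the Windows CA; the pfSense installer will not
# boot under it, so turn it off and boot from the ISO first.
Set-VMFirmware -VMName $VmName -EnableSecureBoot Off
Add-VMDvdDrive -VMName $VmName -Path $IsoPath
Set-VMFirmware -VMName $VmName -FirstBootDevice (Get-VMDvdDrive -VMName $VmName)

# Verify the wiring before starting: exactly one adapter per switch.
Get-VMNetworkAdapter -VMName $VmName | Select-Object Name, SwitchName, MacAddress
# Start-VM -Name $VmName
```

                After the install, restore the exported config.xml through Diagnostics > Backup & Restore. One thing to expect: the physical box's config references its own NIC names (igb0, em0 or similar), which do not exist in the VM, so pfSense will stop at the console interface-assignment prompt on first boot with the restored config; answer hn0 for WAN and hn1 for LAN and it continues. The physical unit is untouched throughout, which is what KOM means by plugging it back in if things go sideways.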

                  @KOM said in Allowing all ports opened to certain port/vlan:

                  That's a lot of work. You're already running 2.4.4. Why not export your config.xml, import it into the 2.5 VM and test it that way? Take your physical pf out of the mix. Create vSwitches for WAN and LAN, plug your modem cable into the NIC you have defined as WAN. Create the pfSense VM with WAN on vSwitch0 and LAN on vSwitch1. Put all LAN VMs on vSwitch1.

                  Ideally I would want to have an HA setup in case my physical host goes down, but I'll spin up a VM using my config.xml file.

                    KOM

                    The 2.5 dev build is pretty solid from what I have heard. Plus, you can always plug your physical unit back in if it all goes sideways.

                      stephenw10 Netgate Administrator

                      If you just want to test OpenVPN, just set up a port forward to it on the edge firewall.

                      You can use 1:1 NAT to forward all traffic to the test VM if you really need to, apart from any other port forwards you might already have, that is.

                      Steve

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.