Allowing all ports opened to certain port/vlan



  • Hello everyone, how are you doing?

    I'm looking at testing pfSense 2.5 and also how the VPN performs with an AES-NI CPU installed.

    My current setup goes like this: modem > pfSense physical host > switch > everything else. I'm thinking of building a VM on my Hyper-V server to run a test pfSense VM, so I was wondering whether it is possible to have my physical pfSense allow everything through to my 2.5 pfSense VM.

    As my modem will only allow one port to be active, at the moment I don't really want to take down my network just for some testing, so I was hoping someone on here may know.

    I was planning on allowing all ports etc. to the pfSense VM so that it can act as a completely different network, so to speak.

    I really hope this makes sense in terms of what I plan to do and achieve.

    Thanks, Leprejohn



  • You will end up with a double-NAT config which makes it trickier to forward ports in.

    Since you're virtualizing it to test, why not set it up so that pfsense WAN is on your LAN, and its LAN is private? That way, you could configure the VPN and then go in from LAN as if it were WAN.



  • @KOM said in Allowing all ports opened to certain port/vlan:

    You will end up with a double-NAT config which makes it trickier to forward ports in.

    Since you're virtualizing it to test, why not set it up so that pfsense WAN is on your LAN, and its LAN is private? That way, you could configure the VPN and then go in from LAN as if it were WAN.

    So the way I have it set up is WAN = link to the switch (which connects to the physical pfSense box) and LAN = private virtual switch to a Windows VM.

    I was thinking that if, for example, I wanted to open say the OpenVPN port, I would have to do that on both the physical pfSense host and also on the pfSense VM, which was something I was looking to avoid doing, as for me it would take 2x as much time/rules to set up.



  • Yes, that's called double-NAT, since you have two routers in series, each of which is doing network address translation from LAN to WAN. Using my method, you can still test OpenVPN but from LAN into OPT1 (for instance) instead of WAN into LAN.



  • @KOM said in Allowing all ports opened to certain port/vlan:

    Yes, that's called double-NAT, since you have two routers in series, each of which is doing network address translation from LAN to WAN. Using my method, you can still test OpenVPN but from LAN into OPT1 (for instance) instead of WAN into LAN.

    I thought that would be the case. The issue I have is that my physical host is an i3, so it doesn't have AES-NI, so I'll be unable to test the VPN on this.

    Would there be a way to set up HA between the physical host and, say, the VM so I can take down the physical host and the VM will take over?



  • That's a lot of work. You're already running 2.4.4. Why not export your config.xml, import it into the 2.5 VM and test it that way? Take your physical pf out of the mix. Create vSwitches for WAN and LAN, plug your modem cable into the NIC you have defined as WAN. Create the pfSense VM with WAN on vSwitch0 and LAN on vSwitch1. Put all LAN VMs on vSwitch1.



  • @KOM said in Allowing all ports opened to certain port/vlan:

    That's a lot of work. You're already running 2.4.4. Why not export your config.xml, import it into the 2.5 VM and test it that way? Take your physical pf out of the mix. Create vSwitches for WAN and LAN, plug your modem cable into the NIC you have defined as WAN. Create the pfSense VM with WAN on vSwitch0 and LAN on vSwitch1. Put all LAN VMs on vSwitch1.

    Ideally I would want to have an HA setup in case my physical host goes down, but I'll spin up a VM using my config.xml file.



  • The 2.5 dev build is pretty solid from what I have heard. Plus, you can always plug your physical unit back in if it all goes sideways.


  • Netgate Administrator

    If you just want to test OpenVPN, just set up a port forward to it on the edge firewall.

    You can use 1:1 NAT to forward all traffic to the test VM if you really need to. Apart from any other port forwards you might already have, that is.

    Steve
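The two options Steve describes, written out as the underlying pf rules (pfSense generates pf rules from the GUI; this is an added illustration, not configuration from the thread or from Netgate). Interface names, addresses and the OpenVPN port are assumptions: em0 is the edge firewall's WAN, em1 its LAN, the test pfSense VM's WAN sits on the LAN at 192.168.1.50, and OpenVPN listens on UDP 1194. Because this is double NAT, the inner pfSense VM still needs its own port forward from 192.168.1.50 to the Windows VM behind it; these rules only cover the edge.

```pf
# Added example, not from the thread. Assumed interface names and addresses.
ext_if  = "em0"            # edge pfSense WAN
int_if  = "em1"            # edge pfSense LAN (where the test VM's WAN lives)
test_vm = "192.168.1.50"   # WAN address of the inner pfSense VM (assumed)

# Translation rules: pf applies the FIRST matching one, so any port forwards
# you already rely on must stay above the 1:1 mapping or it will swallow them.
# (example of an existing forward, assumed: a web server at 192.168.1.20)
rdr pass on $ext_if inet proto tcp from any to ($ext_if) port 443 -> 192.168.1.20 port 443

# Option 1 (Steve's first suggestion): forward only the OpenVPN port.
# "rdr pass" creates the translation and the matching pass rule in one line.
rdr pass on $ext_if inet proto udp from any to ($ext_if) port 1194 -> $test_vm port 1194

# Option 2 (Steve's second suggestion): 1:1 NAT, mapping the whole WAN address
# onto the test VM. binat only translates; it does NOT pass traffic by itself.
binat on $ext_if inet from $test_vm to any -> ($ext_if)

# Filter rules for option 2. pf evaluates the last matching rule unless "quick"
# is used, so the block comes first and the narrower pass overrides it.
# Translation happens before filtering, so inbound packets already have
# $test_vm as their destination here.
block in on $ext_if inet from any to $test_vm
pass  in on $ext_if inet proto udp from any to $test_vm port 1194 keep state

# Normal outbound NAT for the rest of the LAN so the double-NAT path still works.
nat on $ext_if inet from $int_if:network to any -> ($ext_if)
```

Use option 1 or option 2, not both, for the same host. With option 2 it is worth keeping the explicit block/pass pair rather than a blanket pass, otherwise every service the inner pfSense VM exposes on its WAN (its own web GUI included) becomes reachable from the Internet through the edge.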

