Sync server firewalls with pfsense?



  • Hi,

    I'm not sure where to put this post, here or in NAT so I'll try here first.

    The setup is that I use pfsense as the main firewall and every server in the LAN also has its own firewall running because there are multiple lan segments that I don't want traffic between.

    The problem is that I have remote people whose IPs are constantly changing so I maintain aliases on the pfsense but then still have to change the IPs on every server they use. VPN is not an option.

    I was wondering if there is some way to sync the servers up with the aliases on pfsense.

    For example, a way to export the aliases every hour, so a script could parse it and send a file to the server where it also has a script which it uses to update its local firewall. Very messy, not very safe at all.

    Or, if there are some other ways that the servers could get that information from the firewall and again, update their local firewalls with the changes. Not as messy, not terribly safe to give a script access to the firewall local or remote.

    Or, maybe there is already a solution for this kind of problem and my searching the Internet for days now has not revealed it. Maybe I don't know the key words for something that already exists or some method.

    Thanks kindly for any help you can provide.



  • @lewis It seems to me that a road warrior VPN setup on the pfSense machine would work perfectly since there are unknown IPs. Then from pfSense you could firewall route each IP to the respective server.


  • LAYER 8 Global Moderator

    @lewis said in Sync server firewalls with pfsense?:

    also has their own firewalls running because there are multiple lan segments that I don't want traffic between.

    You mean you have devices on the same segment that you don't want talking to each other.. Does pfsense route between the different segments or do you have some downstream L3 switch or something routing.. Pfsense is easy to firewall between network segments/vlans

    VPN is not an option.

    Why??? This is exactly the sort of scenario where vpn shines..



  • Yes, I know VPN would work perfectly but I'm simply not allowed to use VPN which is why I am trying to find out what other way I could do this.

    I've never used VPN on the pfsense however. Could it be set up so that when someone VPNs in, they only have access to the servers they are allowed to and not that whole segment?


  • Netgate Administrator

    I would do two things, at least.

    Get your remote clients to use DynDNS so you only have to maintain a list of FQDNs and they will update automatically.

    Use a URL alias in pfSense and point it to somewhere local where you are hosting that list. Not on the firewall itself.

    Then the local servers can also access that list by whatever means might be available.

    You could potentially do something like source NAT incoming connections to some other local IP as they leave the pfSense LAN and then have the servers allow that IP. It would never change. That would allow all remote clients to access all servers, I don't know if that would be a problem.

    Steve
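One way a server could consume the same hosted list that the pfSense URL alias reads, as an added example that is not from this thread or from pfSense. It assumes the servers run nftables with a set `remote_admins` (type ipv4_addr, `flags interval`) in table `inet filter`, and the list URL is a placeholder; the sample list and resolver in the comments are constructed.

```python
import ipaddress
import socket
import subprocess
import urllib.request

# Placeholders: the locally hosted list (one IP, CIDR or DynDNS FQDN per line,
# the same file pfSense reads as a URL alias) and the nftables set to fill.
LIST_URL = "http://lists.example.internal/remote-admins.txt"
NFT_SET = ("inet", "filter", "remote_admins")

def parse_alias_list(text, resolve=socket.gethostbyname):
    """Return the sorted IPv4 networks named in the hosted list.

    FQDNs (the DynDNS names) are resolved at run time; a line that is neither
    an address nor a resolvable name is dropped for this run, so a stale entry
    can never widen the set. Trailing '#' comments are allowed.
    """
    nets = set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.add(ipaddress.IPv4Network(entry, strict=False))
            continue
        except ValueError:
            pass
        try:
            nets.add(ipaddress.IPv4Network(resolve(entry)))
        except (OSError, ValueError):
            pass  # unresolvable name: re-added once DynDNS catches up
    return sorted(nets)

def nft_script(nets, nft_set=NFT_SET):
    """Build one nft transaction that replaces the set contents atomically."""
    family, table, name = nft_set
    elements = ", ".join(str(n) for n in nets)
    return ("flush set %s %s %s\n" % (family, table, name)
            + "add element %s %s %s { %s }\n" % (family, table, name, elements))

def sync(url=LIST_URL, run=subprocess.run):
    with urllib.request.urlopen(url, timeout=10) as resp:
        nets = parse_alias_list(resp.read().decode("utf-8", "replace"))
    if not nets:
        return nets  # empty list means the web host is broken; keep current set
    # 'nft -f -' applies flush and add as a single transaction
    run(["nft", "-f", "-"], input=nft_script(nets), text=True, check=True)
    return nets

if __name__ == "__main__":
    print(sync())
```

Run it from cron at the interval you would otherwise re-fetch the URL alias on pfSense, so both firewalls track the same file.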


  • Netgate Administrator

    @lewis said in Sync server firewalls with pfsense?:

    Could it be set up so that when someone VPNs in, they only have access to the servers they are allowed to and not that whole segment?

    Yes, if you used OpenVPN and set client-specific overrides for each client to get the same unique tunnel IP, you could then use firewall rules to allow access to only specific internal IPs.

    Steve



  • Great input, I'll look into each of these and learn about them.

    Thanks very much again.

