Netgate Discussion Forum
PF Sense Configuration question

Category: NAT
5 Posts, 2 Posters, 674 Views
  • rollin1
    last edited by rollin1 Dec 10, 2021, 10:23 PM Dec 10, 2021, 10:19 PM

    I have pfSense running as a VM in Hyper-V. The VM has 4 interfaces on it: WAN, A, B, C. The main management interface is on interface A. We have an

    Interfaces - WAN, A, B, C

    WAN - 5 static IPs
    Network A - 192.168.5.0/24
    Network B - 192.168.200.0/24
    Network C - 172.16.16.0/24

    FW rules for WAN
    NAT for our RDS Gateway server
    The firewall has a port forward for the public IP for this: TCP HTTPS and UDP 3391 to 192.168.5.28. The firewall has a port forward for the 2nd public IP for this using HTTP and HTTPS to 192.168.5.24.

    FW Rules for Network A
    Deny access to network B
    Deny access to network C
    Allow outbound traffic out of WAN

    FW Rules for Network B
    Deny traffic to management interface on network B
    Deny access to network A
    Deny access to network C
    Allow outbound traffic out of WAN

    Clients are unable to get to NAT for website NAT on Network A
    Clients are also unable to get to the RD Gateway NAT on Network A

    FW Rules for Network C
    Network C has access on 443/3391 to get access to RD Gateway on Network A
    Deny traffic to management interface on network C
    Deny access to network B
    Deny access to network A
    Allow outbound traffic out of WAN

    Clients are unable to get to NAT for website NAT on Network A
    Clients are also unable to get to the RD Gateway NAT on Network A

    pfSense has an outbound static NAT to leave the network as the proper public IP.

    How am I going to be able to have Network B and Network C be able to traverse the NAT for our RD Gateway server and website? Does each network need to be on its own VLAN?

    I have played around with changing firewall policies and changing static routes but I was curious if anyone could provide advice.

    • rollin1 @rollin1
      last edited by Dec 10, 2021, 10:38 PM

      I enabled Pure NAT and now I can get to the RD Gateway webpage and the company's webpage.

      I also have Enable NAT reflection for 1:1 NAT checked and Enable automatic outbound NAT for Reflection checked too.

      • rollin1 @rollin1
        last edited by Dec 11, 2021, 6:49 PM

        I left these settings and everything worked at the end of the day, but I ran into services not starting after a reboot that happened last night.

        Any ideas for my other question above?

        • viragomann @rollin1
          last edited by Dec 11, 2021, 7:06 PM

          @rollin1 said in PF Sense Configuration question:

          How am I going to be able to have Network B and Network C be able to traverse the NAT for our RD Gateway server and website? Does each network need to be on its own VLAN?

          If you're accessing the servers by host names, add host overrides to your DNS and add proper firewall rules.
          Otherwise use the internal IP for accessing them.

          • rollin1 @viragomann
            last edited by Dec 13, 2021, 10:36 PM

            @viragomann Pure NAT helped with the NAT problems we were having, and the way I had to hit our RD Gateway server from the other networks was to hit the RD Gateway by its private IP.

            I then had to replicate the same firewall rules we had going from WAN to Network A:
            Network B is allowed to hit 192.168.5.28 on Network A on 443, UDP 3391 and 3389
            Network C is allowed to hit 192.168.5.28 on Network A on 443, UDP 3391 and 3389

            Thanks

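An added model of the behaviour the thread works through (not code from the forum or from pfSense itself): the port forward is bound to the WAN interface, Pure NAT reflection re-creates it on the internal interfaces, and interface rules are evaluated against the post-NAT destination, which is why the "deny access to network A" rules still blocked Network B until explicit allow rules to 192.168.5.28 were added. The public IP is a constructed placeholder from the documentation range.

```python
from ipaddress import ip_address, ip_network

# Constructed values: the public IP is a placeholder from the 203.0.113.0/24 documentation range.
PUBLIC_IP = "203.0.113.10"
RD_GATEWAY = "192.168.5.28"
NET = {"A": "192.168.5.0/24", "B": "192.168.200.0/24", "C": "172.16.16.0/24"}
ANY = "0.0.0.0/0"

# WAN port forwards from the thread: (proto, port) -> internal target.
PORT_FORWARDS = {("tcp", 443): RD_GATEWAY, ("udp", 3391): RD_GATEWAY}

# Interface rules as the thread describes them: (action, proto, destination network, dport).
# pfSense interface rules are first-match ("quick"), so order matters.
RULES = {
    "WAN": [("pass", "tcp", RD_GATEWAY + "/32", 443), ("pass", "udp", RD_GATEWAY + "/32", 3391)],
    "B": [("block", "any", NET["A"], "any"), ("block", "any", NET["C"], "any"),
          ("pass", "any", ANY, "any")],
    "C": [("pass", "tcp", RD_GATEWAY + "/32", 443), ("pass", "udp", RD_GATEWAY + "/32", 3391),
          ("block", "any", NET["A"], "any"), ("block", "any", NET["B"], "any"),
          ("pass", "any", ANY, "any")],
}
# The allow rules rollin1 added on B once Pure NAT was on (443, UDP 3391 and 3389 to the gateway).
RULES_FIXED_B = [("pass", "tcp", RD_GATEWAY + "/32", 443), ("pass", "udp", RD_GATEWAY + "/32", 3391),
                 ("pass", "tcp", RD_GATEWAY + "/32", 3389)] + RULES["B"]


def redirect(iface, proto, dst, dport, pure_nat):
    """Destination after NAT: the port forward is bound to WAN, so on an internal
    interface it only applies when Pure NAT reflection re-creates it there."""
    if dst == PUBLIC_IP and (iface == "WAN" or pure_nat):
        return PORT_FORWARDS.get((proto, dport), dst)
    return dst


def filter_action(rules, proto, dst, dport):
    """First matching interface rule wins; pf's default for unmatched traffic is block."""
    for action, p, net, port in rules:
        if p in ("any", proto) and port in ("any", dport) and ip_address(dst) in ip_network(net):
            return action
    return "block"


def outcome(iface, proto, dst, dport, pure_nat=False, rules=None):
    """Where a client connection ends up: 'server', 'firewall' (it reached the
    firewall's own WAN address with no redirect, so no RD Gateway) or 'blocked'."""
    nat_dst = redirect(iface, proto, dst, dport, pure_nat)
    active = RULES[iface] if rules is None else rules
    if filter_action(active, proto, nat_dst, dport) != "pass":
        return "blocked"
    return "server" if nat_dst == RD_GATEWAY else "firewall"
```

Calling `outcome("B", "tcp", PUBLIC_IP, 443)` with and without `pure_nat=True`, and then with `rules=RULES_FIXED_B`, reproduces the three stages in the thread; passing `RD_GATEWAY` as the destination models the split-DNS path viragomann suggested.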
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.