Connect Two Private LANs from Different Companies Using Netgate 2100
-
Hi:
Hopefully this will be straightforward. It's not a common configuration that is discussed in the forums. So hopefully, someone has seen this before and has a straightforward way to handle this situation.
I have a comms room that is shared by different companies. For some reason the previous contractor that we had looking after our network decided it was OK to use the 2nd Ethernet interface (NIC) on our server and connect directly (nothing in between, basically connected directly to their switch) to another company's private LAN subnet that is also in the same comms closet.
We allow them to access our server as a customer, but I realized no firewall was ever set up between the two private subnets.
I have a Netgate 2100 and want to install it as a firewall/router between the two private subnets. I have a few questions/confirmations. Hopefully someone can offer a secure solution using the Netgate pfSense 2100.
-
Would I connect the WAN port on my 2100 to their switch (same cable as before) and assign (reuse) the private IP address that they used for my server to the WAN interface on the 2100? This is the thing I'm most wondering about. Same subnet info and default gateway info as always.
-
Then use one of the LAN ports on the 2100 and just assign an IP address of my local VLAN.
If 1) and 2) above make sense, then move onto #3 below.
- Should I set up NAT (they would use their local IP on their LAN, which comes through the 2100 WAN port) from the WAN on the 2100 to the private IP address of my server on my local VLAN? I've seen some mention this might be the easier thing to do.
Or should I simply give them the local private IP of my server and let them route to it through the 2100? I would prefer not to do this, but if it's easier for them, I can do that for this company only.
- Would they need to add a static route on their main (default) router to get to the 2100 I've added? Or will the routing tables update to handle that situation using dynamic routing?
I just want to do what's easiest for everyone and ensure my local subnet is not open via another company's private LAN.
Thanks for your help and time. Appreciated.
-
-
@jtd
Not clear, what's the status quo here and what you're trying to accomplish. Can you provide a network map please with true IPs?
The other company only need to access services on your server?
If so, to lock down the server port is not an adequate option?
-
@viragomann said in Connect Two Private LANs from Different Companies Using Netgate 2100:
lock down the server port is not an adequate option
That's my first thought too, just set up firewall rules. Presumably this other subnet needs to get to the server for something. If a router is put in the middle then one gets into questions of NATting ports or whatnot to allow that access. Unless the server is only connecting out to the subnet and there is no inbound. If there is no gateway on that second NIC then there's no path to the Internet on that NIC.
-
@jtd
Not my area of expertise, but depending on what resources on your network they are accessing (always one physical computer, a HA computer network, multiple resources on your network).
-
It maybe appropriate to connect them to a separate LAN/VLAN on your network then use your normal firewall to control access.
-
The 2100 could be used I suppose with 2 LAN interfaces and no WAN but I suspect using your normal firewall infrastructure would be more maintainable.
-
-
@jtd sounds like a LAN router. Not sure if that means pfSense should be in "Appliance" mode (no gateway / WAN defined).
-
Hi all, thanks for the responses.
I should have stated (I forgot people would assume my perimeter firewall router is close by), my main perimeter firewall is not in the same comms room as this one server (the rooms are not close/reachable easily without a bunch of conduit work).
Just this one server is the only host on my private subnet in that shared comms room.... The other company has access to my server in that room via their private subnet (because my server's 2nd NIC is on their private subnet, which is not proper).
Right now (long story) someone previous set things up as:
Other company subnet IP (NIC2) - Server - My subnet IP (NIC1)
I don't like my server being directly connected to a private subnet I do not control. Never should have been done like this.
All I want to do to hopefully fix this strange situation is the following with the 2100:
Other company private subnet IP (WAN or LAN 2100 ??) - 2100 Firewall/Router - My private subnet IP (LAN 2100)
I have no control over the other company's subnet. I know their private subnet (VLAN) number, the subnet mask, and their default gateway on their VLAN (which I assume would enable them to get to their public Internet access).
I plan to re-use their same static private IP address on the 2100 WAN port (or should I use one of the 2100 LAN ports, this situation is not covered anywhere in the documentation) connecting to the other company's private subnet.
I'm hoping that if I can get the 2100 firewall/router connected properly between the two private subnets and not cause any issues on those existing subnets, then I either NAT their private IP on the interface of the 2100 to my server on my subnet. The firewall rules will get created automatically when I set up the NAT (only allowing incoming connections for a specific TCP application port they use on my server - also limited to incoming connections originating from their private subnet). That NAT would be supported by the only incoming "pass" rule/rules on the 2100 interface to the other company's subnet.
I would block any originating traffic on my subnet from using that 2100 LAN interface on my subnet (just to be safe).
You all think this would work out and not mess up the existing subnet and perimeter firewall setups?
I am specifically asking about the 2100 port assignments and the use of NAT.
Remember, I do not have any control of the other company's private subnet, so this is not like a normal company would do LAN segmentation (between departments), etc.
Thanks for the information.
-
@jtd LAN and WAN ports on pfSense are just names. You can use them as you like.
For your case, the solution is simple.
Put the two segments (your server and the foreign LAN) on two interfaces and bridge them, with firewall rules.
Case closed
Anything else will require intervention to the foreign network.
-
Hi: @netblues
Thanks. I was looking at this bridging feature previously. It's a bit confusing as sometimes I see a terminology called "transparent bridge".
https://www.provya.com/blog/pfsense-bridging-interfaces/
I just want to confirm the exact configuration of the bridge. It makes me a bit nervous that I may be misinterpreting what a bridge is. I'm assuming all incoming and outgoing traffic on a bridge is blocked by default and you have to enable "pass" rules. But I'm not seeing that stated anywhere.
When you say bridge the two segments, I am not sure what you mean (a segment to me is a LAN segment, not just an Ethernet port).
I just want to make sure you are saying leave my server directly on the other company's private subnet via NIC2 as it is right now? But put the 2100 between the server port (NIC2) and the other company's private VLAN using the cable that comes from their LAN into the comms room?
Other company's subnet (LAN port1 2100)- Bridge - My server's NIC2 port on other company's LAN (LAN port2 2100)
The above may not be ideal in that my server sits on another company's private LAN, but maybe it's the best that can be done.
If I am interpreting your note correctly, I bridge NIC2 on my server with the other company's VLAN through the 2100 using the cable that comes into the comms room. But what IP address would I give the bridge interface? Can I give it any private IP address, or does it have to be an IP address from their private subnet? Then the other company can access my server via the IP address of the bridge?
I'm not sure I'm keen on the below in bridging my VLAN with another company's VLAN, if I'm interpreting what a bridge is in pfSense is:
Bridge the other company's private VLAN with my private VLAN? Again, I'm assuming all incoming and outgoing is blocked by default (according to the examples I've seen, a bridge would treat the two interfaces used as one VLAN segment, and that's not what we want). I have to create pass rules either on the interface to the bridge or the bridge itself to allow the other company to reach my server via the bridge.
-
Remove the cable connected to my server on NIC2. My server would just sit on my LAN via the one NIC1 as is usually the case in a normal situation.
-
Create the bridge between the other company's private subnet VLAN and my private VLAN subnet using two LAN ports on the 2100?
Other company's private subnet VLAN (2100 LAN port1) - Bridge - My private subnet VLAN (2100 LAN port2)
Set each member of the interface as IPv4 only, "none".
Then I would create the interface assignments using this defined bridge with these members, and assign a private IP address to the interface of the bridge as shown in the example.
When this is done, set up NAT using the private IP address of the bridge interface and my server? I would tell the other company to use the IP address of the bridge interface and that would NAT them to my server?
Thanks for the information.
-
-
@jtd Ok either I am missing something or you're going way overboard thinking you need some transparent bridge setup for 1 server?
Does this server not have host firewall?
Your goal here is to allow this access to some service or services running on this server right? But you want to prevent them from accessing other services on this one server.
In such a setup why is the host firewall running on this server not "enough" ?
I would have never set it up this way in the first place - but since it already is, going through all this to set up a transparent bridge for just this 1 server seems a bit over the top when the host firewall of the server should already be able to provide filtering.
This pfSense is not already in place for the rest of your network, etc.? You're just wanting to use this 2100 to do this one thing?
-
Hi @johnpoz
Maybe I'm not describing my interpretation of the bridge suggestion properly.
I'm asking for confirmation of the physical connections first (that is the most important thing to get right, as I read bridges, if not properly connected, can cause loops and take an entire network down), and then where to set up the firewall rules. On the bridge itself or on the LAN interface used for the cable coming in from the other company.
I would really like to get my server off an outside company's private subnet. I have no control over the other company's private subnet.
But from what I've studied, it may not be possible to set up a traditional internal firewall/router between the two subnets without changing things on the main perimeter firewalls/routers on the two private subnets. That will just create a bunch of hassle between the companies. I'm looking for something I can quietly do myself and no one will notice. And I'm the only one that can control the 2100. I can shut the other company off completely from my server if something happens (virus, etc.), even if the cable is still connected to the 2100.
I had looked at a bridge before. I had dismissed the bridge idea previously because from what I know of bridges, it's essentially joining of two networks and treating them at the IP level as the same network. That is not a go.
From what @netblues mentioned, probably the least complex and least intrusive solution (though it does not get my server off the other company's subnet) is to use two LAN ports on the 2100. Connect NIC2 on my server to one LAN port on the 2100. Connect the cable coming in from the other company to another LAN port on the 2100. Create a bridge between the two LAN ports.
Though it's not clear if this is considered a transparent bridge or not. And it's not clear to me what IP address I should use for the bridge. It seems bridges can not use NAT, so I have to create the pass rule(s) to allow only incoming traffic from the other company's subnet on TCP port XX through the bridge to reach my server on their subnet IP address denoted on NIC2 on my server.
That is what I'm asking to confirm if I'm interpreting @netblues suggestion on the bridge application correctly.
-
@jtd again putting in a pfsense box is way over the top for what you have described..
You have this right?
What do you think setting up pfsense with a transparent firewall, etc.. gets you vs what can already be done via simple firewall rules on that server?
I agree it should have probably never been set up like this in the first place. But setting up a pfSense box as just a transparent firewall just seems like overkill for something that can already be done via just the firewall on the server.
You clearly still want to allow access from this other company to this server. So other than filtering access to other services on this server, smb, ftp, AD, whatever - which can just be done in the server's host firewall - I am not understanding what putting in a pfSense box just for this server gets you other than cost, complexity and time?
If you were replacing your current edge firewall with pfSense, and wanted to allow this other company network into this server via your shiny new pfSense box for your whole network, that would be different. But it sounds like you're going to put this in just to be a firewall between this 1 server connection and this other network.
-
@jtd Obviously, as johnpoz said, using the built in firewall of the server will do the same as the pf.
However since we dont know if you have the necessary admin rights on your server for this, or maybe there is a chance someone else is also fiddling with the server firewall, an external firewall is maybe something to consider.
Yes, it IS overkill for just one host, but still. Routing is a no go. Way too many things to change.
A bridge doesn't need an ip, since it operates at layer 2.
So filtering at layer two is also called a transparent firewall.
And no, there is no loop to be created if you bridge your servers second lan with the foreign network.
Think of pfSense as a plain L2 LAN switch, just with rules.
-
Thank you both for the information. Greatly appreciated. I am slowly getting what you are saying on the bridge setup.
Yes all your comments are correct and valid... Without saying too much, when I say server, really this was not the most professional job. It's a Mac Mini, and I would love to replace it with a proper hardened Linux server one day given the value of the data it handles.
For the price, I'm OK using the 2100 as a secure firewall in this case, setting it up once and leaving it. That way I know the network is protected and only I can control what comes into the network. All I need is for something to happen and you know how that goes. Not worth the risk.
@johnpoz your diagram is correct.
Yes, so we're agreed on the physical connections and that a transparent firewall is what I set up using the 2100 (2 LAN ports) between the 2nd NIC on my server and LAN1 port on the 2100, then the cable coming into the comms room which will connect the LAN2 port, which is the interface to the other company's private subnet.
I'm assuming I would leave the static IP information in my 2nd NIC the same, and it would still sit on the other company's subnet and be visible to them on their network based on the firewall rule I set up.
I'll set this 2100 up in the lab this evening as a transparent firewall and test it before connecting it to the live network.
@netblues When you use the term Layer 2 filtering, are you saying set up the firewall rules the same way I normally would after setting up the transparent firewall? Do I do this on the transparent bridge interface or on the LAN2 port interface? Do I not need an IP address on the bridge interface for management?
Thanks, I think my questions are coming to an end and I'll set this up in the lab over the next couple days and get back to you all. Appreciated.
-
@jtd said in Connect Two Private LANs from Different Companies Using Netgate 2100:
That way I know the network is protected and only I can control what comes into the network.
It's not coming into the "network", it's coming into this one "server" (mac mini). Did you set up this box to route traffic? Now true it could be exploited and then from that be a jump off point into your network. But any services allowed to this box could be used to exploit it and do that - firewall or not. This is true for any box exposed to any outside access at all. This is why normally you put servers that are serving the public in a "dmz" where it is isolated from the rest of your network.
macOS comes with a firewall.. You can limit the access to just the services you want, etc.
If I was worried about their access to this box, in any way. I would isolate this box from the rest of your network.. And limit its access to stuff in your network it might need and that is it, etc.
Yes the 2100 can be used as a transparent firewall with no changes being needed on this servers IP or the other companies network or access, they wouldn't really even know the 2100 is there, etc. I just don't see how it really gets you anything that couldn't just be done on the boxes own firewall.
-
@johnpoz I hear all your points. I've looked at the DMZ, etc before. Understand about the software firewall in MacOS.
All that will take time. I've tried and succeeded in hardening the perimeter network over time. This 2100 is the last bit, and then I need to leave things for a while before moving the public servers to a DMZ, etc. I can not say too much on a public forum.
I'll let you all know how it goes in a couple days. Appreciate all your help and solid input.
-
@jtd Sounds sensible to me.
What you are doing is creating a perimeter firewall system you can maintain. It provides you with the flexibility to change the physical hardware behind it, and monitor what is actually happening in a more uniform way across your business.
-
As usual, the "enemy" is much closer than we think :)
So yes, a perimeter is nice to have.
Have a look here
https://docs.netgate.com/pfsense/en/latest/bridges/firewall.html
Regarding firewall rules and firewalling.
-
I got the setup configured with the bridge using two of the LAN ports.
I set it up in the lab first and observed the behaviour for a day (I just let everything pass on the bridge in the lab test).
Based on that behaviour, and the applications needing to get through the bridge, I created pass rules for the specific application needed. There's a lot of communications going on I noticed that had nothing to do with the needed application. Blocking those at the bridge has no impact on the application.
It's in production now running the final firewall rules I came up with, and all looks good so far.
Yes, not ideal (which I confirmed with a couple proven Tier 1 Internet network carrier level IP guru colleagues), but this gives us a hardened, dedicated firewall on this backdoor under our total control.
Thanks for this. Greatly appreciated.
-
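The workflow jtd describes in the post above (let everything pass on the bridge in the lab, look at what actually crosses it, then write pass rules for just the needed application) and netblues's "L2 switch, just with rules" description both come down to one thing: replaying observed flows against a first-match ruleset. The script below is an added example, not configuration from the thread or from Netgate; it parses pfSense filterlog lines (the CSV format pfSense writes to the filter log, IPv4 layout only) captured during the permissive run, summarises which protocol/port pairs were seen, and reports which flows a proposed ruleset would still pass. The interface name `mvneta1`, the 192.0.2.0/24 subnet, the server address 192.0.2.40 and TCP port 8443 are assumptions; substitute the real values. One caveat worth checking before relying on the rules: pfSense filters bridged traffic on the member interfaces by default (`net.link.bridge.pfil_member=1`, `net.link.bridge.pfil_bridge=0`), so the rules modelled here belong on the interface cabled to the other company's switch, not on the bridge interface, unless those tunables are changed as the linked Netgate page describes. The model only classifies the initiating direction of each flow; how replies are handled depends on the state policy in effect, which the same page covers.

```python
"""Replay pfSense filterlog flows against a proposed transparent-bridge ruleset.

Added example (not the poster's or Netgate's configuration). Parses the IPv4
filterlog CSV lines logged by a "pass everything, log" rule on the bridge member
that faces the other company, summarises what crossed, and shows what a
first-match ruleset (pfSense interface rules are "quick") would still pass.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# --- Assumptions: replace with the real values ---------------------------------
THEIR_IF = "mvneta1"                                   # 2100 port cabled to their switch
THEIR_SUBNET = ipaddress.ip_network("192.0.2.0/24")    # their private VLAN
SERVER_IP = ipaddress.ip_address("192.0.2.40")         # server NIC2 on their subnet
APP_PORT = 8443                                        # the one TCP service they need

# Constructed sample of filterlog lines with the syslog prefix removed. IPv4 layout:
# rule,subrule,anchor,tracker,iface,reason,action,dir,ipver,tos,ecn,ttl,id,offset,
# flags,proto-id,proto-text,length,src,dst[,sport,dport,...]
SAMPLE_LOG = """\
5,,,1000000101,mvneta1,match,pass,in,4,0x0,,64,40122,0,DF,6,tcp,60,192.0.2.15,192.0.2.40,51200,8443,0,S,1,,65535,,mss
5,,,1000000101,mvneta1,match,pass,in,4,0x0,,64,40123,0,DF,6,tcp,60,192.0.2.15,192.0.2.40,51201,8443,0,S,1,,65535,,mss
5,,,1000000101,mvneta1,match,pass,in,4,0x0,,128,7001,0,DF,6,tcp,52,192.0.2.23,192.0.2.40,49811,445,0,S,1,,8192,,mss
5,,,1000000101,mvneta1,match,pass,in,4,0x0,,128,7002,0,none,17,udp,78,192.0.2.23,192.0.2.255,137,137,58
5,,,1000000101,mvneta1,match,pass,in,4,0x0,,255,3,0,none,17,udp,96,192.0.2.31,224.0.0.251,5353,5353,76
5,,,1000000101,mvneta1,match,pass,in,4,0x0,,62,9001,0,DF,6,tcp,60,198.51.100.7,192.0.2.40,44000,8443,0,S,1,,65535,,mss
5,,,1000000101,mvneta1,match,pass,in,4,0x0,,64,9002,0,DF,6,tcp,60,192.0.2.15,192.0.2.40,51300,22,0,S,1,,65535,,mss
"""


@dataclass(frozen=True)
class Flow:
    iface: str
    proto: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: Optional[int]          # None for protocols without ports (e.g. icmp)


@dataclass(frozen=True)
class Rule:
    action: str                               # "pass" or "block"
    iface: str
    proto: Optional[str] = None               # None matches any protocol
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    dport: Optional[int] = None

    def matches(self, flow: Flow) -> bool:
        return (flow.iface == self.iface
                and (self.proto is None or flow.proto == self.proto)
                and (self.src is None or flow.src in self.src)
                and (self.dst is None or flow.dst in self.dst)
                and (self.dport is None or flow.dport == self.dport))


def parse_filterlog(text: str) -> List[Flow]:
    """Extract flows from IPv4 filterlog lines; IPv6 lines use other offsets and are skipped."""
    flows = []
    for line in text.splitlines():
        f = line.split(",")
        if len(f) < 20 or f[8] != "4":
            continue
        proto = f[16]
        dport = int(f[21]) if proto in ("tcp", "udp") and len(f) > 21 else None
        flows.append(Flow(f[4], proto, ipaddress.ip_address(f[18]),
                          ipaddress.ip_address(f[19]), dport))
    return flows


# The proposed ruleset on the interface facing the other company: one pass rule
# for the application, then everything else dropped (pfSense's default deny is
# written here as an explicit final block so the model has no implicit behaviour).
PROPOSED_RULES = [
    Rule("pass", THEIR_IF, "tcp", THEIR_SUBNET, ipaddress.ip_network(f"{SERVER_IP}/32"), APP_PORT),
    Rule("block", THEIR_IF),
]


def decide(flow: Flow, rules=PROPOSED_RULES) -> str:
    """First matching rule wins, as pfSense interface rules do; no match means block."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return "block"


def observed_services(flows: List[Flow]) -> Counter:
    """What actually crossed the bridge during the permissive run, by protocol/port."""
    return Counter((f.proto, f.dport) for f in flows)


def replay(flows: List[Flow], rules=PROPOSED_RULES) -> dict:
    """Split observed flows into those the proposed rules would pass and those they would block."""
    verdicts = {"pass": [], "block": []}
    for f in flows:
        verdicts[decide(f, rules)].append(f)
    return verdicts


if __name__ == "__main__":
    flows = parse_filterlog(SAMPLE_LOG)
    for (proto, port), n in observed_services(flows).most_common():
        print(f"seen {n:2d} x {proto}/{port}")
    result = replay(flows)
    for f in result["block"]:
        print(f"would block {f.proto} {f.src} -> {f.dst}:{f.dport}")
    print(f"{len(result['pass'])} flows pass, {len(result['block'])} blocked")
```

On a real capture, feed the script the filterlog lines (Status > System Logs > Firewall, or `/var/log/filter.log`) with the syslog prefix stripped, and compare the "would block" list against what the application actually needs before switching the pass-everything rule for the restrictive set. In the constructed sample the only flows that survive are the two 8443 connections from inside 192.0.2.0/24; the SMB, NetBIOS, mDNS and SSH traffic and the 8443 attempt from outside their subnet are all dropped.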
@jtd said in Connect Two Private LANs from Different Companies Using Netgate 2100:
There's a lot of communications going on I noticed that had nothing to do with the needed application
:)
pfsense is more than pf
A dedicated firewall gives you visibility and monitoring
Well done