Netgate Discussion Forum

    Hosting servers (VM's) behind pfSense

    Firewalling
    5 Posts 2 Posters 1.2k Views

    easy-hostingnz

      Hey all,

      First time posting.

      So, I decided I would go forward with a pfSense firewall while doing a server rebuild.

      We currently use XenServer, but the new build will be on XCP-ng.

      Current setup just uses the firewall that comes with the control panels (Plesk and cPanel) which seem to be sufficient.

      I have spent the last few days trying to just get the networking going on a test network at home, but using the actual server that will go into the data centre. I've only set up pfSense a couple of times, so it turns out (I guess with 2 class C addresses - 192.168.1.x and 192.168.100.x) you need to allow the DNS port in the WAN rules (had this issue with the Wireless setup at home) through to the Gateway for the internet.

      We use pfSense for our Fibre Router and then have the Server plugged in to a Switch. A brief breakdown...

      1. Home Router
      2. Switch
      3. Port one on Server
      4. Port two to a second Switch
      5. Second Switch to port three on Server

      I have now been able to get both Static and DHCP VM's to access the internet and 192.168.100.x VM's to accept connections from 192.168.1.x Computers (so acting as external network). I kept wondering why pinging FQDN's appear to resolve (showed the IP Address) but wasn't receiving a reply... just because DNS traffic was blocked? Then why did it appear to resolve the IP Address in the first place?

      Now, after waffling on about the background... on to the main points.

      I am trying to set up a 1:1 NAT, as we have a few IP Addresses. What I have found is that even with 1:1 NAT, you can either create a rule on WAN and allow all traffic to pass through, set up a rule for each port you need to go through (pretty much like Port Forwarding), or use Port Forwarding.

      If you have to effectively pass through all traffic with a blanket WAN rule, pass traffic per port or Port Forwarding, what then are the advantages of using pfSense? Does it still filter/inspect packets?

      I would also like to have XCP-ng behind pfSense too. Possibly even only accessible locally (so via a VPN connection).

      Any help/feedback on what I need to do would be greatly appreciated. Otherwise, I guess I would just have to set things up like they currently are, with Plesk and cPanel being fully public and relying on their Firewalls.

      SteveITS @easy-hostingnz

        @easy-hostingnz said in Hosting servers (VM's) behind pfSense:

        you need to allow the DNS port in the WAN rules (had this issue with the Wireless setup at home) through to the Gateway for the internet

        Not sure I follow, but the default LAN config is to allow all traffic to any. A rule on WAN would allow inbound on WAN.

        @easy-hostingnz said in Hosting servers (VM's) behind pfSense:

        192.168.100.x VM's to accept connections from 192.168.1.x Computers

        The interface for 192.168.1.x has to allow traffic to 192.168.100.x. Also any firewall on the VM has to allow inbound.

        @easy-hostingnz said in Hosting servers (VM's) behind pfSense:

        pinging FQDN's appear to resolve (showed the IP Address) but wasn't receiving a reply... just because DNS traffic was blocked

        Hmm, pinging uses the ICMP protocol, was that allowed?

        Rules are inbound on the interface. If the two LANs are using private IPs and therefore NAT then one needs to set up NAT port forwarding to direct the packets to the desired destination.

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

        easy-hostingnz @SteveITS

          Hey Steve,

          Thanks for the reply.

          @steveits said in Hosting servers (VM's) behind pfSense:

          Not sure I follow, but the default LAN config is to allow all traffic to any. A rule on WAN would allow inbound on WAN.

          Because the WiFi on my home one is set up as a separate interface, it needed its own set of rules... so I just added them from the easy-add option as they came up in the logs. It's probably messy, but it worked and I never bothered to clean it up. WiFi is on 192.168.2.x.

          The interface for 192.168.1.x has to allow traffic to 192.168.100.x. Also any firewall on the VM has to allow inbound.

          As I am doing it as an External IP (Virtual IP) for the WAN I am trying to limit it as much as possible. I will now try to set it up on the live Server using the extra IP Addresses and just a test VM behind pfSense.

          Hmm, pinging uses the ICMP protocol, was that allowed?

          Rules are inbound on the interface. If the two LANs are using private IPs and therefore NAT then one needs to set up NAT port forwarding to direct the packets to the desired destination.

          Unsure if ICMP was allowed, but outbound traffic started working once I allowed port 53 (DNS). Inbound was fine, once I had the Virtual IP setup.

          I currently have 192.168.1.60 going to 192.168.100.9 and it all appears to be working. I can install packages using dnf now.

          But I would still like to know if there is then any advantage of forwarding all traffic through using a rule or should I go to Port Forwarding?

          Is there still any filtering done with a blanket rule or does it then rely on the Firewall on the VM?

          SteveITS @easy-hostingnz

            @easy-hostingnz said in Hosting servers (VM's) behind pfSense:

            advantage of forwarding all traffic through using a rule or should I go to Port Forwarding

            NAT port forwarding is used to translate the incoming packet to a different IP address (ask for WAN:80, get sent to LANSERVER:80).

            Rules allow traffic. Our data center uses public IPs on its LAN so on the WAN interface we can allow or block traffic to a LAN IP.

            If your LAN (or other internal interface) uses private IPs the Internet can't get to them without NAT forwarding.

            @easy-hostingnz said in Hosting servers (VM's) behind pfSense:

            Is there still any filtering done with a blanket rule or does it then rely on the Firewall on the VM?

            You can set a Source on a NAT rule. Or, you can choose not to have pfSense create a linked firewall rule and create your own firewall rule(s). Otherwise all packets are forwarded through NAT if the source is */any.

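As an added illustration, not pfSense's code or anything posted in this thread, this Python model walks through the order Steve describes: the 1:1 NAT entry translates the destination first (only for the source the entry names), the WAN rules are then matched against the translated address, and a blanket pass rule leaves the VM's own firewall as the only per-port filter. The VIP 192.168.1.60 -> 192.168.100.9 pair comes from the thread; the source network, client addresses and both rulesets are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class OneToOneNat:
    """A pfSense 1:1 NAT entry: external VIP on WAN -> internal host."""
    external: str
    internal: str
    source: str = "0.0.0.0/0"       # the entry's Source field; any by default


@dataclass(frozen=True)
class Rule:
    """A WAN interface rule; pfSense GUI rules are 'quick', so first match wins."""
    action: str                     # "pass" or "block"
    proto: str = "any"              # "tcp", "udp", "icmp" or "any"
    dst: str = "any"                # the internal IP, because rules see post-NAT packets
    ports: frozenset = frozenset()  # empty means any port


def evaluate(nats, rules, src, dst, proto, port):
    """Return (action, destination address the packet is delivered to)."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    # Step 1: 1:1 NAT rewrites the destination, only for sources the entry covers
    for n in nats:
        if dst_ip == ip_address(n.external) and src_ip in ip_network(n.source):
            dst_ip = ip_address(n.internal)
            break
    # Step 2: WAN rules are matched against the translated destination
    for r in rules:
        if r.proto != "any" and r.proto != proto:
            continue
        if r.dst != "any" and ip_address(r.dst) != dst_ip:
            continue
        if r.ports and port not in r.ports:
            continue
        return r.action, str(dst_ip)
    # Step 3: no rule matched, so the implicit default deny on WAN applies
    return "block", str(dst_ip)


# Constructed scenario using the thread's addresses: VIP 192.168.1.60 -> VM 192.168.100.9
NAT_ANY = [OneToOneNat("192.168.1.60", "192.168.100.9")]
NAT_RESTRICTED = [OneToOneNat("192.168.1.60", "192.168.100.9", source="192.168.1.0/24")]
BLANKET = [Rule("pass", dst="192.168.100.9")]                            # "allow all" WAN rule
PER_PORT = [Rule("pass", "tcp", "192.168.100.9", frozenset({80, 443}))]  # one rule per needed port

if __name__ == "__main__":
    for name, rules in (("blanket", BLANKET), ("per-port", PER_PORT)):
        for port in (22, 443):
            print(name, port, evaluate(NAT_ANY, rules, "192.168.1.50", "192.168.1.60", "tcp", port))
```

Running it shows port 22 passing under the blanket rule and being blocked under the per-port set, while a source outside the restricted NAT entry's network is never translated and so never reaches the VM.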
            easy-hostingnz @SteveITS

              @steveits

              Hey Steve,

              Despite having a mixed setup (network setup on the virtualised physical ports and Internal Private Network) on our live server that seems to be working seamlessly, things didn't seem to want to work on the exact same server with test machines.

              LAN seemed to be working on the physical port and the External connection on the Internal Private Network port. It seems like a pretty hatchet job, but it is all working. I tried setting up the LAN on the physical port for the test machine and it didn't like it. So I ended up with the pfSense WAN on the physical port and the LAN on the IPN. Then I switched the network on the test machine from the physical port to the IPN. It now appears to work (logically it should) and I am happy. It has been quite a headache and has set me back an entire week. I was hoping to be dropping the server into the DC about 4 hours ago and confirming everything was working before finalising the swap and turning the other server off.

              I did expect that using the physical port should work, as it's an active connection on the switch. It is however a managed switch, so I am unsure of their setup. But the current LAN connections did seem to work when using the physical port.

              Oh well, I guess don't look a gift horse in the mouth... it works and I will just go with it.

              Just had another thought... maybe openvswitch is installed on the live Server (I think it may have been by default on that version) and not on the new Server.

              But thanks for throwing some ideas out there to help :)
