Detailed description of RIP V2 setup enclosed seeking advice
I'm working on improving a network at a small adult education center. They are working on almost no budget, junk gear and want the moon. I'm doing my best….
I have one perimeter firewall running PF sense to a single PPOE wan provider and NAT is running on that system of course.
I have two other pfsense installations with 3 ethernet interfaces each.
There are 5 network segments total within my design.
I have attached a very simplified VISIO diagram saved as JPG so that you can see what I've cooked up.
I don't have the proper chipsets on my interfaces to support jumbo frames or I'd VLAN. I've done the following:
I unblocked private networks and unblocked bogon networks on the two routers I want to run as 'Pure Routers'.
Then I implemented RIPv2 on all interfaces on all devices except the WAN interface of the perimeter firewall.
I applied a rule on 10.0.0.2 and 10.0.0.3 addresses that says 'Pass any traffic anywhere'.
10.0.0.1 has the standard 'LAN to net' rule applied.
I created ruleset #1~ On the 10.0.1.1/24, 10.0.2.1/24, 10.0.3.1/24, and 10.0.4.1/24 interfaces. This rule permits UDP:520 from anywhere to single host 184.108.40.206 in order to pass RIPv2 Protocol and this works fine. This maybe could use some tightening up.. suggestions would be appreciated.
Second, I wanted to allow PING everywhere.
I wrote my rule #2 to allow ICMP 'any type of ICMP' anywhere. I'm on the fence about that. I'm Thinking ping type of ICMP is sufficient. I'm not sure. This rule works and passes ping traffic everywhere. Applied to:10.0.1.1, 2.1, 3.1, 4.1
We have a bunch of network capable printers around the school.
Rule #3 pass ports 9100,721:731, and one other one (can't remember) from LAN subnet > destination anywhere I packed all the ports into a "printing" alias and then wrote the rule. Applied to:10.0.1.1, 2.1, 3.1, 4.1
I always wrote these types of rules so that the traffic had to originate from the subnet that the interface is on and the ports are scrutinized against the destination portion of the packet. This works. I realized why later.. I'll explain later.
I wanted RDP and VNC to traverse from Faculty sides to any other segment so I wrote a rule next that does that Permits this. I packed the appropriate ports into an alias, applied the ports filtering against the destination side of the packet and applied this rule to 10.0.1.1 and 10.0.3.1.
Finally I wanted the rest of the traffic to only be allowed access to the two subnets belonging to thier respective designations of faculty or student.
I grouped the respective networks into aliases and applied those allow rules last.
Of course the final rule is an implied "deny" so no other traffic is passing.
While playing with this mess I noticed in my states table that I'm seeing non standard ports on the origination side of RDP sessions that I initiate from my client laptop to a host on a remote subnet. I do understand the concept of NAT so it took me like 1 second to realize that NAT was enabled on my Pure Router appliances and I then went to turn it off.
This is where i need help. I'm not sure how to go about turning off the NAT settings so that my Pure Routers are just passing traffic and filtering based on the rulesets I gave them. And will this mess up the way I currently have things configured.. This is my first rodeo on this type of implementation of PfSense and I did buy the book. It only scratched the surface on this. I hadn't found any really detailed documentation on what I'm trying to set up. If anyone knows where I can read up more I'd like to do so.
Additionally if anyone could stomache reading the rest of my explanation above and has made it this far, any other suggestions based on my diagram of ways I could improve this routing/rulesets setup would be appreciated.
I guess when you call them 'pure routers' they are still functioning as firewalls as you still want to block certain traffic between segments?
There is an option under System | Advanced to disable the Firewall which also has the effect of turning off NAT, but you still need the firewall rules so scratch that idea.
How about switching to 'Manual Outbound NAT rule generation' (AON)?
If you don't set up any manual outbound rules and don't create and port forwarding NAT rules then surely you won't have any NAT?
It's worth a try if you haven't tried it already.
Thanks, I'll try that. I have been playing with this config in a lab scenario for about 2 weeks. It took me awhile to figure out what it would take to permit RIPv2 traffic. Once I got that throught my thick head, the rules were pretty easy. If all that is required to turn off NAT is setting the device to AON that's great. I was obviously over thinking the situation. I assumed it would be more complicated than that. Thanks for the input.
it might auto-gwnerate some manual NAT rules so make sure you delete those if they appear.
Thanks, I'll have a chance to test later this week. In the interim, I was thinking that it's a little surprising that no one else has done this sort of thing with PfSense in the past. Even the most basic CISCO 2500 series can filter by IP and TCP rules. I'll post back as to whether or not I was successful.