Netgate Discussion Forum
    Firewall question

    Firewalling
    vburshteyn:

      Hi folks,
      I know this is a stupid setup, but I have no choice at the moment.
      I have my pfSense, which for now will run only as a proxy/web filter, behind a Cisco ASA.

      Since the ASA is the front firewall, and to let all the traffic through, is all I need two rules that basically go like this:

      lan * * * *
      wan * * * *

      I might not have put enough stars in there, but you get the general idea?

      The reason I am asking is that with this setup I can reach out and ping our remote office, yet they can't ping our side.

      GruensFroeschli:

        Do you have a routable subnet behind the pfSense?
        Do all the other relevant routers have static/dynamic routes pointing to the pfSense for this subnet?

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        vburshteyn:

          OK, to go into more detail:

          From outside:
          ASA -> pfSense acting as proxy -> Catalyst switch

          pfSense is replacing a Blue Coat device (which was horrendous).

          I can reach the web and the remote office network without any problems. The issue is that they can't get to us, or I should say they can get to the ASA, but that's it.

          I have the rules I mentioned above in place, thinking that if both LAN and WAN are totally open they should let everything through.

          I also ran some tests, as in:
          I remove the LAN rule and I can't reach the outside world. I am just wondering why the same does not apply for the WAN side.

          Jahntassa:

            @vburshteyn:

            I remove the LAN rule and I can't reach the outside world. I am just wondering why the same does not apply for the WAN side.

            Quite simply: NAT.

            By default there is a NAT rule forwarding traffic from the LAN to the WAN. There is no such thing in reverse.

            I believe if you want to set up pfSense as a 'transparent' filtering proxy, you need to create two internal networks and 'bridge' them, disregarding the WAN entirely. Hopefully someone will have experience in doing so and chime in.

            GruensFroeschli:

              There doesn't have to be inbound NAT.
              As long as the firewall on the WAN allows traffic destined for the LAN subnet, it will work.
              NAT is just the reason why it works outbound. You don't need inbound NAT.

              You have to create on the ASA a static route pointing to the pfSense for the LAN subnet behind the pfSense.

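              The setup the last two replies describe, written out as an added example (this is not configuration from the thread or from Netgate, and every address in it is an assumption chosen for illustration): the ASA gets a static route for the subnet behind pfSense, pfSense gets a WAN rule that passes traffic to that subnet, and no inbound NAT is configured. The pf syntax shown is an approximation of what the pfSense GUI rule "WAN, pass, source any, destination LAN net" loads; `em0` as the WAN interface name is likewise assumed.

              ```text
              ! ---- Cisco ASA side (assumed addressing) ----
              ! ASA inside interface : 192.168.1.1/24
              ! pfSense WAN          : 192.168.1.2/24  (sits on the ASA's inside segment)
              ! pfSense LAN          : 192.168.10.0/24 (the subnet behind pfSense)
              !
              ! Without this route the ASA has no idea where 192.168.10.0/24 lives,
              ! so remote-office traffic stops at the ASA exactly as the thread describes.
              route inside 192.168.10.0 255.255.255.0 192.168.1.2
              !
              ! Check that the route is installed:
              show route | include 192.168.10.0

              # ---- pfSense side, WAN rules in pf syntax (approximation of the GUI rule) ----
              # Firewall > Rules > WAN: pass, protocol any, source any, destination LAN net
              pass in quick on em0 inet from any to 192.168.10.0/24 keep state
              #
              # The default outbound NAT only rewrites connections that start on the LAN
              # and leave via WAN; a connection that arrives on WAN and is passed by the
              # rule above creates a state, and the replies from the LAN host follow
              # that state back out untranslated. No inbound NAT is needed.
              #
              # Check that the rule loaded and that states are being created for it:
              pfctl -sr | grep 192.168.10.0
              pfctl -ss | grep 192.168.10
              ```

              One caveat worth checking before blaming pfSense: if the remote office reaches the ASA over a site-to-site tunnel, the tunnel's interesting-traffic ACL (and any NAT exemption) on the ASA must also include 192.168.10.0/24, otherwise the ASA will route the packets to pfSense but the return traffic, or the initial traffic from the far side, will never enter the tunnel. That point is a general ASA behaviour, not something the thread states.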
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.