PfSense questions with MS ISA server
-
I have been building out a network with pfSense as my front lines. I've had different errors here and there and have been trying to change things around and get everything working, but my knowledge of routing and TCP is not as vast as I would like it to be and I've run into problems. Has anyone put pfSense in front of ISA and had luck? Here's my current setup:
Internet -> pfSense -> ISA (VM on ESX server) -> Internal network
Previously I had it configured as this
pfSense : WAN 192.168.0.1
pfSense : LAN 192.168.0.254
LAN -> Bridged to WAN + Filtering Bridge
pfSense : DNS servers (tried one internal and one external DNS server)
pfSense : Gateway 10.0.1.1 (also tried my ISP's gateway)
ISA : WAN XXX.XXX.XXX.XXX (external IP, from ISP)
ISA : LAN 10.0.1.1
I had configured an additional "external" NIC on ISA and gave it an address of 192.168.0.10. In this configuration I could access pfSense via 192.168.0.1 and manage the box etc., yet pfSense could not access the internet for Snort updates, package adds etc.
One issue I had (aside from no internet connectivity on pfSense) was PPTP VPN clients would fail to connect; they'd reach ISA and fail with NOT TCP SYN PACKET.
I then decided to change over the pfSense IP scheme to match my internal "prod" network to ease troubleshooting.
Now pfSense has WAN as 10.0.1.8 and LAN as 10.0.1.9.
I've removed the additional "external" NIC from ISA so the scheme is now:
pfSense : WAN 10.0.1.8
pfSense : LAN 10.0.1.9
pfSense : Gateway (tried both 10.0.1.1 and ISP's gateway)
pfSense : DNS (likewise)
ISA : WAN XXX.XXX.XXX.XXX (external IP)
ISA : LAN 10.0.1.1
I can no longer access the pfSense management webpage. I have built a new VM with an external adapter and a 10.0.1.7 IP and I can access the management page, but if I give the ISA box its second external adapter and give it a private IP, it screws the routing up on my box and no clients can access the internet behind ISA.
The problem I'm seeing now is FTP and SMTP no longer work coming into my network. In the tinkering steps, I've seen where first SMTP connections did reach my ISA server through pfSense (I have a rule set up of course in pfSense and ISA), but when they did I would get TCP NOT SYN PACKET and it would fail. I rebooted pfSense for the heck of it; now I see when the connection into 25 comes in via pfSense, but never see anything come across ISA's connection/logs. Also I now see where FTP traffic comes in via pfSense, hits ISA, but ISA is dropping the connection as bad traffic.
Has anyone had experience with this? Or have any assistance they can offer up?
I'll be more than happy to give more details.
Thanks!
-
Did you tell pfSense that it has a WAN on a private network?
If not, then pfSense will drop all traffic to or from the WAN port.
10.0.0.0 255.0.0.0
192.168.0.0 255.255.0.0
172.16.0.0 255.255.0.0
are not allowed to get on the internet,
so a good firewall like pfSense will drop these IPs on the WAN side,
but you can tell pfSense on the WAN interface to not do that.
-
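To make the reply's point concrete, here is an illustrative pf ruleset of the kind pfSense builds when "Block private networks" is enabled on WAN. This is an added example, not pfSense's generated ruleset or anything from the poster; the interface name is assumed.

```pf
# Illustrative pf rules modelled on pfSense's "Block private networks" WAN option.
# Assumed interface name; not pfSense's own generated ruleset.
wan_if = "em0"

# RFC 1918 space: 10/8, 172.16/12 and 192.168/16.
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# With the option enabled, anything arriving on WAN from a private source is
# dropped before any user rule runs ("quick" ends rule evaluation). In every
# setup described in this thread the upstream side of pfSense is itself private
# (192.168.0.x, then 10.0.1.x, then 10.0.0.x), so all inbound packets on WAN,
# including replies to pfSense's own update traffic, would match this rule.
block in log quick on $wan_if from <rfc1918> to any

# Replies to connections pfSense initiates itself (Snort updates, packages)
# only get back in if the rule above is absent or the WAN peer is not private.
pass out on $wan_if proto { tcp udp } from ($wan_if) to any keep state
```

Disabling the option removes the block rule so the pass rule's state entries can match the returning traffic.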
Per the transparent firewall doc, and per my set up, I do not have block private networks enabled.
I've reverted my pfSense IPs from the same subnet as my private internal network behind ISA. Here's the current traffic path; I'm assuming this may be more of an ISA issue and I'll have to look elsewhere =/
[Cablemodem] --------> [10.0.0.1 pfSense WAN] = [10.0.0.2 pfSense LAN] --------> [64.176.xxx.xxx public IP ISA] = [10.0.1.1] --------> internal network (10.0.1.0/24 subnet)
I guess my question would be, how can I configure pfSense to route its own internet access directly out, rather than having to go into ISA and back out... i.e.
Current default gateway on pfSense WAN is 10.0.1.1, the internal adapter/address on my ISA server, so traffic has to go into ISA and be routed back out through ISA for pfSense to get internet. As well, the DNS servers (per the doc) are my internal DNS servers, thus it tries to go into my network through ISA and back out to pfSense.
I've tried setting the default gateway to my public IP's gateway that I get on the public address of my ISA box, same with the DNS servers, but of course it fails as the adapters are IPed with a 10.0.0.0/24 subnet.
Again, I'm pretty new to routing and the like, so maybe what I'm wanting to do isn't possible how I'm trying to do it; I just basically want to get pfSense to have internet access without having to go into my private network, then back out.