Netgate Discussion Forum
    How to replace shorewall with pfSense with 3 NICs?

    General pfSense Questions
    1 Posts 1 Posters 2.6k Views

    zenny

      I am so far using shorewall with 3 NICs (net or WAN, loc or LAN, and dmz or OPT1) in two locations. I am thinking of migrating to pfSense with a site-to-site VPN tunnel with advanced threat detection for the services behind pfSense. I found some tutorials on pfSense site-to-site OpenVPN and IPsec tunneling with WAN and LAN, but not with the third OPT1, or say dmz, that connects to web services.

      My scheme is:

      Public IPs provided by ISP in two locations --> WAN
      Private IPs --> LAN and OPT1 (behind NAT)

      LAN and OPT1 pass through the WAN interface behind NAT, while site-to-site tunneling between the two WANs makes the services appear to be in the same subnet.

      So far I have checked the following official documentation:
      http://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_%28Shared_Key,_2.0%29
      http://www.youtube.com/watch?v=bhfNbQ_bzu4
      http://doc.pfsense.org/index.php/VPN_Capability_IPsec
      http://serverfault.com/questions/495248/ipsec-site-to-site-tunnel-config

      I would appreciate it if experts here could share their advice on best practices for a three-interface pfSense with OpenVPN/IPsec. I tend to be a bit exhausted with the web GUIs rather than command lines, so please share screenshots if possible. Thanks in advance!

      My current shorewall rules configuration looks as follows:

      #ACTION         SOURCE  DEST                    PROTO   DEST    SOURCE  ORIGINAL        RATE    USER/   MARK
      #                                                       PORT    PORT(S) DEST            LIMIT   GROUP
      #
      # Accept DNS connections from the firewall to the Internet
      DNS(ACCEPT)     $FW     net
      #
      # Accept SSH connections from the local network to the firewall and DMZ
      SSH(ACCEPT)     loc     $FW
      SSH(ACCEPT)     loc     dmz
      #
      # DMZ DNS access to the Internet
      DNS(ACCEPT)     dmz     net
      DNS(ACCEPT)     all     dmz
      #
      # Drop Ping from the "bad" net zone.
      Ping(DROP)      net     $FW
      #
      # Make ping work bi-directionally between the dmz, net, Firewall and local zone
      # (assumes that the loc-> net policy is ACCEPT).
      Ping(ACCEPT)    loc     $FW
      Ping(ACCEPT)    dmz     $FW
      Ping(ACCEPT)    loc     dmz
      Ping(ACCEPT)    dmz     loc
      Ping(ACCEPT)    dmz     net

      ACCEPT          $FW     net                     icmp
      ACCEPT          $FW     loc                     icmp
      ACCEPT          $FW     dmz                     icmp

      #ACCEPT         net     $FW                     udp     3478,4569,5060:5088,10001:20000
      ACCEPT          net     $FW                     tcp     10000
      ACCEPT          loc     dmz                     udp     4569
      #
      # Uncomment this if using Proxy ARP and static NAT and you want to allow ping from
      # the net zone to the dmz and loc
      #Ping(ACCEPT)   net     dmz
      #Ping(ACCEPT)   net     loc
      #
      # Accept ssh connection to the firewall machine from outside the network
      # i.e. from internet
      SSH/ACCEPT      net     $FW
      #SSH/ACCEPT     $FW     dmz
      #
      # Accept the connection from the net to the trixbox voip server
      DNAT            net     dmz:192.168.1.250       udp     5000:5100
      DNAT            net     dmz:192.168.1.250       udp     10001:20000
      #DNAT           net     dmz:192.168.1.250       udp     1720
      DNAT            net     dmz:192.168.1.250       udp     3478
      #DNAT           net     dmz:192.168.1.250       udp     3478:3479
      DNAT            net     dmz:192.168.1.250       udp     4569
      DNAT            net     dmz:192.168.1.250       tcp     25
      DNAT            net     dmz:192.168.1.250       tcp     110
      DNAT            net     dmz:192.168.1.250:7000  tcp     7000
      # Following ports are DNATted to allow the http/s connections to dmz machines
      DNAT            net     dmz:192.168.1.250:80    tcp     8080
      DNAT            net     dmz:192.168.1.250:81    tcp     8081
      DNAT            net     dmz:192.168.1.250:443   tcp     8443
      DNAT            net     dmz:192.168.1.250:22    tcp     33022
      DNAT            loc     dmz:192.168.1.250       udp     4569

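As an added example for this thread (not code from the post, from Shorewall or from pfSense): a small Python translator that maps a handful of the rules above onto pfSense-style entries, assuming the zone mapping net->WAN, loc->LAN, dmz->OPT1 and the macros' default ports, and flagging every entry that admits traffic on the WAN side so it can be reviewed during the migration.

```python
"""Map a subset of Shorewall 'rules' entries onto pfSense-style rules to review a
3-interface migration (net->WAN, loc->LAN, dmz->OPT1).

Added example written for this thread; it is not Shorewall or pfSense code.
Assumptions: the zone->interface map, the macro->port table and the sample rules
below (constructed from the post's rule set; not a complete translator)."""
import re

ZONE_TO_IFACE = {"net": "WAN", "loc": "LAN", "dmz": "OPT1", "$FW": "This Firewall"}
# Default ports of the Shorewall macros used in the post (assumed values)
MACRO_PORTS = {"SSH": ("tcp", "22"), "DNS": ("udp+tcp", "53"), "Ping": ("icmp", "")}

# Constructed sample: a few lines in the post's rules-file format
SAMPLE_RULES = """
#ACTION         SOURCE  DEST                    PROTO   DPORT
SSH(ACCEPT)     loc     dmz
Ping(DROP)      net     $FW
SSH/ACCEPT      net     $FW
DNAT            net     dmz:192.168.1.250       udp     4569
DNAT            net     dmz:192.168.1.250:80    tcp     8080
"""

def parse_rule(line):
    """Return (action, source, dest, proto, dport); expand SSH(ACCEPT) / SSH/ACCEPT macros."""
    fields = line.split()
    action, src, dst = fields[:3]
    proto = fields[3] if len(fields) > 3 else ""
    dport = fields[4] if len(fields) > 4 else ""
    macro = re.match(r"^(\w+)(?:\((\w+)\)|/(\w+))$", action)
    if macro:
        action = macro.group(2) or macro.group(3)
        proto, dport = MACRO_PORTS[macro.group(1)]
    return action, src, dst, proto, dport

def translate(line):
    """One Shorewall rule -> pfSense rule description (pfSense rules bind to the ingress interface)."""
    action, src, dst, proto, dport = parse_rule(line)
    rule = {"interface": ZONE_TO_IFACE[src], "proto": proto, "dst_port": dport}
    if action == "DNAT":  # dest is zone:ip[:port]; a missing port means same as dport
        zone, ip, *port = dst.split(":")
        rule.update(type="port-forward", target=f"{ip}:{port[0] if port else dport}",
                    target_iface=ZONE_TO_IFACE[zone])
    else:
        rule.update(type="pass" if action == "ACCEPT" else "block", dest=ZONE_TO_IFACE[dst])
    # Anything admitted from the 'net' zone lands on the WAN tab and deserves a second look
    rule["wan_exposed"] = src == "net" and rule["type"] != "block"
    return rule

def review(text):
    """Translate every non-comment line; return (rules, number of WAN-exposed entries)."""
    rules = [translate(l) for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    return rules, sum(r["wan_exposed"] for r in rules)

if __name__ == "__main__":
    for r in review(SAMPLE_RULES)[0]:
        print(r)
```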
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.