How to replace shorewall with pfSense with 3 NICs?
I am so far using Shorewall with 3 NICs (net or WAN, loc or LAN, and dmz or OPT1) in two locations. I am thinking of migrating to pfSense with a site-to-site VPN tunnel and advanced threat detection for the services behind pfSense. I found some tutorials on pfSense site-to-site OpenVPN and IPsec tunneling with WAN and LAN, but not with the third interface, OPT1 (or say dmz), that connects to the web services.
My scheme is:
Public IPs provided by ISP in two locations --> WAN
Private IPs --> LAN and OPT1 (behind NAT)
LAN and OPT1 pass through the WAN interface behind NAT, while the site-to-site tunnel runs between the two WANs so that the services appear to be in the same subnet.
So far I checked the following official documentations:
http://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_%28Shared_Key,_2.0%29
http://www.youtube.com/watch?v=bhfNbQ_bzu4
http://doc.pfsense.org/index.php/VPN_Capability_IPsec
http://serverfault.com/questions/495248/ipsec-site-to-site-tunnel-config
I would appreciate it if the experts here could share their advice on best practices for a three-interface pfSense with OpenVPN/IPsec. I tend to get a bit exhausted with web GUIs rather than command lines, so please share screenshots if possible. Thanks in advance!
My current Shorewall rules configuration looks as follows:
#ACTION         SOURCE  DEST                    PROTO   DEST            SOURCE  ORIGINAL  RATE   USER/  MARK
#                                                       PORT            PORT(S) DEST      LIMIT  GROUP
# Accept DNS connections from the firewall to the Internet
DNS(ACCEPT)     $FW     net
# Accept SSH connections from the local network to the firewall and DMZ
SSH(ACCEPT)     loc     $FW
SSH(ACCEPT)     loc     dmz
# DMZ DNS access to the Internet
DNS(ACCEPT)     dmz     net
DNS(ACCEPT)     all     dmz
# Drop Ping from the "bad" net zone.
Ping(DROP)      net     $FW
# Make ping work bi-directionally between the dmz, net, Firewall and local zone
# (assumes that the loc-> net policy is ACCEPT).
Ping(ACCEPT)    loc     $FW
Ping(ACCEPT)    dmz     $FW
Ping(ACCEPT)    loc     dmz
Ping(ACCEPT)    dmz     loc
Ping(ACCEPT)    dmz     net
ACCEPT          $FW     net                     icmp
ACCEPT          $FW     loc                     icmp
ACCEPT          $FW     dmz                     icmp
#ACCEPT         net     $FW                     udp     3478,4569,5060:5088,10001:20000
ACCEPT          net     $FW                     tcp     10000
ACCEPT          loc     dmz                     udp     4569
# Uncomment this if using Proxy ARP and static NAT and you want to allow ping from
# the net zone to the dmz and loc
#Ping(ACCEPT)   net     dmz
#Ping(ACCEPT)   net     loc
# Accept ssh connection to the firewall machine from outside the network
# i.e. from internet
SSH/ACCEPT      net     $FW
#SSH/ACCEPT     $FW     dmz
# Accept the connection from the net to the trixbox voip server
DNAT            net     dmz:192.168.1.250       udp     5000:5100
DNAT            net     dmz:192.168.1.250       udp     10001:20000
#DNAT           net     dmz:192.168.1.250       udp     1720
DNAT            net     dmz:192.168.1.250       udp     3478
#DNAT           net     dmz:192.168.1.250       udp     3478:3479
DNAT            net     dmz:192.168.1.250       udp     4569
DNAT            net     dmz:192.168.1.250       tcp     25
DNAT            net     dmz:192.168.1.250       tcp     110
DNAT            net     dmz:192.168.1.250:7000  tcp     7000
# Following ports are DNATted to allow the http/s connections to dmz machines
DNAT            net     dmz:192.168.1.250:80    tcp     8080
DNAT            net     dmz:192.168.1.250:81    tcp     8081
DNAT            net     dmz:192.168.1.250:443   tcp     8443
DNAT            net     dmz:192.168.1.250:22    tcp     33022
DNAT            loc     dmz:192.168.1.250       udp     4569
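Added example (editor's code, not part of the original post and not Shorewall or pfSense code): a small Python script that parses a Shorewall rules file of the kind shown above and emits the pfSense entries each line corresponds to, so the migration can be planned from a table rather than rule by rule in the GUI. DNAT lines become Firewall > NAT > Port Forward entries; everything else becomes a Firewall > Rules entry on the interface where the traffic enters, which is how pfSense evaluates rules. The zone-to-interface mapping (net to WAN, loc to LAN, dmz to OPT1) is an assumption taken from the post, and the rule text embedded in the script is a constructed subset of the post's rules.

```python
"""Translate Shorewall /etc/shorewall/rules lines into pfSense-style entries.

Added example for planning a Shorewall -> pfSense (WAN/LAN/OPT1) migration.
Assumptions: zone mapping net->WAN, loc->LAN, dmz->OPT1 (taken from the post);
SAMPLE_RULES is a constructed subset of the post's rules, not a live config.
"""
import re

# Shorewall zone -> pfSense interface / rule tab (assumption from the post).
# Rules sourced from $FW are the box's own outbound traffic, which pfSense
# allows by default; a floating rule is only needed to restrict it.
ZONE_TO_IFACE = {"net": "WAN", "loc": "LAN", "dmz": "OPT1", "$FW": "Floating (out)"}

# What the Shorewall macros expand to (tcp/udp port or pfSense ICMP type name).
MACRO_PORTS = {
    "SSH": [("tcp", "22")],
    "DNS": [("tcp", "53"), ("udp", "53")],
    "Ping": [("icmp", "echoreq")],
}
ACTION_MAP = {"ACCEPT": "pass", "DROP": "block", "REJECT": "reject"}

# Matches 'ACCEPT', 'SSH(ACCEPT)' and the older 'SSH/ACCEPT' macro form.
ACTION_RE = re.compile(r"^(?P<a>\w+)(?:\((?P<m1>\w+)\)|/(?P<m2>\w+))?$")

SAMPLE_RULES = """\
#ACTION      SOURCE  DEST                    PROTO  DEST PORT(S)
DNS(ACCEPT)  $FW     net
SSH(ACCEPT)  loc     dmz
Ping(DROP)   net     $FW
ACCEPT       net     $FW                     tcp    10000
#ACCEPT      net     $FW                     udp    3478,4569
DNAT         net     dmz:192.168.1.250       udp    5000:5100
DNAT         net     dmz:192.168.1.250       tcp    25
DNAT         net     dmz:192.168.1.250:80    tcp    8080
DNAT         net     dmz:192.168.1.250:22    tcp    33022
DNAT         loc     dmz:192.168.1.250       udp    4569
"""


def port_range(spec):
    """'5000:5100' -> (5000, 5100); '25' -> (25, 25). One port/range per forward."""
    if "," in spec:
        raise ValueError("port lists need one port forward per port/range: %r" % spec)
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)


def parse_rules(text):
    """Parse rule lines into dicts; comments and the column header are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        m = ACTION_RE.match(fields[0])
        if not m:
            raise ValueError("unparseable ACTION column: %r" % fields[0])
        macro = m.group("a") if (m.group("m1") or m.group("m2")) else None
        action = m.group("m1") or m.group("m2") or m.group("a")
        # DEST is 'zone', 'zone:ip' or 'zone:ip:newport' (DNAT target).
        dzone, _, rest = fields[2].partition(":")
        dip, _, new_port = rest.partition(":")
        rules.append({
            "action": action, "macro": macro, "src": fields[1],
            "dest_zone": dzone, "dest_ip": dip or None, "new_port": new_port or None,
            "proto": fields[3] if len(fields) > 3 else None,
            "dport": fields[4] if len(fields) > 4 else None,
        })
    return rules


def to_pfsense(rules):
    """Map parsed rules onto pfSense port forwards and per-interface rules."""
    out = []
    for r in rules:
        iface = ZONE_TO_IFACE[r["src"]]
        if r["action"] == "DNAT":
            lo, hi = port_range(r["dport"])
            # Without an explicit target port Shorewall keeps the original one;
            # pfSense maps a range onto a range starting at the target port.
            tlo = int(r["new_port"]) if r["new_port"] else lo
            out.append({"kind": "port_forward", "interface": iface, "proto": r["proto"],
                        "dst_port": (lo, hi), "target_ip": r["dest_ip"],
                        "target_port": (tlo, tlo + (hi - lo))})
            continue
        dest = ("This Firewall (self)" if r["dest_zone"] == "$FW"
                else ZONE_TO_IFACE[r["dest_zone"]] + " net")
        services = MACRO_PORTS[r["macro"]] if r["macro"] else [(r["proto"], r["dport"])]
        for proto, port in services:
            out.append({"kind": "rule", "interface": iface, "action": ACTION_MAP[r["action"]],
                        "proto": proto, "dest": dest, "dst_port": port})
    return out


if __name__ == "__main__":
    for entry in to_pfsense(parse_rules(SAMPLE_RULES)):
        print(entry)
```

The output is a checklist, not a config.xml: each `port_forward` is one entry on the WAN (or LAN) NAT tab with the associated filter rule, and each `rule` goes on the tab of the interface the traffic enters. For the site-to-site part that the post asks about, the remote site's OPT1 subnet has to be listed as a remote network on the tunnel (the OpenVPN "Remote Network(s)" field, or its own IPsec phase 2) and allowed on the OpenVPN or IPsec rules tab, otherwise only the LAN subnets reach each other.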