How do I do this?
-
OK, I am setting up a firewall/VPN using an old Celeron machine and a few NICs. Now, my question is, what is the best way to go about this:
I have 1 DSL Ethernet coming in (RED, I'm guessing) and two networks; for simplicity we will call them net1 and net2. Basically, I want to share the DSL and a large networked printer across both net1 and net2. net2 is just workstations, while net1 is a few workstations and a server or two. I do not want net2 accessing machines on net1, nor does net1 need access to net2, but both need to share the printer and Internet connection. The Internet will most likely have static addresses, but could end up with dynamic. I also want to throttle the bandwidth so that net1 will take priority over net2. There will also be a VPN, possibly a VPN to each of net1 and net2, but I don't think that's possible. What is the best, easiest, and most secure way to do this? Thanks in advance
-
Access restrictions / allowing the printer: this is based on how you set up your rules. No problem with pfSense.
Sharing Internet to multiple interfaces/subnets: no problem with pfSense (you might need Advanced outbound NAT).
VPN: you can use OpenVPN, but then you cannot set up firewall rules, so an OpenVPN client will have access to everything. But you could restrict communication with rules on the way back, so a request gets into your network but the answer does not get back to the client.
With IPsec you can set up rules on the interface. But if you have multiple servers running (for different clients), then all will use the same rule set.
So VPN is possible, with restrictions.
Traffic shaping is possible between 2 interfaces ATM, not multiple.
You might be interested in this bounty (if it's still active):
http://forum.pfsense.org/index.php/topic,2718.0.html
-
OK, this is good, finally a distro that does this stuff. Now, I have 3 interfaces: WAN, LAN, and OPT1. I want both LAN and OPT1 to access WAN, but not LAN and OPT1 to access each other. There will also be a printer, on either LAN or OPT1, but this must be able to be shared across OPT1 and LAN. I will be setting the static IP for WAN on this router, but I want servers on LAN to be able to hold static IP addresses so they can be directly accessed from the net. The question now is, how do I specifically set all this up to do this? I've tried the docs; I'm more confused by them than helped. Thanks
-
OK, so where do you get stuck?
Rules on the interfaces are always seen as entering traffic.
Basically, on WAN tab don't allow incoming traffic.
On LAN tab permit traffic from LAN subnet to WAN and finally
on OPT1 tab allow subnet traffic to WAN and your network printer on LAN.
Assigning the network printer a static IP or giving it a fixed DHCP entry will help with the access rule. ;)
-
But, if I block incoming traffic, how will my servers work? I'm guessing I have to put my servers before my router... unless there's a way to forward the static IP from my modem to the servers on LAN1?
-
If you have multiple static public IPs, you can create a virtual IP for every public IP you have on your WAN interface and 1:1 NAT this virtual IP to your server.
If you have only one public IP, just NAT them normally (on your normal WAN).
-
If you have servers that need to be accessed from WAN, it is best practice to move them to a DMZ, which means another interface, or at least a virtual one if your switch supports VLANs.
Depending on how secure your LAN1 and LAN2 have to be, it might be necessary to put the network printer in a DMZ as well, or into a separate DMZ2. VLANs, if supported, might help here as well.
But that depends on your network and the ability to change the printer's IP and the users' settings. The latter can be done by logon scripts or policies if you already use them.
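As an added illustration (not from any poster in this thread), here is the per-interface rule layout described above, plus the single-IP port forward and the 1:1 NAT alternative, written as the pf ruleset that pfSense generates behind its GUI. Interface names, subnets, the printer and server addresses, and the second public IP are all assumed placeholder values.

```pf
# Constructed example: pf.conf sketch of the LAN / OPT1 isolation policy.
# Interface names, subnets and addresses below are assumptions.
wan   = "em0"
lan   = "em1"
opt1  = "em2"
lan_net  = "192.168.1.0/24"
opt1_net = "192.168.2.0/24"
printer  = "192.168.1.10"     # printer on LAN, fixed address or static DHCP lease
web_srv  = "192.168.1.20"     # server on LAN that must be reachable from the Internet
pub_ip2  = "203.0.113.2"      # a second public IP (virtual IP on WAN) for 1:1 NAT

set skip on lo0
scrub in all

# --- Translation rules (must come before filter rules in this pf dialect) ---
# Share one Internet connection with both subnets; ($wan) tracks the
# interface address, so this keeps working if the WAN IP becomes dynamic.
nat on $wan from { $lan_net, $opt1_net } to any -> ($wan)
# Only one public IP: port-forward a single service to the LAN server.
rdr on $wan proto tcp from any to ($wan) port 443 -> $web_srv port 443
# Extra public IP available: map it 1:1 to the server instead of rdr.
binat on $wan from $web_srv to any -> $pub_ip2

# --- Filter rules: each rule matches traffic ENTERING the named interface ---
block in log all                      # default deny on every interface

# WAN: admit only what the translation rules above forwarded.
pass in quick on $wan proto tcp from any to $web_srv port 443 keep state

# LAN: Internet yes, OPT1 no (the block must precede the broad pass).
block in quick on $lan from $lan_net to $opt1_net
pass  in quick on $lan from $lan_net to any keep state

# OPT1: the printer on LAN, then Internet, never the rest of LAN.
pass  in quick on $opt1 proto tcp from $opt1_net to $printer port { 515, 631, 9100 } keep state
block in quick on $opt1 from $opt1_net to $lan_net
pass  in quick on $opt1 from $opt1_net to any keep state

# Replies ride on the state entries; outbound is otherwise unrestricted.
pass out quick all keep state
```

Check the syntax with `pfctl -nf /path/to/pf.conf` before loading it; the printer port list (LPD, IPP, raw JetDirect) is an assumption and should be trimmed to whatever the printer actually uses.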