My network confuses me.
-
Here is my simple setup.
ISP to Wireless router to pfsense box.
My question is:
If my desktop PC is the only thing connected to pfSense, why does the pfSense box affect other PCs in the house that are connected to the wireless router, which to me are totally separated (or maybe they are not)? For instance, when I set up the IP guard thing, my desktop was fine but everything that was wireless lost connection. Does pfSense firewalling and things like that have the power to firewall things that are not getting an IP from it? I found it to be strange. Maybe someone can clear up my ignorance. Thank you.
-
Who is your ISP?
I ask, because ideally you will want to go ISP > Modem (not router or wireless anything) > pfSense WAN port > Switch plugged into pfSense LAN port > Computers plugged into switch.
For wireless, get a wireless AP and plug that into the switch. Make sure it's in AP mode or you will end up with DHCP issues.
As far as your setup now, if your wireless ISP router is on 192.168.1.1 and you also assigned the pfSense LAN interface as 192.168.1.1, you can get issues.
Even if you reassign the pfSense LAN to a new, better unused range like 10.23.45.1, you are still having 2 layers of NAT, which makes things work not so well.
-
It's Verizon, you know, the Actiontec routers that are so easy to get into. Well, that's according to a Black Hat conference talk that I watched. I kind of believe them. I watched them exploit the same exact router that I had and they were able to use Metasploit to set up a shell, and then magically they got the user name/password for the router, which was very basic because I think the password was "password". Now every router is shipped with a default unique password. Anyways, he went into the Actiontec configurator using BackTrack + Metasploit, got the password and logged in to the router. I was like OMG. He then goes to the remote settings and sets himself up with telnet. You can guess where it went from there. He was just trying to prove a point.
Anyways, my Verizon is on the basic router IP of 192.168.x.x etc. and pfSense is on the 10.0.x.x route. So connectivity is not a problem really. However, I do fear that some things can slip through. For instance, I'll see a connection like this: 192.168.1.3 to 10.0.x.x to 94.xx.xx.xx:3544, which is Teredo tunneling according to SpeedGuide. So whatever it is, if it's blocked on my pfSense router, which is on the 10.0.x.x range, it seems like they can get through by using Teredo port 3544. Strangely enough, I notice Microsoft IPs doing this more than anything. Since it's internal network traffic, it's just letting it through even if I block the port on the pfSense side. If I block it on the Verizon side, everything seems to be okay. I still have an overwhelming amount of information to learn.
My main plan is to eventually have all of our computers running with pfSense. I just need to get a wireless card.
One other question. With my network set up this way through no control of my own (I don't think they will let me use just a modem), am I vulnerable like this? Having the router from my ISP and pfSense getting its internet from it. Would shutting off the firewall on the main router fix things? Or is it the fact that it's routing that is the problem? I am doing Network+ and Security+ training, so perhaps that will turn on a light in this very dark tunnel that I have chosen to go down. After I get certified in both of those, I will then buy the pfSense book, because right now I am not at the level where I would understand it. Are there any tricks that I can do to this Actiontec MI424WR router to ease the situation? Thank you for any assistance.
-
Hmmm - lots of topics.
Well, for Teredo to make it past your pfSense router, you would have to turn on the UPnP feature of pfSense, and if you are going for absolute security here, you would not use UPnP. Teredo can't just magically create a tunnel through your firewall; it has to set up a port forward rule, so if you leave off UPnP, that's one problem solved.
Next is your ports. If you have no port forwards set up on your WAN, pfSense defaults to "go away, nobody home" mode as far as intruders are concerned. So, ports closed, and it drops the packets of any port scan.
As far as your Actioncrap modem goes, you can put that into MoCA-modem-only mode. It will grab an IP from your ONT and drop it out on LAN port 1. From there you would go into your pfSense WAN port, and the IP you will pick up will be the public IP from Verizon, not 192.168.1.1 or some other private IP. At this point you wouldn't be behind any NAT other than your pfSense.
The downside of this is that your STBs will cease to function. You will have better internet and a better router, but no TV through Verizon.
You can also call Verizon and have them run CAT5 Ethernet directly from the ONT, which is in theory capable of Gigabit Internet. Of course you will still only get whatever speed you are signed up for. The big advantage of coming straight off the ONT box into your pfSense is much lower latency. MoCA coax introduces lots of latency even when compared to a normal cable internet drop. Like 10ms-20ms, and up to 50ms-80ms if you are saturating the MoCA drop with lots of bandwidth usage.
Not sure what you use Verizon for, so I can't say what's in your interest.
-
"Next is your ports. If you have no port forwards set up on your WAN pfsense defaults to "go away no body home mode" as far as intruders are concerned. So, ports closed and drops packets of any port scan."
So this applies to my current situation? I like your idea about the ONT box and running CAT5E directly from there. So this means that if they could set that up, then I would have only the set top boxes on the wireless router, and the internet would be kept separate, giving me a direct IP from my ISP, which I would then connect to the WAN side of my pfSense box and then attach the LAN side to my desktop PC.
I never thought about the latency of coax cable. I can see why it might be inferior though, since the first cable box we had was in the late 80's.
-
No - this means you would have great internet and no set top boxes. No TV.
It's not actually the coax itself that introduces latency. It's MoCA, which just happens to use coax.
-
"Well, for teredo to make it passed your PFsense router, you would have to turn on the uPNP feature of pfsense"
I do not believe this is true. If UDP is open outbound, then traffic would get out, and then the return would be "solicited" traffic, and the firewall should allow the return via the state table.
This is the whole purpose of this protocol: to allow IPv6 connectivity through an IPv4 NAT. UPnP would not be required for this to function. The default LAN rule on pfSense that allows "LAN net out any any" would allow this to function.
I do believe it defaults to going to teredo.ipv6.microsoft.com, so you could just block any traffic to that FQDN. Or you could block UDP 3544 to block Teredo tunnels.
Host IPv6 tunnels over IPv4 through your IPv4 firewall are bad from a security point of view.
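As an added illustration of the point above (example code, not from the thread): the state table will let a LAN host's outbound UDP/3544 Teredo flow and its replies through the default "LAN net out any any" rule, so the thing to check is the filter log. This script parses pfSense-style filterlog CSV records (the field layout is assumed from the pfSense 2.2+ raw filter log format; the sample lines are constructed) and counts Teredo flows per source/destination pair, split by whether the rule passed or blocked them.

```python
"""Count Teredo (UDP/3544) flows in pfSense-style filterlog lines."""
import csv
from collections import Counter

TEREDO_PORT = 3544  # Teredo client/server port named in the thread

# Constructed sample records in the assumed pfSense filterlog layout:
# rule,subrule,anchor,tracker,iface,reason,action,dir,ipver,
# IPv4: tos,ecn,ttl,id,offset,flags,proto-id,proto,len,src,dst,
# TCP/UDP: sport,dport,datalen,... (TCP appends flag/seq fields)
SAMPLE_LOG = """\
5,,,1000000103,em1,match,pass,in,4,0x0,,128,12345,0,none,17,udp,68,192.168.1.3,94.0.2.10,62001,3544,40
5,,,1000000103,em1,match,pass,in,4,0x0,,128,12346,0,none,17,udp,68,192.168.1.3,94.0.2.10,62001,3544,40
5,,,1000000103,em1,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,10.0.0.5,198.51.100.7,51000,443,0,S,1,,65535,,mss
7,,,1000000105,em1,match,block,in,4,0x0,,128,12347,0,none,17,udp,68,10.0.0.7,203.0.113.9,62002,3544,40
"""


def parse_line(line):
    """Return a dict for an IPv4 TCP/UDP record, or None for anything else."""
    fields = next(csv.reader([line]))
    if len(fields) < 22 or fields[8] != "4":
        return None  # only the IPv4 layout is handled here
    proto = fields[16]
    if proto not in ("udp", "tcp"):
        return None  # ICMP and others carry no port fields
    return {
        "iface": fields[4], "action": fields[6], "dir": fields[7],
        "proto": proto, "src": fields[18], "dst": fields[19],
        "sport": int(fields[20]), "dport": int(fields[21]),
    }


def teredo_flows(log_text):
    """Return (passed, blocked): Counters of (src, dst) pairs hitting UDP/3544."""
    passed, blocked = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "udp" or rec["dport"] != TEREDO_PORT:
            continue
        bucket = passed if rec["action"] == "pass" else blocked
        bucket[(rec["src"], rec["dst"])] += 1
    return passed, blocked


if __name__ == "__main__":
    allowed, dropped = teredo_flows(SAMPLE_LOG)
    for (src, dst), n in allowed.items():
        print(f"PASSED  {src} -> {dst}:{TEREDO_PORT}  ({n} packets)")
    for (src, dst), n in dropped.items():
        print(f"BLOCKED {src} -> {dst}:{TEREDO_PORT}  ({n} packets)")
```

Any pair in the passed set is a host whose Teredo tunnel the default LAN rule is letting out; a block rule for UDP/3544 (or for the FQDN named above) on the LAN interface should move those pairs to the blocked set.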
-
Yes - if you have hosts inside the LAN requesting connections, all bets are off.
I was only referencing unsolicited connections.
It's a little disconcerting to go into your router and see a whole heap of persistent port forwards that just keep piling up that you didn't put there.
-
I just wanted to say thank you to kejianshi and John for your time.
Now I'm off to tackle spamd. I like hilarious programs, and this one sounds like it was made just for me.
-
spamd, huh? Give me your server address and I'll email you every 30 seconds to say hello when you get it installed (-:
Sounds like you are getting ready to join ChaosVPN.