Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    First time install of pf, a couple of questions

    Scheduled Pinned Locked Moved
    NAT
    2
    3
    2.1k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P
      pfnoober
      last edited by

      Greetings everyone!

      Allow me to introduce myself.  I found pfSense after a somewhat long and tiring ordeal with other firewalls.  I got tired of certain brand name firewalls discontinuing support of the product several months after I bought it.  There went about $300 down the drain, twice!  I was considering moving to a small Pix model, but then realized if I wanted support I'd have to pay for it, and Cisco isn't cheap.  Not even any firmware updates would be available to me.  So this is what led me to seeking out open-source solutions.  I almost resigned myself to using the command line pf in OpenBSD then learned of m0n0wall and then pfSense.  So I made my choice and here I am.  I built a small mini-ITX based pc to run this application and so far it runs great.  It's easy to get it set up on my network and I appreciate the embedded package as that's I've used to keep the footprint small and the read/writes to a minimum.  I'm really looking forward to using this.

      With that said, I just managed to get the firewall onlined last night and spent some time troubleshooting some connectivity problems.  This is where I need some assistance.  Here is a crude diagram of my home setup:

      phone line –> dsl gateway modem --(crossover cable)--> WAN interface --> LAN interface --(standard cable)--> LAN switch

      dsl gateway:  xxx.xxx.xxx.254 (the ethernet interface)
      WAN: .253
      LAN: .252

      Subnet is 255.255.255.0 across the board.
      DHCP server has been turned OFF on the gateway and firewall.  All machines are set a static IP internally.

      This is the model dsl gateway I have: http://www.netopia.com/support/hardware/2240.html

      In the past, I've used this for simple PPPoE setup and NAT for my home network.  I've had no complaints. This device does support what it calls an ethernet bridge; I've had some slight success so far, but can't say for certain as it's the first time I've used this feature.

      Here is what I want to have happen - I want the dsl modem to establish the dsl connection itself, then I'd like pf to establish the PPPoE logon to my account and also do the NAT.  Hopefully pretty simple.

      I've set up the LAN IP address as I indicated above and selected the bridge to WAN option.
      I've established the WAN as a static IP with gateway pointing to .254.

      Now if I leave the PPPoE and NAT turned on the gateway, I can get traffic going no problem.  I figured this was happening though because the traffic from a workstation on the network was bypassing the firewall entirely.  The gateway address for example was set to .254.  Am I incorrect in thinking this bypasses pfSense?  Do I need to set the gateway of the workstations to the LAN address, .252?  If so, is there a way of blocking traffic that attempts to bypass the firewall, forcing the user to route traffic to .252?

      So if I turn off NAT on my gateway, I get no traffic unless I enter IP addresses.  I checked the NAT settings and pf is set to Automatic, so I assume it is generating rules based on the traffic from the LAN?  I looked at the single rule that appeared when selecting manual and it looked correct to me - all traffic on my LAN segment passes to the WAN.  So is there some other problem when in automatic mode?

      Regarding the WAN interface setting for PPPoE, I have tried that when the gateway was in the ethernet bridge mode.  As best I could tell it was able to establish my PPPoE account interface with my ISP; I was able to ping one of my favorite dns servers on the WAN interface side.  The NAT though was another story.  I still couldn't get traffic going from my internal network even though it was still set in auto mode.

      The last question I can think of at the moment that is slightly unrelated to everything else...if I enable ssh access, can I set up different user accounts for people to log on as or is everyone relegated to using the admin account?

      My weekend starts in a few hours so if you have any questions about specific options set up in the configuration, I should have plenty of time to check over the next couple days.  Thanks in advance for your help.

      1 Reply Last reply Reply Quote 0
      • dotdashD
        dotdash
        last edited by

        I don't have enough time to address your entire topic (short, lucid posts tend to get more responses), but I would suggest setting the Netopia to bridge mode. The link you posted has some information about this. Then you should be able to get running with a pretty standard pfsense install. From a stock install, change the WAN to PPPoE, and enter your information. Change your workstations to DHCP, and you should be running. IMO, you are making things more complicated than then need to be.
        As far as the ssh question, I'll include the obligatory 'please search before asking' and let you know that adding non-admin users is planned for a future release and not currently available.

        1 Reply Last reply Reply Quote 0
        • P
          pfnoober
          last edited by

          I apologize for the length of my post.  I was trying to give as much detail as possible.  I hadn't actually checked back on this topic until today but I did want to let everyone know I have managed to get the interface working, just not quite in the configuration I wanted.

          I had to leave my Netopia configured the same as it was previously - establishing the PPPoE connection and doing the default NAT, with its ethernet interface set up as a gateway.  PF I set both interfaces to a static IP and the WAN pointed to the Netopia gateway.  I've also left the automatic NAT rules on, not even messing with NAT.  Everything works!  I can see traffic going across the nice graph interface and have begun to try a couple of firewall rules.

          It isn't quite the way I was hoping the configuration would be set up, but so far since it's working fine and I've been able to test blocking addresses locally, it seems to be doing the job.  Many thanks.

          1 Reply Last reply Reply Quote 0
          • First post
            Last post