Transparent Firewall Only



  • Hello,

    I'm sorry if this is in the wrong place, but I hardly ever write in forums, although I read a lot of them, and again, I'm sorry if this has already been answered, but I have been looking for about two weeks, in here and all over the web, and I have got absolutely nowhere with getting this working.

    The scenario:
    I am a home enthusiast who is just starting to get into the rather murky waters of proper networking. Up to this point I have been playing with hosting my own domain, and email server and configuring network monitoring for my home network among other things.

    My current setup can be viewed live on the link below:

    https://urbankennel.co.uk/public/mapshow.htm?id=2652&mapid=C6C9C915-125D-4931-A470-8F613507756A

    What I'm trying to achieve:
    A few months ago I set up my own mail server for the first time, and now it has been discovered by the spammers, who are trying relentlessly to gain access. I currently host on a dynamic IP address, but will be moving over to 5 static IPs in 4 to 6 weeks.

    I have a lot of inbound rules set up on my router, and also a lot of DHCP reservations configured so that most of the devices on my network do not have static IPs but always remain in the same place. I find this more convenient when I make changes to the network and move things around.

    In an attempt to stop the would-be spammers gaining access to my mail server, I have an auto-block rule set up that automatically blocks any IP that has 2 failed attempts in 1 minute, and currently have a block list of several hundred IPs.

    Whenever I check one of the IPs on Whois it comes back from China.

    I read that pfSense has a nice little add-on, pfBlocker, that will allow me to block entire countries with a simple click of the mouse, which would be a very convenient way for me to secure my network, as I do not know, and do not have any dealings with, anyone in China, Russia, Taiwan etc.

    I have purchased an Alix 2d3 (500MHz CPU & 256MB RAM) and have installed pfSense countless times, as every time I try and configure it I fail.

    I am trying to keep everything on my network exactly the same as in the diagram above and retain the WAN IP address on the Airport Extreme, as it makes life very convenient for services such as 'Back To My Mac' and other things, but would like to have the pfSense firewall sit between the Virgin Media SuperHub (which is in 'modem only mode') and the Apple Airport Extreme. I am trying to do it this way as when I get the block of 5 static IPs I plan to add a few additional devices on them, but would like to keep them separate from my home LAN, and I would like the pfSense firewall to protect all the devices behind it, but possibly use the third NIC for the 4 static WAN IPs that are not related to my current LAN. If this is a weird way of setting up a network I wouldn't be surprised - as I mentioned earlier, I'm very new to this side of networking.

    I would like the pfSense firewall simply to reject/deny traffic from IP addresses originating from countries as defined in pfBlocker and nothing else. No NAT, no DHCP etc.

    I have tried many of the configurations and steps detailed on the forum and other sites on the web, but have had no luck for various reasons, but the most common one is that I cannot access the web GUI after setting the bridge IP address and the WAN and LAN interfaces to none (this is from the pfSense forum section: http://forum.pfsense.org/index.php?topic=50711.0 ).

    I have also tried, as well as others, the guides here:
    http://www.osnet.eu/sites/www.osnet.eu/files/appliances/transparent_firewall.pdf
    http://forum.pfsense.org/index.php/topic,36562.0.html
    http://people.pharmacy.purdue.edu/~tarrh/Transparent Firewall - Filtering Bridge - William Tarrh.pdf

    But I can't get any of them to work, probably because there are elements in there that I don't understand. #embarrassed…

    Please, please, please could some very kind person help me to accomplish this by writing a guide for someone who has no idea what they are doing - I would be very grateful and you could help me save what little hair I have left.

    Thanks in advance...

    Ridgeback



  • You should simply set up pfBlocker to download the list you are interested in and then apply the blocking rule to your WAN (from pfSense's PoV).



  • @Ridgeback:

    the most common one is that I cannot access the web GUI after setting the bridge IP address and the WAN and LAN interfaces to none (this is from the pfSense forum section: http://forum.pfsense.org/index.php?topic=50711.0 ).

    What IP were you setting on the bridge interface? You said that you get the public IP directly on the WAN of the Airport Extreme right? What about the Virgin modem IP address (192.168.100.1)? Can you access it directly from your LAN on your current setup?

    Bear in mind that the firewall might require a restart after the bridge is set before you can access the webGUI (this has happened to me a couple of times while bridging wireless interfaces).



  • @gregober:

    You should simply set up pfBlocker to download the list you are interested in and then apply the blocking rule to your WAN (from pfSense's PoV).

    Hi Gregober,

    The pfBlocker part is pretty straightforward, but I'm trying to get the pfSense part to pass the WAN IP through to the LAN router (Airport Extreme). The reason for this is that currently I have one dynamic IP but will be getting 5 static WAN IPs in a few weeks, on which I will be adding some WAN-facing devices, and I want to protect all the devices with the one firewall, but want all the devices to be WAN-facing with no NAT.

    @georgeman:

    @Ridgeback:

    the most common one is that I cannot access the web GUI after setting the bridge IP address and the WAN and LAN interfaces to none (this is from the pfSense forum section: http://forum.pfsense.org/index.php?topic=50711.0 ).

    What IP were you setting on the bridge interface? You said that you get the public IP directly on the WAN of the Airport Extreme right? What about the Virgin modem IP address (192.168.100.1)? Can you access it directly from your LAN on your current setup?

    Bear in mind that the firewall might require a restart after the bridge is set before you can access the webGUI (this has happened to me a couple of times while bridging wireless interfaces).

    Hi Georgeman,

    Thanks for your post and help. Honestly I can't remember what I was setting the IP for the bridge interface to; I have been trying a lot of configurations since then. I was/am able to get to the Virgin modem on 192.168.100.1 from my LAN (behind the Airport Extreme).

    I have been experimenting with the setup and will detail in a separate post below what I have done.

    Thanks again for your advice :)

    RB



  • Through a lot of trial and error, I have managed to get some success.

    I used Badgdk's post from http://forum.pfsense.org/index.php/topic,50711.0.html as a road map, but did things slightly differently.

    This is what I did:

    Set the IP Address of the configuring computer to 192.168.1.100 with Subnet of 255.0.0.0

    From a fresh install I browsed to 192.168.1.1 and logged in with the default credentials. I bypassed the configuration wizard by clicking on the pfSense logo.

    Disable DHCP Server:

    • Navigate to: Services/DHCP Server
    • Un-tick the box marked ‘Enable DHCP server on LAN interface’
    • Click [SAVE]
    • Click [CLOSE]

    Configuring the LAN IP address:

    • Navigate to: Interfaces/LAN
    • Under ‘IPv4 Address’ Enter ‘192.168.100.10’ /24
    • Click [SAVE]
    • Click [APPLY CHANGES]

    Set the IP Address of the configuring computer to 192.168.100.100 with Subnet of 255.0.0.0

    In the browser URL bar, enter 192.168.100.10 and log back into pfSense

    Disable NAT:

    • Navigate to: Firewall/NAT
    • Select the ‘Outbound’ Tab
    • Select ‘Manual Outbound NAT Rule Generation’
    • Click [SAVE]
    • Click [APPLY CHANGES]
    • Click [CLOSE]
      - Confirm the dialogue box that pops up
      - Click [APPLY CHANGES]
      - Click [CLOSE]

    Ensuring Firewall Rules Apply to Bridge:

    • Navigate to: System/Advanced
    • Select the ‘System Tunables’ Tab
    • Find the ‘net.link.bridge.pfil_bridge’ and click the [e] to edit.
    • Change the Value from ‘default’ to ‘1’
    • Click [SAVE]
    • Click [APPLY CHANGES]
    • Click [CLOSE]

    Creating the Bridge:

    • Navigate to: Interfaces/(assign)
    • Select the ‘Bridges’ Tab
    • Click the ‘+’ to add a new Bridge
    • From ‘Member Interfaces’ select both ‘WAN’ and ‘LAN’
    • In ‘Description’ enter ‘WAN to LAN Bridge’
    • Click [SAVE]
    • Select the ‘Interface Assignments’ Tab
    • Click the ‘+’ to add a new Interface
    • Click [CLOSE]
      - For the ‘OPT1’ interface, select ‘BRIDGE0 (WAN to LAN Bridge)’ from the dropdown menu under ‘Network Port’
      - Click [SAVE]
      - Under ‘Interface’ click on ‘OPT1’
      - Click on ‘Enable Interface’
      - Under ‘Description’ rename ‘OPT1’ to ‘BRI’
      - Under ‘IPv4 Configuration Type’ select ‘Static IPv4’ from the dropdown menu
      - Under ‘IPv4 Address’ enter ‘192.168.100.11’ /24
      - Click [SAVE]
    • Click [APPLY CHANGES]

    Creating Firewall Allow All Rules:

    • Navigate to: Firewall/Rules
    • Select ‘Floating’ Tab
    • Click ‘+’
    • Under ‘Interface’ select ‘WAN’, ‘LAN’ and ‘BRI’
    • Under ‘Protocol’ select ‘any’ from the dropdown menu
    • Under ‘Description’ enter ‘Allow All’
    • Click [SAVE]
    • Click [APPLY CHANGES]
    • Click [CLOSE]

    Passing the WAN IP Address Through to LAN Router:

    • Navigate to: Interfaces/WAN
    • Under ‘IPv4 Configuration Type’ select ‘None’ from the dropdown menu
    • Click [SAVE]
    • Click [APPLY CHANGES]

    Installing pfBlocker:

    • Navigate to: System/Packages
    • Select the ‘Available Packages’ Tab
    • Find ‘pfBlocker’ in the list
    • Click the ‘+’ next to the package description.

    Configuring pfBlocker:

    • Navigate to: Firewall/pfBlocker
    • Under ‘Enable pfBlocker’ tick the box
    • Under ‘Enable Logging’ tick the box
    • Under ‘Inbound Interfaces’ select ‘OPT1’
    • Under ‘Inbound Deny Action’ select ‘Block’ from the dropdown menu
    • Under ‘Outbound Interfaces’ ensure no interfaces are highlighted
    • Click [SAVE]
    • Select the ‘Asia’ Tab
      - Highlight ‘CHINA-CN’ in the list of countries
      - Under ‘Action’ select ‘Deny Inbound’ from the dropdown menu
      - Click [SAVE]

    What I could not get working was the part where Dabgdk mentions setting the LAN interface 'IP Configuration Type' to 'None', as every time I did, I lost connectivity to the firewall.

    I'm asking the advice of the experts out there to make sure that what I have done will work, and whether anyone has any ideas on how I can still gain access to the web GUI after changing the IPv4 Configuration Type of the LAN interface to None.

    Thanks,

    RB
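The two pieces of the setup described in this thread, the "2 failed attempts in 1 minute" auto-block on the mail server and the per-country "Deny Inbound" rule in pfBlocker, as an added worked example (not code from the thread, pfSense or pfBlocker). It implements the sliding-window blocker over some constructed Postfix-style log lines, then checks which of the resulting block list a country CIDR list would already cover. The log lines, the country ranges (RFC 5737 documentation blocks standing in for real geo-IP data) and the thresholds are all assumptions; the RFC 1918 check is there because a home-LAN address can show up in the same log and must never make it into a geo rule, which is the same concern as the "block private networks" caveat raised later in the thread.

```python
"""Added example, not from the thread: a sliding-window failed-login blocker
(block after `threshold` failures inside `window_seconds`), then a check of how
much of the resulting block list a per-country CIDR list would already catch.

Everything here is constructed: the log lines, the thresholds and the "country"
ranges (RFC 5737 documentation blocks, not real allocations).
"""
from collections import defaultdict, deque
from datetime import datetime, timezone
import ipaddress
import re

# Constructed Postfix-style lines; the last two come from a host on the home LAN.
SAMPLE_LOG = """\
2013-03-01T10:00:01Z smtpd: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed
2013-03-01T10:00:20Z smtpd: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed
2013-03-01T10:00:25Z smtpd: warning: unknown[198.51.100.9]: SASL LOGIN authentication failed
2013-03-01T10:02:00Z smtpd: warning: unknown[198.51.100.9]: SASL LOGIN authentication failed
2013-03-01T10:02:05Z smtpd: warning: unknown[192.0.2.33]: SASL LOGIN authentication failed
2013-03-01T10:02:10Z smtpd: warning: unknown[192.0.2.33]: SASL LOGIN authentication failed
2013-03-01T10:02:15Z smtpd: warning: unknown[192.168.1.42]: SASL LOGIN authentication failed
2013-03-01T10:02:16Z smtpd: warning: unknown[192.168.1.42]: SASL LOGIN authentication failed
"""

LINE_RE = re.compile(r"^(\S+) .*?\[(\d+\.\d+\.\d+\.\d+)\].*authentication failed$")

# Hypothetical stand-in for a pfBlocker country list (not real CN allocations).
COUNTRY_LISTS = {
    "CN": [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("192.0.2.0/25")],
}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def failed_logins(text):
    """Yield (timestamp, source IP string) for every failed-auth line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            yield ts, m.group(2)


def auto_block(text, threshold=2, window_seconds=60):
    """Return {ip: time_blocked} for IPs that hit `threshold` failures inside a sliding window."""
    recent = defaultdict(deque)
    blocked = {}
    for ts, ip in failed_logins(text):
        q = recent[ip]
        q.append(ts)
        # Drop failures that fell out of the window before counting.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ip not in blocked:
            blocked[ip] = ts
    return blocked


def country_of(ip, lists=COUNTRY_LISTS):
    """Country code whose list contains `ip`, or None if no list matches."""
    addr = ipaddress.ip_address(ip)
    for cc, nets in lists.items():
        if any(addr in n for n in nets):
            return cc
    return None


def coverage(blocked, lists=COUNTRY_LISTS):
    """Split a block list into: already covered by a country rule, RFC 1918 addresses
    that must never end up in a geo rule, and addresses still needing a manual rule."""
    covered, private, remaining = [], [], []
    for ip in blocked:
        addr = ipaddress.ip_address(ip)
        if any(addr in n for n in RFC1918):
            private.append(ip)
        elif country_of(ip, lists):
            covered.append(ip)
        else:
            remaining.append(ip)
    return covered, private, remaining


if __name__ == "__main__":
    blocked = auto_block(SAMPLE_LOG)
    covered, private, remaining = coverage(blocked)
    print("blocked:", sorted(blocked))
    print("covered by country list:", covered)
    print("private (never geo-block):", private)
    print("still need a manual rule:", remaining)
```

Note what the window does: 198.51.100.9 fails twice, but 95 seconds apart, so with the 60-second window from the first post it is never blocked, while widening the window to 120 seconds catches it. The coverage split is the practical question behind the pfBlocker step: addresses the country list already covers no longer need individual entries, and the LAN address only ever belongs in the "private" bucket.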



  • After setting LAN to "None", you should be able to access the webGUI on the address you set for the bridge interface. Make sure that you don't have "block private networks" checked on the bridge interface.

    As I mentioned before, a system restart sometimes helps after messing around with the interface assignment.



  • @georgeman:

    After setting LAN to "None", you should be able to access the webGUI on the address you set for the bridge interface. Make sure that you don't have "block private networks" checked on the bridge interface.

    As I mentioned before, a system restart sometimes helps after messing around with the interface assignment.

    I checked that I could access the web GUI on the bridge IP address and found that I could, and it does seem that even leaving the LAN IPv4 Configuration set to Static IPv4 the WAN IP address is passed through the firewall and sits on the WAN NIC of the Airport Extreme - so things are looking pretty rosy there.

    So with the LAN IPv4 Configuration Type set to Static IPv4 I can get access to the web GUI on both the LAN IP address (192.168.100.10) and the bridge IP address (192.168.100.11), but when I change the IPv4 Configuration Type of the LAN interface to None I still lose access to the web GUI even after several reboots of the Alix.

    After another wipe of the CF card and reconfiguration of the setup, but this time leaving the IPv4 Configuration Type of the LAN interface set to Static IPv4 (192.168.100.10) and placing the Alix in situ between the modem and Airport Extreme router, I was able to resolve the WAN IP address on the Airport Extreme. Awesome!

    BUT…

    Even though I am able to gain access to the web GUI of the modem (192.168.100.1), which is connected to the WAN NIC of the Alix pfSense firewall (192.168.100.10), I cannot access the pfSense web GUI.
    Checking both of these devices was done from my laptop, which was behind the Airport Extreme. My laptop has IP address 192.168.1.42 and subnet mask 255.255.255.0. Am I right in thinking that it is a setting that I missed on pfSense to allow access to the web GUI from a different IP range, or is it to do with the subnet mask of my computer (255.255.255.0)?

    If I connect my computer directly to the LAN port of pfSense and set the static IP of 192.168.100.100 & subnet mask 255.0.0.0 I can get into the web GUI.

    I checked the Allow All rule of the LAN interface and changed the LAN Net to Any but that made no difference.

    Any Ideas?

    Thanks,

    RB



  • You have a routing problem there. The Airport Extreme doesn't know where the IP 192.168.100.10 (pfSense) lies.

    How does this work? Do you get the public IP directly on the WAN of the Airport via a static assignment, PPPoE or something like that? Or do you get a private IP close to 192.168.100.1? What netmask?

    If you can access the Virgin modem from LAN, that means that the Airport knows how to route to the 192.168.100.1 IP. Now we have to figure out why it doesn't route to 192.168.100.10 (probably outside of the subnet).



  • Hi Georgeman,

    Thanks again for your help with this.

    I have been doing lots of reading in the time since, and have realized how much better using pfSense as the firewall/DHCP server/etc. is than using the Airport Extreme.

    After re-evaluating and some trial and error, I have removed the Airport Extreme and just use the Alix/pfSense box instead, and it's great.

    Thanks again for your help!

    RB



  • Good to hear!

    Regards!

