Configuration of pfSense: what about a WAN of ONE system?
-
If you also have some other routing box that connects your LAN to the internet, then putting a 2nd router on the LAN to connect LAN and "InvaderNet" will be a small hassle, because LAN clients will effectively have 2 gateways out of LAN for different destination IP subnets. The LAN to internet router would be the default gateway, and would need a static route across the pfSense router going to InvaderNet. And then replies back from InvaderNet will be delivered directly back to the LAN clients, resulting in asymmetric routing.
If you need public Internet, ordinary LAN and InvaderNet with appropriate firewalling between, then it is much more straightforward to put pfSense as the only router, with WAN to public internet, LAN for your ordinary machines and OPT1 for InvaderNet. Then there are no routing hassles for LAN devices, and you can allow whatever you like from LAN to InvaderNet, and nothing at all (the default) from InvaderNet to anywhere…
-
Ok! In the attached file you have a diagram of the net. As you see, it can't get simpler… The aim is to connect the "invader" to the system whose IP address is not hidden. I actually wanted to add a new network card to this system and directly connect invader and this host through a pfSense box (maybe with crossover cables). But I don't think I am going to be able to add this card, so pfSense would connect the invader and the switch... unless you suggest something different... In the end, what I need is to allow FTP connection between 192.168.200.76 and the invader, and block any other traffic between invader and LAN.
Whatever you need, please tell me.
Thanks!!!!!
-
Ok, so your network has no internet connection? Are you using static IP addresses? You have no central 'server' type device offering services?
You could use pfSense in transparent mode to do this with minimal complication to the rest of your network but it will be a more difficult install.
Steve
-
Exactly! All are static IPs; there are no DHCP services anywhere. What do you mean by "transparent mode"? Can you explain it to me a little more (or point me to where I can find more info)?
Again, lots of thanks!
-
Or you can easily put Invader on a separate subnet (e.g. make it 192.168.111.2/24 with gateway 192.168.111.1) and set up pfSense with:
WAN: 192.168.111.1/24 and NO gateway defined
LAN: 192.168.200.1/24 (and again no gateway)
pfSense then treats these as 2 "LANs" and does not define a default route, does not do NAT between them. It just acts as a firewall and local router. You add whatever pass rules you want to LAN to allow access to WAN, and presumably no pass rules on WAN as you want no traffic initiated from Invader to LAN.
-
Mmmm, I see Phil,…
So, with the scheme you've pointed out, would it be enough to define a rule on the WAN interface (Firewall -> Rules -> WAN) allowing TCP port 21 (FTP) from WAN to LAN to get it done? Or do I have to configure somewhere else the routing pfSense must perform (between interfaces), and besides, add that rule? I might be saying kind of a nonsense,... I have quite a lot to learn!!! My doubt is that I don't know whether it is necessary to first configure routing, and then add rules, or whether just adding rules is enough to tell pfSense to perform routing.
Just in case: please excuse my ignorance!
And thanks a lot!
-
Yep, do what Phil said. Much easier setup. :)
So pfSense firewall rules act on traffic entering the interface. By default the 'WAN' interface (at this point WAN is just a label as you've removed any gateway) blocks all traffic entering it. There are no firewall rules and by default everything that doesn't match a rule is blocked. The LAN interface will be set up to allow any traffic from within its subnet. This is useful for the common configuration where pfSense is an edge device between a local network and the internet but less so in your case.
For your configuration leave the WAN interface with no rules, you do not want to allow the invader to initiate a connection to anywhere on the LAN.
Change the 'default LAN to any' rule so that it allows only traffic with destination 'the invader's IP', using FTP ports, and with source 'myhost IP'.
Leave the anti-lockout rule in place so you can still access the pfSense box.
Steve
-
Yep, what Steve said. And pfSense does routing without being specially asked - the underlying FreeBSD routing daemon will route between all the directly-connected networks automagically. Once you actually let traffic in with firewall rules, the routing will "just happen". Like Steve said - remember to always put the pass rules on the interface where the clients are initiating the connections you want to allow.
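To make Steve's and Phil's rule semantics concrete, here is an added Python model (not pfSense code and not from this thread) of a stateful, first-match, per-interface filter loaded with exactly the rules described: no rules on WAN, and on LAN only the anti-lockout rule plus FTP from 192.168.200.76 to the invader. It assumes the invader sits at 192.168.111.2 as Phil suggested and models only the port 21 control channel; passive-mode FTP data connections to server-side ports are not covered.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Addresses from the thread; Invader's address is a constructed value inside
# Phil's suggested 192.168.111.0/24 subnet.
MYHOST = "192.168.200.76"
INVADER = "192.168.111.2"
PFSENSE_LAN = "192.168.200.1"
LAN_NET = ip_network("192.168.200.0/24")

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

# Rules are keyed by the interface a packet ENTERS; first match wins
# (pfSense GUI rules are 'quick' rules).
# Tuple: (action, allowed source net, allowed destination net, allowed TCP dst ports)
RULES = {
    "LAN": [
        # anti-lockout: LAN hosts keep reaching the pfSense web GUI
        ("pass", LAN_NET, ip_network(PFSENSE_LAN + "/32"), {80, 443}),
        # the one connection the OP wants: FTP control channel myhost -> Invader
        ("pass", ip_network(MYHOST + "/32"), ip_network(INVADER + "/32"), {21}),
    ],
    "WAN": [],  # no rules at all: Invader may not initiate anything
}

class Firewall:
    """Stateful first-match filter modelling pfSense's per-interface ingress rules."""
    def __init__(self):
        self.states = set()  # (src, sport, dst, dport) of connections a pass rule admitted

    def filter(self, iface, pkt):
        # Replies to an admitted connection are matched by state, never by rules,
        # which is why no pass rule is needed on WAN for the FTP replies.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.states:
            return "pass (state)"
        for action, src_net, dst_net, ports in RULES.get(iface, []):
            if (ip_address(pkt.src) in src_net and ip_address(pkt.dst) in dst_net
                    and pkt.dport in ports):
                if action == "pass":
                    self.states.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return action
        return "block"  # default deny for anything no rule matched

if __name__ == "__main__":
    fw = Firewall()
    print(fw.filter("LAN", Pkt(MYHOST, 50000, INVADER, 21)))   # pass
    print(fw.filter("WAN", Pkt(INVADER, 21, MYHOST, 50000)))   # pass (state)
    print(fw.filter("WAN", Pkt(INVADER, 40000, MYHOST, 21)))   # block
```

Swapping the order of the two filter calls for the invader's reply shows the point of the thread: without a prior state entry, a packet entering WAN hits an empty rule list and is blocked.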
-
OK, Phil, Steve, I'll do what you both suggest. It sounds good! And quite clear! Thanks again!
Looking forward to having the Alix board here and giving it a try!
I'll let you know.
Seriously, thanks a lot for your advice!
-
Hi all,
This is just to say that it works perfectly on the Alix board. I did some pentesting against the firewall and it performs great.
Thanks a lot!